恶鹰变种(Worm.Bagle.ao)蠕虫病毒分析报告

病毒名称: Worm.Bagle.ao

中文名称: 恶鹰变种AO

威胁级别: 二级

病毒别名: I-Worm.Bagle.ao[AVP]

病毒类型: 邮件蠕虫、漏洞蠕虫、黑客、后门

病毒类型: 蠕虫、木马

受影响系统:Win9x/WinNT/Win2K/WinXP/Win2003

破坏方式：

A、使用自带的SMTP引擎大量发送病毒邮件，浪费大量网络资源，并可导致中小型邮件服务器极不稳定；

B、中止被感染系统中的大量安全软件，使系统安全性下降；

C、安装木马，木马下载病毒；

D、在被感染的机器上开后门端口TCP 80和UDP 80,该端口可被利用转发邮件；

E、通过P2P软件及局域网进行传播。

发作现象：

A、结束以下安全相关进程:

ATUPDATER.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVPUPD.EXE

AVWUPD32.EXE

AVXQUAR.EXE

CFIAUDIT.EXE

DRWEBUPW.EXE

ESCANH95.EXE

ESCANHNT.EXE

FIREWALL.EXE

ICSSUPPNT.EXE

ICSUPP95.EXE

LUALL.EXE

MCUPDATE.EXE

NUPGRADE.EXE

OUTPOST.EXE

UPDATE.EXE

B、从以下网站下载一个文件到%SystemRoot%\_re_file.exe，并执行

allianzsp.sk

coolweb.psg.sk

cryofthespirit.com

dollypop.com

execpage.com

helpdemos.com

helpingyouth.org

jamesbronner.com

koti.pl

miracle.v6.cz

mountainwings.com

mountainwings4.com

naturalpros.com

oracal.pl

shock.evernet.com.pl

SportLine.go.ro

stroipolymer.ru

theonlineword.com

virtualchurch.com

visionforsouls.org

wingsoverlife.com

www.1800thewoman.com

www.1944.pl

www.45partsdepot.com

www.7pe.friko.pl

www.air-computers.com.ar

www.ametist.spb.ru

www.apodis.pl

www.arrasy.pl

www.arthurspeaks.com

www.astermed.pl

www.atomique.pl

www.atw.hu

www.avatar.ee

www.avers.com.pl

www.baltexpo.spb.ru

www.bomart.cz

www.bravo.gliwice.pl

www.bronnerbros.com

www.buycare.com

www.cumparacd.go.ro

www.da-rom.co.il

www.domu.net

www.eastandard.co.ke

www.elblu.republika.pl

www.elcorsy.com

www.elite-style.com

www.enduser1.fast.net

www.enitex.by

www.enitex-m.by

www.eris.pl

www.europharm.pl

www.extreme-racing.lg.ua

www.fotel.pl

www.fotolab.sk

www.frater.hu

www.gardameditech.com

www.generex.de

www.goldgates.com

www.goodboy.dem.ru

www.hards.pl

www.healthcometh.com

www.holz-studio.at

www.ibplus.sk

www.icpnet.pl

www.icpnet.pl

www.inlan.sk

www.jamesbronner.com

www.jbplus.cz

www.justmatchit.com

www.kubtelecom.ru

www.kuda.com.ua

www.lacittadifiorenzuola.it

www.lotusdog.net

www.ltvo.spb.ru

www.master.pl

www.members.aon.at

www.moteplassen1.com

www.mountainwings2.com

www.multifoto.sk

www.nadodrze.pl

www.nairobiwebspace.com

www.nameitright.com

www.nardo.bbe.pl

www.netland.gda.pl

www.netta.pl

www.nikola.piwko.pl

www.ntrlab.com

www.nustep.sk

www.octava.pl

www.odevnictvo.sk

www.oftza.friko.pl

www.oktbroiler.ru

www.online40.com

www.online50.com

www.oto.lv

www.pancoopzsv.co.yu

www.pay5495.com

www.pc-hard.com.ua

www.perfect-beauty.at

www.pharmag.pl

www.polsl.katowice.pl

www.prophetcollins.com

www.propi.cz

www.pursuit.rv.ua

www.pyrlandia-boogie.pl

www.quatro.sk

www.r-bazar.ru

www.roszkowski.pl

www.silvic.ro

www.sincron.go.ro

www.skylive.pl

www.smgkrc.pl

www.soulring.com

www.star-max.it

www.sunbud.com.pl

www.swez.net

www.system5electronics.com

www.tcvwebtv.com.ar

www.thewoman.com

www.tivis.cz

www.ukpl.pl

www.vacation-network.net

www.wyspian.iap.pl

www.zasada-rowery.pl

C、尝试在以下扩展名文件中搜索邮件地址：

.adb

.asp

.cfg

.cgi

.dbx

.dhtm

.eml

.htm

.jsp

.mbx

.mdx

.mht

.mmf

.msg

.nch

.ods

.oft

.php

.pl

.sht

.shtm

.stm

.tbb

.txt

.uin

.wab

.wsh

.xls

.xml。

D、病毒发送的邮件附件为fotos.zip。

技术特点：

A、在注册表主键"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n"下添加如下键值："erthgdr"=""%System%\windll.exe"

B、在"%SYSTEM%"目录下，添加如下文件："windll.exe"

C、在"%SYSTEM%"目录下，添加如下文件："windll.exeopen"

D、在"%SYSTEM%"目录下，添加如下文件："windll.exeopenopen"

E、创建以下互斥体来防止netsky及其变种的感染

　 MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

　'D'r'o'p'p'e'd'S'k'y'N'e't'

　_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_

　[SkyNet.cz]SystemsMutex

　AdmSkynetJklS003

　____--->>>>U<<<<--____

　 _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

F、在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

与HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

9XHtProtect

Antivirus

EasyAV

FirewallSvr

HtProtect

ICQ Net

ICQNet

Jammer2nd

KasperskyAVEng

MsInfo

My AV

NetDy

Norton Antivirus AV

PandaAVEngine

SkynetsRevenge

Special Firewall Service

SysMonXP

Tiny AV

Zone Labs Client Ex

service

G、复制自身到包含"shar"字符串的目录下,病毒文件名可能为以下之一:

Microsoft Office 2003 Crack, Working!.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Microsoft Office XP working Crack, Keygen.exe

Porno, sex, oral, anal cool, awesome!!.exe

Porno Screensaver.scr

Serials.txt.exe

KAV 5.0

Kaspersky Antivirus 5.0

Porno pics arhive, xxx.exe

Windows Sourcecode update.doc.exe

Ahead Nero 7.exe

Windown Longhorn Beta Leak.exe

Opera 8 New!.exe

XXX hardcore images.exe

WinAmp 6 New!.exe

WinAmp 5 Pro Keygen Crack Update.exe

Adobe Photoshop 9 full.exe

Matrix 3 Revolution English Subtitles.exe

ACDSee 9.exe

H、在系统目录下创建文件

Doriot.exe

Gdqfw.exe (该EXE其实为一个DLL文件)

I、在注册表项HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

与HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下增加值

"wersds" = "%System%\doriot.exe"

J、把Gdqfw.exe注入到Explorer.exe进程中

K、停止以下服务,并把启动类型改为"禁止"

Windows XP Service Pack 2为: Windows Firewall/Internet Connection Sharing (ICS)

Windows XP Service Pack 1 及以前的为:Internet Connection Firewall (ICF)

/ Internet Connection Sharing (ICS)

Windows 2000为:Internet Connection Sharing (ICS)