Worm.Beagle.bf


Worm.Beagle.bf Overview

Virus alias:
Handling time:
Threat level: ★★
Chinese name: 恶鹰变种BF (Beagle variant BF)
Virus type: Worm
Affected systems: Win9x / WinNT


Worm.Beagle.bf Virus Behavior

After it runs, the virus injects itself into Explorer.exe, blocks the user from reaching certain websites, prevents the user from starting certain services, moves files on the system, modifies the registry, and downloads further virus programs from the Internet and runs them.

1. Virus execution

Creates winshost.exe and wiwshost.exe in the system's System32 directory.

Injects wiwshost.exe into the Explorer.exe process.

Adds the following entry to the registry:
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"winshost.exe" - "C:\WINNT\System32\winshost.exe"

2. Enumerates the processes running on the system and forcibly terminates the following:
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE

3. Downloads a file from the following addresses and executes it:
http://www.XXXgo.com.pt/osa.gif
http://www.XXXvelourway.com/osa.gif
http://www.XXXaserve.net/osa.gif
http://www.XXXd.dobrcz.pl/osa.gif
http://www.XXXd.at/osa.gif
http://www.XXXld.at/osa.gif
http://www.XXXgsley.ch/osa.gif
http://www.XXXd.at/osa.gif
http://www.XXXis-presley.ch/osa.gif
http://www.XXXyhome.com.tw/osa.gif
http://www.XXXr.cl/osa.gif
http://www.XXXolfibras.com/osa.gif
http://www.XXX4.ee/osa.gif
http://www.XXXc.com/osa.gif
http://www.XXXreme.cz/osa.gif
http://www.XXXzn.cz/osa.gif
http://www.XXXzn.cz/osa.gif
http://www.XXXzn.cz/osa.gif
http://www.XXXntong.net/osa.gif
http://www.XXXpie.com/osa.gif
http://www.XXXie.com/osa.gif
http://www.XXXd.com/osa.gif
http://www.XXXnick-spruyt.be/osa.gif
http://www.XXXadownload.com/osa.gif
http://www.XXXterdays.co.za/osa.gif
http://www.XXXterdays.co.za/osa.gif
http://www.XXXkj.com/osa.gif
http://www.XXXkj.com/osa.gif
http://www.XXXazcd.dp.ua/osa.gif
http://www.XXXdents.stir.ac.uk/osa.gif
http://www.XXXesoftware.com/osa.gif
http://www.XXXtek.co.za/osa.gif
http://www.XXXm.com/osa.gif
http://www.XXXli.sk/osa.gif
http://www.XXXbas.az/osa.gif
http://www.XXXersala.edu.sk/osa.gif
http://www.XXXapex.cz/osa.gif
http://www.XXXptonic.ch/osa.gif
http://www.XXXmarina.com/osa.gif
http://www.XXXink.net/osa.gif
http://www.XXXcoteka-funfactory.com/osa.gif
http://www.XXXssain.be/osa.gif
http://www.XXXs.be/osa.gif
http://www.XXXeters.org/osa.gif
http://www.XXXham.de/osa.gif
http://www.XXXf.de/osa.gif
http://www.XXXz.at/osa.gif
http://www.XXXietaet.de/osa.gif
http://www.XXXm-alliance.de/osa.gif
http://www.XXXc-cassinadepecchi.it/osa.gif
http://www.XXXiverse.sk/osa.gif
http://www.XXXgjuok.com/osa.gif
http://www.XXXtrox.com.tw/osa.gif
http://www.XXXowerchair.com/osa.gif
http://www.XXXripharm.com/osa.gif
http://www.XXXll-cpa.com/osa.gif
http://www.XXX-american.com/osa.gif
http://www.XXXruyssenelektro.be/osa.gif
http://www.XXXtrovestecasa.it/osa.gif
http://www.XXX24h.com/osa.gif
http://www.XXXimeloni.com/osa.gif
http://www.XXXvjiet.ac.in/osa.gif
http://www.XXXe2fateh.com/osa.gif
http://www.XXXketvw.com/osa.gif
http://www.XXXmholz.at/osa.gif
http://www.XXXckonemedia.nl/osa.gif
http://www.XXXomax.fi/osa.gif
http://www.XXXpress-bank.pl/osa.gif
http://www.XXXba.asn.au/osa.gif
http://www.XXXwanjia.com/osa.gif
http://www.XXXwanqing.com/osa.gif
http://www.XXXp.co.za/osa.gif
http://www.XXXomobilonline.de/osa.gif
http://www.XXXgyan.cn/osa.gif
http://www.XXXbuild.com/osa.gif
http://www.XXXle.com.cn/osa.gif
http://www.XXXleclub.com.cn/osa.gif
http://www.XXXleclub.com.cn/osa.gif
http://www.XXXjinyuan.com/osa.gif
http://www.XXXigngong.org/osa.gif
http://www.XXXmegaroy.com/osa.gif
http://www.XXXchcorp.com/osa.gif
http://www.XXXphoto.com/osa.gif
http://www.XXXco.org/osa.gif
http://www.XXXtmajor.ru/osa.gif
http://www.XXXt3.org/osa.gif
http://www.XXXsolutions.com/osa.gif
http://www.XXXcium.biz/osa.gif
http://www.XXXedcom.home.pl/osa.gif
http://www.XXXrit-in-steel.at/osa.gif
http://www.XXXj.az/osa.gif
http://www.XXXt-paulus-bonn.dehtdocs/osa.gif
http://www.XXXtbs.com.hk/osa.gif
http://www.XXXohio.com/osa.gif
http://www.XXXa.com.pe/osa.gif
http://www.XXXsplanet.com/osa.gif
http://www.XXXgodbio.com/osa.gif
http://www.XXXerbetcs.com/osa.gif
http://www.XXXj.vn/osa.gif
http://www.XXXolo.com/osa.gif
http://www.XXXdiheng.com/osa.gif
http://www.XXXria.hu/osa.gif
http://www.XXXternet.hu/osa.gif
http://www.XXXndenservice.be/osa.gif
http://www.XXXhc.hu/osa.gif
http://www.XXXcampus.net/osa.gif
http://www.XXXtentproject.com/osa.gif
http://www.XXXtivalteatrooccidente.com/osa.gif
http://www.XXXhni.com.cn/osa.gif
http://www.XXXtivalteatrooccidente.com/osa.gif
http://www.XXXifast.com/osa.gif
http://www.XXXiventure.com/osa.gif
http://www.XXXi.com.vn/osa.gif
http://www.XXXplayu.com/osa.gif
http://www.XXX-mutan.com/osa.gif
http://www.XXXetexasoutfitter.com/osa.gif
http://www.XXXhcsd1987.friko.pl/osa.gif
http://www.XXXenextstep.tv/osa.gif
http://www.XXXhenextstep.tv/osa.gif
http://www.XXXsartproductions.com/osa.gif
http://www.XXXlsonscountry.com/osa.gif
http://www.XXXindstar.pl/osa.gif
http://www.XXXe-industries.com/osa.gif
http://www.XXXtold.pl/osa.gif
http://www.XXXtold.pl/osa.gif
http://www.XXXhg.net/osa.gif
http://www.XXXovanet.sk/osa.gif
http://www.XXXwombband.com/osa.gif
http://www.XXXtanet.huwww.datanet.hu/osa.gif
http://www.XXXg.hu/osa.gif
http://www.XXXy.com.cn/osa.gif
http://www.XXX-security.de/osa.gif
http://www.XXXe-fliesen.de/osa.gif
http://www.XXXm-invest.com.pl/osa.gif
http://www.XXXlhardtgmbh.de/osa.gif
http://www.XXXhrschule-herb.de/osa.gif
http://www.XXXhrschule-lesser.de/osa.gif
http://www.XXXimex-messzeuge.de/osa.gif
http://www.XXXnside-tgweb.de/osa.gif
http://www.XXXue-bo.com/osa.gif
http://www.XXXniko.de/osa.gif
http://www.XXXikogmbh.com/osa.gif
http://www.XXXenegaderc.com/osa.gif
http://www.XXXchsenbuecher.de/osa.gif
http://www.XXXcvanravenswaaij.nl/osa.gif
http://www.XXXpoden.de/osa.gif
http://www.XXXportnf.com/osa.gif
http://www.XXXweb.cz/osa.gif
http://www.XXXg-sandhausen-basketball.de/osa.gif
http://www.XXXefunkiest.com/osa.gif
http://www.XXXthefunkiest.com/osa.gif
http://www.XXXeoushinn.com/osa.gif
http://www.XXXesley.ch/osa.gif

4. Deletes the following file:
mysuperprog.exe

5. Renames the following files:
CCSETMGR.EXE renamed to C1CSETMGR.EXE
CCEVTMGR.EXE renamed to CC1EVTMGR.EXE
NAVAPSVC.EXE renamed to NAV1APSVC.EXE
NPFMNTOR.EXE renamed to NPFM1NTOR.EXE
symlcsvc.exe renamed to s1ymlcsvc.exe
SPBBCSvc.exe renamed to SP1BBCSvc.exe
SNDSrvc.exe renamed to SND1Srvc.exe
ccApp.exe renamed to ccA1pp.exe
ccl30.dll renamed to cc1l30.dll
ccvrtrst.dll renamed to ccv1rtrst.dll
LUALL.EXE renamed to LUAL1L.EXE
AUPDATE.EXE renamed to AUPD1ATE.EXE
Luupdate.exe renamed to Luup1date.exe
LUINSDLL.DLL renamed to LUI1NSDLL.DLL
RuLaunch.exe renamed to RuLa1unch.exe
CMGrdian.exe renamed to CM1Grdian.exe
Mcshield.exe renamed to Mcsh1ield.exe
outpost.exe renamed to outp1ost.exe
Avconsol.exe renamed to Avc1onsol.exe
Vshwin32.exe renamed to Vshw1in32.exe
VsStat.exe renamed to Vs1Stat.exe
Avsynmgr.exe renamed to Av1synmgr.exe
kavmm.exe renamed to kav12mm.exe
Up2Date.exe renamed to Up222Date.exe
KAV.exe renamed to K2A2V.exe
avgcc.exe renamed to avgc3c.exe
avgemc.exe renamed to avg23emc.exe
zonealarm.exe renamed to zo3nealarm.exe
zatutor.exe renamed to zatu6tor.exe
zlavscan.dll renamed to zl5avscan.dll
zlclient.exe renamed to zlcli6ent.exe
isafe.exe renamed to is5a6fe.exe
cafix.exe renamed to c6a5fix.exe
vsvault.dll renamed to vs6va5ult.dll
av.dll renamed to a5v.dll
vetredir.dll renamed to ve6tre5dir.dll
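The renaming pattern above is consistent: every target keeps its original characters in order and gains one or more inserted digits, so the security product's own file names survive inside the new names. That makes the tampering easy to spot on a disk image or directory listing without a signature. The following is an added example (not code from the original entry or from any vendor): the list of known file names is copied from the entry, and the directory listing it is run against is constructed for the demonstration.

```python
"""Spot security-tool binaries that were renamed by inserting digits.

Added example, not from the original entry. KNOWN_SECURITY_FILES is the list
of rename targets the entry gives; SAMPLE_LISTING is a constructed directory
listing used to exercise the check.
"""

KNOWN_SECURITY_FILES = [
    "CCSETMGR.EXE", "CCEVTMGR.EXE", "NAVAPSVC.EXE", "NPFMNTOR.EXE",
    "symlcsvc.exe", "SPBBCSvc.exe", "SNDSrvc.exe", "ccApp.exe",
    "ccl30.dll", "ccvrtrst.dll", "LUALL.EXE", "AUPDATE.EXE",
    "Luupdate.exe", "LUINSDLL.DLL", "RuLaunch.exe", "CMGrdian.exe",
    "Mcshield.exe", "outpost.exe", "Avconsol.exe", "Vshwin32.exe",
    "VsStat.exe", "Avsynmgr.exe", "kavmm.exe", "Up2Date.exe", "KAV.exe",
    "avgcc.exe", "avgemc.exe", "zonealarm.exe", "zatutor.exe",
    "zlavscan.dll", "zlclient.exe", "isafe.exe", "cafix.exe",
    "vsvault.dll", "av.dll", "vetredir.dll",
]


def is_digit_padded_rename(original: str, candidate: str) -> bool:
    """Return True if candidate is original with one or more digits inserted.

    Windows file names are case-insensitive, so both sides are lower-cased.
    The original must appear in order inside the candidate (a subsequence),
    and every candidate character not consumed by that match must be a
    digit. Greedy left-to-right matching is sufficient for this check.
    """
    o, c = original.lower(), candidate.lower()
    if len(c) <= len(o):
        return False          # nothing inserted (or characters removed)
    i = 0                     # next index of `o` still to be matched
    inserted = 0
    for ch in c:
        if i < len(o) and ch == o[i]:
            i += 1
        elif ch.isdigit():
            inserted += 1
        else:
            return False      # a non-digit that is not part of the original
    return i == len(o) and inserted > 0


def find_tampered_security_files(listing):
    """Map each suspicious name in a directory listing to the original it hides."""
    hits = []
    for name in listing:
        for original in KNOWN_SECURITY_FILES:
            if is_digit_padded_rename(original, name):
                hits.append((name, original))
                break
    return hits


# Constructed listing: untouched tools, tampered copies and unrelated files.
SAMPLE_LISTING = [
    "ccA1pp.exe", "kav12mm.exe", "Up222Date.exe", "notepad.exe",
    "ccApp.exe", "zl5avscan.dll", "ccl30.dll", "vsvault.dll", "is5a6fe.exe",
]

if __name__ == "__main__":
    for renamed, original in find_tampered_security_files(SAMPLE_LISTING):
        print(f"{renamed}: looks like {original} with digits inserted")
```

Run against a listing of System32 and the product directories, the check reports only names that embed a known tool name with extra digits; untouched files such as ccApp.exe or ccl30.dll are ignored because nothing was inserted, and an unrelated name fails on the first non-digit that is not part of the original.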

6. Deletes the following registry values and keys:
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"Symantec NetDriver Monitor"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"ccApp"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"NAV CfgWiz"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"SSC_UserPrompt"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"McAfee Guardian"
【HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"McAfee.InstantUpdate.Monitor"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"APVXDWIN"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"KAV50"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"avg7_cc"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"avg7_emc"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"Zone Labs Client"
【HKLM\SOFTWARE\Symantec】
【HKLM\SOFTWARE\McAfee】
【HKLM\SOFTWARE\KasperskyLab】
【HKLM\SOFTWARE\Agnitum】
【HKLM\SOFTWARE\Panda Software】
【HKLM\SOFTWARE\Zone Labs】

7. Blocks the following services:
wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD


8. Blocks access to the following site addresses:
updates1.kaspersky-labs.com
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
ftp.kasperskylab.ru
ftp.avp.ch
www.kaspersky.ru
updates1.kaspersky-labs.com
updates3.kaspersky-labs.com
updates4.kaspersky-labs.com
updates2.kaspersky-labs.com
updates5.kaspersky-labs.com
downloads1.kaspersky-labs.com
www.kaspersky-labs.com
updates3.kaspersky-labs.com
downloads1.kaspersky-labs.com
www3.ca.com
ids.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
download.mcafee.com
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
www.grisoft.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
ftp.downloads2.kaspersky-labs.com
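The entry says these sites are blocked but not how. This added example (not code from the original entry or from any vendor) assumes the blocking is done by adding entries to the Windows hosts file, which the entry does not state and which is therefore an assumption; it parses a hosts file, reports any entry for one of the vendor and update hosts listed above (the hostnames are taken from the entry), and marks whether the entry points at a loopback or unspecified address, i.e. blocks outright, or redirects elsewhere. The sample hosts file is constructed for the demonstration.

```python
"""Flag hosts-file entries that pin security-vendor hosts to a sinkhole address.

Added example, not from the original entry. It assumes the worm blocks the
listed sites through the hosts file (an assumption; the entry does not say).
BLOCKED_HOSTS is a subset of the hostnames the entry lists; SAMPLE_HOSTS is a
constructed hosts file used to exercise the check.
"""
import ipaddress

BLOCKED_HOSTS = {
    "updates1.kaspersky-labs.com", "avp.com", "ca.com", "dispatch.mcafee.com",
    "download.mcafee.com", "download.microsoft.com", "f-secure.com",
    "liveupdate.symantec.com", "mcafee.com", "nai.com", "sophos.com",
    "symantec.com", "update.symantec.com", "windowsupdate.microsoft.com",
    "www.trendmicro.com", "kaspersky-labs.com",
}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text.

    Handles '#' comments, blank lines, tab or space separation and several
    hostnames on one line, all of which the Windows hosts file allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.append((address, name.lower()))
    return entries


def is_sinkhole(address):
    """True for loopback or unspecified addresses (127.0.0.1, 0.0.0.0, ::1)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_protected_host(name):
    """Exact match or subdomain of any host the entry lists as blocked."""
    return name in BLOCKED_HOSTS or any(name.endswith("." + d) for d in BLOCKED_HOSTS)


def find_hijacked_entries(hosts_text):
    """Return (hostname, address, sinkholed) for vendor hosts found in the file.

    Any explicit hosts entry for a vendor or update domain deserves review;
    the flag separates outright blocking from a redirect to another address.
    """
    return [
        (name, address, is_sinkhole(address))
        for address, name in parse_hosts(hosts_text)
        if is_protected_host(name)
    ]


# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# constructed hosts file for the demonstration
127.0.0.1       localhost
127.0.0.1\tliveupdate.symantec.com
127.0.0.1       download.mcafee.com   www.mcafee.com
0.0.0.0         updates1.kaspersky-labs.com   # blocked outright
192.0.2.10      update.symantec.com           # redirected instead
10.1.2.3        intranet.example.local
"""

if __name__ == "__main__":
    for name, address, sinkholed in find_hijacked_entries(SAMPLE_HOSTS):
        verdict = "blocked" if sinkholed else "redirected"
        print(f"{name:32} -> {address:12} ({verdict})")
```

A legitimate hosts file has no reason to carry entries for antivirus update servers or windowsupdate.microsoft.com, so any hit is worth investigating; the subdomain match catches hosts such as www.mcafee.com that the file pins under a listed parent domain, and the redirect flag highlights the more dangerous case where updates would be fetched from an attacker-chosen address rather than simply failing.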

Copyright © 2005-2009 hudong.com Ltd. All Rights Reserved. 互动在线 (Hudong Online), all rights reserved.