Virus information: W32/Bagle.FC-mm
Basic information

Virus name: W32/Bagle.FC-mm
Type: Trojan
Length: 35307
Threat level: 2
Capture date: 2006-02-15
Other aliases: Email-Worm.Win32.Bagle.fc (KAV), WORM_BAGLE.FC (Trend), W32.Beagle.DU (Norton)
Affected systems: Windows 98/Me, Windows 2K, Windows XP
Symptoms

1. The system responds noticeably more slowly.
2. The following files exist:
   %SYSTEM%\anti_troj.exe
   %SYSTEM%\winlog.dll
   %SYSTEM%\winlog.exe
   %TEMP%\~{RANDOM NUMBER}.tmp
   %TEMP%\~{RANDOM NUMBER}.exe
   %TEMP%\~{RANDOM NUMBER+1}.tmp
   %TEMP%\~{RANDOM NUMBER+1}.exe
   Note: {RANDOM NUMBER} is a random number.
3. The folder %SYSTEM%\exefld\ exists.
4. The processes winlog.exe and ~{RANDOM NUMBER+1}.exe appear in the process list.
Behavior analysis

1. This is a PE virus packed with Yoda's Crypter; the packed file is 35,307 bytes long.
2. It creates the following files:
   %SYSTEM%\anti_troj.exe (a copy of %TEMP%\~{RANDOM NUMBER+1}.exe)
   %SYSTEM%\winlog.dll (dropped file, detected by Fortinet as W32/Bagle.FC!tr)
   %SYSTEM%\winlog.exe (a copy of %TEMP%\~{RANDOM NUMBER}.exe)
   %TEMP%\~{RANDOM NUMBER}.tmp (clean 0-byte file)
   %TEMP%\~{RANDOM NUMBER}.exe (dropped file, detected by Fortinet as W32/Bagle.FC!tr)
   %TEMP%\~{RANDOM NUMBER+1}.tmp (clean 0-byte file)
   %TEMP%\~{RANDOM NUMBER+1}.exe (dropped file, detected by Fortinet as W32/Bagle.Y!dldr)
   Note: {RANDOM NUMBER} is a random number.
3. It creates the following registry values:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "anti_troj"="%SYSTEM%\anti_troj.exe"
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "anti_troj"="%SYSTEM%\anti_troj.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "key2"="%SYSTEM%\winlog.exe"
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "key2"="%SYSTEM%\winlog.exe"
4. It terminates the following security-related processes:
   ashAvast.exe, ashDisp.exe, ashEnhcd.exe, ashPopWz.exe, ashShA64.dll, ashSimpl.exe, ashSkPck.exe, ashWebSv.exe, AUPDATE.EXE, Avconsol.exe, avgcc.exe, AVGCMSG.DLL, avgemc.exe, AVGNT.EXE …… (only part of the list is shown because it is too long)
5. It stops the following security-related services:
   alerter, AlertManger, AntiVir Service, aswUpdSv, Ati HotKey Poller, avast! Antivirus, AVEService, AVExch32Service, avg7alrt, avg7updsvc, AvgCore, AvgFsh, AvgServ, AVIRAMailService, AVIRAService, avpcc, AVUPDService …… (only part of the list is shown because it is too long)
6. It deletes files whose names contain the following strings:
   "\ashAvast.exe", "\ashDisp.exe", "\ashEnhcd.exe", "\ashPopWz.exe", "\ashShA64.dll", "\ashSimpl.exe", "\ashSkPck.exe", "\ashWebSv.exe", "\AUPDATE.EXE", "\Avconsol.exe", "\avgcc.exe", "\AVGCMSG.DLL", "\avgemc.exe", "\AVGNT.EXE", "\AVSCHED32.DLL", "\AVSCHED32.EXE", "\Avsynmgr.exe", "\AVWUPD32.EXE", "\BCGCB59.dll", "\bdmcon.exe", "\bdnews.exe", "\bdsubmit.exe", "\bdswitch.exe", "\cafix.exe" …… (only part of the list is shown because it is too long)
7. It blocks access to the following security-related domains:
   upgrade.bitdefender.com, report.bitdefender.com, ad.fastclick.net, ads.fastclick.net, ar.atwola.com, atdmt.com, avp.ch, avp.com, avp.ru, awaps.net, banner.fastclick.net, banners.fastclick.net, ca.com, www.ca.com, click.atdmt.com, clicks.atdmt.com …… (only part of the list is shown because it is too long)
8. It deletes the following security-related registry entries:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Symantec NetDriver Monitor
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ccApp
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NAV CfgWiz
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SSC_UserPrompt
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, McAfee Guardian
   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, McAfee.InstantUpdate.Monitor
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, APVXDWIN
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, KAV50
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, avg7_cc
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, avg7_emc
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Zone Labs Client
   HKLM\SOFTWARE\Symantec
   HKLM\SOFTWARE\McAfee
   HKLM\SOFTWARE\KasperskyLab
   HKLM\SOFTWARE\Agnitum
   HKLM\SOFTWARE\Panda Software
   HKLM\SOFTWARE\Zone Labs
   HKLM\SOFTWARE\Trend Micro
Removal

1. Terminate the processes associated with the virus.
2. Delete the following files:
   %SYSTEM%\anti_troj.exe
   %SYSTEM%\winlog.dll
   %SYSTEM%\winlog.exe
   %TEMP%\~{RANDOM NUMBER}.tmp
   %TEMP%\~{RANDOM NUMBER}.exe
   %TEMP%\~{RANDOM NUMBER+1}.tmp
   %TEMP%\~{RANDOM NUMBER+1}.exe
3. Delete the following registry values:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "anti_troj"="%SYSTEM%\anti_troj.exe"
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "anti_troj"="%SYSTEM%\anti_troj.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "key2"="%SYSTEM%\winlog.exe"
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "key2"="%SYSTEM%\winlog.exe"
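A read-only triage script that checks a host for the artifacts this write-up lists (dropped files, the exefld folder, the "anti_troj" and "key2" Run values, and the named processes) before any removal is attempted. It is an added example, not part of the original write-up or a Fortinet tool, and it assumes PowerShell is available on the host being examined; the %TEMP% file-name pattern is derived from the {RANDOM NUMBER} placeholders above.

```powershell
# Added example: report W32/Bagle.FC indicators without changing anything.
$sys  = [Environment]::GetFolderPath('System')   # %SYSTEM%
$temp = [IO.Path]::GetTempPath()                 # %TEMP%
$findings = @()

# Dropped files in %SYSTEM% and the exefld folder named in the symptoms section
foreach ($name in 'anti_troj.exe', 'winlog.dll', 'winlog.exe') {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}
$fld = Join-Path $sys 'exefld'
if (Test-Path -LiteralPath $fld -PathType Container) { $findings += "folder: $fld" }

# ~{number}.tmp / ~{number}.exe pairs in %TEMP%; the number is random, so match the shape.
# The write-up says the .tmp files are 0 bytes, so the size is reported to help confirm.
Get-ChildItem -LiteralPath $temp -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^~\d+\.(tmp|exe)$' } |
    ForEach-Object { $findings += "temp file: $($_.FullName) ($($_.Length) bytes)" }

# Persistence: Run values "anti_troj" and "key2" under both HKLM and HKCU
foreach ($hive in 'HKLM', 'HKCU') {
    $run  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $vals = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    foreach ($v in 'anti_troj', 'key2') {
        if ($vals -and $vals.PSObject.Properties[$v]) {
            $findings += "registry: $run\$v = $($vals.$v)"
        }
    }
}

# Running processes: winlog.exe and the ~{number}.exe dropper
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -eq 'winlog' -or $_.ProcessName -match '^~\d+$' } |
    ForEach-Object { $findings += "process: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) {
    'No W32/Bagle.FC artifacts found.'
} else {
    'Possible W32/Bagle.FC artifacts (investigate before removal):'
    $findings | ForEach-Object { "  $_" }
}
```

A lone ~{number}.tmp in %TEMP% can be a legitimate temporary file; the distinctive sign is the 0-byte .tmp beside a same-numbered .exe together with the Run values, so treat the output as leads for the removal steps above rather than as a verdict.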