Worm.Beagle.bf

Worm.Beagle.bf is a worm. Once running it injects itself into Explorer.exe, blocks the user from reaching certain websites, prevents the user from starting certain services, moves files on the system, modifies the registry, and downloads and runs malicious programs from the Internet.

Overview

Virus alias:
Handling time:
Threat level: ★★
Chinese name: 惡鷹變種BF (Evil Eagle variant BF)
Virus type: Worm
Affected systems: Win9x / WinNT

Virus behaviour

1. Execution
Creates winshost.exe and wiwshost.exe in the system's System32 directory.
wiwshost.exe is injected into the Explorer.exe process.
The following value is added to the registry so the worm runs at every logon:
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"winshost.exe" - "C:\WINNT\System32\winshost.exe"
2. Enumerates the running processes and forcibly terminates the following (mostly anti-virus updaters and firewalls):
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
3. Downloads a file from the following addresses and executes it:
4. Deletes the following file:
mysuperprog.exe
5. Renames the following security-product files so they can no longer be started:
ccsetmgr.exe renamed to C1CSETMGR.EXE
CCEVTMGR.EXE renamed to CC1EVTMGR.EXE
NAVAPSVC.EXE renamed to NAV1APSVC.EXE
NPFMNTOR.EXE renamed to NPFM1NTOR.EXE
symlcsvc.exe renamed to s1ymlcsvc.exe
SPBBCSvc.exe renamed to SP1BBCSvc.exe
SNDSrvc.exe renamed to SND1Srvc.exe
ccapp.exe renamed to ccA1pp.exe
ccl30.dll renamed to cc1l30.dll
ccvrtrst.dll renamed to ccv1rtrst.dll
LUALL.EXE renamed to LUAL1L.EXE
AUPDATE.EXE renamed to AUPD1ATE.EXE
Luupdate.exe renamed to Luup1date.exe
LUINSDLL.DLL renamed to LUI1NSDLL.DLL
RuLaunch.exe renamed to RuLa1unch.exe
CMGrdian.exe renamed to CM1Grdian.exe
Mcshield.exe renamed to Mcsh1ield.exe
outpost.exe renamed to outp1ost.exe
Avconsol.exe renamed to Avc1onsol.exe
Vshwin32.exe renamed to Vshw1in32.exe
VsStat.exe renamed to Vs1Stat.exe
Avsynmgr.exe renamed to Av1synmgr.exe
kavmm.exe renamed to kav12mm.exe
Up2Date.exe renamed to Up222Date.exe
KAV.exe renamed to K2A2V.exe
avgcc.exe renamed to avgc3c.exe
avgemc.exe renamed to avg23emc.exe
zonealarm.exe renamed to zo3nealarm.exe
zatutor.exe renamed to zatu6tor.exe
zlavscan.dll renamed to zl5avscan.dll
zlclient.exe renamed to zlcli6ent.exe
isafe.exe renamed to is5a6fe.exe
cafix.exe renamed to c6a5fix.exe
vsvault.dll renamed to vs6va5ult.dll
av.dll renamed to a5v.dll
vetredir.dll renamed to ve6tre5dir.dll
6. Deletes the following registry values and keys (removing the security products' own autostart entries and configuration):
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"Symantec NetDriver Monitor"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"ccApp"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"NAV CfgWiz"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"SSC_UserPrompt"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"McAfee Guardian"
【HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"McAfee.InstantUpdate.Monitor"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"APVXDWIN"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"KAV50"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"avg7_cc"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"avg7_emc"
【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run】
"Zone Labs Client"
【HKLM\SOFTWARE\Symantec】
【HKLM\SOFTWARE\McAfee】
【HKLM\SOFTWARE\kasperskyLab】
【HKLM\SOFTWARE\Agnitum】
【HKLM\SOFTWARE\Panda Software】
【HKLM\SOFTWARE\Zone Labs】
7. Stops the following services (Windows Update, the Windows firewall / Internet Connection Sharing service, and security-product services):
wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD
8. Blocks access to the following website addresses (anti-virus vendor update sites and Microsoft update sites):

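A defender-side check built from the indicators in steps 1 and 5 above. This is an added example, not code from the original page: the Run value, dropped file names and renamed file names come from the page, while the input format, the function names and the sample data are assumptions.

```python
"""Offline check for the Worm.Beagle.bf host indicators listed above.

The functions take data that has already been collected (Run-key values,
file names) so they run anywhere; on a live Windows host the same inputs
would come from winreg on the Run key and os.listdir on System32 and the
security product's install directory.
"""

# Persistence value the worm adds under HKLM\...\CurrentVersion\Run
RUN_VALUE = "winshost.exe"
# Files it creates in System32
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}
# Security-product files it renames (original -> new name), a subset of
# the page's list; compared case-insensitively
RENAMED = {
    "ccsetmgr.exe": "c1csetmgr.exe", "ccevtmgr.exe": "cc1evtmgr.exe",
    "navapsvc.exe": "nav1apsvc.exe", "ccapp.exe": "cca1pp.exe",
    "luall.exe": "lual1l.exe", "mcshield.exe": "mcsh1ield.exe",
    "kav.exe": "k2a2v.exe", "zonealarm.exe": "zo3nealarm.exe",
    "zlclient.exe": "zlcli6ent.exe", "isafe.exe": "is5a6fe.exe",
}


def check_run_key(run_values):
    """run_values: dict of Run value name -> command line (assumed format)."""
    findings = []
    cmd = run_values.get(RUN_VALUE, "")
    if cmd.lower().rstrip('"').endswith("\\system32\\winshost.exe"):
        findings.append(f"persistence: Run\\{RUN_VALUE} = {cmd}")
    return findings


def check_files(file_names):
    """file_names: names (any case) found in System32 and AV directories."""
    names = {n.lower() for n in file_names}
    findings = [f"dropped file: {f}" for f in sorted(DROPPED_FILES & names)]
    for orig, new in RENAMED.items():
        # The worm renames the file, so the original name disappears
        if new in names and orig not in names:
            findings.append(f"security binary renamed: {orig} -> {new}")
    return findings


if __name__ == "__main__":
    # Constructed sample of an infected host
    run = {"winshost.exe": r"C:\WINNT\System32\winshost.exe"}
    files = ["kernel32.dll", "winshost.exe", "WIWSHOST.EXE", "C1CSETMGR.EXE"]
    for line in check_run_key(run) + check_files(files):
        print(line)
```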