03/16/2004

 

Beagle worm continues to produce new variants
Users should be wary of .pif, .zip, .rar e-mail attachments about 45 KB in size


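The Beagle worm has now developed the ability to infect .exe files, and users should watch for it evolving into variants with destructive behaviour. The best way to avoid infection is to be careful with e-mail attachments named *.pif, *.exe, *.com, *.scr, or *.lnk. Even when the worm's attachment is a *.zip or *.rar, do not run the extracted files directly if they have any of the extensions above.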
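The attachment rule above can be applied automatically at a mail gateway or on a saved attachment. The following Python sketch is an added example, not part of the original advisory; the function names and the sample archive are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the advisory says not to run directly.
RISKY_EXTS = {".pif", ".exe", ".com", ".scr", ".lnk"}


def extension(name):
    """Final extension, lower-cased; Windows ignores trailing dots and spaces."""
    cleaned = name.replace("\\", "/").rstrip(" .")
    return PurePosixPath(cleaned).suffix.lower()


def check_attachment(filename, data):
    """Return findings for one attachment (hypothetical helper, not from the page)."""
    findings = []
    ext = extension(filename)
    if ext in RISKY_EXTS:
        findings.append(filename)
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                # namelist() reads the archive directory; nothing is extracted or run.
                for member in archive.namelist():
                    if extension(member) in RISKY_EXTS:
                        findings.append(f"{filename}!{member}")
        except zipfile.BadZipFile:
            findings.append(f"{filename} (unreadable archive)")
    elif ext == ".rar":
        # The standard library cannot read RAR; hand it to a scanner instead.
        findings.append(f"{filename} (archive not inspected)")
    return findings


def build_sample_zip():
    """Constructed sample: a harmless in-memory zip with made-up member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "constructed sample")
        archive.writestr("details.pif", "constructed sample, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_attachment("message.zip", build_sample_zip()))
    print(check_attachment("Serials.txt.exe", b""))
```

Only the final extension is compared, so double-extension names such as Serials.txt.exe are flagged as .exe.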

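For applications downloaded through P2P software (such as Kazaa, eDonkey, etc.) whose names match any of the following, pay attention to the file size, and scan the download with antivirus software before running it; both steps lower the chance of infection. The application names used by the worm are: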
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

Beagle variant worm e-mail:
Subject:
Password: %s
Pass - %s
Password - %s
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
E-mail technical support message.
E-mail technical support warning.
Email report
Important notify
Account notify
E-mail warning
Notify from e-mail technical support.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
Note: %s stands for a random number.

Body:
Dear user of %s ,
Dear user of %s e-mail server gateway,
Dear user of "%s " mailing server,
Dear user of "%s " mailing domain,
Dear user of "%s " domain,
Dear user of e-mail server "%s ",
Hello user of %s e-mail server,
Dear user of "%s " mailing system,
Dear user, the management of %s
Note: %s stands for the domain of the e-mail address.

Attachment: may appear as .pif, .zip, .rar, etc.

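Beagle variant worm behaviour:
1. Sends out worm e-mail in large volume.
2. Once executed, the worm copies itself to Windows\System\winupd.exe (Winnt\System32\winupd.exe on 2000/XP/NT systems).
3. Modifies the registry so that the worm starts at boot.
4. After running, the worm tries to shut down the resident processes of some security software.
5. Tries to infect *.exe files on the system.
6. Copies itself into directories on the system whose names contain "shar", posing under application names.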