Email-Worm.Win32.Bagle.bo + Bagle.bp

Email-Worm.Win32.Bagle.bo + Bagle.bp

offline
  • SVITAC 
  • Legendarni građanin
  • Pridružio: 28 Apr 2003
  • Poruke: 5919
  • Gde živiš: Beograd

Dolazi u ZIP+u veličine oko 17 KB'a, sa ili bez naslova u poruci.
Crv skida novije verzije sa neta, (Bagle.bp).

Instalira se na sistem pod nazivima:
Citat:
%System%\winshost.exe
%System%\wiwshost.exe


I dodaje ključeve u reg.bazu:
Citat:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%System%\winshost.exe"


Crv sprečava pristup sledećim sajtovima:

Citat:127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com/updates
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-us2.kaspersky-labs.com
127.0.0.1 downloads-us3.kaspersky-labs.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 ftp.avp.ch
127.0.0.1 ftp.downloads2.kaspersky-labs.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.kasperskylab.ru
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 ids.kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 localhost
127.0.0.1 mast.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com/updates
127.0.0.1 updates4.kaspersky-labs.com
127.0.0.1 updates5.kaspersky-labs.com
127.0.0.1 us.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com


I sprečava pokretanje sledećih programa u slučaju da ih imate instalirane,
zapravo briše sledeće ključeve:

Citat:[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\Zone Labs]


----------------------------------------------------------------------------------

Twisted Evil - primetio sam ga u poruci koju sam dobio ali mi nije jasno kako sam ga pokrenuo ..
sve u svemu ugasio mi kav i svukao i .bp verziju.

Dovoljno je da izbrišete iz startupa procese i obrišete fajlove ..
winshost.exe
wiwshost.exe

U slučaju da vam je svukao novu verziju potrebno je izbrisati je iz keša vašeg browsera.

Crvić je detektovan 31.5.05. pa je potrebno da izvršite i update vašeg AV programa.



Registruj se da bi učestvovao u diskusiji. Registrovanim korisnicima se NE prikazuju reklame unutar poruka.
offline
  • Pridružio: 18 Apr 2003
  • Poruke: 5001
  • Gde živiš: Beograd

Autor se bas potrudio sa onom listom sajtova Smile



offline
  • Pridružio: 19 Mar 2005
  • Poruke: 146
  • Gde živiš: undernet.org

Bone Collector ::Autor se bas potrudio sa onom listom sajtova Smile

to je odavno tako Smile ta lista se moze naci bilo gde na netu...
ali je jedino problem u tome sto takodje AV vendori mogu da dodju do
te liste,pa ne znam bas koliko je delotvorna Smile ali ...

sve se da probati

Ko je trenutno na forumu
 

Ukupno su 1009 korisnika na forumu :: 34 registrovanih, 6 sakrivenih i 969 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: 357magnum, avijacija, babaroga, Bane san, Battlehammer, bigfoot, bojan_t, Boris90, crnitrn, djboj, DPera, FOX, Frunze, Georgius, goxin, Hans Gajger, joca83, JOntra, Komentator, kybonacci, ladro, Marko Marković, milutin134, moldway, nebkv, oldtimer, Petarvu, Povratak1912, predragc, Simon simonović, stegonosa, suton, VJ, wizzardone