Aliases: W32/Dabber-A [Sophos], W32/Dabber.worm.a [McAfee], WORM_DABBER.A [Trend]
Processed on: 2004-06-08
Threat level: ★
Chinese name:
Type: Worm
Affected systems: Windows 2000, Windows XP
Behaviour:
Written with:
Written in VC, packed with UPX
Infection conditions:
Trigger conditions:
System modifications:
1. Opens the mutex sas4dab so that only one copy of the worm runs at a time.
2. Copies itself to
%System%\package.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe
%Windir%\All Users\Main menu\Programs\StartUp\package.exe
so that it is launched automatically at startup.
3. Adds the value
"sassfix"="%System%\package.exe"
to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Deletes the following values:
Video
Microsoft Update
from the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and the values:
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
avserve2.exe
avvserrve32
avserve
Taskmon
Gremlin
from the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and the values:
Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
skynetave.exe
Generic Host Service
Windows Drive Compatibility
windows
from the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also deletes the key
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
4. The worm opens a backdoor on the infected machine on port 9898, through which an attacker can control the machine.
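As an added defender's check that is not part of the original entry, the following PowerShell script looks for the indicators listed under System modifications: the package.exe copies, the sassfix Run value, the sas4dab mutex, and a listener on port 9898 (it assumes the backdoor listens on TCP). It only reports; it removes nothing.

```powershell
# Added example: read-only check for W32/Dabber-A indicators on the local host.
$findings = @()

# 1. Mutex sas4dab: OpenExisting succeeds only if a process has created it.
try {
    ([System.Threading.Mutex]::OpenExisting('sas4dab')).Dispose()
    $findings += 'mutex sas4dab is present (worm process likely running)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present: nothing to report
}

# 2. Dropped copies of package.exe (paths as listed in the advisory).
$system = [Environment]::GetFolderPath('System')
$paths = @(
    (Join-Path $system 'package.exe'),
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe',
    (Join-Path $env:WINDIR 'All Users\Main menu\Programs\StartUp\package.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 3. The "sassfix" autorun value under HKLM\...\Run.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['sassfix']) {
    $findings += "Run value sassfix -> $($run.sassfix)"
}

# 4. Backdoor listener on port 9898 (assumed TCP). Get-NetTCPConnection exists on
# Windows 8 / Server 2012 and later; on older hosts use: netstat -ano | findstr :9898
$listeners = Get-NetTCPConnection -LocalPort 9898 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $findings += "port 9898 listening, owning PID $($l.OwningProcess)"
}

if ($findings.Count -eq 0) { 'No Dabber-A indicators found.' } else { $findings }
```

Run it from an elevated prompt so the Run key and the process list are fully readable; any line of output is an indicator worth following up with the vendor's removal guidance.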
Symptoms:
Notes: