Win32.Hack.Agobot.bv

病毒别名：Backdoor.Agobot.v[AVP]

处理时间：

威胁级别：★★

中文名称：安哥变种BV

病毒类型：黑客程序

影响系统：Win9x/WinNT/Win2K/WinXP/Win2003

病毒行为:

安哥家族

编写工具:

vc编写,upx压缩

传染条件:

利用了DCOM RPC 漏洞和RPC溢出两个漏洞进行传播,同时也利用弱密码攻击进行传播.

发作条件:

运行后将在本机开设后门等待黑客的远程连接和控制.

系统修改:

1,拷贝自身到

%System%spoolsrv32.exe.

2,添加下列注册表键值:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices

"MS Security Hotfix"="spoolsrv32.exe"

3,在随机端口开设后门,等待黑客的连接.

4,连接预定的IRc频道,等待黑客通过irc命令进行远程控制.

5,通过TCP 135端口进行DCOM RPC(同冲击波病毒)攻击远程的其它机器,或者通过TCP 445端口进行RPC locator(同震荡波病毒)溢出攻击进行传播.

6,对局域网机器进行弱密码攻击,进而传播

用户名:

Admin

admin

Administrateur

Administrador

administrator

Administrator

qwer

asdf

win

temp

test

home

Dell

x

xyz

a

abc

aaa

Inviter

Gast

Guest

Test

Owner

owner

User

Standard

mgmt

Default

login

pc

密码:

admin

Admin

mypass

mypc

love

pwd

xxx

zxcv

yxcv

secret

foobar

god

sex

root

pat

patrick

alpha

007

123abc

1234qwer

123123

121212

111111

110

2600

2002

2003

enable

godblessyou

ihavenopass

123asd

super

Internet

computer

server

123qwe

sybase

oracle

abcd

database

passwd

pass

88888888

11111111

00000000

000000

111

54321

654321

123456789

12345678

1234567

123456

12345

1234

123

Password

password

7,偷取下列游戏的cd-key:

Warcraft III

Soldier of Fortune II - Double Helix

Neverwinter

WestwoodNox

Tiberian Sun

Red Alert 2

Red Alert

Project IGI 2

Command & Conquer Generals

Battlefield 1942 Secret Weapons of WWII

Battlefield 1942 The Road to Rome

Battlefield 1942

Rainbow Six III RavenShield

Nascar Racing 2003

Nascar Racing 2002

NHL 2003

NHL 2002

FIFA 2003

FIFA 2002

Need For Speed Hot Pursuit 2

The Gladiators

Unreal Tournament 2003

LoMaM

Counter-Strike

Half-Life

8,结束掉以下反病毒软件的进程:

WFINDV32.EXE

WEBSCANX.EXE

VSSTAT.EXE

VSHWIN32.EXE

VSECOMR.EXE

VSCAN40.EXE

VETTRAY.EXE

VET95.EXE

TDS2-NT.EXE

TDS2-98.EXE

TCA.EXE

TBSCAN.EXE

SWEEP95.EXE

SPHINX.EXE

SMC.EXE

SERV95.EXE

SCRSCAN.EXE

SCANPM.EXE

SCAN95.EXE

SCAN32.EXE

SAFEWEB.EXE

RESCUE.EXE

RAV7WIN.EXE

RAV7.EXE

PERSFW.EXE

PCFWALLICON.EXE

PCCWIN98.EXE

PAVW.EXE

PAVSCHED.EXE

PAVCL.EXE

PADMIN.EXE

OUTPOST.EXE

NVC95.EXE

NUPGRADE.EXE

NORMIST.EXE

NMAIN.EXE

NISUM.EXE

NAVWNT.EXE

NAVW32.EXE

NAVNT.EXE

NAVLU32.EXE

NAVAPW32.EXE

N32SCANW.EXE

MPFTRAY.EXE

MOOLIVE.EXE

LUALL.EXE

LOOKOUT.EXE

LOCKDOWN2000.EXE

JEDI.EXE

IOMON98.EXE

IFACE.EXE

ICSUPPNT.EXE

ICSUPP95.EXE

ICMON.EXE

ICLOADNT.EXE

ICLOAD95.EXE

IBMAVSP.EXE

IBMASN.EXE

IAMSERV.EXE

IAMAPP.EXE

FRW.EXE

FPROT.EXE

FP-WIN.EXE

FINDVIRU.EXE

F-STOPW.EXE

F-PROT95.EXE

F-PROT.EXE

F-AGNT95.EXE

ESPWATCH.EXE

ESAFE.EXE

ECENGINE.EXE

DVP95_0.EXE

DVP95.EXE

CLEANER3.EXE

CLEANER.EXE

CLAW95CF.EXE

CLAW95.EXE

CFINET32.EXE

CFINET.EXE

CFIAUDIT.EXE

CFIADMIN.EXE

BLACKICE.EXE

BLACKD.EXE

AVWUPD32.EXE

AVWIN95.EXE

AVSCHED32.EXE

AVPUPD.EXE

AVPTC32.EXE

AVPM.EXE

AVPDOS32.EXE

AVPCC.EXE

AVP32.EXE

AVP.EXE

AVNT.EXE

AVKSERV.EXE

AVGCTRL.EXE

AVE32.EXE

AVCONSOL.EXE

AUTODOWN.EXE

APVXDWIN.EXE

ANTI-TROJAN.EXE

ACKWIN32.EXE

_AVPM.EXE

_AVPCC.EXE

_AVP32.EXE

ZONEALARM.EXE

9,同时结束掉以下敌对病毒的进程:

mspatch.exe

penis32.exe

msblast.exe

scvhosl.exe

winhlpp32.exe

tftpd.exe

dllhost.exe

winppr32.exe

发作现象:

防火墙退出或失效,机器向外大量发送数据包.

特别说明:

利用两个重大漏洞进行传播