病毒类型: 邮件蠕虫、漏洞蠕虫、黑客、后门
病毒类型: 蠕虫、木马
受影响系统:Win9x/WinNT/Win2K/WinXP/Win2003
破坏方式:
A、使用自带的SMTP引擎大量发送病毒邮件,浪费大量网络资源,并可导致中小型邮件服务器极不稳定;
B、中止被感染系统中的大量安全软件,使系统安全性下降;
C、安装木马,木马下载病毒;
D、在被感染的机器上开后门端口TCP 80和UDP 80,该端口可被利用转发邮件;
E、通过P2P软件及局域网进行传播。
发作现象:
A、结束以下安全相关进程:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
B、从以下网站下载一个文件到%SystemRoot%\_re_file.exe,并执行
allianzsp.sk
coolweb.psg.sk
cryofthespirit.com
dollypop.com
execpage.com
helpdemos.com
helpingyouth.org
jamesbronner.com
koti.pl
miracle.v6.cz
mountainwings.com
mountainwings4.com
naturalpros.com
oracal.pl
shock.evernet.com.pl
SportLine.go.ro
stroipolymer.ru
theonlineword.com
virtualchurch.com
visionforsouls.org
wingsoverlife.com
www.1800thewoman.com
www.1944.pl
www.45partsdepot.com
www.7pe.friko.pl
www.air-computers.com.ar
www.ametist.spb.ru
www.apodis.pl
www.arrasy.pl
www.arthurspeaks.com
www.astermed.pl
www.atomique.pl
www.atw.hu
www.avatar.ee
www.avers.com.pl
www.baltexpo.spb.ru
www.bomart.cz
www.bravo.gliwice.pl
www.bronnerbros.com
www.buycare.com
www.cumparacd.go.ro
www.da-rom.co.il
www.domu.net
www.eastandard.co.ke
www.elblu.republika.pl
www.elcorsy.com
www.elite-style.com
www.enduser1.fast.net
www.enitex.by
www.enitex-m.by
www.eris.pl
www.europharm.pl
www.extreme-racing.lg.ua
www.fotel.pl
www.fotolab.sk
www.frater.hu
www.gardameditech.com
www.generex.de
www.goldgates.com
www.goodboy.dem.ru
www.hards.pl
www.healthcometh.com
www.holz-studio.at
www.ibplus.sk
www.icpnet.pl
www.icpnet.pl
www.inlan.sk
www.jamesbronner.com
www.jbplus.cz
www.justmatchit.com
www.kubtelecom.ru
www.kuda.com.ua
www.lacittadifiorenzuola.it
www.lotusdog.net
www.ltvo.spb.ru
www.master.pl
www.members.aon.at
www.moteplassen1.com
www.mountainwings2.com
www.multifoto.sk
www.nadodrze.pl
www.nairobiwebspace.com
www.nameitright.com
www.nardo.bbe.pl
www.netland.gda.pl
www.netta.pl
www.nikola.piwko.pl
www.ntrlab.com
www.nustep.sk
www.octava.pl
www.odevnictvo.sk
www.oftza.friko.pl
www.oktbroiler.ru
www.online40.com
www.online50.com
www.oto.lv
www.pancoopzsv.co.yu
www.pay5495.com
www.pc-hard.com.ua
www.perfect-beauty.at
www.pharmag.pl
www.polsl.katowice.pl
www.prophetcollins.com
www.propi.cz
www.pursuit.rv.ua
www.pyrlandia-boogie.pl
www.quatro.sk
www.r-bazar.ru
www.roszkowski.pl
www.silvic.ro
www.sincron.go.ro
www.skylive.pl
www.smgkrc.pl
www.soulring.com
www.star-max.it
www.sunbud.com.pl
www.swez.net
www.system5electronics.com
www.tcvwebtv.com.ar
www.thewoman.com
www.tivis.cz
www.ukpl.pl
www.vacation-network.net
www.wyspian.iap.pl
www.zasada-rowery.pl
C、尝试在以下扩展名文件中搜索邮件地址:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml。
D、病毒发送的邮件附件为fotos.zip。
技术特点:
A、在注册表主键"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n"下添加如下键值:"erthgdr"=""%System%\windll.exe"
B、在"%SYSTEM%"目录下,添加如下文件:"windll.exe"
C、在"%SYSTEM%"目录下,添加如下文件:"windll.exeopen"
D、在"%SYSTEM%"目录下,添加如下文件:"windll.exeopenopen"
E、创建以下互斥体来防止netsky及其变种的感染
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
F、在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
与HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
service
G、复制自身到包含"shar"字符串的目录下,病毒文件名可能为以下之一:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
H、在系统目录下创建文件
Doriot.exe
Gdqfw.exe (该EXE其实为一个DLL文件)
I、在注册表项HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
与HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下增加值
"wersds" = "%System%\doriot.exe"
J、把Gdqfw.exe注入到Explorer.exe进程中
K、停止以下服务,并把启动类型改为"禁止"
Windows XP Service Pack 2为: Windows Firewall/Internet Connection Sharing (ICS)
Windows XP Service Pack 1 及以前的为:Internet Connection Firewall (ICF)
/ Internet Connection Sharing (ICS)
Windows 2000为:Internet Connection Sharing (ICS)
