病毒名称:
TrojanProxy.Webber.20
类别: 木马病毒
病毒资料:
破坏方法:
LCC编写的木马病毒,运行后将建立一个隐藏的代理服务器,可以盗取用户的信息如:缓冲密码、用户IP地址、用户的网络访问信息
。
病毒一旦运行,将操作如下:
1、首先建立一个互斥量名为:Neher_12,保证只有一个病毒的实例运行
2、以随机文件名复制到系统目录,并释放一个动态链接库文件:
%SYSDIR%\filename1.exe
%SYSDIR%\filename2.dll
其中filename1和filename2都是随机的
3、增加如下键值来使自己随系统自启动:
HKCR\CLSID\{79FB9088-19CE-715D-D85A-216290C5B738}
InProcServer32="C:\WINDOWS\SYSTEM\Eefgikkb.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ShellServiceObjectDelayLoad Web Event Logger="{79FB9088-19CE-715D-D85A-216290C5B738}"
其中Eefgikkb.dll就是病毒释放的动态链接库文件,文件名是可变的。
4、病毒运行后将分为两部分,监听两个端口:1010和1234,一个用来建立一个隐藏的代理,另外一个则用来下载文件
5、病毒可以通过邮件传播:
包含邮件信息如下:
From:
"Account Manager"
标题:
Re: Your credit application
正文:
Dear Sir!
Thank you for your online application for a Home Equity Loan.
In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy
our minimum needs. Consequently, we regret to say that we cannot
approve you for Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that
you submitted with us. Please take a close look at it, you will receive
hard copy by mail withing next few days.
附件:
www.citybankhomeloan.htm.pif
6、此木马中包含如下信息:
Neher(HEXEP) coded by HangUP Team
(commercial version).
Greetz to: Hunk,Ares,Z0mbie,FreeHunt,SBVC,TSRH,Vecna';)
A zdes mogla bi bit vasha reklama ;)
注:
%SYSDIR% 是可变的WINDOWS系统文件夹,默认为:
C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), 或
C:\Windows\System32 (Windows XP)
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2003-12-22