病毒名称:
Worm.Novarg.h
类别: 蠕虫
病毒资料:
破坏方法:
病毒:"SCO炸弹"变种
一个蠕虫病毒
病毒行为:
病毒运行时会在%Temp%目录中生成一个内容为随机数据的文件,并自动调用记事本程序来打开它,从而显示一些伪装信息。
注意:%Temp%是一个变量,它指的是操作系统安装目录中的临时目录,默认是:
“C:\Windows\temp”或:“c:\Winnt\temp”。
病毒运行时会修改注册表:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32和
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32,
使其指向一个病毒自己释放的dll文件。
病毒还在HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run中加入自己的键值
病毒运行时会释放后门程序为:%System%\ “随机字符.dll
注意:%system%是一个变量,它指的是操作系统安装目录中的系统目录,默认是:
“C:\Windows\system”或:“c:\Winnt\system32”。
病毒体内带有一段文字:
To netsky's creator(s):
imho, skynet is a decentralized peer-to-peer neural network.
we have seen P2P in Slapper in Sinit only. they may be called skynets,
but not your shitty app
DDos攻击:
病毒建立随机个线程启动对symantec.com发动Ddos攻击。
病毒运行时将会从以下扩展名:
.xls,.jpg,.avi,.wma,.mp4,.mp3,.wav,.wab,.mht,.adb,.tbb,.uin .rtf.,mbx,.eml,.mmf,.nch,.mbx,.ASP,.pl,.sht,.PHP.的文件中搜索email
地址(病毒将避开.edu结尾的email地址),并向这些地址发送病毒邮件。
病毒将终止带有下列字眼的进程:
"hotactio"
"sperm"
"fUCk"
"porn"
"penis"
"pussy"
"taskmo"
"taskmg"
"reged"
"beagle"
"wkufind"
"intren"
"click"
"updat"
"upgrad"
"utpost."
"avwupd"
"avpupd"
"d3du"
并删除如下文件:
"adaware.exe"
"alevir.exe"
"arr.exe"
"backweb.exe"
"bargains.exe"
"belt.exe"
"blss.exe"
"bootconf.exe"
"bpc.exe"
"brasil.exe"
"bundle.exe"
"bvt.exe"
"cfd.exe"
"cmd32.exe"
"cmesys.exe"
"datemanager.exe"
"dcomx.exe"
"divx.exe"
"dllcache.exe"
"dllreg.exe"
"dpps2.exe"
"dssagent.exe"
"emsw.exe"
"eXPlore.exe"
"fsg_4104.exe"
"gator.exe"
"gmt.exe"
"hbinst.exe"
"hbsrv.exe"
"hotfix.exe"
"hotpatch.exe"
"htpatch.exe"
"hxdl.exe"
"hxiul.exe"
"idle.exe"
"iedll.exe"
"iedriver.exe"
"iexplorer.exe"
"inetlnfo.exe"
"infus.exe"
"infwin.exe"
"intdel.exe"
"init.exe"
"isass.exe"
"istsvc.exe"
"jdbgmrg.exe"
"kazza.exe"
"keenvalue.exe"
"kernel32.exe"
"launcher.exe"
"lnetinfo.exe"
"loader.exe"
"mapisvc32.exe"
"md.exe"
"mfin32.exe"
"mmod.exe"
"mostat.exe"
"msapp.exe"
"msbb.exe"
"msblast.exe"
"msdos.exe"
"mscache.exe"
"msccn32.exe"
"mscman.exe"
"msdm.exe"
"msiexec16.exe"
"mslaugh.exe"
"msmgt.exe"
"msmsgri32.exe"
"msrexe.exe"
"mssys.exe"
"msvxd.exe"
"netd32.exe"
"nssys32.exe"
"nstask32.exe"
"nsupdate.exe"
"onsrvr.exe"
"optimize.exe"
"patch.exe"
"pgmonitr.exe"
"powerscan.exe"
"prizesurfer.exe"
"prmt.exe"
"prmvr.exe"
"ray.exe"
"rb32.exe"
"rcsync.exe"
"run32dll.exe"
"rundll.exe"
"rundll16.exe"
"ruxdll32.exe"
"sahagent.exe"
"save.exe"
"savenow.exe"
"sc.exe"
"scam32.exe"
"scrsvr.exe"
"scvhost.exe"
"service.exe"
"servlce.exe"
"servlces.exe"
"showbehind.exe"
"smss32.exe"
"soap.exe"
"spoler.exe"
"spoolcv.exe"
"spoolsv32.exe"
"srng.exe"
"start.exe"
"stcloader.exe"
"support.exe"
"svc.exe"
"sms.exe"
"svchosts.exe"
"svchostc.exe"
"svshost.exe"
"system.exe"
"sysupd.exe"
"system32.exe"
"teekids.exe"
"trickler.exe"
"tsadbot.exe"
"tvmd.exe"
"tvtmd.exe"
"webdav.exe"
"w
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2004-3-4
