Virus name:
Worm.Cissi.c
Category: Worm
Virus details:
Method of damage:
This virus is a worm that spreads via e-mail and by guessing weak IPC passwords. It is written in Delphi and packed with UPX.
Once run, the virus copies itself to the following location:
%SYSDIR%\Cissi.exe
The virus may also copy itself to the following directories:
\Documents and Settings\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\WINNT\Profiles\All Users\Start Menu\Programs\Startup
If the operating system is Windows 95/98/Me, the virus modifies the file System.ini so that it starts automatically.
If the operating system is Windows NT/2000/XP/2003, the virus still modifies the file System.ini, but this does not make it start automatically.
Backdoor:
This virus is an IRC bot. It connects to the IRC server irc.undernet.org and logs into the IRC channel #TCow cow under a certain nickname; once the connection succeeds, the virus waits for commands from the server.
Network propagation:
The virus guesses weak IPC passwords. The user name and password combinations it tries are:
User names:
"Guest"
"Administrator"
"Owner"
"Root"
Passwords:
"1234"
"passWord"
"6969"
"harley"
"123456"
"golf"
"pussy"
"mustang"
"1111"
"shadow"
"1313"
"fish"
"5150"
"7777"
"qwerty"
"baseball"
"2112"
"letmein"
"12345678"
"12345"
"ccc"
"admin"
"Admin"
"Password"
"1"
"12"
"123"
"1234567"
"123456789"
"654321"
"54321"
"111"
"000000"
"abc"
"pw"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"abc123"
"pass"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"0"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"alpha"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"a"
"aaa"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"Foobar"
"secret"
"abc"
"test"
"test123"
"temp"
"temp123"
"win"
"pc"
"asdf"
"Oracle'pwd"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"pw123"
"love"
"mypc"
"mypc123"
"admin123"
"mypass"
"mypass123"
"901100"
Once a guess succeeds, the virus copies itself to that system and uses a scheduled task to start the virus remotely.
The virus also copies its body to any mapped network drive on which it has write permission.
The virus also spreads via e-mail:
The e-mails it sends have the following characteristics:
From: Cissi
Subject:
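The IPC guessing described above only works against accounts whose password is in the worm's fixed list. The following added example (not code from the advisory or from the anti-virus vendor) turns that list into a password-policy check: it flags any account whose password the worm would guess, with a higher severity when the account name is also one the worm targets. The user names and passwords are copied from the list above; the account records are constructed sample data, and the severity levels are this example's own convention.

```python
"""Audit credentials against the Worm.Cissi.c IPC guessing dictionary.

Added example, not part of the original advisory. CISSI_USERNAMES and
CISSI_PASSWORDS are the lists given in the advisory; SAMPLE_ACCOUNTS is
constructed sample data.
"""

# User names the worm tries, as listed in the advisory.
CISSI_USERNAMES = ["Guest", "Administrator", "Owner", "Root"]

# Passwords the worm tries, as listed in the advisory. "pass" and "abc"
# appear twice in the original list; a set removes the duplicates.
CISSI_PASSWORDS = {
    "1234", "passWord", "6969", "harley", "123456", "golf", "pussy", "mustang",
    "1111", "shadow", "1313", "fish", "5150", "7777", "qwerty", "baseball",
    "2112", "letmein", "12345678", "12345", "ccc", "admin", "Admin", "Password",
    "1", "12", "123", "1234567", "123456789", "654321", "54321", "111", "000000",
    "abc", "pw", "11111111", "88888888", "pass", "passwd", "database", "abcd",
    "abc123", "sybase", "123qwe", "server", "computer", "Internet", "super",
    "123asd", "0", "ihavenopass", "godblessyou", "enable", "xp", "2002", "2003",
    "2600", "alpha", "110", "111111", "121212", "123123", "1234qwer", "123abc",
    "007", "a", "aaa", "patrick", "pat", "administrator", "root", "sex", "god",
    "Foobar", "secret", "test", "test123", "temp", "temp123", "win", "pc",
    "asdf", "Oracle'pwd", "qwer", "yxcv", "zxcv", "home", "xxx", "owner",
    "login", "Login", "pw123", "love", "mypc", "mypc123", "admin123", "mypass",
    "mypass123", "901100",
}

# Case-folded copies for the stricter checks below.
_PASSWORDS_FOLDED = {p.casefold() for p in CISSI_PASSWORDS}
_USERNAMES_FOLDED = {u.casefold() for u in CISSI_USERNAMES}


def password_in_worm_list(password: str) -> bool:
    """Exact match: the worm sends these strings verbatim, so case matters."""
    return password in CISSI_PASSWORDS


def password_in_worm_list_any_case(password: str) -> bool:
    """Stricter policy check: also reject any case variant of a listed
    password, so a trivially different variant of the worm gains nothing."""
    return password.casefold() in _PASSWORDS_FOLDED


def targeted_account(username: str) -> bool:
    """True if the account name is one the worm tries. Windows account
    names are not case-sensitive, so the comparison is case-folded."""
    return username.casefold() in _USERNAMES_FOLDED


def audit_accounts(accounts):
    """accounts: iterable of (username, password) pairs, e.g. as seen by a
    password-change policy filter. Returns (username, severity, reason)
    for every weak entry. Severity is this example's own convention:
    high   - exact listed password on an account name the worm targets
    medium - exact listed password on any other account
    low    - a case variant of a listed password
    """
    findings = []
    for user, pw in accounts:
        if password_in_worm_list(pw):
            severity = "high" if targeted_account(user) else "medium"
            findings.append((user, severity, "password is in the worm's list"))
        elif password_in_worm_list_any_case(pw):
            findings.append((user, "low", "case variant of a listed password"))
    return findings


# Constructed sample data (not from the advisory).
SAMPLE_ACCOUNTS = [
    ("Administrator", "letmein"),
    ("backup", "Password"),
    ("svc_web", "QWERTY"),
    ("jdoe", "correct horse battery staple"),
]

if __name__ == "__main__":
    for user, severity, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{severity:6} {user:15} {reason}")
```

In practice a check like this runs where the plaintext is briefly available, such as a password-change hook, since stored credentials are hashed; the same list can also feed a blocklist in whatever password filter the directory service supports.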
"Heres a poem for you"
"Ive written a poem for you"
"Love poems for you :)"
"Look what i wrote for you"
"Poems for you"
"Roses are red,
You are mine,
I love you until im dead,
It will all be fine."
"I do miss you
I do love you
what you want me to do?
I never want to go."
"Where did you run?
Where did you hide?
I stand here undone
I stand here inside"
"How could u do that
Why did you say that
How do you feel inside
I wish i just could hide"
Attachment name:
"LovePoem.pif"
"Poem_collection.pif"
"Zipped_poems.exe"
"My Poems.txt.exe"
"Poems.pif"
"Sad Stories and Poems.pif"
"My Story.pif"
"The Poems.pif"
"Poems for you.pif"
"Only Poems.txt.pif"
The addresses the virus sends mail to are harvested from files on the infected system with the following extensions:
".htt"
".rtf"
".doc"
".xls"
".ini"
".mdb"
".txt"
".htm"
".Html"
".wab"
".pst"
".fdb"
".cfg"
".ldb"
".eml"
".abc"
".ldif"
".nab"
".adp"
".mdw"
".mda"
".mde"
".ade"
".sln"
".dsw"
".dsp"
".vap"
".PHP"
".ASP"
".shtml"
The harvested e-mail addresses are saved in the file:
%SYSDIR%\CISSI.DLL
The virus queries the default DNS server for the mail exchange (MX) record, which normally contains the IP address of the mail server, and uses that address to send the infected mail.
Removal:
Use the Guanghua (光华) anti-virus software to remove it completely.
Virus demonstration:
Virus FAQ:
A PE virus under Windows.
Discovery date:
2004-5-14
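The sender name, subject lines, attachment names and dropped file paths above are all fixed, which makes them usable as detection indicators at a mail gateway and on a host. The following added example (not code from the advisory or from the anti-virus vendor) scores a message against the mail indicators and scans a list of file paths for the dropped files. The subjects, attachment names and file names come from the advisory; the messages and the directory listing are constructed sample data, and the assumption that the copy in the Startup folder keeps the name Cissi.exe is this example's own, since the advisory does not state that name.

```python
"""Match e-mail and host artefacts against the Worm.Cissi.c indicators.

Added example, not part of the original advisory. Subject lines,
attachment names and file names are taken from the advisory; the sample
messages and file paths are constructed.
"""
from dataclasses import dataclass, field

CISSI_SENDER = "Cissi"
CISSI_SUBJECTS = {
    "Heres a poem for you", "Ive written a poem for you",
    "Love poems for you :)", "Look what i wrote for you", "Poems for you",
}
CISSI_ATTACHMENTS = {
    "LovePoem.pif", "Poem_collection.pif", "Zipped_poems.exe",
    "My Poems.txt.exe", "Poems.pif", "Sad Stories and Poems.pif",
    "My Story.pif", "The Poems.pif", "Poems for you.pif", "Only Poems.txt.pif",
}
# The worm's attachments are all .pif or .exe; flagging any such attachment
# also catches names the advisory does not list.
EXECUTABLE_EXTS = {"pif", "exe"}

# Files the worm drops (%SYSDIR%\Cissi.exe, %SYSDIR%\CISSI.DLL), compared
# case-insensitively on the file name only, so the system directory may
# be System32 or System. Assumption: the Startup folder copy is also
# named Cissi.exe; the advisory does not give that name.
CISSI_FILENAMES = {"cissi.exe", "cissi.dll"}
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def score_message(msg: Message) -> list:
    """Return the list of mail indicators a message matches (empty = clean)."""
    reasons = []
    if msg.sender.strip().casefold() == CISSI_SENDER.casefold():
        reasons.append("sender display name 'Cissi'")
    if msg.subject in CISSI_SUBJECTS:
        reasons.append("known subject line")
    for name in msg.attachments:
        if name in CISSI_ATTACHMENTS:
            reasons.append(f"known attachment {name}")
        elif "." in name and name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name}")
    return reasons


def find_host_indicators(paths) -> list:
    """Scan a list of file paths (e.g. a directory listing) and return
    (path, location) for every file whose name matches a dropped file."""
    hits = []
    for p in paths:
        low = p.replace("/", "\\").casefold()
        name = low.rsplit("\\", 1)[-1]
        if name in CISSI_FILENAMES:
            where = "startup folder" if STARTUP_FRAGMENT in low else "other directory"
            hits.append((p, where))
    return hits


# Constructed sample data (not from the advisory).
SAMPLE_MESSAGES = [
    Message("Cissi", "Poems for you", ["Poems for you.pif"]),
    Message("Alice", "Quarterly report", ["report.xlsx"]),
    Message("Bob", "pictures", ["holiday.jpg.exe"]),
]
SAMPLE_PATHS = [
    r"C:\WINNT\system32\Cissi.exe",
    r"C:\WINNT\system32\CISSI.DLL",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cissi.exe",
    r"C:\WINNT\system32\kernel32.dll",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", score_message(m) or "clean")
    for path, where in find_host_indicators(SAMPLE_PATHS):
        print("dropped file:", path, f"({where})")
```

A hit on the sender name or subject alone is weak evidence, since both are plain text any mail could carry; a known attachment name, or any .pif/.exe attachment, is the indicator worth quarantining on. On a host, a hit on CISSI.DLL is a sign that address harvesting has already run, so the mail logs should be checked as well.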