Worm.Saros

病毒名称:

Worm.Saros

类别： 蠕虫

病毒资料：

破坏方法：

一个蠕虫病毒

病毒行为：

病毒运行后，将自己复制到％system％目录下文件名为：

NonYou.exe，Love-ScreenSaver.scr，MSOutlookInternetUpdate.exe

之后病毒将显示一个询问用户是否通过email升级outlook的消息框。确定后病毒

同时病毒还将释放一个名为nstdnrdll32.vbs到％system％目录。该文件用来进行

邮件传播。

并在注册表加下以下键值:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

"wincomp32"= "WINDOWS\system32\nstdnrdll32.vbs"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

"nldr32"= "WINDOWS\system32\NonYou.exe"

Mirc传播：

病毒将修改Mirc的脚本，在用户进入频道时。将自动将病毒文件或病毒链接发送

出去。

P2P传播：

病毒将自己复制到一些P2P软件的共享目录。如下：

\progra~1\Kazaa\My Shared Folder\Rosy.exe

\progra~1\Kazaa\My Shared Folder\Pipponoto.exe

\progra~1\Kazaa\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe

\progra~1\Kazaa\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe

\progra~1\Kazaa\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe

\progra~1\Kazaa\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe

\progra~1\Kazaa\My Shared Folder\Lionel Richie - Just For You.mp3.exe

\progra~1\Kazaa Lite\My Shared Folder\Rosy.exe

\progra~1\Kazaa Lite\My Shared Folder\Pipponoto.exe

\progra~1\Kazaa Lite\My Shared Folder\Anastacia - Left Outside

Alone.mp3.exe

\progra~1\Kazaa Lite\My Shared Folder\The Rasmus - In The Shadows.mp3.exe

\progra~1\Kazaa Lite K++\My Shared Folder\The Rasmus - In The

Shadows.mp3.exe

\progra~1\Kazaa Lite K++\My Shared Folder\50 Cent - In da Club.mp3.exe

\progra~1\Kazaa Lite K++\My Shared Folder\Vanessa Carltron - Ordinary

Day.mp3.exe\progra~1\Kazaa Lite K++\My Shared Folder\Raf - In tutti i miei

giorni.mp3.exe

\progra~1\Kazaa Lite K++\My Shared Folder\Vasco Rossi - Buoni e

cattivi.mp3.exe

\progra~1\Kazaa Lite K++\My Shared Folder\Lionel Richie - Just For

You.mp3.exe

\progra~1\ICQ\Shared Folder\Rosy.exe

\progra~1\ICQ\Shared Folder\Pipponoto.exe

\progra~1\ICQ\Shared Folder\Anastacia - Left Outside Alone.mp3.exe

\progra~1\ICQ\Shared Folder\The Rasmus - In The Shadows.mp3.exe

\progra~1\ICQ\Shared Folder\50 Cent - In da Club.mp3.exe

\progra~1\ICQ\Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe

\progra~1\Grokster\My Grokster\The Rasmus - In The Shadows.mp3.exe

\progra~1\Grokster\My Grokster\50 Cent - In da Club.mp3.exe

\progra~1\Grokster\My Grokster\Vanessa Carltron - Ordinary Day.mp3.exe

\progra~1\Grokster\My Grokster\HaidUCii - Dragostea Din Tei.mp3.exe

\progra~1\Grokster\My Grokster\Black Eyed Peas - Hey Mama.mp3.exe

\progra~1\Grokster\My Grokster\Raf - In tutti i miei giorni.mp3.exe

\progra~1\Grokster\My Grokster\Vasco Rossi - Buoni e cattivi.mp3.exe

\progra~1\Grokster\My Grokster\Lionel Richie - Just For You.mp3.exe

\progra~1\Bearshare\Shared\Rosy.exe

\progra~1\Bearshare\Shared\Pipponoto.exe

\progra~1\Bearshare\Shared\Anastacia - Left Outside Alone.mp3.exe

\progra~1\Bearshare\Shared\The Rasmus - In The Shadows.mp3.exe

\progra~1\Bearshare\Shared\50 Cent - In da Club.mp3.exe

\progra~1\Bearshare\Shared\Vanessa Carltron - Ordinary Day.mp3.exe

\progra~1\Bearshare\Shared\Haiducii - Dragostea Din Tei.m

病毒的清除法：

使用光华反病毒软件，彻底删除。

病毒演示：

病毒FAQ：

Windows下的PE病毒。

发现日期：

2004-8-20

• ·I-Worm.Xgtray.f
• ·Worm.Win32.Relic.b
• ·Worm.Win32.Dedler.p
• ·Worm.Win32.Dedler.m
• ·Worm.Win32.Dedler.l
• ·Worm.Neveg.c
• ·Worm.Godog.b
• ·Worm.Novarg.r
• ·Worm.Shorm.100.e
• ·Worm.Win32.Francette.f