VBS.Stefan

病毒名称:

VBS.Stefan

类别： 脚本病毒

病毒资料：

VBS.Stefan 是一个脚本病毒，长度为 17,828 字节，感染 windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows xp 系统，它攻击局域网，利用文件共享传播，降低计算机安全设置，当收到、打开此病毒时，主要有以下危害：

A 在当前目录创建文件 SteFanie.URL ，包含以下网址(经检查不是有害网页)，病毒稍后会启动浏览器打开这个网址

http://myspace-291.vo.llnwd.net/[已删除]/131127291_l.jpg

B 复制自身到以下列表:

C:\WINDOWS\system32\drivers\etc\hosts.vbs

C:\WINDOWS\system32\drivers\etc\SteFanie.vbs

C:\WINDOWS\system\SteFanie.vbs

C:\Documents and Settings\Administrator\Desktop\SteFanie.vbs

C:\Documents and Settings\All Users\Start Menu\PRograms\Startup\Startup.vbs

C:\WINDOWS\Start Menu\Programs\Startup\Starup.vbs

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\Startup.vbs

C:\SteFanie.vbs

C:\My Downloads\SteFanie.vbs

C:\My Shared Folder\SteFanie.vbs

C:\Inetpub\wwwroot\index.htm

A:\SteFanie.vbs

B:\SteFanie.vbs

G:\SteFanie.vbs

H:\SteFanie.vbs

I:\SteFanie.vbs

J:\SteFanie.vbs

K:\SteFanie.vbs

L:\SteFanie.vbs

M:\SteFanie.vbs

N:\SteFanie.vbs

O:\SteFanie.vbs

P:\SteFanie.vbs

Q:\SteFanie.vbs

R:\SteFanie.vbs

S:\SteFanie.vbs

T:\SteFanie.vbs

U:\SteFanie.vbs

V:\SteFanie.vbs

W:\SteFanie.vbs

X:\SteFanie.vbs

Y:\SteFanie.vbs

Z:\SteFanie.vbs

程序目录\Kazaa\My Shared Folder\Young teen.jpg.vbs

程序目录\Kazaa\My Shared Folder\Hot Girl.jpg.vbs

程序目录\Kazaa\My Shared Folder\Pussy.jpg.vbs

程序目录\Kazaa\My Shared Folder\sex.jpg.vbs

程序目录\Kazaa\My Shared Folder\big boobs.jpg.vbs

程序目录\Kazaa\My Shared Folder\Sex Tips.doc.vbs

程序目录\Kazaa\My Shared Folder\Lord of the rings.doc.vbs

程序目录\Kazaa\My Shared Folder\How To Rip DVDs.doc.vbs

程序目录\KaZaA Lite\My Shared Folder\Young teen.jpg.vbs

程序目录\KaZaA Lite\My Shared Folder\Hot Girl.jpg.vbs

程序目录\KaZaA Lite\My Shared Folder\Pussy.jpg.vbs

程序目录\KaZaA Lite\My Shared Folder\sex.jpg.vbs

程序目录\KaZaA Lite\My Shared Folder\big boobs.jpg.vbs

程序目录\KaZaA Lite\My Shared Folder\Sex Tips.doc.vbs

程序目录\KaZaA Lite\My Shared Folder\Lord of the rings.doc.vbs

程序目录\Morpheus\My Shared Folder\Young teen.jpg.vbs

程序目录\Morpheus\My Shared Folder\Hot Girl.jpg.vbs

程序目录\Morpheus\My Shared Folder\Pussy.jpg.vbs

程序目录\Morpheus\My Shared Folder\sex.jpg.vbs

程序目录\Morpheus\My Shared Folder\big boobs.jpg.vbs

程序目录\Morpheus\My Shared Folder\Sex Tips.doc.vbs

程序目录\Morpheus\My Shared Folder\Lord of the rings.doc.vbs

程序目录\Grokster\My Grokster\Young teen.jpg.vbs

程序目录\Grokster\My Grokster\Hot Girl.jpg.vbs

程序目录\Grokster\My Grokster\Pussy.jpg.vbs

程序目录\Grokster\My Grokster\sex.jpg.vbs

程序目录\Grokster\My Grokster\big boobs.jpg.vbs

程序目录\Grokster\My Grokster\Sex Tips.doc.vbs

程序目录\Grokster\My Grokster\Lord of the rings.doc.vbs

程序目录\BearShare\Shared\Young teen.jpg.vbs

程序目录\BearShare\Shared\Hot Girl.jpg.vbs

程序目录\BearShare\Shared\Pussy.jpg.vbs

程序目录\BearShare\Shared\sex.jpg.vbs

程序目录\BearShare\Shared\big boobs.jpg.vbs

程序目录\BearShare\Shared\Sex Tips.doc.vbs

程序目录\BearShare\Shared\Lord of the rings.doc.vbs

C 增加注册表项

"SteFanie" = "SteFanie.vbs"

"Systray" = "C:\WINDOWS\system\SteFanie.vbs"

到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

使得病毒每次开机后自动执行

D 增加注册表项

"NoClose" = "1"

"NoDrives" = "0x03ffffff"

"NoViewContextMenu" = "1"

"NoFolderOptions" = "1"

到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

E 增加注册表项

"[°K°]" = "[°K°]"

到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner

F 增加注册表项

"LegalNoticeCaption" = "HAHA You Have The VBS/SteFanie Virus!!! By [°K°]"

"LegalNoticeText" = "HAHA You Have The VBS/SteFanie Virus!!! By [°K°]"

到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon

G 增加注册表项

"Source" = "C:\SteFanie.Html"

"SubscribedURL" = "C:\SteFanie.html"

到 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1

H 修改注册表项

"DisableTaskMgr" = "1"

"DisallowRun" = "1"

"DisallowRun\"1" = "notepad.exe"

"DisallowRun\"2" = "regedit.exe"

"DisallowRun\"3" = "Wordpad.exe"

"DisallowRun\"4" = "cmd.exe""DisallowRun\"5" = "write.exe"

"DisallowRun\"6" = "wuaUClt.exe"

"DisallowRun\"7" = "rstrui.exe"

"DisallowRun\"8" = "taskmgr.exe"

"DisallowRun\"9" = "ntbackup.exe"

"DisallowRun\"10" = "mcagent.exe"

"DisallowRun\"11" = "mcvsshld.exe"

"DisallowRun\"12" = "mcshield.exe"

"DisallowRun\"13" = "mcvsescn.exe"

"DisallowRun\"14" = "mcvsrte.exe"

"DisallowRun\"15" = "DefWatch.exe"

"DisallowRun\"16" = "Rtvscan.exe"

"DisallowRun\"17" = "ccEvtMgr.exe"

"DisallowRun\"18" = "NISUM.EXE"

"DisallowRun\"19" = "ccPxySvc.exe"

"DisallowRun\"20" = "navapsvc.exe"

"DisallowRun\"21" = "NPROTECT.EXE"

"DisallowRun\"22" = "NUPGRADE.EXE"

"DisallowRun\"23" = "LUALL.EXE"

"DisallowRun\"24" = "DRWEBUPW.EXE"

"DisallowRun\"25" = "AUTODOWN.EXE"

"DisallowRun\"26" = "alogserv.exe"

"DisallowRun\"27" = "RuLaunch.exe"

"DisallowRun\"28" = "Avconsol.exe"

"DisallowRun\"29" = "PavFires.exe"

"DisallowRun\"30" = "FIREWALL.EXE"

"DisallowRun\"31" = "ATUPDATER.EXE"

"DisallowRun\"32" = "Vshwin32.exe"

"DisallowRun\"33" = "VsStat.exe"

"DisallowRun\"34" = "Avsynmgr.exe"

"DisallowRun\"35" = "ccApp.exe"

"DisallowRun\"36" = "nopdb.exe"

"DisallowRun\"37" = "OUTPOST.EXE"

"DisallowRun\"38" = "ICSSUPPNT.EXE"

"DisallowRun\"39" = "ICSUPP95.EXE"

"DisallowRun\"40" = "ESCANH95.EXE"

"DisallowRun\"41" = "AVXQUAR.EXE"

"DisallowRun\"42" = "ESCANHNT.EXE"

"DisallowRun\"43" = "ATUPDATER.EXE"

"DisallowRun\"44" = "AUPDATE.EXE"

"DisallowRun\"45" = "AUTOTRACE.EXE"

"DisallowRun\"46" = "AUTOUPDATE.EXE"

"DisallowRun\"47" = "AVXQUAR.EXE"

"DisallowRun\"48" = "AVWUPD32.EXE"

"DisallowRun\"49" = "AVPUPD.EXE "

"DisallowRun\"50" = "CFIAUDIT.EXE"

"DisallowRun\"51" = "UPDATE.EXE"

"DisallowRun\"52" = "symlcsvc.exe"

"DisallowRun\"53" = "MCUPDATE.EXE"

"DisallowRun\"54" = "NUPGRADE.EXE"

"DisallowRun\"55" = "pavsrv50.exe"

"DisallowRun\"56" = "SAVScan.exe"

"DisallowRun\"57" = "SNDSrvc.exe"

"DisallowRun\"58" = "NPROTECT.EXE"

"DisallowRun\"59" = "navapsvc.exe"

"DisallowRun\"60" = "ccProxy.exe"

"DisallowRun\"61" = "SHSTAT.EXE"

"DisallowRun\"62" = "navapsvc.exe"

"DisallowRun\"63" = "UpdaterUI.exe"

"DisallowRun\"64" = "VsTskMgr.exe"

"DisallowRun\"65" = "FrameworkService.exe"

"DisallowRun\"66" = "LUCOMS~1.EXE"

"DisallowRun\"67" = "blackd.exe"

"DisallowRun\"68" = "bawindo.exe "

"DisallowRun\"69" = "AVENGINE.EXE"

"DisallowRun\"70" = "APVXDWIN.EXE"

"DisallowRun\"71" = "pavProxy.exe"

"DisallowRun\"72" = "navapw32.exe"

"DisallowRun\"73" = "IEXPLORE.EXE"

"DisallowRun\"74" = "vpc32.exe"

位置为 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

降低系统安全设置

I 增加注册表项

"Screen Name" = "Free SteFanie"

到 HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Login

J 增加注册表项

""EmailName" = "ILoveSteFanie@Myspace.com"

到 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

K 试图删除以下文件，破坏系统和聊天工具

c:\windows\explorer.exe

C:\Program Files\AIM\aim.exe

L 每个月的 2、13、20 号显示以下内容

M 突然打开光盘驱动器

N 1月13号显示以下信息

O 显示以下信息

P 在Windows目录下创建文件windows.cmd，内容是关机命令

Q 每个月的 19 号显示以下信息

R 运行 windows.cmd ，重启计算机

病毒的清除法：

使用光华反病毒软件，彻底删除。

病毒演示：

病毒FAQ：

Windows下的PE病毒。

发现日期：

2005-9-26

• ·Script.Madonna.B
• ·Script.Exploit.htm.page
• ·Script.PlayBoy
• ·Script.Hack.PlayBoy
• ·Script.Hack.LoveBean
• ·VBS/Zxq.d
• ·Matlab.Lagob
• ·Win32.HLLW.Mintop
• ·Worm.Keco.a
• ·Worm.Sober.d.enc