病毒名称:
W32.Chod.B@mm
类别: 邮件病毒
病毒资料:
该病毒长度152,204 字节,感染windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP系统。它是一个复合型邮件病毒,能够通过MSN传播,在计算机里设置后门,使用IRC通信工具远程控制,重写Hosts文件,屏蔽一些安全网站访问,当收到、打开此病毒时,有以下危害:
A 显示以下信息
• Run-time Error
• Run-time error #7: Out of memory
B 创建以下文件到系统目录:
• cpu.dll
• [随机目录]\csrss.dat
• [随机目录]\csrss.exe
• [随机目录]\csrss.ini
C 创建快捷方式Programs\Startup\csrss.lnk到启动文件夹,使得每次开机病毒自动执行取得控制权。
D 每次执行时,病毒创建以下注册表项
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Csrss" = "%System%\[随机目录]\csrss.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Csrss" = "%System%\[随机目录]\csrss.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "%System%\[随机目录]\csrss.exe"
使得每次开机病毒自动执行取得控制权。
E病毒创建以下注册表项,作为自身识别感染标志
HKEY_CLASSES_ROOT\Chode\"Installed" = "1"
HKEY_CURRENT_USER\Software\Chode\"Installed" = "1"
F每次开机时,删除以下注册表项关闭反病毒软等软件的执行:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAISafe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccPwdSvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccSetMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISSVC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\navapsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutpostFirewall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PcCtlCom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAVScan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPBBCSvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsmon
G 病毒修改以下注册表项先隐藏自身
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"SuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
H 从注册表HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\里删除以下值:
TmPfw
tmproxy
Tmntsrv
net stop
sc config
start
CleanUp
MCUpdateExe
VirusScan Online
VSOCheckTask
ccApp
Symantec NetDriver Monitor
Outpost Firewall
gcasServ
pccguide.exe
KAVPersonal50
Zone Labs Client
services
microsoft antispyware
hijackthis
I 修改注册表关闭组册表编辑和管理项:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoAdminPage" = "1"
J 创建以下注册表项:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"Load" = "%System%\[随机目录]\csrss.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "%System%\[随机目录]\csrss.exe"
K 从以下扩展名的文件中搜寻邮件地址:
.adb
.ASP
.cgi
.ctt
.dbx
.dhtm
.doc
.eml
.htm
.Html
.msg
.oft
.PHP
.pl
.rtf
.sht
.shtm
.sql
.tbb
.txt
.uin
.vbs
.wab
.XML
邮件地址中包括以下内容时,不作处理,以便避开防毒软件等:
.gov
.mil
abuse
antivirus
avp
bitdefender
f-pro
f-secure
fbi
kaspersky
McAfee
messagelabs
microsoft
norton
spam
Symantec
L 发送以下内容的电子邮件传播自身:
From: (以下三种)
security@microsoft.com
security@trendmicro.com
securityresponse@symantec.com
Subject: (以下两种)
Warning - you have been infected!
Your computer may have been infected
Message:
Your message was undeliverable due to the following reason(s):
Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your original message has been attached.
Attachment: (以下四种)
netsky_removal.exe
removal_tool.exe
message.pif
message.scr
M 通过MSN发送如下的消息:
内容:(以下11种)
check out what I just found on some stupid website
dude check this out, it's awesome! :D
haha you have to see this, I almost couldn't believe it! :O
holy shit you have to see this... :
I just found this on a CD... you won't believe it! :
LOL! look at this, I can't explain it it in Words..
naked lesbian twister
omg check this out, it's just wrong :O
ROFL!! you have to see this... wtf...
you have to see this, it freaked me out :S
you have to see this, it's amazing!
复制自身为以下文件名:(9种)
check this out
gross
my sister's webcam
mypic
paris hilton
picture
rofl
us together
wtf
使用的扩展名(2种)
.pif
.scr
N 重写Hosts文件,屏蔽以下网站访问
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
fastclick.net
FTP.f-secure.com
ftp.sophos.com
grisoft.com
housecall.trendmicro.com
kaspersky.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
merijn.org
my-etrust.com
nai.com
networkassociates.com
pandasoftware.com
phpbb.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spywareinfo.com
support.microsoft.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.com
www.avp.com
www.awaps.net
www.ca.com
www.f-secure.com
www.fastclick.net
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.merijn.org
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.pandasoftware.com
www.phpbb.com
www.sophos.com
www.spywareinfo.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
www.zonelabs.com
www3.ca.com
zonelabs.com
O 结束以下名称的内存进程,对数为反病毒软件:
bbeagle.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccsetmgr.exe
d3dupdate.exe
enterprise.exe
gcasdtserv.exe
gcasserv.exe
hijackthis.exe
i11r54n4.exe
irun4.exe
isafe.exe
issvc.exe
kav.exe
kavsvc.exe
mcagent.exe
mcdash.exe
mcinfo.exe
mcmnhdlr.exe
mcshield.exe
mcvsescn.exe
mcvsftsn.exe
mcvsrte.exe
mcvsshld.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
msblast.exe
msconfig.exe
mscvb32.exe
mskagent.exe
mwincfg32.exe
navapsvc.exe
navapw32.exe
navw32.exe
npfmntor.exe
outpost.exe
pandaavengine.exe
pccguide.exe
pcclient.exe
pcctlcom.exe
penis32.exe
regedit.exe
smc.exe
sndsrvc.exe
spbbcsvc.exe
symlcsvc.exe
sysinfo.exe
sysmonxp.exe
teekids.exe
tmntsrv.exe
tmpfw.exe
tmproxy.exe
usrprmpt.exe
vsmon.exe
wincfg32.exe
winsys.exe
winupd.exe
zapro.exe
zlclient.exe
P 打开后门,让攻击的黑客远程连接进来,对计算机进行以下操作:
下载执行任意文件
安装卸载IRCD
对指定计算机进行ping, TCP, UDP拒绝服务攻击
发送任意邮件
关闭和重启计算机
用邮件传播自身
用MSN传播自身
Q 盗窃以下软件的口令
AOL Instant Messenger (in old versions)
AOL Instant Messenger/Netscape 7
GAIM
ICQ Lite 4.x/2003
Miranda
MSN Messenger
Trillian
Windows Messenger (on Windows XP)
Yahoo Messenger (Versions 5.x and 6.x)
R 使用以下软件记录窃取口令
Intelligent TCPIP.SYS patcher
MessenPass
Protected Storage PassView
S 修改Win.ini文件
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2005-4-4