
W32.Chod.B@mm

王朝 other · author anonymous  2008-05-31

Virus name:

W32.Chod.B@mm

Category: mass-mailing e-mail worm

Virus details:

The virus is 152,204 bytes long and affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It is a mass-mailing worm with several propagation and payload components: it spreads by e-mail and through MSN Messenger, installs a backdoor that an attacker controls over IRC, rewrites the Hosts file to block access to security vendor sites, terminates security software, and steals stored instant-messenger passwords. When the attachment is received and opened, it does the following:

A Displays one of the following messages:

• Run-time Error

• Run-time error #7: Out of memory

B Creates the following files in the system directory (%System%):

• cpu.dll

• [random directory]\csrss.dat

• [random directory]\csrss.exe

• [random directory]\csrss.ini

C Creates the shortcut Programs\Startup\csrss.lnk in the Startup folder so that the virus runs, and takes control, every time Windows starts.

D On every run, creates the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Csrss" = "%System%\[random directory]\csrss.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Csrss" = "%System%\[random directory]\csrss.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "%System%\[random directory]\csrss.exe"

so that the virus runs at every startup. The name imitates the legitimate csrss.exe (the Windows client/server runtime subsystem), but that process is started by smss.exe during boot and never from a Run value, so any Run, Load or run entry that launches a file named csrss.exe is a reliable indicator of this infection.

E Creates the following registry values as its own infection marker, so that it does not reinstall on an already infected machine:

HKEY_CLASSES_ROOT\Chode\"Installed" = "1"

HKEY_CURRENT_USER\Software\Chode\"Installed" = "1"

F At every startup, deletes the following registry values so that anti-virus and firewall software is no longer launched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAISafe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccProxy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccPwdSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccSetMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\navapsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutpostFirewall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PcCtlCom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAVScan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPBBCSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsmon

G Modifies the following registry values to hide its own files: Explorer is told not to show hidden files (Hidden = 2) or protected operating-system files (ShowSuperHidden = 0):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"SuperHidden" = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

H Deletes the following values from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:

TmPfw

tmproxy

Tmntsrv

net stop

sc config

start

CleanUp

MCUpdateExe

VirusScan Online

VSOCheckTask

ccApp

Symantec NetDriver Monitor

Outpost Firewall

gcasServ

pccguide.exe

KAVPersonal50

Zone Labs Client

services

microsoft antispyware

hijackthis

I Modifies the registry to disable the Registry Editor and the administrative page of the Control Panel:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoAdminPage" = "1"

J Creates the following registry values (Load and run under the Windows NT\CurrentVersion\Windows key are the registry equivalents of the load= and run= lines of the [windows] section of Win.ini, a legacy autostart location that is easy to overlook during cleanup):

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"Load" = "%System%\[random directory]\csrss.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "%System%\[random directory]\csrss.exe"
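Sections D through J together describe a set of registry indicators that can be checked from an offline export of the user and machine hives (for example the output of `reg export`). The script below is an added example written for this page, not code from the original write-up or from any vendor: it parses the `.reg` text format and reports the autostart values that launch a file named csrss.exe, the Chode\Installed marker, the two policy values, and the Explorer hidden-file settings. The Explorer values are also the Windows defaults, so they are reported only as corroboration when another indicator has already fired. The sample export, including the random directory name kx8a, is constructed for the example.

```python
"""Triage a Windows registry export (.reg text) for the persistence,
infection-marker and self-protection values listed in sections D to J.

Added example for this write-up, not code from the original page.  The
text in SAMPLE_REG is constructed to resemble an export from an infected
user hive; the random directory name 'kx8a' is made up."""
import re
from typing import Dict, List, Tuple

# key path (lower-cased) -> {value name (lower-cased): data}
RegDump = Dict[str, Dict[str, object]]

# Autostart locations the worm writes (sections D and J).
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
)
# Infection markers (section E).
MARKER_KEYS = (r"HKEY_CLASSES_ROOT\Chode", r"HKEY_CURRENT_USER\Software\Chode")
# Policy and Explorer tampering (sections I and G).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> RegDump:
    """Parse the subset of the .reg format that 'reg export' produces for
    REG_SZ ("...") and REG_DWORD (dword:hex) values.  Other value types are
    kept as their raw text so that nothing is silently dropped."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            dump.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside string data.
            dump[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            dump[current][name] = int(data[6:], 16)
        else:
            dump[current][name] = data
    return dump


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) findings for the indicators above."""
    dump = parse_reg(text)
    findings: List[Tuple[str, str, str]] = []

    # Sections D/J: the real csrss.exe is started by smss.exe during boot,
    # never from a Run/Load/run value, so any autostart of that image name
    # is suspicious whatever directory it lives in.
    for key in AUTOSTART_KEYS:
        for name, data in dump.get(key.lower(), {}).items():
            if isinstance(data, str) and data.lower().endswith("\\csrss.exe"):
                findings.append((key, name, f"autostart launches {data}"))

    # Section E: the worm's own "already installed" marker.
    for key in MARKER_KEYS:
        if dump.get(key.lower(), {}).get("installed") in ("1", 1):
            findings.append((key, "Installed", "W32.Chod.B infection marker"))

    # Section I: policies that lock the user out of regedit / the admin page.
    for name in ("disableregistrytools", "noadminpage"):
        if dump.get(POLICY_KEY.lower(), {}).get(name) == 1:
            findings.append((POLICY_KEY, name, "policy set to 1 (registry tools / admin page disabled)"))

    # Section G: Hidden=2 and ShowSuperHidden=0 are also the Windows
    # defaults, so report them only as corroboration of another finding.
    adv = dump.get(EXPLORER_KEY.lower(), {})
    if findings and adv.get("hidden") == 2 and adv.get("showsuperhidden") == 0:
        findings.append((EXPLORER_KEY, "Hidden/ShowSuperHidden",
                         "hidden and protected-OS files suppressed in Explorer (corroborating)"))
    return findings


# Constructed sample resembling 'reg export' output from an infected hive.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Csrss"="C:\\WINDOWS\\system32\\kx8a\\csrss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\WINDOWS\\system32\\kx8a\\csrss.exe"
"run"="C:\\WINDOWS\\system32\\kx8a\\csrss.exe"

[HKEY_CURRENT_USER\Software\Chode]
"Installed"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoAdminPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_REG):
        print(f"{key}\\{name}: {reason}")
```

Run against the sample it reports seven findings: the three autostart values, the marker, the two policies, and the corroborating Explorer settings. A clean hive, or one that only carries the Explorer defaults, reports nothing. Section F and H (deleted anti-virus Run values) cannot be seen in an export of the infected machine alone; compare against a known-good export of the same product installation for those.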

K Harvests e-mail addresses from files with the following extensions:

.adb

.ASP

.cgi

.ctt

.dbx

.dhtm

.doc

.eml

.htm

.Html

.msg

.oft

.PHP

.pl

.rtf

.sht

.shtm

.sql

.tbb

.txt

.uin

.vbs

.wab

.XML

Addresses containing any of the following strings are skipped, so that the worm avoids mailing security vendors, government and military domains, and abuse or spam mailboxes:

.gov

.mil

abuse

antivirus

avp

bitdefender

f-pro

f-secure

fbi

kaspersky

McAfee

messagelabs

microsoft

norton

spam

Symantec

L Sends itself as an e-mail with the following content. The sender and subject imitate an infection warning from a security vendor, the attachment poses as a removal tool, and the body is a generic bounce notice:

From: (one of the following three, all forged)

security@microsoft.com

security@trendmicro.com

securityresponse@symantec.com

Subject: (one of the following two)

Warning - you have been infected!

Your computer may have been infected

Message:

Your message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your original message has been attached.

Attachment: (one of the following four)

netsky_removal.exe

removal_tool.exe

message.pif

message.scr

M Sends the following messages over MSN Messenger:

Message text: (one of the following 11)

check out what I just found on some stupid website

dude check this out, it's awesome! :D

haha you have to see this, I almost couldn't believe it! :O

holy shit you have to see this... :

I just found this on a CD... you won't believe it! :

LOL! look at this, I can't explain it it in Words..

naked lesbian twister

omg check this out, it's just wrong :O

ROFL!! you have to see this... wtf...

you have to see this, it freaked me out :S

you have to see this, it's amazing!

It copies itself under one of the following file names (9):

check this out

gross

my sister's webcam

mypic

paris hilton

picture

rofl

us together

wtf

with one of the following extensions (2):

.pif

.scr

N Rewrites the Hosts file to block access to the following sites (update servers, vendor home pages, support pages and anti-spyware sites):

avp.com

ca.com

customer.symantec.com

dispatch.mcafee.com

download.mcafee.com

f-secure.com

fastclick.net

FTP.f-secure.com

ftp.sophos.com

grisoft.com

housecall.trendmicro.com

kaspersky.com

liveupdate.symantec.com

mast.mcafee.com

mcafee.com

merijn.org

my-etrust.com

nai.com

networkassociates.com

pandasoftware.com

phpbb.com

rads.mcafee.com

secure.nai.com

securityresponse.symantec.com

service1.symantec.com

sophos.com

spywareinfo.com

support.microsoft.com

symantec.com

trendmicro.com

update.symantec.com

updates.symantec.com

us.mcafee.com

vil.nai.com

viruslist.com

www.avp.com

www.awaps.net

www.ca.com

www.f-secure.com

www.fastclick.net

www.grisoft.com

www.kaspersky.com

www.mcafee.com

www.merijn.org

www.microsoft.com

www.my-etrust.com

www.nai.com

www.networkassociates.com

www.pandasoftware.com

www.phpbb.com

www.sophos.com

www.spywareinfo.com

www.symantec.com

www.trendmicro.com

www.viruslist.com

www.zonelabs.com

www3.ca.com

zonelabs.com
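The Hosts file rewrite in section N is easy to verify from disk, and the same check catches other families that pin vendor hosts to loopback. The script below is an added example for this page, not code from the original write-up or any vendor. It parses a hosts file, flags any mapping for a domain on a watchlist (a subset of the list above; bare domains also match their subdomains), and separately flags any other non-local name pinned to a loopback or unspecified address, which can be legitimate ad-blocking but deserves a look on a suspected host. The sample hosts file is constructed for the example.

```python
"""Check a hosts file for the security-vendor sinkholing described in
section N.  Added example, not code from the original page.  SAMPLE_HOSTS
is a constructed file resembling one rewritten by the worm; WATCHLIST is a
subset of the write-up's list."""
import ipaddress
from typing import List, Tuple

# Bare domains also cover their subdomains in the check below, so
# 'symantec.com' matches liveupdate.symantec.com and www.symantec.com.
WATCHLIST = {
    "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "trendmicro.com", "kaspersky.com", "avp.com", "viruslist.com",
    "f-secure.com", "sophos.com", "grisoft.com", "pandasoftware.com",
    "ca.com", "my-etrust.com", "zonelabs.com", "merijn.org",
    "spywareinfo.com", "support.microsoft.com", "www.microsoft.com",
}

# Names that legitimately map to loopback and must not be reported.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, hostname) for every mapping, expanding
    lines that list several hostnames and dropping comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append((lineno, address, name.lower().rstrip(".")))
    return entries


def _on_watchlist(host: str, watchlist) -> bool:
    return any(host == d or host.endswith("." + d) for d in watchlist)


def _is_blackhole(address: str) -> bool:
    """True for 127.x, ::1 and 0.0.0.0 / ::, the usual sinkhole targets."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text: str, watchlist=WATCHLIST) -> List[Tuple[int, str, str, str]]:
    """Return (line number, hostname, address, reason) for suspect mappings.
    Any override of a watchlist domain is reported whatever the address,
    since those hosts should resolve through DNS; other names are reported
    only when pinned to a loopback/unspecified address."""
    findings = []
    for lineno, address, host in parse_hosts(text):
        if host in _LOCAL_NAMES or host.startswith("ip6-"):
            continue
        if _on_watchlist(host, watchlist):
            findings.append((lineno, host, address, "security vendor host overridden"))
        elif _is_blackhole(address):
            findings.append((lineno, host, address, "non-local name pinned to loopback/unspecified"))
    return findings


# Constructed sample: the stock Windows header followed by worm entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com liveupdate.symantec.com
127.0.0.1       www.kaspersky.com   # update site
0.0.0.0         ads.example.net
192.168.1.10    fileserver.corp.example
"""

if __name__ == "__main__":
    for lineno, host, address, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {address}: {reason}")
```

On the sample this reports the four vendor hosts and the loopback-pinned ads.example.net, and leaves the file-server entry alone. On a real Windows host read the file from %SystemRoot%\system32\drivers\etc\hosts; the worm's copy of the file may be marked hidden, which the Explorer changes in section G are meant to conceal.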

O Terminates processes with the following names, most of them belonging to anti-virus and firewall products; the rest are other worms (for example msblast.exe and bbeagle.exe), system tools such as regedit.exe and msconfig.exe, and HijackThis:

bbeagle.exe

ccapp.exe

ccevtmgr.exe

ccproxy.exe

ccsetmgr.exe

d3dupdate.exe

enterprise.exe

gcasdtserv.exe

gcasserv.exe

hijackthis.exe

i11r54n4.exe

irun4.exe

isafe.exe

issvc.exe

kav.exe

kavsvc.exe

mcagent.exe

mcdash.exe

mcinfo.exe

mcmnhdlr.exe

mcshield.exe

mcvsescn.exe

mcvsftsn.exe

mcvsrte.exe

mcvsshld.exe

mpfagent.exe

mpfservice.exe

mpftray.exe

msblast.exe

msconfig.exe

mscvb32.exe

mskagent.exe

mwincfg32.exe

navapsvc.exe

navapw32.exe

navw32.exe

npfmntor.exe

outpost.exe

pandaavengine.exe

pccguide.exe

pcclient.exe

pcctlcom.exe

penis32.exe

regedit.exe

smc.exe

sndsrvc.exe

spbbcsvc.exe

symlcsvc.exe

sysinfo.exe

sysmonxp.exe

teekids.exe

tmntsrv.exe

tmpfw.exe

tmproxy.exe

usrprmpt.exe

vsmon.exe

wincfg32.exe

winsys.exe

winupd.exe

zapro.exe

zlclient.exe

P Opens a backdoor through which a remote attacker can connect and instruct the computer to:

download and execute arbitrary files

install or uninstall an IRC daemon (IRCD)

run ping, TCP or UDP denial-of-service attacks against a chosen host

send arbitrary e-mail

shut down or restart the computer

spread itself by e-mail

spread itself over MSN Messenger

Q Steals the stored passwords of the following applications:

AOL Instant Messenger (in old versions)

AOL Instant Messenger/Netscape 7

GAIM

ICQ Lite 4.x/2003

Miranda

MSN Messenger

Trillian

Windows Messenger (on Windows XP)

Yahoo Messenger (Versions 5.x and 6.x)

R Uses the following tools to collect the passwords it steals:

Intelligent TCPIP.SYS patcher

MessenPass

Protected Storage PassView

S Modifies the Win.ini file.

Removal:

Use 光华 (Guanghua) anti-virus software to remove it completely.

Virus demonstration:

Virus FAQ:

A PE virus for Windows.

Discovery date:

2005-04-04

 
 
 