Virus name (Chinese):
安哥变种 (Agobot variant)
Virus alias:
Backdoor.Agobot.gen [AVP]
Threat level:
★☆☆☆☆
Virus type:
Hacker program
Virus length:
195
Affected systems:
WinNT, Win2000, WinXP, Win2003
Virus behaviour:
Written with: VC6.0, packed with PECompact
Infection conditions:
A、The virus spreads actively through the following known Microsoft vulnerabilities:
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) buffer overflow vulnerability (MS03-26)
IIS5/WebDAV buffer overflow vulnerability (MS03-07)
Workstation service buffer overrun vulnerability (MS03-49)
Microsoft Messenger Service buffer overflow vulnerability (MS03-43)
Locator service vulnerability (MS03-001)
UPnP vulnerability (MS01-059)
Vulnerability in Microsoft SQL Server 2000 or MSDE 2000 audit (MS02-61)
B、The virus can also spread actively by attacking remote systems that use weak passwords
C、It can be remotely controlled, or spread, through mIRC software
D、It spreads through the backdoor port left behind by Bagle (恶鹰)
Trigger conditions:
System modifications:
A、Under the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
it adds the following value:
"MicrsoftBUSPCFG32"="buspcom32.exe"
so that the virus starts automatically with the system
B、Copies itself to the system directory:
%System%\buspcom32.exe
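Added example (not part of the original advisory): an offline checker for the two persistence artefacts listed above, the "MicrsoftBUSPCFG32"="buspcom32.exe" autorun value under the Run/RunServices keys and the dropped buspcom32.exe in the %System% directory. It reads a .reg-style export and a directory listing rather than a live registry, so it can be run on any platform against exported data; the sample export and file list are constructed for illustration.

```python
"""
Added example, not vendor code: flag the autorun value and dropped file that
this Agobot variant uses for persistence, working from a .reg export and a
listing of the %System% directory (both supplied as text, no live registry access).
"""
import re
from typing import Dict, List

# Autorun keys named in the advisory, written as they appear in a .reg export.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
IOC_VALUE_NAME = "MicrsoftBUSPCFG32"   # misspelt "Micrsoft" exactly as the malware writes it
IOC_FILE_NAME = "buspcom32.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="string" values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_autorun_iocs(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per autorun entry carrying the malware's value name or file name."""
    findings = []
    lookup = {k.lower(): v for k, v in reg.items()}   # registry paths are case-insensitive
    for key in AUTORUN_KEYS:
        for name, data in lookup.get(key.lower(), {}).items():
            if name == IOC_VALUE_NAME or IOC_FILE_NAME in data.lower():
                findings.append(f"{key}\\{name} = {data}")
    return findings


def find_dropped_file(system_dir_listing: List[str]) -> List[str]:
    """Flag the dropped executable in a listing of the %System% directory."""
    return [f for f in system_dir_listing if f.lower() == IOC_FILE_NAME]


# Constructed sample export (not a real capture) with one infected Run key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MicrsoftBUSPCFG32"="buspcom32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
'''
# Constructed %System% listing containing the dropped file.
SAMPLE_SYSTEM_DIR = ["ctfmon.exe", "kernel32.dll", "buspcom32.exe"]

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for hit in find_autorun_iocs(reg) + find_dropped_file(SAMPLE_SYSTEM_DIR):
        print("SUSPICIOUS:", hit)
```

On a real host the export would come from `reg export` of the two keys and the listing from the %System% directory; the value-name match is deliberately exact because the misspelt "Micrsoft" is itself a distinguishing indicator, while the file-name match is case-insensitive since NTFS is.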
Symptoms:
A、Terminates the virus firewalls, main scanner and update programs of a large number of antivirus products, as well as network firewalls:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
B、Scans IP addresses on the local network and sends them Messenger service messages; the pop-up dialog is as follows:
Special notes: