Win32.Hack.Agobot.ag

病毒名称(中文):

病毒别名:

Backdoor.Agobot.gen[AVP]

威胁级别:

★★☆☆☆

病毒类型:

黑客程序

病毒长度:

206336

影响系统:

Win9xWinNTWin2000WinXPWin2003

病毒行为:

编写工具:

vc编写,upx压缩

传染条件:

通过irc和攻击弱密码的方式传播

发作条件:

发作后会泄漏本机信息并开设后门等待黑客的远程控制

系统修改:

1,拷贝自身到%System%,文件名为下列之一:

Cavapsvc.exe

Csrrs.exe

Cvhost.exe

DIIhost.exe

Dosrun32.exe

Dos32.exe

Lsas.exe

Regloadr.exe

Schost.exe

Scvhost.exe

Service.exe

Servicess.exe

Sochost.exe

Swchost.exe

System.exe

Update.exe

Wdrun32.exe

Winhlpp32.exe

Winreg.exe

Winupdsdgm.exe

2,向注册表添加下列键值之一:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices

"RegistryLoader"="regloadr.exe"

"RegistryLoader"="winhlpp32.exe"

"UpdateInstaller"="Swchost.exe"

"WindowsExplorer"="Lsas.exe"

"ConfigurationLoader"="dosrun32.exe"

"ConfigurationLoader"="Service.exe"

"ConfigurationLoader"="Winreg.exe"

"ConfigurationLoader"="System.exe"

"AutomaticWindowsUpdater"="Update.exe"

"MicrosoftWindows2000"="Winupdsdgm.exe"

"WindowLoader"="Dos32.exe"

"iConfigLoader"="DIIhost.exe"

"ConfigLoader"="Scvhost.exe"

"UpdateInstall"="Schost.exe"

"StartupUpdate"="Cvshost.exe"

"NortonLiveUpdater"="Cavapsvc.exe"

"ServiceController"="Csrrs.exe"

"ConfigurationLoader"="Servicess.exe"

"WindowsStartup"="Wdrun32.exe"

"NortonLiveUpdater"="Sochost.exe"

3,添加下列注册表键值作为标记:

HKEY_LOCAL_MACHINESystemCurrentControlSetenum

ootLEGACY_A3X

HKEY_LOCAL_MACHINESystemCurrentControlSetservicesA3X

HKEY_LOCAL_MACHINESystemControlSet001enum

ootLEGACY_A3X

HKEY_LOCAL_MACHINESystemControlSet001servicesA3X

HKEY_LOCAL_MACHINESystemControlSet002enum

ootLEGACY_A3X

HKEY_LOCAL_MACHINESystemControlSet002servicesA3X

4,在随机tcp端口开设后门等待黑客连接.

5,连接到预定irc服务器并等待黑客通过irc发送的命令

6,开设后门,使黑客具有以下能力:

下载并执行蠕虫

升级蠕虫

偷取本机信息

下载并执行文件

发送蠕虫到别的irc用户

添加新的治理员帐号

7,进行弱密码攻击,使用的字典如下:

帐号:

Administrador

Administrateur

Administrator

Default

Dell

Gast

Guest

Inviter

Owner

Standard

Test

User

a

aaa

abc

admin

administrator

asdf

home

mgmt

pc

qwer

temp

test

win

x

xyz

Password:

0

007

000000

00000000

1

110

111

111111

11111111

12

121212

123

123123

1234

12345

123456

1234567

12345678

123456789

1234qwer

123abc

123asd

123qwe

2002

2600

54321

654321

88888888

Internet

Login

Password

a

aaa

abc

abcd

alpha

computer

database

enable

foobar

god

godblessyou

home

ihavenopass

login

love

mypass

mypc

oracle

owner

pass

passwd

password

pat

patrick

pc

pw

pwd

root

secret

server

sex

super

sybase

temp

test

win

xp

xxx

yxcv

zxcv

Administrador

Administrateur

Administrator

Default

Dell

Gast

Guest

Inviter

Owner

Standard

Test

User

a

aaa

abc

admin

administrator

asdf

home

mgmt

pc

qwer

temp

test

win

x

xyz

密码:

0

007

000000

00000000

1

110

111

111111

11111111

12

121212

123

123123

1234

12345

123456

1234567

12345678

123456789

1234qwer

123abc

123asd

123qwe

2002

2600

54321

654321

88888888

Internet

Login

Password

a

aaa

abc

abcd

alpha

computer

database

enable

foobar

god

godblessyou

home

ihavenopass

login

love

mypass

mypc

oracle

owner

pass

passwd

password

pat

patrick

pc

pw

pwd

root

secret

server

sex

super

sybase

temp

test

win

xp

xxx

yxcv

zxcv

9,偷取下列游戏的cd-key:

SoldierofFortuneII-DoubleHelix

Neverwinter

WestwoodNox

TiberianSun

RedAlert2

RedAlert

ProjectIGI2

Command&ConquerGenerals

Battlefield1942SecretWeaponsofWWII

Battlefield1942TheRoadtoRome

Battlefield1942

RainbowSixIIIRavenShield

NascarRacing2003

NascarRacing2002

NHL2003

NHL2002

FIFA2003

FIFA2002

NeedForSpeedHotPursuit2

TheGladiators

UnrealTournament2003

LegendsofMightandMagic

Counter-Strike

Half-Life

10,结束掉下列进程:

ACKWIN32.EXE

ANTI-TROJAN.EXE

APVXDWIN.EXE

AUTODOWN.EXE

AVCONSOL.EXE

AVE32.EXE

AVGCTRL.EXE

AVKSERV.EXE

AVNT.EXE

AVP.EXE

AVP32.EXE

AVPCC.EXE

AVPDOS32.EXE

AVPM.EXE

AVPTC32.EXE

AVPUPD.EXE

AVSCHED32.EXE

AVWIN95.EXE

AVWUPD32.EXE

BLACKD.EXE

BLACKICE.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLAW95.EXE

CLAW95CF.EXE

CLEANER.EXE

CLEANER3.EXE

DVP95.EXE

DVP95_0.EXE

ECENGINE.EXE

ESAFE.EXE

ESPWATCH.EXE

F-AGNT95.EXE

F-PROT.EXE

F-PROT95.EXE

F-STOPW.EXE

FINDVIRU.EXE

FP-WIN.EXE

FPROT.EXE

FRW.EXE

IAMAPP.EXE

IAMSERV.EXE

IBMASN.EXE

IBMAVSP.EXE

ICLOAD95.EXE

ICLOADNT.EXE

ICMON.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IFACE.EXE

IOMON98.EXE

JEDI.EXE

LOCKDOWN2000.EXE

LOOKOUT.EXE

LUALL.EXE

MOOLIVE.EXE

MPFTRAY.EXE

MSCONFIG.EXE

N32SCANW.EXE

NAVAPW32.EXE

NAVLU32.EXE

NAVNT.EXE

NAVW32.EXE

NAVWNT.EXE

NISUM.EXE

NMAIN.EXE

NORMIST.EXE

NUPGRADE.EXE

NVC95.EXE

OUTPOST.EXE

PADMIN.EXE

PAVCL.EXE

dllhost.exe

msblast.exe

mspatch.exe

penis32.exe

scvhosl.exe

tftpd.exe

winppr32.exe

PAVSCHED.EXE

PAVW.EXE

PCCWIN98.EXE

PCFWALLICON.EXE

PERSFW.EXE

RAV7.EXE

RAV7WIN.EXE

RESCUE.EXE

SAFEWEB.EXE

SCAN32.EXE

SCAN95.EXE

SCANPM.EXE

SCRSCAN.EXE

SERV95.EXE

SMC.EXE

SPHINX.EXE

SWEEP95.EXE

TBSCAN.EXE

TCA.EXE

TDS2-98.EXE

TDS2-NT.EXE

VET95.EXE

VETTRAY.EXE

VSCAN40.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSSTAT.EXE

WEBSCANX.EXE

WFINDV32.EXE

ZONEALARM.EXE

_AVP32.EXE

_AVPCC.EXE

_AVPM.EXE

11,结束掉下列病毒的进程(对手):

dllhost.exe

msblast.exe

mspatch.exe

penis32.exe

scvhosl.exe

tftpd.exe

winppr32.exe

发作现象:

cpu占用率很高,防火墙可能会静静退出,在%system%目录可发现下列文件之一:

Cavapsvc.exe

Csrrs.exe

Cvhost.exe

DIIhost.exe

Dosrun32.exe

Dos32.exe

Lsas.exe

Regloadr.exe

Schost.exe

Scvhost.exe

Service.exe

Servicess.exe

Sochost.exe

Swchost.exe

System.exe

Update.exe

Wdrun32.exe

Winhlpp32.exe

Winreg.exe

Winupdsdgm.exe

非凡说明:

• ·Win32.Troj.Qukart.i
• ·Win32.Troj.Small.ah
• ·Win32.Troj.Small.bb
• ·Win32.Troj.Wisdoor.h
• ·Win32.Troj.Wisdoor.k
• ·Win32.Hack.Zdemon.10
• ·Win32.Troj.Cmjspy
• ·Win32.Troj.MirPirate30
• ·Win32.Bolzano
• ·Win32.Hack.Optix132C