Virus name (Chinese):
飞虫间谍 (lit. "flying-insect spy")
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
100767 bytes
Affected systems:
Win9x / WinNT / Win2000 / WinXP / Win2003
Virus behaviour:
Compiler used:
LCC-Win32 1.03
Infection conditions:
Trigger conditions:
System modifications:
A. Copies itself to:
%SYSTEM%\Explorer.exe
%SYSTEM%\kazaabackupfiles\ (directory)
%SYSTEM%\kazaabackupfiles\zoneallarm_pro_crack.exe
%SYSTEM%\kazaabackupfiles\AVP_Crack.exe
%SYSTEM%\kazaabackupfiles\Porn.exe
%SYSTEM%\kazaabackupfiles\Battlefield1942_bloodpatch.exe
%SYSTEM%\kazaabackupfiles\Unreal2_bloodpatch.exe
%SYSTEM%\kazaabackupfiles\UT2003_bloodpatch.exe
%SYSTEM%\kazaabackupfiles\AquaNox2Crack.exe
%SYSTEM%\kazaabackupfiles\NBA2003_crack.exe
%SYSTEM%\kazaabackupfiles\FIFA2003crack.exe
%SYSTEM%\kazaabackupfiles\C&CGenerals_crack.exe
%SYSTEM%\kazaabackupfiles\porn.exe
%SYSTEM%\kazaabackupfiles\PORNO.exe
%SYSTEM%\kazaabackupfiles\ADULT.exe
%SYSTEM%\kazaabackupfiles\SEX.exe
%SYSTEM%\kazaabackupfiles\MATRIX.exe
%SYSTEM%\kazaabackupfiles\MATRIX2.exe
%SYSTEM%\kazaabackupfiles\PoRN.exe
%SYSTEM%\kazaabackupfiles\Adult.exe
%SYSTEM%\kazaabackupfiles\XXX.exe
%SYSTEM%\kazaabackupfiles\hack_yahoo.exe
%SYSTEM%\kazaabackupfiles\hack.exe
%SYSTEM%\kazaabackupfiles\hack_hotmail.exe
%SYSTEM%\kazaabackupfiles\hacking.exe
%SYSTEM%\kazaabackupfiles\Counter-strike.exe
%SYSTEM%\kazaabackupfiles\Fuck.exe
%SYSTEM%\kazaabackupfiles\fucking.exe
If the program is not running from one of the above paths and file names, it deletes itself.
B. Adds the following value under the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce:
"Winsock2driver"="Explorer.exe"
Adds the following value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
"Winsock2driver"="EXPLORER.EXE"
Both values give a bare file name with no path; Windows resolves it through its application search path, in which %SYSTEM% is searched before %WINDIR%, so the dropped %SYSTEM%\Explorer.exe is what starts, not the genuine Explorer.
Creates the two-level subkey KAZAA\LocalContent under HKEY_CURRENT_USER\SOFTWARE, and under HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent creates the value:
"Dir0"="012345:%SYSTEM%\kazaabackupfiles"
This is the key from which the Kazaa client reads its list of shared folders, so registering the drop folder here offers the crack- and porn-named copies listed above to other Kazaa users for download; that is how the worm spreads.
C. Opens port 113 as a backdoor and waits for connections. Port 113 is normally the ident service, so a listener there does not look out of place, and since netstat.exe is among the processes the worm terminates (see below), the listener should be checked from a clean boot or by scanning the host from another machine.
Symptoms:
A. Because the worm launches Explorer after it runs, two copies of Explorer start automatically when the computer boots. (The genuine Explorer is %WINDIR%\explorer.exe; the copy at %SYSTEM%\Explorer.exe is the worm.)
B. Terminates the following processes (which include the Registry Editor, the System Configuration Utility and antivirus real-time monitors):
"REGEDIT.EXE"
"MSCONFIG.EXE"
"NETSTAT.EXE"
"CCAPP.EXE"
"NAVASPSVC.EXE"
"CCEVTMGR.EXE"
"CCREGVFY.EXE"
"RAVTRAY8.EXE"
"RAVWIN8.EXE"
"RAVTRAY7.EXE"
"RAVWIN7.EXE"
"RAVMON.EXE"
"APVXDWIN.EXE"
"UPGRADER.EXE"
"IFACE.EXE"
"PAVJOBS.EXE"
"FLASHGET.EXE"
"AVP32.EXE"
"KAVI.EXE"
"AVPCC.EXE"
"AVRESCUE.EXE"
"AVPM.EXE"
"NAV.EXE"
"FP-WIN.EXE"
"CV.EXE"
"SETUP.EXE"
"NAV9_15D.EXE"
"NAV9.EXE"
Because setup.exe is blocked, many software installers cannot run.
Special notes:
The backdoor this program opens lets a remote operator take full control of the user's computer: harvest user information, modify files, and even use the machine as a foothold for attacks on other machines.