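Virus name (Chinese):
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
229376
Affected systems:
Win9x, WinNT
Virus behavior:
This virus combines an IRC backdoor with worm functionality and spreads through IPC, mail services, and operating system vulnerabilities. After it runs, it adds itself to the registry startup entries so that it runs again at the next boot. It opens some shared directories on the infected machine and steals important information from the user's machine. It also uses the infected machines it controls to launch denial-of-service attacks against other addresses. The virus carries its own password dictionary, performs overflow attacks against other machines, and guesses administrator credentials in order to take control of them. Infected machines communicate with the controlling machine over port 40403.
1. Files added: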
%system32%\sysproc.exe
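2. Registry entries added so that the virus starts at boot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value added: SystemDocumentApplication
Value data: sysproc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value added: SystemDocumentApplication
Value data: sysproc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Value added: SystemDocumentApplication
Value data: sysproc.exe
3. Controls and infects other machines through mIRC.
4. Steals the CD keys of the following programs: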
IGI 2 Retail
EA GAMES
FIFA 2003
Call of Duty
Need For Speed Hot Pursuit
Command & Conquer Generals
NFSHP2
Battlefield 1942 Road To Rome
Rainbow Six III RavenShield
Counter-Strike (Retail)
Unreal Tournament 2003
Half-Life
5. Can perform SYN attacks.
6. Opens the following shares: C$, D$, IPC$, ADMIN$
7. Password dictionary contents:
"!@#$"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"%"
"0"
"00"
"000"
"0000"
"00000"
"000000"
"00000000"
"007"
"0wn3d"
"0wned"
"1"
"110"
"111"
"111"
"111111"
"11111111"
"11111111"
"12"
"121"
"121212"
"123"
"123123"
"1234"
"12345"
"123456"
"1234567"
"12345678"
"123456789"
"sql"
"sqlpass"
"sa"
"cisco"
"dell"
"compaq"
"siemens"
"yellow"
"pink"
"xp"
"control"
"mass"
"office"
"blank"
"winpass"
"capitol"
"userpassword"
"main"
"hq"
"headoffice"
"ctx"
"nokia"
"lan"
"internet"
"intranet"
"bill"
"fred"
"freddy"
"glen"
"turnip"
"afro"
"user1"
"student"
"student1"
"teacher"
"staff"
"root"
"Root"
"ROOT"
"CISCO"
"Cisco"
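
A host check for the indicators listed in this entry (the dropped file, the three Run values, and port 40403), as an added example that is not part of the original entry. The function name, the reading of %system32% as the Windows system directory, and the reading of the virus length as bytes are assumptions.

```powershell
# Added example (not from the original entry). Indicators come from the page;
# the function name and output shape are illustrative assumptions.
$ValueName = 'SystemDocumentApplication'   # Run value name listed in item 2
$FileName  = 'sysproc.exe'                 # dropped file listed in item 1
$FileSize  = 229376                        # "virus length" from the page; bytes assumed
$Port      = 40403                         # control port named in the behavior text
$RunKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Find-SysprocIndicator {
    # 1. Dropped file; %system32% is assumed to mean the Windows system directory.
    $path = Join-Path ([Environment]::SystemDirectory) $FileName
    if (Test-Path -LiteralPath $path) {
        $len = (Get-Item -LiteralPath $path -Force).Length
        [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "size=$len sizeMatchesPage=$($len -eq $FileSize)"
        }
    }

    # 2. Autostart values: match on the value name or on data that references the file.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # RunServices is absent on many systems
        $reg = Get-Item -LiteralPath $key
        foreach ($name in $reg.GetValueNames()) {
            $data = [string]$reg.GetValue($name)
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                [pscustomobject]@{ Type = 'RunValue'; Location = $key; Detail = "$name = $data" }
            }
        }
    }

    # 3. Sockets using the control port, as local or remote endpoint.
    netstat -ano | Select-String -Pattern ":$Port\s" | ForEach-Object {
        [pscustomobject]@{ Type = 'Socket'; Location = "port $Port"; Detail = $_.Line.Trim() }
    }
}

$hits = @(Find-SysprocIndicator)
if ($hits.Count -eq 0) { 'No indicators from this entry were found.' }
else { $hits | Format-List }
```

The HKCU check covers only the account running the script, so run it per user profile or as each logged-on user when sweeping a shared machine.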