Worm.MSNLoveme.e

病毒名称(中文):

性感鸡变种E

病毒别名:

威胁级别:

★★★☆☆

病毒类型:

蠕虫病毒

病毒长度:

17429

影响系统:

Win9xWinNT

病毒行为:

该病毒为性感鸡变种E,它通过MSN和网络共享目录传播自身.当用户感染该病毒后,该病毒会修改hosts文件,使众多安全及反病毒公司网站重定向一个固定的IP,导致无法正常这此公司的网站;结束常用的反病毒软件进程;禁止运行一些系统程序(如:任务治理器,msconfig.exe等),严重影响用户的正常工作.

1.复制自身到系统目录%System32%下:

serbw.exe

formatsys.exe

2.复制自身到%SystemRoot%下:

msmbw.exe

3.在系统盘根目录下创建以下文件:

Crazy-Frog.Html

lspt.exe

Crazyfroggetskilledbytrain!.pif

Annoyingcrazyfroggettingkilled.pif

Seemylesbianfriends.pif

LOLthaturpic!.pif

Mynewphoto!.pif

Meonholiday!.pif

TheCatAndTheFanpiccy.pif

HowaBlondeEatsaBanana...pif

MonaLisaWantsHerSmileBack.pif

ToplessinMiniSkirt!lol.pif

FatElvis!lol.pif

JenniferLopez.scr

Messageton00bLARISSA.txt

4.修改注册表使自身随计算机启而自动运行

在以下注册表项:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

添加(随机):

serpe="%System32%\serbw.exe"

ltwob="%System32%\formatsys.exe"

avnort="%SystemRoot%\msmbw.exe"

5.修改hosts文件,使众多安全及反病毒公司网站重定向一个固定的IP,导致无法正常下列公司的网站:

64.233.167.104www.symantec.com

64.233.167.104www.sophos.com

64.233.167.104www.mcafee.com

64.233.167.104www.viruslist.com

64.233.167.104www.f-secure.com

64.233.167.104www.avp.com

64.233.167.104www.kaspersky.com

64.233.167.104www.networkassociates.com

64.233.167.104www.ca.com

64.233.167.104www.my-etrust.com

64.233.167.104www.nai.com

64.233.167.104www.trendmicro.com

64.233.167.104www.grisoft.com

64.233.167.104securityresponse.symantec.com

64.233.167.104symantec.com

64.233.167.104sophos.com

64.233.167.104mcafee.com

64.233.167.104liveupdate.symantecliveupdate.com

64.233.167.104viruslist.com

64.233.167.104f-secure.com

64.233.167.104kaspersky.com

64.233.167.104kaspersky-labs.com

64.233.167.104avp.com

64.233.167.104networkassociates.com

64.233.167.104ca.com

64.233.167.104mast.mcafee.com

64.233.167.104my-etrust.com

64.233.167.104download.mcafee.com

64.233.167.104dispatch.mcafee.com

64.233.167.104secure.nai.com

64.233.167.104nai.com

64.233.167.104update.symantec.com

64.233.167.104updates.symantec.com

64.233.167.104us.mcafee.com

64.233.167.104liveupdate.symantec.com

64.233.167.104customer.symantec.com

64.233.167.104rads.mcafee.com

64.233.167.104trendmicro.com

64.233.167.104grisoft.com

64.233.167.104sandbox.norman.no

64.233.167.104www.pandasoftware.com

64.233.167.104uk.trendmicro-europe.com

6.结束安全软件和禁止运行一些系统程序(如:任务治理器,msconfig.exe等):

7.向MSN好友发送病毒文件,如下图:

8.弹出一个记事本窗口,如下图:

9.通网络共享目录(如eMule)传播自身,可能的文件名如下:

MessengerPlus!3.50.exe

MSNallversionpolygamy.exe

MSNnudgebomb.exe

10.关闭包含以下字符串的窗口,从而达到保护病毒自身的目的:

ADWARE

ALERTS

ANTI

AUTOSTARTED

Avg

BENIGN

BLOCKER

BUG

BULLGUARD

BUSTER

CENTER

CILLIN

CLEANER

CMD

Command

DESTROY

DETECTION

DOCTOR

EARTHLINK

EDITOR

ELIMINATE

EYE

FIGHT

Filter

FIREWALL

FIX

FIXING

HEAL

HELP

HUNTER

KERIO

Kill

LABS

LIVEUPDATE

MALWARE

MALWHERE

MCAFEE

NETCOP

NOD32

NORTON

PANDA

PROMPT

PROTECTOR

REGISTRY

REMOVAL

RESTORE

SANDBOX

SCAN

SECURE

SECURITY

SOPHOS

SPY

SPYBOT

SPYWARE

STOPPER

SWEEPER

TASK

TOOL

TREND

Update

VCATCH

VIRUS

WATCH

WORM

PROCESS

• ·Win32.Troj.QQmsg.ti
• ·Worm.Sober.k
• ·Macro.Excel97.Yinyin
• ·Worm.Elitper.b
• ·Win32.Troj.Fengshen.b
• ·Worm.Myst.10
• ·Worm.MSNLoveme.f
• ·Worm.Sober.l
• ·Worm.Bagz.i
• ·Worm.MSNLoveme.g