病毒名称(中文):
性感鸡变种E
病毒别名:
威胁级别:
★★★☆☆
病毒类型:
蠕虫病毒
病毒长度:
17429
影响系统:
Win9xWinNT
病毒行为:
该病毒为性感鸡变种E,它通过MSN和网络共享目录传播自身.当用户感染该病毒后,该病毒会修改hosts文件,使众多安全及反病毒公司网站重定向一个固定的IP,导致无法正常这此公司的网站;结束常用的反病毒软件进程;禁止运行一些系统程序(如:任务治理器,msconfig.exe等),严重影响用户的正常工作.
1.复制自身到系统目录%System32%下:
serbw.exe
formatsys.exe
2.复制自身到%SystemRoot%下:
msmbw.exe
3.在系统盘根目录下创建以下文件:
Crazy-Frog.Html
lspt.exe
Crazyfroggetskilledbytrain!.pif
Annoyingcrazyfroggettingkilled.pif
Seemylesbianfriends.pif
LOLthaturpic!.pif
Mynewphoto!.pif
Meonholiday!.pif
TheCatAndTheFanpiccy.pif
HowaBlondeEatsaBanana...pif
MonaLisaWantsHerSmileBack.pif
ToplessinMiniSkirt!lol.pif
FatElvis!lol.pif
JenniferLopez.scr
Messageton00bLARISSA.txt
4.修改注册表使自身随计算机启而自动运行
在以下注册表项:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
添加(随机):
serpe="%System32%\serbw.exe"
ltwob="%System32%\formatsys.exe"
avnort="%SystemRoot%\msmbw.exe"
5.修改hosts文件,使众多安全及反病毒公司网站重定向一个固定的IP,导致无法正常下列公司的网站:
64.233.167.104www.symantec.com
64.233.167.104www.sophos.com
64.233.167.104www.mcafee.com
64.233.167.104www.viruslist.com
64.233.167.104www.f-secure.com
64.233.167.104www.avp.com
64.233.167.104www.kaspersky.com
64.233.167.104www.networkassociates.com
64.233.167.104www.ca.com
64.233.167.104www.my-etrust.com
64.233.167.104www.nai.com
64.233.167.104www.trendmicro.com
64.233.167.104www.grisoft.com
64.233.167.104securityresponse.symantec.com
64.233.167.104symantec.com
64.233.167.104sophos.com
64.233.167.104mcafee.com
64.233.167.104liveupdate.symantecliveupdate.com
64.233.167.104viruslist.com
64.233.167.104f-secure.com
64.233.167.104kaspersky.com
64.233.167.104kaspersky-labs.com
64.233.167.104avp.com
64.233.167.104networkassociates.com
64.233.167.104ca.com
64.233.167.104mast.mcafee.com
64.233.167.104my-etrust.com
64.233.167.104download.mcafee.com
64.233.167.104dispatch.mcafee.com
64.233.167.104secure.nai.com
64.233.167.104nai.com
64.233.167.104update.symantec.com
64.233.167.104updates.symantec.com
64.233.167.104us.mcafee.com
64.233.167.104liveupdate.symantec.com
64.233.167.104customer.symantec.com
64.233.167.104rads.mcafee.com
64.233.167.104trendmicro.com
64.233.167.104grisoft.com
64.233.167.104sandbox.norman.no
64.233.167.104www.pandasoftware.com
64.233.167.104uk.trendmicro-europe.com
6.结束安全软件和禁止运行一些系统程序(如:任务治理器,msconfig.exe等):
7.向MSN好友发送病毒文件,如下图:
8.弹出一个记事本窗口,如下图:
9.通网络共享目录(如eMule)传播自身,可能的文件名如下:
MessengerPlus!3.50.exe
MSNallversionpolygamy.exe
MSNnudgebomb.exe
10.关闭包含以下字符串的窗口,从而达到保护病毒自身的目的:
ADWARE
ALERTS
ANTI
AUTOSTARTED
Avg
BENIGN
BLOCKER
BUG
BULLGUARD
BUSTER
CENTER
CILLIN
CLEANER
CMD
Command
DESTROY
DETECTION
DOCTOR
EARTHLINK
EDITOR
ELIMINATE
EYE
FIGHT
Filter
FIREWALL
FIX
FIXING
HEAL
HELP
HUNTER
KERIO
Kill
LABS
LIVEUPDATE
MALWARE
MALWHERE
MCAFEE
NETCOP
NOD32
NORTON
PANDA
PROMPT
PROTECTOR
REGISTRY
REMOVAL
RESTORE
SANDBOX
SCAN
SECURE
SECURITY
SOPHOS
SPY
SPYBOT
SPYWARE
STOPPER
SWEEPER
TASK
TOOL
TREND
Update
VCATCH
VIRUS
WATCH
WORM
PROCESS