Virus name (Chinese):
Virus alias:
IM-Worm.Win32.Aimes.C [AVP]
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
53248
Affected systems:
Win9x, WinNT
Virus behavior:
This is a worm that spreads through AIM. It looks for AIM in specific directories and runs it, then sends the message "Hey I went to a wild party last week! check out the pics!!!!" to the victim's AIM buddies together with the file C:\party!!.pif, and spreads this way. The worm also modifies the registry to disable Task Manager and Registry Editor, tries to use TaskKill to terminate certain system processes, and launches an attack against a certain website. Unlike variant B, this variant adds e-mail as an infection vector: it impersonates the security vendor Symantec and sends out e-mails carrying a copy of the worm.
1. Drops files.
Copies itself to the following files:
C:\Windows\sys32dll.exe
C:\party!!.pif
2. Modifies the registry.
Adds or modifies the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sys32dll
"<virus full path> C:\Windows\sys32dll.exe"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU "NoAutoUpdate"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\Security Center "FirewallDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\Security Center "UpdatesDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\Security Center "AntiVirusDisableNotify"=dword:0x1
HKLM\Software\Microsoft\Security Center "FirewallDisableNotify"=dword:0x1
HKLM\Software\Microsoft\Security Center "UpdatesDisableNotify"=dword:0x1
HKLM\Software\Microsoft\Security Center "AntiVirusDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"=dword:0x1
"DisableRegistryTools"=dword:0x1
Deletes the following registry value:
HKLM\software\Microsoft\windows\currentversion\run
"windowsautoupdate.exe"
3. Terminates system processes (Windows XP and later):
TASKKILL /T /F /IM SVCHOST.exe
TASKKILL /F /IM LSASS.exe
4. Launches an attack against a certain website.
5. Tries to run AIM:
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM95\aim.exe
Sends the message "Hey I went to a wild party last week! check out the pics!!!!" to AIM buddies together with the file C:\party!!.pif, and spreads this way.
6. Searches files on local disks with the following extensions for e-mail addresses, then sends e-mails with a copy of the worm attached to the addresses found.
Subject may be one of:
New worm on the looser please read
Blaster strikes again... please read!
New Computer Virus Protection!!
Read this please!
Read it!
Family Album
Antivirus Update
Protect your SYSTEM from new viruses!
Destroy Blaster
Read this for your PC's safety!!
Sender: securityresponse@symantec.com
Message body:
Dear user, a new variant of the worm "Blaster" has been released a week ago!
It's spreading faster than it ever did, this version of Blaster has been classified as "Category 5".
Please click on the following link to understand how bad is a worm classified in Category 5:
http://securityresponse.symantec.com/avcenter/threat.severity.html#categ...
Symantec has developped a new "patch" file which will prevent the new variant of Blaster to be executed and keep your system safe and clean.
The Patch file can be found in the attachment, please make sure you install it before being infected, because if you're already infected, the patch file cannot fix/remove this type of threat as it's not yet studied quite good. Symantec strongly recommends you to download and install the patch file before it's too late!
Symantec will soon release the "Removal Tool" for this threat.
So if you don't often visit Symantec.com, we recommend you to visit us every day to be in touch with the news of this type of threat.
P.S: We would like to thank Mr. Bazzi for making this patch file.
Regards,
Symantec, http://www.symantec.com
Attachment name: Patch.zip
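As an added example (not part of the original advisory or any vendor tool), the following PowerShell script audits a host for the dropped files and registry changes listed in steps 1 and 2 and, with -Remediate, reverses them. It assumes the advisory's "securitycenter" key is the standard "Security Center" key and that the script runs from an elevated session.

```powershell
# Added example, not from the original advisory: audit a Windows host for the
# Aimes.C artifacts listed above and, with -Remediate, reverse them.
# Assumes the page's "securitycenter" key is the standard "Security Center" key.
[CmdletBinding()]
param([switch]$Remediate)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$files  = @('C:\Windows\sys32dll.exe', 'C:\party!!.pif')

# Values the worm sets to 1; on a clean host they are absent or 0.
$policyValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate' }
)
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($n in 'FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusDisableNotify') {
        $policyValues += @{ Path = "$($hive):\Software\Microsoft\Security Center"; Name = $n }
    }
}

$findings = @()
if ($Remediate) {
    # Stop the dropped binary first, or it may recreate the Run value and file.
    Get-Process -Name 'sys32dll' -ErrorAction SilentlyContinue | Stop-Process -Force
}
foreach ($v in $policyValues) {
    $cur = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($cur -and $cur.($v.Name) -eq 1) {
        $findings += "$($v.Path)\$($v.Name) = 1"
        if ($Remediate) { Remove-ItemProperty -Path $v.Path -Name $v.Name }
    }
}
$run = Get-ItemProperty -Path $runKey -Name 'sys32dll' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value sys32dll -> $($run.sys32dll)"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'sys32dll' }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "dropped file present: $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Aimes.C artifacts found.' }
```

DisableTaskMgr, DisableRegistryTools and NoAutoUpdate can also be set legitimately by Group Policy, so confirm they are not managed centrally before removing them. Run without -Remediate first to review the findings.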