Virus name (Chinese):
Virus alias:
Threat level: ★★☆☆☆
Virus type: Worm
Virus length: 79936
Affected systems: WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a malicious worm that spreads through the MS05-039 vulnerability, the shared directories of P2P software, and e-mail. When it runs, it terminates the processes and services of many security products and deletes those products, and it modifies the hosts file so that the user can no longer reach the avp.com website.
1. Drops the following files into the %SYSTEMROOT% directory:
msdefr.exe
nb32ext2.exe
services.exe
2. Modifies the hosts file by appending the following entry (mapping avp.com to the loopback address):
127.0.0.1    avp.com
so that the user can no longer reach the avp.com website.
3. Modifies the registry (key, then value name = data; the fused "RunServiceshelloworld" entry is read here as the RunServices key with value name "helloworld"):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
    DisableRegistryTools = dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    IEPsdgxc = dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
    fdfg = dword:00000013
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    DisableRegistryTools = dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RPCserv32g = "D:\WINNT\services.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    helloworld = "nb32ext2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = "%System32%\userinit.exe,%SystemRoot%\services.exe,"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = dword:00000004
4. Stops the following services and deletes their associated files:
"NETSKY"
"navapsvc"
"NProtectService"
"NortonAntivirusServer"
"VexiraAntivirus"
"dvpinit"
"dvpapi"
"schscnt"
"BackWebClient-7681197"
"F-SecureGatekeeperHandlerStarter"
"FSMA"
"AVPCC"
"KAVMonitorService"
"NormanNJeeves"
"NVCScheduler"
"nvcoas"
"NormanZANDA"
"PASSRV"
"SweepNet"
"SWEEPSRV.SYS"
"NOD32ControlCenter"
"NOD32Service"
"PCCPFW"
"Tmntsrv"
"AvxIni"
"XCOMM"
"ravmon8"
"SmcService"
"BlackICE"
"PersFW"
"McAfeeFirewall"
"OutpostFirewall"
"NWService"
"NISUM"
"NISSERV"
"vsmon"
5. Terminates the following processes and deletes their associated files:
"LienVandeKelderrr.exe"
"winshost.exe"
"msnmsgr.exe"
"wfdmgr.exe"
"OUTPOST.EXE"
"IAOIN.EXE"
"RB.EXE"
"b055262c.dll"
"backdoor.rbot.gen.exe"
"backdoor.rbot.gen_(17).exe"
"msssss.exe"
"rasmngr.exe"
"dailin.exe"
"wowpos32.exe"
"wuamgrd.exe"
"taskmanagr.exe"
"wuamga.exe"
"ATUPDATER.EXE"
"AVWUPD32.EXE"
"AVPUPD.EXE"
"LUALL.EXE"
"DRWEBUPW.EXE"
"ICSSUPPNT.EXE"
"ICSUPP95.EXE"
"UPDATE.EXE"
"NUPGRADE.EXE"
"ATUPDATER.EXE"
"AUPDATE.EXE"
"AUTODOWN.EXE"
"AUTOTRACE.EXE"
"AUTOUPDATE.EXE"
"AVXQUAR.EXE"
"CFIAUDIT.EXE"
"MCUPDATE.EXE"
"NUPGRADE.EXE"
"Systra.exe"
"RAVMOND.exe"
"GfxAcc.exe"
"VisualGuard.exe"
"WIN-BUGSFIX.EXE"
"WIN32.EXE"
"WIN32US.EXE"
"WINACTIVE.EXE"
"WINDOW.EXE"
"WINDOWS.EXE"
"WININETD.EXE"
"WININIT.EXE"
"WININITX.EXE"
"WINLOGIN.EXE"
"WINMAIN.EXE"
"WINPPR32.EXE"
"WINRECON.EXE"
"WINSSK32.EXE"
"WINSTART.EXE"
"WINSTART001.EXE"
"WINTSK32.EXE"
"WINUPDATE.EXE"
"WKUFIND.EXE"
"WNAD.EXE"
"WNT.EXE"
"WRADMIN.EXE"
"WRCTRL.EXE"
"WUPDATER.EXE"
"WUPDT.EXE"
"WYVERNWORKSFIREWALL.EXE"
"XPF202EN.EXE"
"ZAPRO.EXE"
"ZAPSETUP3001.EXE"
"ZATUTOR.EXE"
"ZONALM2601.EXE"
"ZONEALARM.EXE"
"_AVP32.EXE"
"_AVPCC.EXE"
"_AVPM.EXE"
"HIJACKTHIS.EXE"
"F-AGOBOT.EXE"
6. Sends infected e-mail to the user's contacts.
7. Attacks other hosts on the network through the MS05-039 vulnerability; when the attack succeeds, the attacked host is infected with the worm.
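As an added defensive check (example code written for this page, not from the original write-up or any vendor tool), the script below parses a hosts file and a text registry export (.reg) and flags the hosts hijack and the registry persistence described above: the Run/RunServices autorun entries, the SharedAccess (Windows Firewall/ICS) service set to disabled, and a Userinit value that chains services.exe after userinit.exe. The sample inputs are constructed, and the RunServices\helloworld reading of the fused registry entry is an assumption.

```python
import re
# Indicators from the write-up above (registry paths as reconstructed there).
HIJACKED_HOSTS = {"avp.com"}
LOOPBACK = {"127.0.0.1", "::1"}
REG_INDICATORS = {  # (key, value name) -> expected data, or None for any data
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "RPCserv32g"): None,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "helloworld"): None,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): "dword:00000004",
}
# Constructed sample inputs (not real captures) so the check runs offline.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 avp.com  # appended by the worm\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPCserv32g"="D:\\WINNT\\services.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\services.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

def hosts_hijacks(hosts_text):
    """Return names from HIJACKED_HOSTS that the hosts file maps to loopback."""
    found = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] in LOOPBACK:
            found.extend(n.lower() for n in parts[1:] if n.lower() in HIJACKED_HOSTS)
    return found

def reg_findings(reg_text):
    """Scan a .reg export for the autorun entries, SharedAccess Start=4 (firewall/ICS
    service disabled) and a Userinit that chains a second program after userinit.exe."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            key = head.group(1)
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if not val or key is None:
            continue
        name, data = val.group(1), val.group(2)
        if (key, name) in REG_INDICATORS and REG_INDICATORS[key, name] in (None, data.lower()):
            findings.append(key + "\\" + name + "=" + data)
        elif key.endswith(r"\Winlogon") and name == "Userinit":
            # A clean Userinit is "<path>\userinit.exe," with nothing after the comma.
            if data.strip('"').partition(",")[2].strip(", "):
                findings.append(key + "\\Userinit=" + data)
    return findings
```

On a live system, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts and an export made with `reg export`; a hit on any of these entries is a reason to inspect the dropped files listed in step 1.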