Worm.Zotob.c

病毒名称(中文):

狙击波变种C

病毒别名:

威胁级别:

★★★☆☆

病毒类型:

蠕虫病毒

病毒长度:

31744

影响系统:

WinNTWin2000WinXPWin2003

病毒行为:

该病毒通过MS05-039漏洞和MS04-007漏洞,以及邮件进行传播.病毒会向未感染的机器发生漏洞溢出数据包,假如攻击失败,受攻击的机器会发生崩溃,出现倒计时对话框,用户可以通过网络防火墙关闭445端口,以阻止攻击.用户一旦感染该病毒,就会通过IRC被病毒传播者控制.该病毒还会禁止用户更新安全软件.

1.病毒将自身复制到以下目录：

%system%\per.exe

2.在注册表中添加如下键值：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService

"WINDOWSSYSTEM"="per.exe"

以在每次启动时运行

3.修改以下服务

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

"Start"=0x00000004

以阻止WinXP自带的防火墙运行

4.通过MS05-039进行攻击

//-=PNP=-//transfercompletetoip:

5.通过MS04-007漏洞进行传播

6.病毒会创建以下互斥量,以保证系统只一个进程运行

B-O-T-Z-O-R

7.病毒文件中含有以下作者信息

Botzor2005ByDiablO

8.病毒会链接

diabl0.turk*****s.net

网站的IRC频道,以接受病毒传播者的控制.

9.修改Host文件

Botzor2pnp+asn+mailspread.GreetztogoodfriendCoder.BasedOnHellBot3

f-secure,sophosokwaitbitchs!!!

n127.0.0.1www.symantec.com

127.0.0.1securityresponse.symantec.com

127.0.0.1symantec.com

127.0.0.1www.sophos.com

127.0.0.1sophos.com

127.0.0.1www.mcafee.com

127.0.0.1mcafee.com

127.0.0.1liveupdate.symantecliveupdate.com

127.0.0.1www.viruslist.com

127.0.0.1viruslist.com

127.0.0.1viruslist.com

127.0.0.1f-secure.com

127.0.0.1www.f-secure.com

127.0.0.1kaspersky.com

127.0.0.1kaspersky-labs.com

127.0.0.1www.avp.com

127.0.0.1www.kaspersky.com

127.0.0.1avp.com

127.0.0.1www.networkassociates.com

127.0.0.1networkassociates.com

127.0.0.1www.ca.com

127.0.0.1ca.com

127.0.0.1mast.mcafee.com

127.0.0.1my-etrust.com

127.0.0.1www.my-etrust.com

127.0.0.1download.mcafee.com

127.0.0.1dispatch.mcafee.com

127.0.0.1secure.nai.com

127.0.0.1nai.com

127.0.0.1www.nai.com

127.0.0.1update.symantec.com

127.0.0.1updates.symantec.com

127.0.0.1us.mcafee.com

127.0.0.1liveupdate.symantec.com

127.0.0.1customer.symantec.com

127.0.0.1rads.mcafee.com

127.0.0.1trendmicro.com

127.0.0.1pandasoftware.com

127.0.0.1www.pandasoftware.com

127.0.0.1www.trendmicro.com

127.0.0.1www.grisoft.com

127.0.0.1www.microsoft.com

127.0.0.1microsoft.com

127.0.0.1www.virustotal.com

127.0.0.1virustotal.com

127.0.0.1www.amazon.com

127.0.0.1www.amazon.co.uk

127.0.0.1www.amazon.ca

127.0.0.1www.amazon.fr

127.0.0.1www.paypal.com

127.0.0.1paypal.com

127.0.0.1moneybookers.com

127.0.0.1www.moneybookers.com

127.0.0.1www.ebay.com

127.0.0.1ebay.com

10.从以下扩展名的文件中搜索电子邮件地址

txt

htm

sht

jsp

cgi

xml

php

asp

dbx

tbb

adb

pl

html

wab

11.去除含有以下字符的邮件地址

abuse

security

admin

support

contact

webmaster

info

samples

postmaster

webmaster

noone

nobody

nothing

anyone

someone

your

you

me

bugs

rating

site

contact

soft

no

somebody

privacy

service

help

not

submit

feste

ca

gold-certs

the.bat

page

syma

icrosof

msn.

hotmail

panda

sopho

borlan

inpris

example

mydomai

nodomai

ruslis

.gov

gov.

.mil

foo.

unix

math

bsd

mit.e

gnu

fsf.

ibm.com

google

kernel

linux

fido

usenet

iana

ietf

rfc-ed

sendmail

arin.

ripe.

isi.e

isc.o

secur

acketst

pgp

tanford.e

utgers.ed

mozilla

icrosoft

support

ntivi

unix

bsd

linux

listserv

certific

google

accoun

12.邮件主题为

Warning!!

**Warning**

Hello

Confirmed...

Important!

13.邮件内容为以下之一：

looooool

Wefoundaphotoofyouin...

That"syourphoto!!?

hey!!

0Khereisit!

14.邮件附件名为以下之一：

photo

your_photo

image

picture

sample

loool

webcam_photo

15.邮件附件后缀名为以下之一：

pif

scr

exe

cmd

bat

• ·Win32.Troj.Mir2.en
• ·Win32.Troj.Lineage.gl
• ·Win32.Troj.QieTingQi
• ·Win32.Joke.FloatLeaf
• ·Win32.Troj.Lmir.um
• ·Win32.Troj.Agent.gc
• ·Win32.Troj.KillAV.fn
• ·Win32.Hack.SdBot.yx
• ·Win32.Troj.jiaozhu
• ·Worm.Zotob.D