Virus name (Chinese):
Virus aliases:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
41239
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
This is a worm that spreads via e-mail.
It harvests e-mail addresses from the infected machine, uses its own SMTP engine, disguises itself as a Windows update and sends itself out as a mail attachment. It also deletes system files, leaving the system unstable, and can mount a DoS attack.
1. Drops 312 files into the following directories (list abbreviated):
"c:\programmi\gnucleus\downloads\incoming\PCBooster.exe"
"c:\programmi\gnucleus\downloads\PCBooster.exe"
"c:\programmi\KMD\mysharedfolder\PCBooster.exe"
"c:\programmi\BearShare\Shared\PCBooster.exe"
"c:\programmi\KaZaaLite\MySharedFolder\PCBooster.exe"
"c:\programmi\KaZaa\MySharedFolder\PCBooster.exe"
"c:\programmi\Morpheus\mysharedfolder\PCBooster.exe"
"c:\programmi\eDonkey2000\incoming\PCBooster.exe"
"c:\programmi\directconnect\receivedfiles\PCBooster.exe"
"c:\programmi\grokster\mygrokster\PCBooster.exe"
"c:\programmi\limeWire\shared\PCBooster.exe"
"c:\programmi\icq\sharedfiles\WindowsRemotePasswordStealer.exe"
"c:\programmi\gnucleus\downloads\incoming\mIRCNuker2003.exe"
"c:\programmi\directconnect\receivedfiles\mIRCNuker2003.exe"
"c:\programmi\KaZaa\MySharedFolder\MatrixCodeEmulator.exe"
"c:\programmi\limeWire\shared\MatrixCodeEmulator.exe"
"c:\programmi\BearShare\Shared\NeroBurningROMKeygen.exe"
"c:\programmi\limeWire\shared\NeroBurningROMKeygen.exe"
"c:\programmi\KaZaa\MySharedFolder\MatrixmakeSex.scr"
"c:\programmi\BearShare\Shared\HotmailPasswordStealer.exe"
"c:\program files\grokster\mygrokster\WindowsRemotePasswordStealer.exe"
"c:\program files\limeWire\shared\WindowsRemotePasswordStealer.exe"
"c:\program files\icq\sharedfiles\WindowsRemotePasswordStealer.exe"
"c:\program files\gnucleus\downloads\incoming\mIRCNuker2003.exe"
"c:\program files\KaZaa\MySharedFolder\mIRCNuker2003.exe"
and others.
2. Drops the following files into the system directory:
"%system32%\svchost.ocx"
"%system32%\services.acm"
"%system32%\sol.dat"
"%system32%\winmine.dat"
"%system32%\freecell.vxd"
"%system32%\chimera.zip"
"%system32%\spoolmgr.exe"
"%system32%\update.exe"
3. Adds the following registry entries:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
"SpoolerManager"="update.exe"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000000"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000001"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000002"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000003"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000004"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000005"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000006"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000007"
"HKLM\Software\Microsoft\Internet Account Manager\Accounts\00000008"
"SMTP Server"="update.exe"
"HKLM\Software\Microsoft\Windows"
"Explorer"="update.exe"
4. Sends a request to www.google.com every 0.5 seconds, which can amount to a DoS flood against that host.
5. Opens port 5822 and, on receiving a remote command, deletes the following files:
"%root%\config.sys"
"%root%\command.com"
"%root%\io.sys"
"%root%\boot.ini"
"%windows%\regedit.exe"
"%windows%\win.ini"
"%windows%\system.ini"
"%windows%\win.com"
"%system%\win.com"
"%system%\winsock.dll"
After doing so, the worm displays a dialog box:
Title: "W32.Chimera"
Text: "!BadLuck!"
"Today it's a bad day for your computer:"
"Importants files had been deleted from your drive" (sic)
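The host artifacts in items 1 to 5 (dropped files, the Run-key value, the listening port) are what an incident responder would sweep a machine for. The following Python script is an added example, not code from this advisory: it matches a host snapshot against those indicators. The snapshot is constructed; on a real host the file list, Run-key values and listening ports would come from a directory walk, the registry and a netstat listing. Treating both %system% and %system32% as the system directory, and the folder "C:\Program Files\Foo", are assumptions for the example.

```python
"""Host artifact check for the W32.Chimera behaviour listed in items 1 to 5.
Added example, not code from the original advisory. The snapshot below is
constructed; on a real host the three lists would come from a directory walk,
the Run key and a netstat listing."""
import ntpath

# Files the worm drops into the system directory (item 2).
SYSTEM_DROP_NAMES = {
    "svchost.ocx", "services.acm", "sol.dat", "winmine.dat",
    "freecell.vxd", "chimera.zip", "spoolmgr.exe", "update.exe",
}
# Lure names planted in P2P shared folders (item 1). The directory is not
# relied on because the advisory lists both Italian and English Program Files.
P2P_LURE_NAMES = {
    "pcbooster.exe", "windowsremotepasswordstealer.exe", "mircnuker2003.exe",
    "matrixcodeemulator.exe", "neroburningromkeygen.exe", "matrixmakesex.scr",
    "hotmailpasswordstealer.exe",
}
RUN_VALUE_NAME = "spoolermanager"   # item 3, Run key value name
RUN_PAYLOAD = "update.exe"          # item 3, Run key value data
BACKDOOR_PORT = 5822                # item 5


def classify_path(path):
    """Return 'system_drop', 'p2p_lure' or None for one Windows path."""
    parent, name = ntpath.split(path)
    name = name.lower()
    parent_dir = ntpath.basename(parent).lower()
    # Assumption: both %system% and %system32% count as the system directory.
    if name in SYSTEM_DROP_NAMES and parent_dir in ("system32", "system"):
        return "system_drop"
    if name in P2P_LURE_NAMES:
        return "p2p_lure"
    return None


def check_run_values(run_values):
    """run_values: {value name: value data} read from the Run key."""
    hits = []
    for name, data in run_values.items():
        # Fire on the known value name, or on bare 'update.exe' as the command.
        if name.lower() == RUN_VALUE_NAME or ntpath.basename(data).lower() == RUN_PAYLOAD:
            hits.append((name, data))
    return hits


def backdoor_listening(listening_ports):
    """True if the worm's command port is open."""
    return BACKDOOR_PORT in set(listening_ports)


def scan(snapshot):
    """Return a list of (indicator kind, detail) tuples for one host snapshot."""
    findings = []
    for path in snapshot["files"]:
        kind = classify_path(path)
        if kind:
            findings.append((kind, path))
    for name, data in check_run_values(snapshot["run_values"]):
        findings.append(("run_key", f"{name}={data}"))
    if backdoor_listening(snapshot["listening_ports"]):
        findings.append(("backdoor_port", str(BACKDOOR_PORT)))
    return findings


# Constructed snapshot: three file hits, plus a benign svchost.exe and an
# update.exe outside the system directory (hypothetical folder) that must not fire.
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\WINDOWS\system32\update.exe",
        r"C:\WINDOWS\system32\svchost.ocx",
        r"C:\WINDOWS\system32\svchost.exe",
        r"C:\Program Files\KaZaa\MySharedFolder\PCBooster.exe",
        r"C:\Program Files\Foo\update.exe",
    ],
    "run_values": {
        "SpoolerManager": "update.exe",
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "listening_ports": [135, 445, 5822],
}

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_SNAPSHOT):
        print(f"{kind:14} {detail}")
```

Note that svchost.ocx is matched only inside the system directory while the legitimate svchost.exe beside it is ignored; the worm's filenames mimic real system binaries by extension only.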
6. Builds its own SMTP engine and sends e-mail.
7. Harvests e-mail addresses from the user's Outlook and mails itself as an attachment to addresses ending in @yahoo.com and @hotmail.com.
8. The mail has the following form:
MAIL FROM: security@microsoft.com
RCPT TO: *@yahoo.com or *@hotmail.com
Subject: Internet Security Update
Content: Why We Are Issuing This Update:
A security issue has been identified that could allow an attacker to compromise
a computer running Microsoft Windows and gain control over it.
You can protect your computer by installing the attached update.
Severity Level: Critical
Attachment name: update.exe
9. When the user opens the attachment the worm runs and displays one of the following dialogs:
Title: "Windows Security Update"
Text: "System updated. Thank you for your interest in Windows Update"
or
Title: "Explorer"
Text: "This is not a valid Win32 application"
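The lure in items 8 and 9 relies on a spoofed MAIL FROM and an executable "update" attachment; a vendor does not distribute patches as bare .exe mail attachments, so that combination is the decisive signal for a mail gateway. The following Python script is an added example, not code from this advisory: it rebuilds the described message with the standard library, parses it back and scores it. The two messages produced by build_sample() are constructed samples, the attachment bytes are a placeholder, and the scoring rule is an assumption of the example rather than something the advisory specifies.

```python
"""Lure classifier for the W32.Chimera mail format described in items 8 and 9.
Added example, not code from the original advisory. The samples built below
are constructed; the verdict rule is an assumption for illustration."""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

LURE_SENDER_DOMAIN = "microsoft.com"            # spoofed in MAIL FROM
LURE_SUBJECT = "internet security update"
LURE_ATTACHMENT = "update.exe"
BODY_MARKERS = ("why we are issuing this update", "severity level: critical")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def build_sample(with_attachment=True):
    """Constructed sample reproducing the advisory's headers and body text."""
    msg = EmailMessage()
    msg["From"] = "security@microsoft.com"
    msg["To"] = "user@hotmail.com"
    msg["Subject"] = "Internet Security Update"
    msg.set_content(
        "Why We Are Issuing This Update:\n"
        "A security issue has been identified that could allow an attacker to "
        "compromise a computer running Microsoft Windows and gain control over it.\n"
        "You can protect your computer by installing the attached update.\n"
        "Severity Level: Critical\n")
    if with_attachment:
        # Placeholder bytes standing in for the worm body (a bare MZ header).
        msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                           subtype="octet-stream", filename="update.exe")
    return msg.as_string()


def analyse(raw):
    """Return (is_lure, reasons) for one RFC 822 message string."""
    msg = Parser(policy=policy.default).parsestr(raw)
    reasons = []

    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain == LURE_SENDER_DOMAIN:
        reasons.append(f"sender claims {LURE_SENDER_DOMAIN}: {addr}")

    if str(msg.get("Subject", "")).strip().lower() == LURE_SUBJECT:
        reasons.append("subject matches lure")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    markers = [m for m in BODY_MARKERS if m in body]
    if markers:
        reasons.append(f"body markers: {markers}")

    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    executables = [n for n in names if n.endswith(EXECUTABLE_EXT)]
    if executables:
        reasons.append(f"executable attachment: {executables}")

    # Assumed rule: an executable attachment on mail that either spoofs the
    # vendor domain or carries the known attachment name is treated as the lure.
    is_lure = bool(executables) and (domain == LURE_SENDER_DOMAIN or LURE_ATTACHMENT in names)
    return is_lure, reasons


if __name__ == "__main__":
    for with_att in (True, False):
        verdict, why = analyse(build_sample(with_att))
        print(f"attachment={with_att}: lure={verdict}; " + "; ".join(why))
```

The text-only variant still trips the sender, subject and body checks but is not flagged, which is the point: wording alone is a weak indicator, the executable attachment combined with the spoofed sender is what distinguishes the worm's mail.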