Virus name (Chinese):
Virus alias:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
606208
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This virus is a worm that spreads through e-mail and through network shares. Its main harm is opening a backdoor on the user's host; through this backdoor an attacker issues specific commands over an IRC chat room to control the host remotely, turning it into a "zombie" (肉鸡). The virus also carries out denial-of-service (DDoS) attacks. Because it spreads mainly by e-mail, users are advised not to open or run attachments from unknown e-mails. It also spreads through default network shares (ipc$, Admin$, c$, d$, etc.), so users are advised to use more complex host usernames and login passwords.
1. Adds a startup entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"
2. Spreads through network shares
\\%s\ipc$
Admin$
c$\winnt\system32
c$\windows\system32
d$\winnt\system32
d$\windows\system32
The file name is eraseme_%d%d%d%d%d.exe
3. Searches for e-mail addresses in files with the following extensions
txt
htmb
shtl
jspl
cgil
xmls
phpq
aspd
dbxn
tbbg
adbh
pl
html
4. Content of the e-mails used for propagation
Dear user %s,
You have successfully updated the password of your %s account.
If you did not authorize this change or if you need assistance with your account, please contact %s customer service at: %s
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
Dear user %s,
It has come to our attention that your %s User Profile (x) records are out of date. For further details see the attached document.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
Dear %s Member,
We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial signup process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your %s account.
Sincerely, The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
Dear %s Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The %s Support Team
+++ Attachment: No Virus found
+++ %s Antivirus - www.%s
5. IRC chat room remote-control commands
login
l
threads
t
sub
kill
k
logout
lo
who
remove
bye
testdlls
cel
uptime
up
installed
it
version
v
status
s
secure
sec
unsecure
unsec
process
ps
list
kill
del
hide
create
nickupdate
nu
randnick
rand
exploitftpd
eftpd
socks4
s4
redirect
rd
netstatp
nsp
iestart
ies
encrypt
enc
join
j
part
p
raw
r
prefix
pr
resolve
dns
currentip
cip
stats
st
banner
ban
advscan
asc
scanall
sa
lsascan
lsa
ntscan
nts
wksescan
wkse
wksoscan
wkso
pnpscan
pnp
flusharp
farp
flushdns
fdns
pstore
pst
sysinfo
si
netinfo
ni
driveinfo
di
total
t
mb
gb
mirccmd
mirc
system
sys
file
f
type
cat
exists
ex
del
rm
rmdir
move
mv
copy
cp
attrib
at
open
op
down
wget
update
upd
if
i
else
e
nick
n
host
h
id
uptime
up
recordup
rup
private
p
status
s
etc.
6. Uses the registry to detect whether it is running inside a virtual machine; if so, it does not infect, but exits and deletes itself
7. Carries out denial-of-service attacks
8. Downloads the virus via FTP or HTTP and names it eraseme_%d%d%d%d%d.exe
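As an added defender-side check (not part of the original entry), the Python below triages a constructed host snapshot for the two host-level indicators listed above: an extra entry in the Winlogon "Shell" value (behavior 1) and a file named eraseme_%d%d%d%d%d.exe in one of the system32 directories the worm writes to over c$/d$ (behaviors 2 and 8). The snapshot layout, function names and sample values are assumptions made for this example.

```python
import re
from typing import Dict, List

# Indicators taken from the entry above.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"
# Each %d may expand to more than one digit, so require at least five digits.
DROPPER_RE = re.compile(r"^eraseme_\d{5,}\.exe$", re.IGNORECASE)
SYSTEM32_DIRS = {r"c:\winnt\system32", r"c:\windows\system32",
                 r"d:\winnt\system32", r"d:\windows\system32"}


def shell_extra_entries(shell_value: str) -> List[str]:
    """Winlogon runs every comma-separated entry of "Shell"; anything besides
    explorer.exe is a persistence candidate."""
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_SHELL]


def dropper_files(listing: Dict[str, List[str]]) -> List[str]:
    """Return full paths that follow the eraseme_<digits>.exe naming scheme and
    sit in one of the system32 directories the worm copies itself into."""
    hits = []
    for directory, names in listing.items():
        if directory.lower().rstrip("\\") not in SYSTEM32_DIRS:
            continue
        for name in names:
            if DROPPER_RE.match(name):
                hits.append(directory.rstrip("\\") + "\\" + name)
    return hits


def triage(snapshot: dict) -> List[str]:
    """Combine both checks over an assumed snapshot: {"registry": {...}, "files": {...}}."""
    findings = []
    shell = snapshot.get("registry", {}).get(WINLOGON_KEY, {}).get("Shell", DEFAULT_SHELL)
    for extra in shell_extra_entries(shell):
        findings.append(f"winlogon-shell: unexpected entry '{extra}'")
    for path in dropper_files(snapshot.get("files", {})):
        findings.append(f"dropper-name: {path}")
    return findings


# Constructed sample snapshot (not real data) that exhibits both indicators.
SAMPLE_SNAPSHOT = {
    "registry": {WINLOGON_KEY: {"Shell": "explorer.exe, C:\\WINDOWS\\system32\\eraseme_48219.exe"}},
    "files": {
        r"C:\WINDOWS\system32": ["kernel32.dll", "eraseme_48219.exe"],
        r"C:\Users\alice": ["eraseme_12345.exe"],  # outside system32: not flagged by this rule
    },
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```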