Virus name (Chinese):
Alias:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
44544
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
This virus is a worm that spreads by e-mail and through file shares. When run, it copies itself into the system directory as remote.exe and adds a startup entry so that it runs at every boot. It then deletes the original file to hide itself. As an "IRC bot" it receives attacker commands through an IRC chat room and is thereby remotely controlled; on receiving specific commands it carries out flood attacks and IPC share attacks. It spreads by e-mail and also through file-sharing channels such as Kazaa and FTP.
1. Files created
%system%\remote.exe
2. Registry entries added
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemotes
"ImagePath"="%system%\remote.exe"
3. Blocks antivirus vendor and security web sites by mapping their host names to 0.0.0.0 (hosts-file entries):
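As an added defender-side example (not code from the original description), a small Python checker that parses a hosts file and flags the null-routed antivirus vendor entries described in item 3; the vendor keyword set and the sample hosts text are constructed for the example.

```python
import ipaddress

# Host-name fragments of security vendors and update services; a small set
# constructed for this example, not the list from the original description.
VENDOR_KEYWORDS = (
    "symantec", "mcafee", "kaspersky", "trendmicro", "sophos", "f-secure",
    "pandasoftware", "grisoft", "nai.com", "rising", "kingsoft", "jiangmin",
    "virustotal", "microsoft",
)
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text; comments and
    malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address: not a hosts entry
        for host in fields[1:]:
            yield addr, host.lower()


def find_hijacked_entries(text):
    """Return entries that null-route a vendor host name, i.e. the pattern the
    worm writes: 0.0.0.0 (or loopback) followed by an antivirus vendor domain."""
    return [
        (addr, host)
        for addr, host in parse_hosts(text)
        if addr in NULL_ROUTES
        and host not in LOOPBACK_NAMES
        and any(k in host for k in VENDOR_KEYWORDS)
    ]


# Constructed sample: two legitimate lines followed by three injected entries.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
0.0.0.0 liveupdate.symantec.com
0.0.0.0 update.symantec.com
0.0.0.0 www.kaspersky.com
"""
```

On a Windows host, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_hijacked_entries; any hit is worth removing and is a sign that the worm's other changes (remote.exe, the RpcRemotes service) should be checked as well.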
4. Remote control through scripts and an FTP service; other simple (IRC protocol) commands include:
NOTICE, JOIN, PONG, PING, NICK, USER, PASS, etc.
5. Copies the virus file into folders whose names contain any of the following strings:
软件 (software)
备份 (backup)
共享 (share)
下载 (download)
上传 (upload)
soft
upload
mule
morpheus
lime
kazaa
icq
www
ftp
http
htdocs
donkey
bear
bak
download
incoming
sharing
share
6. Names given to the copied virus files (decoy names with double extensions such as .jpg.exe and .doc.exe, or .scr/.pif files):
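An added example, not part of the original description: Python that scans a directory listing for the two signs described in items 5 and 6, a share or download folder name combined with a double-extension decoy file name (or any executable of exactly the stated 44544-byte length); the directory listing is constructed.

```python
import re

# Folder-name fragments the worm looks for when choosing where to drop copies
# (from item 5 above) and the extensions involved in its double-extension names.
SHARE_KEYWORDS = (
    "soft", "upload", "mule", "morpheus", "lime", "kazaa", "icq", "www", "ftp",
    "http", "htdocs", "donkey", "bear", "bak", "download", "incoming",
    "sharing", "share",
)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
DECOY_EXTS = (".jpg", ".doc", ".txt", ".mp3", ".mpg", ".rtf", ".gif", ".pdf")
# File length given in the description; an exact-size executable in a share
# folder is a cheap second signal (assumption: dropped copies are byte-identical).
WORM_SIZE = 44544

def is_share_folder(path):
    """True when the last path component contains one of the keywords."""
    name = re.split(r"[\\/]", path.rstrip("\\/"))[-1].lower()
    return any(k in name for k in SHARE_KEYWORDS)

def is_decoy_name(filename):
    """True for names such as photo.jpg.exe: a data-file extension directly
    followed by an executable one (Explorer with hidden extensions shows photo.jpg)."""
    name = filename.lower()
    for ext in EXEC_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)].endswith(DECOY_EXTS)
    return False

def scan_listing(entries):
    """entries: iterable of (folder, filename, size_in_bytes) from a directory
    walk; returns (folder, filename) for every file that matches either signal."""
    hits = []
    for folder, name, size in entries:
        if not is_share_folder(folder):
            continue
        executable = name.lower().endswith(EXEC_EXTS)
        if is_decoy_name(name) or (executable and size == WORM_SIZE):
            hits.append((folder, name))
    return hits

# Constructed directory listing: the first, third and fifth entries should fire.
SAMPLE_LISTING = [
    (r"C:\Users\alice\Downloads", "HolidayPhotos.jpg.exe", 44544),
    (r"C:\Users\alice\Downloads", "report.doc", 18202),
    (r"C:\Shared", "setup.exe", 44544),
    (r"C:\Program Files\Editor", "editor.exe", 44544),
    (r"C:\inetpub\wwwroot", "notes.txt.exe", 9100),
]
```

Feed scan_listing the tuples from an os.walk over the file server or workstation shares; hits are candidates for quarantine and hash comparison, not an automatic verdict.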
7. Content of the e-mails sent
Dear %s Member,
We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your %s account.
Sincerely, The %s Support Team

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
+++ Attachment: No Virus found
%s Antivirus - www.%s

Dear user %s,
It has come to our attention that your %s User Profile (x) records are out of date. For further details see the attached document.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
%s Antivirus - www.%s

Dear user %s,
Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free.
And it just got even better — download the latest version of Skype:
Our call quality is the best ever for talking, laughing and sharing stories.
You can forward calls on to mobiles, landlines and other Skype Names.
Make calls instantly from Outlook email or Internet Explorer with our new toolbars.
Personalise your Skype — play around with sounds, ringtones and pictures to show the world who you are.
For further details see the attached document.
This message contains graphics. If you do not see the graphics, click here (href=http://www.s***e.com/pr***cts) to view.
© 2002-2005 by Skype Technologies S.A.
href=http://skype.com/company/legal/terms/tos_web.html#hdr-website>Legal information
8. The virus opens an FTP service in the background to download and upload files
9. Other
Runs at boot by registering itself as a service
Hides itself by deleting the original file
Hides its process so that tools such as Task Manager cannot see it
Accepts commands to carry out denial-of-service attacks and IPC attacks
10. A message to Kaspersky
MSG to Kaspersky: I’m not going to put up with this! Just look at what you’ve done! You are fucking your "FanBot" and that you will know what pain is!!! I"m [Phantom]!!! by Evil[xiaoyu]