Worm.Brontok.f

Author: anonymous, 2008-08-14

Virus name (Chinese):

Alias:

Threat level: ★☆☆☆☆

Virus type: worm

Virus length: 81920 bytes

Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003

Behaviour:

This is a worm that spreads by e-mail. Its main harm is that it lowers the system's security settings; when specific conditions are met it restarts the user's computer. When double-clicked and run it opens My Documents, and once it has finished infecting the system it deletes itself.

1. Files created

%Documents and Settings%\%User%\Local Settings\Application Data\csrss.exe
%Documents and Settings%\%User%\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\%User%\Local Settings\Application Data\lsass.exe
%Documents and Settings%\%User%\Local Settings\Application Data\services.exe
%Documents and Settings%\%User%\Local Settings\Application Data\smss.exe
%Documents and Settings%\%User%\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\%User%\Start Menu\Programs\Startup\Empty.pif
%Documents and Settings%\%User%\Templates\bararontok.com
%System%\%username%'s Setting.scr
%Windows%\ShellNew\ElnorB.exe
%windows%\Tasks\At1.job
%system%\drivers\etc\hosts-DeniedBy-%username%.com

2. Startup entries added

(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Bron-Spizaetus"="%Windir%\ShellNew\ElnorB.exe"

(2) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"Tok-Cirrhatus"="%Documents and Settings%\%User%\Local Settings\Application Data\smss.exe"

(3) Scheduled task At1.job
Runs the virus at %Documents and Settings%\%User%\Templates\bararontok.com every day at 17:08.

(4) %Documents and Settings%\%User%\Start Menu\Programs\Startup\Empty.pif runs at every boot.

3. Registry modifications

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFolderOptions"="1"

HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"="1"
"DisableCMD"="0"

4. Folders created

Ok-SendMail-Bron-tok
Bron.tok-*-*
where * is a random number.

5. Harvests e-mail addresses from local files with the following extensions:

asp, cfm, csv, doc, eml, html, php, txt, wab

6. Skips e-mail addresses that contain any of the following strings:

ADMIN, AHNLAB, ALADDIN, ALERT, ALWIL, ANTIGEN, ASSOCIATE, AVAST, AVIRA, BILLING@, BUILDER, CILLIN, CONTOH, CRACK, DATABASE, DEVELOP, ESAFE, ESAVE, ESCAN, EXAMPLE, GRISOFT, HAURI, INFO@, LINUX, MASTER, MICROSOFT, NETWORK, NOD32, NORMAN, NORTON, PANDA, PROGRAM, PROLAND, PROTECT, ROBOT, SECURITY, SOURCE, SYBARI, SYMANTEC, TRUST, UPDATE, VAKSIN, VIRUS

7. Other

If the title of the current window contains any of the following strings, the computer is restarted:

.exe
Registry
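As an added example (not part of the original report), a Python check that compares a captured registry and file snapshot against the persistence, policy and dropped-file indicators listed in sections 1 to 3 above. The snapshot format (a dict of key -> {value name: data} plus a set of file paths) and the sample values are constructed for this example; on a live Windows host they would be filled from winreg and the file system.

```python
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
POL_EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced"

RUN_NAMES = {RUN_HKLM: "Bron-Spizaetus", RUN_HKCU: "Tok-Cirrhatus"}  # Run-key value names from the report
POLICY_VALUES = {  # (key, value name) -> data the worm writes to weaken the host (from the report)
    (POL_EXPLORER, "NoFolderOptions"): "1", (POL_SYSTEM, "DisableRegistryTools"): "1",
    (ADVANCED, "HideFileExt"): "1", (ADVANCED, "ShowSuperHidden"): "0", (ADVANCED, "Hidden"): "0",
}
DROPPED_NAMES = {"bararontok.com", "elnorb.exe", "empty.pif", "at1.job"}
# Legitimate system process names that the worm reuses inside Application Data.
MASQUERADE_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}

def check_snapshot(registry: dict, files: set) -> list:
    """Return one line per matched indicator; an empty list means nothing matched."""
    findings = []
    for key, name in RUN_NAMES.items():
        data = registry.get(key, {}).get(name)
        if data is not None:
            findings.append(f"run entry {name} -> {data}")
    for (key, name), bad in POLICY_VALUES.items():
        if str(registry.get(key, {}).get(name)) == bad:
            findings.append(f"policy {key}\\{name} = {bad}")
    for path in files:
        low = path.replace("/", "\\").lower()
        base = low.rsplit("\\", 1)[-1]
        if base in DROPPED_NAMES or base.startswith("hosts-deniedby-"):
            findings.append(f"dropped file {path}")
        elif base in MASQUERADE_NAMES and "\\application data\\" in low:
            findings.append(f"system process name outside System32: {path}")
    return sorted(findings)

# Constructed sample snapshot of an infected profile (not a real capture).
SAMPLE_REGISTRY = {
    RUN_HKLM: {"Bron-Spizaetus": r"C:\WINDOWS\ShellNew\ElnorB.exe"},
    RUN_HKCU: {"Tok-Cirrhatus": r"C:\Documents and Settings\alice\Local Settings\Application Data\smss.exe"},
    POL_EXPLORER: {"NoFolderOptions": "1"},
    POL_SYSTEM: {"DisableRegistryTools": "1", "DisableCMD": "0"},
    ADVANCED: {"Hidden": "0", "ShowSuperHidden": "0", "HideFileExt": "1"},
}
SAMPLE_FILES = {
    r"C:\Documents and Settings\alice\Templates\bararontok.com",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\lsass.exe",
    r"C:\WINDOWS\system32\drivers\etc\hosts-DeniedBy-alice.com",
    r"C:\WINDOWS\system32\lsass.exe",  # legitimate location: must not be flagged
}
```

Calling check_snapshot(SAMPLE_REGISTRY, SAMPLE_FILES) yields ten findings (two Run entries, five policy values, three files) and leaves the genuine System32 lsass.exe untouched.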
