Worm.Rontokbro.an

王朝other·作者佚名  2008-08-14
窄屏简体版  字體: |||超大  

病毒名称(中文):

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

35168

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

Worm.Rontokbro.an是一个能疯狂发送邮件的蠕虫病毒

1,释放病毒文件到下列目录:

%Windows%\j[RandomName].exe

%Windows%\o[RandomName].exe

%Windows%\_default[RandomName].pif

%System%\c_[RandomName]k.com

%systemroot%\BacaBro!!!.txt

2,建立名称为随机的文件夹,并释放下列病毒文件:

c.bron.tok.txt

getdomlist.txt

csrss.exe

lsass.exe

services.exe

smss.exe

winlogon.exe

m[RANDOM].exe

zh59[RANDOM].exe

yesbron.com

qm[RANDOM].exe

2,添加注册表键值

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

"AlternateShell"="c_[RANDOM]k.com"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"[RANDOM]"=""%Windir%\j[RANDOM].exe""

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies

\Explorer\Run

"[RANDOM]"=""%Windir%\_default[RANDOM].pif""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

"[RANDOM]"=""%System%\s[RANDOM]\zh59[RANDOM].exe""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies

\Explorer\Run

"[RANDOM]"=""%UserProfile%\LocalSettings\ApplicationData\dv[RANDOM]0x\yesbron.com""

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

"Userinit"="%System%\userinit.exe,%Windir%\j[RANDOM].exe"

"Shell"="Explorer.exe"%Windir%\o[RANDOM].exe""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

"Hidden"="0"

"HideFileExt"="1"

"ShowSuperHidden"="0"

3,禁用任务治理器

4,修改host文件:

127.0.0.22mcafee.com

127.0.0.22[http://]www.mcafee.com/

127.0.0.22mcafee.net

127.0.0.22[http://]www.mcafee.net/

127.0.0.22mcafee.org

127.0.0.22[http://]www.mcafee.org/

127.0.0.22mcafeesecurity.com

127.0.0.22[http://]www.mcafeesecurity.com/

127.0.0.22mcafeesecurity.net

127.0.0.22[http://]www.mcafeesecurity.net/

127.0.0.22mcafeesecurity.org

127.0.0.22[http://]www.mcafeesecurity.org/

127.0.0.22mcafeeb2b.com

127.0.0.22[http://]www.mcafeeb2b.com/

127.0.0.22mcafeeb2b.net

127.0.0.22[http://]www.mcafeeb2b.net/

127.0.0.22mcafeeb2b.org

127.0.0.22[http://]www.mcafeeb2b.org/

127.0.0.22nai.com

127.0.0.22[http://]www.nai.com/

127.0.0.22nai.net

127.0.0.22[http://]www.nai.net/

127.0.0.22nai.org

127.0.0.22[http://]www.nai.org/

127.0.0.22vil.nai.com

127.0.0.22[http://]www.vil.nai.com/

127.0.0.22vil.nai.net

127.0.0.22[http://]www.vil.nai.net/

127.0.0.22vil.nai.org

127.0.0.22[http://]www.vil.nai.org/

127.0.0.22grisoft.com

127.0.0.22[http://]www.grisoft.com/

127.0.0.22grisoft.net

127.0.0.22[http://]www.grisoft.net/

127.0.0.22grisoft.org

127.0.0.22[http://]www.grisoft.org/

127.0.0.22kaspersky-labs.com

127.0.0.22[http://]www.kaspersky-labs.com/

127.0.0.22downloads1.kaspersky-labs.com

127.0.0.22[http://]www.downloads1.kaspersky-labs.com/

127.0.0.22[http://]www.downloads4.kaspersky-labs.org/

127.0.0.22download.mcafee.com

127.0.0.22[http://]www.download.mcafee.org/

127.0.0.22norton.org

127.0.0.22[http://]www.norton.org/

127.0.0.22symantec.com

127.0.0.22[http://]www.symantec.org/

127.0.0.22liveupdate.symantecliveupdate.com

127.0.0.22[http://]www.liveupdate.symantecliveupdate.com/

127.0.0.22liveupdate.symantec.com

127.0.0.22[http://]www.liveupdate.symantec.com/

127.0.0.22liveupdate.symantec.net

127.0.0.22[http://]www.update.symantec.com/

127.0.0.22update.symantec.net

127.0.0.22securityresponse.symantec.com

127.0.0.22[http://]www.securityresponse.symantec.com/

127.0.0.22[http://]www.sarc.net/

127.0.0.22sarc.org

127.0.0.22[http://]www.vaksin.org/

127.0.0.22forum.vaksin.com

127.0.0.22[http://]www.forum.vaksin.com/

127.0.0.22[http://]www.norman.com/

127.0.0.22[http://]www.trendmicro.com/

127.0.0.22datafellows.com

127.0.0.22[http://]www.datafellows.com/

127.0.0.22datafellows.net

127.0.0.22[http://]www.datafellows.net/

127.0.0.22datafellows.org

127.0.0.22[http://]www.datafellows.org/

127.0.0.22cheyenne.com

127.0.0.22[http://]www.cheyenne.com/

127.0.0.22cheyenne.net

127.0.0.22[http://]www.cheyenne.net/

127.0.0.22[http://]www.castlecops.net/

127.0.0.22castlecops.org

127.0.0.22[http://]www.castlecops.org/

127.0.0.22anti-virus.org

127.0.0.22blogs.compactbyte.org

127.0.0.22[http://]www.blogs.compactbyte.org/

等等

5,终止含有下列字符串的进程

ahnlab

aladdin

Alicia

Anti

ash

ashmaisv

aswupdsv

avast

avg

bitdef

ccapps

cclaw

cillin

ctfmon

Dian

diary

foto

hijack

iexplorer

kangen

kill

lexplorer

machine

Mariana

mcaf

peid

untukmu

update

xpshare

zlh

taskmanager

bacabro!!!

registry

commandprompt

systemconfiguration

grouppolicy

cmd.exe

computermanagement

scheduledtask

killbox

hijack

SYSINTERNAL

PROCESSEXP

REMOVER

CLEANER

anti

washer

ertanto

BROWNIES

movzx

killer

pcmedia

pc-media

rontok

rontox

robknot

commander

windowsscript

norman

norton

symantec

taskview

peid

ahnlab

6,冲含有下列后缀名的文件中查找电子邮件地址:

.BAT

.PIF

.COM

.SCR

.EXE

.PPT

.XLS

.DOC

.CFM

.PHP

.ASP

.WAB

.EML

.CSV

.HTML

.HTM

.TXT

7用自带的smtp引擎,把自身作为福建发送出去。邮件格式为:

From:

Spoofed

Subject:

MyBestPhoto

FotokuygPalingCantik

消息内容:

Hi,

Iwanttosharemyphotowithyou.

Wishingyouallthebest.

Regards,

Hi,

Akulgisengajapengenkirimfotokekamu.

Janganlupainakuya!.

Thanks,

附件名称:

Photo.zip

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航