Worm.Sower

病毒名称(中文):

索尔

病毒别名:

威胁级别:

★★☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

113664

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这是一个可以通过多种方式传播的蠕虫病毒。该病毒的主要危害是结束大量反病毒软件，降低系统的安全等级。

1，生成文件

%system%\RAVMOND.exe

%system%\IEXPLORE.EXE

%system%\kernel66.dll

%system%\msjdbc11.dll

%system%\MSSIGN30.DLL

%windows%\SYSTRA.EXE

2，添加启动项

HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows

"run"="RAVMOND.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"VFWEncoder/DecoderSettings"="RUNDLL32.EXEMSSIGN30.DLLondll_reg"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices

"SystemTra"="%windows%\SYSTRA.EXE"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg

"ImagePath"="Rundll32.exemsjdbc11.dllondll_server"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"ProgramInWindows"="%system%\IEXPLORE.EXE"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsManagementProtocolv.0(experimental)

"ImagePath"="Rundll32.exemsjdbc11.dllondll_server"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"ProtectedStorage"="RUNDLL32.EXEMSSIGN30.DLLondll_reg"

3，结束含有下列字符串的进程

RISING

SKYNET

SYMANTEC

MCAFEE

GATE

RFW.EXE

RAVMON.EXE

KILL

NAV

DUBA

KAV

KV

4，通过可移动磁盘传播

枚举磁盘驱动器，拷贝下列病毒文件到磁盘根目录

随机文件名

PassWord

email

book

letter

bak

WORK

Important

TEST666

TEST

exe_start

Anti_virus_v99

随机后缀名

.ZIP

.RAR

.scr

.pif

.com

.exe

command.exe

autorun.inf

autorun.inf内容

[AUTORUN]

Open="%c:\COMMAND.EXE"

5，通过p2p文件共享软件传播

拷贝下列病毒文件到共享目录

Thankyou.doc.exe

3DFlashAnimator.rar.bat

SWFBrowser2.93.txt.exe

Download.exe

PandaCrack.zip.exe

WinRARV3.2.0Beta2.exe

Swish2.00.pif

AAdobePhotoshop7.0creak.pif

You_Life.JPG.pif

CloneCDcrack.exe

WinZipv9.0BetaBuild5480crack.exe

Real-DRAWPROv3.10.exe

StarWarsDownloader.exe

HyperSnap-DXv5.20.01.exe

AdobePhotoshop6.0.zip.exe

HyperSnap-DXv4.51.01.exe

6，通过弱口令攻击传播

系统弱帐号及弱口令如下：

Guest

Administrator

zxcv

yxcv

xxx

xp

win

test123

test

temp123

temp

sybase

super

sex

secret

pwd

pw123

pw

pc

Password

owner

oracle

mypc123

mypc

mypass123

mypass

love

login

Login

Internet

home

godblessyou

god

enable

database

computer

alpha

admin123

Admin

abcd

aaa

a

88888888

2600

2003

2002

123asd

123abc

123456789

1234567

123123

121212

12

11111111

110

007

00000000

000000

0

pass

54321

12345

password

passwd

server

sql

!@#$%^&*

!@#$%^&

!@#$%^

!@#$%

asdfgh

asdf

!@#$

1234

111

1

root

abc123

12345678

abcdefg

abcdef

abc

888888

666666

111111

admin

administrator

guest

654321

123456

321

123

7，邮件传播

邮件内容：

Ifyoucankeepyourheadwhenallaboutyou

Arelosingtheirsandblamingitonyou;

Ifyoucantrustyourselfwhenallmendoubtyou,

Butmakeallowancefortheirdoubtingtoo;

Ifyoucanwaitandnotbetiredbywaiting,

Or,beingliedabout,don"tdealinlies,

Or,beinghated,don"tgivewaytohating,

Andyetdon"tlooktoogood,nortalktoowise;

......morelooktotheattachment.

附件名：

thehardcoregame-.pif

SexinOffice.rm.scr

DeutschBloodPatch!.exe

s3msong.MP3.pif

Me_nude.AVI.pif

HowtoCrackallgamez.exe

MacromediaFlash.scr

SETUP.EXE

Shakira.zip.exe

dreamweaverMX(crack).exe

StarWars2-CloneAttack.rm.scr

IndustryGiantII.exe

DSLModemUncapper.rar.exe

joke.pif

Britneyspearsnude.exe.txt.exe

IamForu.doc.exe

• ·Win32.Troj.QQPass.l
• ·Win32.Troj.PswGame.ht
• ·Win32.Troj.Lmir.ah
• ·Win32.Troj.WowPsw.av
• ·Win32.Hack.Wootbot.cn
• ·Win32.Troj.Lmir.em
• ·Win32.Troj.Downloader.d
• ·Worm.Small.vb
• ·Win32.Troj.Downloader.d
• ·Win32.Troj.PswQQ.xd