Virus name (Chinese):
Aliases:
Threat level: ★☆☆☆☆
Virus type: hacker program (backdoor)
Virus length: 12621
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This virus is a hacker (backdoor) program. When run, it leaves a backdoor on the system and waits for the attacker's control commands; it also pops up pornographic web pages. Users are advised to update their antivirus software and enable a firewall to avoid infection.
1. Files created in the first stage
%SystemRoot%\system32\winrnt.exe
%SystemRoot%\system32\idbg32.exe
%SystemRoot%\system32\aset32.exe
2. Files created in the second stage
%SystemRoot%\system32\rmass.exe
%SystemRoot%\system32\ntdbg.exe
%SystemRoot%\system32\ahuy.exe
%SystemRoot%\system32\RECOVER32.DLL
3. First stage after execution: the virus first copies itself into the system folder as winrnt.exe. The winrnt.exe process then keeps itself running, drops the two files idbg32.exe and aset32.exe, and repeatedly attempts to download and run a second virus, rmass.exe.
4. Second stage: once rmass.exe has been downloaded and run, it terminates the winrnt.exe process, deletes the three files created in the first stage, and drops three files: ntdbg.exe, ahuy.exe and RECOVER32.DLL. It then aggressively contacts a number of pornographic web servers and continuously pops up pornographic web pages.
5. Advertising pages popped up by the second-stage virus
http://jlo.t0p**0.com/
http://aguilera.ft**0.net/
http://czech-s**.com/include/popup/czech-sex.html
http://amateur.multitop**st.com/?id=kair
http://www.adult-sex-special-of**r.com/naughty_amateur.html
http://tits.multitop**st.com/?ref=noexit
6. After this burst of activity the virus quiets down and only occasionally contacts the server mailrelay.**.website.ws, but it keeps UDP port 10** open and listening, waiting for the attacker's commands.
7. First-stage modification of the %System%\driver\etc\host file: it adds name-resolution entries that point a large number of Google, MSN and Yahoo search domains at a single address, 69.31.81.22.
8. Second-stage modification of the %System%\driver\etc\host file: it removes the entries added in the first stage and adds only one other resolution entry:
127.0.0.1 jdial.biz content.jdial.biz nichetgp.com www.nichetgp.com
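As an added example (not part of the original advisory), the following Python audit of a Windows hosts file flags the two patterns described in steps 7 and 8: search-engine domains pinned to a remote address, and names other than localhost pinned to loopback. The sample hosts content is constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file modelled on the entries described above;
# this is example data, not the real infected file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.31.81.22 www.google.com search.msn.com uk.search.yahoo.com
69.31.81.22 google.co.uk beta.search.msn.de
127.0.0.1 jdial.biz content.jdial.biz nichetgp.com www.nichetgp.com
"""

# Labels of search engines that a legitimate hosts file never remaps remotely.
SEARCH_LABELS = {"google", "msn", "yahoo"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed first field; skip instead of crashing
        for host in parts[1:]:
            yield str(ip), host.lower()


def is_search_domain(host):
    return bool(SEARCH_LABELS & set(host.split(".")))


def audit_hosts(text):
    """Return (kind, ip, hosts) findings: 'hijack' or 'sinkhole'."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        by_ip[ip].append(host)
    findings = []
    for ip, hosts in by_ip.items():
        loopback = ipaddress.ip_address(ip).is_loopback
        # Stage 1 pattern: search domains redirected to a remote address.
        hijacked = [h for h in hosts if is_search_domain(h) and not loopback]
        if hijacked:
            findings.append(("hijack", ip, hijacked))
        # Stage 2 pattern: non-localhost names pinned to loopback.
        sinkholed = [h for h in hosts if loopback and h != "localhost"]
        if sinkholed:
            findings.append(("sinkhole", ip, sinkholed))
    return findings
```

On a live system, read the hosts file path in place of SAMPLE_HOSTS; any 'hijack' finding is a strong indicator of the first stage, and the specific 'sinkhole' names above indicate the second.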