Virus name (Chinese):
Virus alias:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
81920
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a worm that spreads by e-mail. It searches the infected machine for e-mail addresses, sends a copy of itself to each address it finds, and also modifies a large number of IE settings.
1. Files created:
%Windows%\ShellNew\ElnorB.exe
%Documents and Settings%\%User%\Local Settings\Application Data\csrss.exe
%Documents and Settings%\%User%\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\%User%\Local Settings\Application Data\lsass.exe
%Documents and Settings%\%User%\Local Settings\Application Data\services.exe
%Documents and Settings%\%User%\Local Settings\Application Data\smss.exe
%Documents and Settings%\%User%\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\%User%\Templates\bararontok.com
%Documents and Settings%\%User%\「开始」菜单\程序\启动\Empty.pif
%System%\%username%'s Setting.scr
%windows%\Tasks\At1.job
2. Adds a registry Run entry so that the virus starts with Windows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus = %Systemroot%\ShellNew\ElnorB.exe
3. Scheduled task At1.job
The task launches the virus %Documents and Settings%\%User%\Templates\bararontok.com every day at 17:08.
Its comment reads: Created by NetScheduleJobAdd
4. Modifies the following values (key\value name = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
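A defender-side check for the persistence entry and the Explorer/policy changes in sections 2 and 4, written as an added example (not part of the original description): it parses a `reg export` text snapshot and reports which of the listed values are present with the listed data. The `.reg` snapshot and the `C:\WINDOWS` expansion of `%Systemroot%` are constructed for the demonstration.

```python
"""Scan a Windows registry export (.reg text) for the Brontok settings above.
Added example, not from the original page; SAMPLE_REG is constructed."""
import re

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
# (key, value name, expected data) from sections 2 and 4; None = presence alone is the indicator
INDICATORS = [
    (HKCU + r"\Run", "Bron-Spizaetus", None),
    (HKCU + r"\Policies\Explorer", "NoFolderOptions", 1),
    (HKCU + r"\Policies\System", "DisableCMD", 0),
    (HKCU + r"\Explorer\Advanced", "Hidden", 0),
    (HKCU + r"\Explorer\Advanced", "HideFileExt", 1),
    (HKCU + r"\Explorer\Advanced", "ShowSuperHidden", 0),
]

# Constructed snapshot of an infected profile (Policies\System is left out on purpose).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\ElnorB.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse [key] headers and "name"="str" / "name"=dword:hex lines; keys and names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, dword, s = m.groups()
            # .reg files escape backslashes in string data as \\
            keys[current][name.lower()] = int(dword, 16) if dword else s.replace("\\\\", "\\")
    return keys

def find_indicators(reg_text):
    """Return [(key, name, data)] for each indicator present with the expected data."""
    reg = parse_reg(reg_text)
    hits = []
    for key, name, expected in INDICATORS:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and (expected is None or data == expected):
            hits.append((key, name, data))
    return hits
```

Run it against the output of `reg export HKCU hkcu.reg` from a suspect profile; a hit on the Run value alone is enough to warrant removing the file it points to and the At1.job task.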
5. Searches the infected machine for files with the following extensions to harvest e-mail addresses:
asp
cfm
csv
doc
eml
html
php
txt
wab
6. Discards e-mail addresses that contain any of the following strings:
ADMIN
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
ASSOCIATE
AVAST
AVIRA
BILLING@
BUILDER
CILLIN
CONTOH
CRACK
DATABASE
DEVELOP
ESAFE
ESAVE
ESCAN
EXAMPLE
GRISOFT
HAURI
INFO@
LINUX
MASTER
MICROSOFT
NETWORK
NOD32
NORMAN
NORTON
PANDA
PROGRAM
PROLAND
PROTECT
ROBOT
SECURITY
SOURCE
SYBARI
SYMANTEC
TRUST
UPDATE
VAKSIN
VIRUS