Virus name (Chinese):
Aliases:
Threat level: ★☆☆☆☆
Virus type: Worm
Virus length: 102912
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behaviour:
This is a worm that spreads by e-mail. It drops several copies of itself onto the system, modifies the registry to prevent the user from using the Registry Editor and the command prompt, launches attacks against two websites, and restarts the system whenever it detects a window whose title contains one of a set of specific strings. It harvests e-mail addresses from files of particular types and, using a forged sender address, sends itself as an attachment to those addresses in the hope that the recipients open and run it.
1. After running, the worm copies itself to the following locations:
C:\Windows\PIF\CVT.exe
%UserProfile%\APPDATA\IDTemplate.exe
%UserProfile%\APPDATA\services.exe
%UserProfile%\APPDATA\lsass.exe
%UserProfile%\APPDATA\inetinfo.exe
%UserProfile%\APPDATA\csrss.exe
%UserProfile%\APPDATA\winlogon.exe
%UserProfile%\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
%System%\3DAnimation.scr
2. Adds registry startup (Run) entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Bron-Spizaetus"="C:\WINDOWS\PIF\CVT.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Tok-Cirrhatus"="%UserProfile%\APPDATA\IDTemplate.exe"
3. Modifies registry values to disable the Registry Editor and the command prompt:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"="1"
"DisableCMD"="2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFolderOptions"="1"
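The Run entries in step 2 and the policy values in step 3 are the artefacts a responder can check for without running the sample. The script below is an added example written for this page, not code from the original description: it parses the text that `reg export` produces (.reg format), then flags the value names and policy settings listed above. The registry snapshot it scans is constructed inline; the value names, key paths and data values come from the description, while the benign "ExampleUpdater" entry is a made-up placeholder that must not be flagged.

```python
"""Check a .reg export for the persistence and lockout artefacts listed above.

Added example for this page (not code from the original description).
Usage on a real host (assumption: Windows, reg.exe available):
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg
    python this_script.py run.reg
reg.exe writes UTF-16, so the file is opened with encoding="utf-16".
"""
import re
import sys
from typing import Dict, List

# Value names the worm writes under ...\CurrentVersion\Run (from the description).
RUN_VALUE_NAMES = {"Bron-Spizaetus", "Tok-Cirrhatus"}

# (hive-relative key, value name) -> data the worm writes (from the description).
POLICY_RULES = {
    (r"software\microsoft\windows\currentversion\policies\system", "DisableRegistryTools"): 1,
    (r"software\microsoft\windows\currentversion\policies\system", "DisableCMD"): 2,
    (r"software\microsoft\windows\currentversion\policies\explorer", "NoFolderOptions"): 1,
}
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {full_key: {value_name: data}}.

    Handles "name"="string" (with \\ unescaped) and "name"=dword:xxxxxxxx;
    any other data type is kept as the raw string after the '='.
    """
    tree: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                tree[current][name] = data[1:-1].replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                tree[current][name] = int(data[6:], 16)
            else:
                tree[current][name] = data
    return tree


def _as_int(data: object):
    """Policy values may appear as DWORDs or as numeric strings; normalise both."""
    if isinstance(data, int):
        return data
    if isinstance(data, str) and data.strip().isdigit():
        return int(data)
    return None


def find_brontok_artifacts(tree: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one human-readable finding per matching Run entry or policy value."""
    hits: List[str] = []
    for key, values in tree.items():
        key_lc = key.lower()
        # Drop the hive name so HKLM and HKCU paths are compared the same way.
        hive_relative = key_lc.split("\\", 1)[1] if "\\" in key_lc else key_lc
        if hive_relative.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if name in RUN_VALUE_NAMES:
                    hits.append(f"run-key persistence: {key}\\{name} = {data}")
        for (suffix, vname), expected in POLICY_RULES.items():
            if hive_relative.endswith(suffix) and vname in values:
                if _as_int(values[vname]) == expected:
                    hits.append(f"lockout policy: {key}\\{vname} = {expected}")
    return hits


# Constructed snapshot: two infected keys plus one benign, made-up Run entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\PIF\\CVT.exe"
"ExampleUpdater"="C:\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''


def scan_reg_text(text: str) -> List[str]:
    return find_brontok_artifacts(parse_reg_export(text))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            findings = scan_reg_text(fh.read())
    else:
        findings = scan_reg_text(SAMPLE_EXPORT)
    for line in findings:
        print(line)
```

On the constructed snapshot the scan reports the Bron-Spizaetus Run entry and all three policy values and stays silent on the placeholder updater. Matching on the hive-relative key suffix means the same rules cover both the HKLM and HKCU Run keys from step 2; a RunOnce key does not end in `\run` and is not matched.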
4. Creates the folder:
%UserProfile%\Local Settings\Application Data\Bron.tok-24
5. Overwrites the contents of C:\Autoexec.bat with "pause"
6. Restarts the system when it detects a window whose title contains any of the following strings:
..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMANDPROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOGOFFWINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPTHOST
SEARCHR
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUTDOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEMCONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWSSECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE
7. Launches ping flood attacks against the following two sites:
israel.gov.il
playboy.com
8. Harvests e-mail addresses from files with the following extensions on drives C: through Y:
.asp
.cfm
.csv
.doc
.eml
.html
.php
.txt
.wab
9. Skips e-mail addresses that contain any of the following strings:
PLASA
TELKOM
INDO
.CO.ID
.GO.ID
.MIL.ID
.SCH.ID
.NET.ID
.OR.ID
.AC.ID
.WEB.ID
.WAR.NET.ID
ASTAGA
GAUL
BOLEH
EMAILKU
SATU
10. Sends infected e-mail, with a forged sender address, to the harvested addresses:
Subject: [empty]
Body:
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
(Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
Attachment: Kangen.exe