Aliases: Downloader-BAI!M711 (McAfee), W32/Downloader.AYEV (Trend), W32/Dref-X (Sophos), Win32/Luder.K!corrupt, Win32/Luder.K!Worm, Trojan.Peacomm (Symantec), Email-Worm.Win32.Zhelatin.a (Kaspersky)
Type: Worm
Severity: Medium
Prevalence: High
Details:
Characteristics:
Win32/Luder.K is a worm that spreads by e-mail and also by inserting itself into PE files. In addition, it drops a trojan that downloads and runs other malicious programs. It is a 47,235-byte, UPX-packed, encrypted Win32 executable.
Infection:
When run, Win32/Luder.K copies itself to the %System% directory as "alsys.exe" and sets the hidden attribute on the file. It then modifies the following registry values so that this copy runs at every system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Agent = "%System%\alsys.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Agent = "%System%\alsys.exe"
The worm also creates a mutex named "klllekkdkkd" to ensure that only one copy runs at a time.
Note: '%System%' is a variable path. The worm determines the location of the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on 95, 98 and ME, and C:\Windows\System32 on XP.
Propagation:
Via e-mail
Luder.K searches drives 'Z:\' down to 'C:\' for files smaller than 122,880 bytes with the extensions "exe", "scr" and "rar", and harvests e-mail addresses from them.
The worm performs DNS MX (mail exchanger) queries to find a suitable mail server for each domain it sends itself to. It uses the locally configured default DNS server for these queries.
Luder.K attempts to send a message to every e-mail address it has collected. The messages it sends have the following characteristics:
From address:
The worm uses an arbitrary name (chosen from a list it carries) or a randomly generated string of characters, combined with "yahoo.com", for example [email protected].
The subject may be one of:
5 Reasons I Love You
A Bouquet of Love
A Day in Bed Coupon
A Hug & Roses
A Kiss for You
A Kiss So Gentle
A Little (sex) Card
A Monkey Rose for You
A Red Hot Kiss
A Relaxing Coupon
A Romantic Place
A Song to You
A Special Flower for You
A Special Kiss
A Sweet Love
A Token of My Love
A Weekend Getaway
Against All Odds
All For You
All That Matters
Angel of Love
Awaiting Your Love
Baby, I'll Be There
Back Together
Between Us
Bewitching Moonlight
Brand New Love
Breakfast in Bed Coupon
Bubble Bath Coupon
Can't Wait to See You!
Crazy way to say I Luv U
Cuddle Me Please
Cuddle Up
Cyber Love
Dancing With You
Dinner Coupon
Doing It for You
Dream Date Coupon
Dream Girl
Emptiness Inside Me
Eternity of Your Love
Evening Romance
Every Inch of Your Body
Everyone Needs Someone
Falling In Love with You
Feeling Horny?
Fields Of Love
For Better of For Worse
For You
For You....My Love
Forever and Ever
Forever in Love
From this day forward
Full Heart
Hand in Hand
Hand in Hand
He Blessed Our Lives
Heart is Breaking
Heart of Mine
Hey Cutie
Hold Me (distant love)
Hold On
How Much I Love You
Hugging My Pillow
I Always Knew
I am Complete
I Am Lost In You
I Believe
I Can't Function
I Dream of you
I Give to You
I Love Thee
I Love Thee
I Love You Mower
I Love You So
I Love You Soo Much
I Love You with All I Am
I Still Love You
I Think of You
I Win with You
I wish
I Woof You
I Would Do Anything
I Would Give you Anything
If I Could
If I Knew
I'll Be Your Man
In Love
In My Heart
Inside My Heart
Internet Love
It's Your Move
Just You
Just You & Me
Kiss Coupon
Kisses, Hugs & Roses
Last Night was Hot!
Let's Get Frisky
Live With Me
Longing for You
Love at First Sight
Love Birds
Love for Granted
Love is in the Air
Love Remains
Love You Deeply
Made for Each Other
Magic of Flowers
Massage Coupon
Memories
Miracle of Love
Miracle of Love
Moonlit Waterfall
Most Beautiful Girl
My Eye on You
My Heart belongs to you
My Heart is Thinking
My Invitation
My Love
My Perfect Love
Now and Forever
Now I Know
Old Together
Only You
Our Love
Our Love Everyday
Our Love is Free
Our Love is Strong
Our love is torn by miles
Our Love Nest
Our Love Will Last
Our Two Hearts
Our Wedding Day
P.M.S
Passionate Kiss
Peek-A-Boo
Pockets of Love
Puppy Love
Red Rose
Romantic Picnic Coupon
Rose for my Love
Safe and Sound
Safe With You
Search for One
Sending Kiss
Sending You My Love
Sending You My Love
Showers Of Love
So in Love
So in Love
So Unique
Solitary Beauty
Someone at Last
Soul Mates
Soul Partners
Steamy Dream
Steamy Sex Coupon
Summer Love
Take My Hand
Teddy Bear & Roses
Tender Whispers
Thanks...Love
That Special Love
The Candle's Light
The Dance of Love
The Kiss
The Letter
The Long Haul
The Love Bugs
The Miracle of Love
The Mood for Love
The Mood for Love
The Sweet Taste of Love
The Time for Love
Thinking about you
Thinking of You
This Day Forward
This Feeling
Til the End of Time
Till Morning's Light
Till Morninig's Light
Times Are Hard, I Luv U
To New Spouse
Together Again
Together You and I
Touched by Love
True Love
Trunk Full Of Love
Twice Blest
Twilight Paradise
Two of a Kind
Unique Love
Unmatchable Beauty
Until the Day
Vacation Love
Waiting for You
Want to Meet?
Want You to Know
We Are Different
We Have Walked
We're a Perfect Fit
When I look at you
When I'm With You
When I'm With You
When You Fall in Love
Why I Love You
Wild Nights--Wild Nights
Will You?
Window of Beauty
Wine and Roses
Wish I Could Tell You
Wish Upon a Star
With All My Love
With All of My Heart
With This Ring
Without Your Love
Won't you dance with me
Words I Write
Worthy of You
Wrapped in Your Arms
Wrapped Up
You + Me
You and I
You and I Forever
You Are My Guiding Star
You are out of this world
You Asked Me Why
You Brighten My Day
You Lucky Duck!
You Rock Me!
You Were Worth the Wait
Your Love Has Opened
Your Silly Smile
You're My Hero
You're so Far Away
You're Soo kissable
You're the One
Attachment names:
flash postcard.exe
Flash Postcard.exe
Greeting Card.exe
greeting card.exe
Greeting Postcard.exe
greeting postcard.exe
Postcard.exe
postcard.exe
Via file infection - PE files
Each time Luder.K finds a file with an "exe" or "scr" extension, it copies itself into that file's directory under a .t file name and sets the copy as hidden.
Note: the name consists of 8 lowercase letters, for example "vrstmkgk.t".
Luder.K checks the file's PE header to see whether there is enough space, and inserts a piece of code into the middle of the file. It does not infect DLLs or executables that are already infected. When an infected file is run, it first runs the associated .t file. Luder.K writes 666 into the timestamp field of the infected file's PE header as a marker, so that it does not infect the same file again.
Note: the .t files it generates are not modified by Luder.K, even where not all of the infection conditions are met.
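The 666 marker described above lives in the COFF TimeDateStamp field of the PE header, so a defender can sweep a file tree for it without running any AV engine. The following is an added example, not code from the original page or from any vendor: it parses the MZ/PE header, returns the timestamp, and flags .exe/.scr files (the types the worm infects) whose value equals 666. The `build_sample_pe` helper constructs a minimal header purely for testing and is not a real executable.

```python
import os
import struct

# Value Luder.K writes into the PE TimeDateStamp of infected files (from the
# description above); a genuine build timestamp of 666 (1970-01-01 00:11:06
# UTC) is essentially never seen in legitimate software.
LUDER_K_MARKER = 666

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if not MZ/PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def has_luder_marker(data: bytes) -> bool:
    """True when the image carries the Luder.K infection marker."""
    return pe_timestamp(data) == LUDER_K_MARKER

def scan_tree(root: str, exts=(".exe", ".scr")):
    """Walk root and return paths of .exe/.scr files carrying the marker.
    Only the first 4 KiB is read; an image with an unusually large DOS
    stub would need a bigger read to reach its PE header."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if has_luder_marker(head):
                hits.append(path)
    return hits

def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header (test input only, not a program)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\0\0" + coff
```

A hit is an indicator, not proof of infection: confirm any flagged file with a current AV scan before acting on it.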
Payload:
Drops and runs other malware
Luder.K drops the Win32/Pecoan.E trojan on the infected machine.
Terminates processes
Every 4 seconds, Luder.K attempts to terminate the Registry Editor (regedit.exe) and any other running process whose name (as shown in the Windows title bar) contains one of the following strings:
anti
avg
avp
blackice
firewall
f-pro
hijack
lockdown
mcafee
msconfig
nav
nod32
rav
reged
spybot
taskmgr
troja
viru
vsmon
zonea
Modifies system settings
Luder.K modifies the following registry value to disable the "Windows Firewall/Internet Connection Sharing (ICS)" service (also known as "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4
Removal:
KILL 安全胄甲 InoculateIT 23.73.120 and Vet 30.3.3343 can detect and remove this virus.
Related entries
Trojan Win32.SillyDl.IQ
Worm Win32.Kipis.A
Worm Win32.Luder.U
Trojan Win32.Chepvil.C
Worm Win32.Luder.O
Worm Win32.Robzips.M
Worm Win32.Duiskbot.AF