Virus name:
Virus alias: IM-Worm.Win32.Aimes.C [AVP]
Processing time:
Threat level: ★★
Chinese name:
Virus type: Worm
Affected systems: Win9x / WinNT
Virus behavior
This is a worm that spreads through AIM. The worm looks for AIM in specific directories and runs it, then sends the message "Hey I went to a wild party last week! checkout the pics!!!!" to the victim's AIM buddies together with the file C:\party!!.pif, spreading itself this way. The worm also modifies the registry to disable Task Manager and Registry Editor, tries to use taskkill to terminate certain system processes, and launches an attack against a certain website. Unlike variant B, this variant adds email as an infection vector: it impersonates the security software company Symantec and sends out emails carrying a copy of the worm.
1. Drops files.
Copies itself to the following files:
C:\Windows\sys32dll.exe
C:\party!!.pif
2. Modifies the registry.
Adds or modifies the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sys32dll
"C:\Windows\sys32dll.exe"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\
"NoAutoUpdate"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\security center\
"FirewallDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\security center\
"UpdatesDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\security center\
"AntiVirusDisableNotify"=dword:0x1
HKLM\Software\Microsoft\security center\
"FirewallDisableNotify"=dword:0x1
HKLM\Software\Microsoft\security center\
"UpdatesDisableNotify"=dword:0x1
HKLM\Software\Microsoft\security center\
"AntiVirusDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr"=dword:0x1
"DisableRegistryTools"=dword:0x1
Deletes the following registry value:
HKLM\software\Microsoft\windows\currentversion\run
"windows auto update.exe"
3. Terminates system processes (Windows XP and later):
TASKKILL /T /F /IM SVCHOST.exe
TASKKILL /F /IM LSASS.exe
4. Launches an attack against a certain website.
5. Attempts to run AIM from the following paths:
C:\Program Files\AIM\aim.exe
C:\Program Files\aim95\aim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM95\aim.exe
Sends the message "Hey I went to a wild party last week! checkout the pics!!!!" to the victim's AIM buddies together with the file C:\party!!.pif, spreading itself this way.
6. Searches files with certain extensions on the local disks for email addresses, then sends mail to each address found, with a copy of the worm as the attachment.
The subject may be one of:
New worm on the looser please read
Blaster strikes again...please read!
New Computer Virus Protection!!
Read this please!
Read it!
Family Album
Antivirus Update
Protect your SYSTEM from new viruses!
Destroy Blaster
Read this for your PC's safety!!
Sender: [email protected]; the message body reads:
Dear user, a new variant of the worm 'Blaster' has been released a week ago!
It's spreading faster than it ever did, this version of Blaster has been classified as 'Category 5'.
Please click on the following link to understand how bad is a worm classified in Category 5:
http://securityresponse.symantec.com/avcenter/threat.severity.html#category
Symantec has developped a new 'patch' file which will prevent the new variant of Blaster to be executed and keep your system safe and clean.
The Patch file can be found in the attachment, please make sure you install it before being infected, because if you're already infected, the patch file cannot fix/remove this type of threat as it's not yet studied quite good. Symantec strongly recommends you to download and install the patch file before it's too late!
Symantec will soon release the 'Removal Tool' for this threat.
So if you don't often visit Symantec.com, we recommend you to visit us everyday to be in touch with the news of this type of threat.
P.S: We would like to thank Mr.Bazzi for making this patch file.
Regards,
Symantec, http://www.symantec.com
Attachment name: Patch.zip
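The email vector in step 6 is fully characterized by a fixed subject list, a forged Symantec sender and a Patch.zip attachment, which makes it a good fit for a mail-gateway rule. The script below is an added example written for this page, not code from the page's author or from any mail product: it builds a constructed message in the shape described above (the sender address is made up, since the page does not show it, and the attachment bytes are a placeholder, not an archive) and scores it against the indicators from the page using only the standard library.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Subjects and attachment name as listed on this page.
LURE_SUBJECTS = {s.lower() for s in [
    "New worm on the looser please read",
    "Blaster strikes again...please read!",
    "New Computer Virus Protection!!",
    "Read this please!",
    "Read it!",
    "Family Album",
    "Antivirus Update",
    "Protect your SYSTEM from new viruses!",
    "Destroy Blaster",
    "Read this for your PC's safety!!",
]}
LURE_ATTACHMENT = "patch.zip"
# The page says the sender poses as Symantec; the exact address is not shown, so the
# domain is an assumption for this example.
IMPERSONATED_DOMAIN = "symantec.com"


def build_sample_lure():
    """Constructed message in the shape of the lure described above (sender address is made up)."""
    msg = EmailMessage()
    msg["From"] = "Symantec Security Response <security-response@symantec.com>"  # constructed
    msg["To"] = "user@example.com"
    msg["Subject"] = "Antivirus Update"
    msg.set_content(
        "Dear user, a new variant of the worm 'Blaster' has been released a week ago!\n"
        "The Patch file can be found in the attachment, please make sure you install it "
        "before being infected.\n"
    )
    # Placeholder bytes standing in for the attachment; not an archive and not the worm.
    msg.add_attachment(b"PLACEHOLDER", maintype="application", subtype="zip", filename="Patch.zip")
    return msg


def build_benign_message():
    """Constructed ordinary message used as the negative case."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Are you free at noon?\n")
    return msg


def lure_indicators(msg):
    """Return the reasons this message matches the lure; an empty list means no match."""
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject is one of the known lure subjects")

    sender = parseaddr(msg["From"] or "")[1].lower()
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    if LURE_ATTACHMENT in names:
        reasons.append("carries attachment Patch.zip")
    if sender.endswith("@" + IMPERSONATED_DOMAIN) and names:
        reasons.append("purports to come from symantec.com and carries an attachment")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if "blaster" in text and "patch" in text and "attachment" in text:
        reasons.append("body pushes a 'Blaster patch' delivered as the attachment")
    return reasons


def is_lure(msg):
    """Two independent indicators are required, so a single coincidental subject is not enough."""
    return len(lure_indicators(msg)) >= 2


if __name__ == "__main__":
    for label, message in (("lure", build_sample_lure()), ("benign", build_benign_message())):
        print(label, is_lure(message), lure_indicators(message))
```

The threshold of two indicators is a design choice for the example: the subject "Family Album" or "Read it!" can occur in legitimate mail, but a message that also carries Patch.zip or claims a vendor sender while pushing an executable attachment is worth quarantining.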