Virus profile
Virus alias:
Processed: 2005-08-18
Threat level: ★★
Chinese name:
Virus type: Worm
Affected systems: Win 2000/NT, Win XP, Win 2003
Virus behaviour
This is a malicious worm that spreads through the MS05-039 vulnerability (the Windows Plug and Play remote code execution flaw), through the shared folders of P2P software, and through e-mail. When it runs, it terminates the processes and services of many security products and deletes those products, and it modifies the hosts file so that the user can no longer reach the avp.com site.
1. Drops the following files into the %SYSTEMROOT% directory:
msdefr.exe
nb32ext2.exe
services.exe
2. Modifies the hosts file by appending the following line (quoted as given in the original write-up; note that a hosts entry is normally written address first):
avp.com 127.0.0.1
so that the user can no longer reach the avp.com site.
3. Modifies the registry (key, then value name = data):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
    DisableRegistryTools = dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    IEPsdgxc = dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
    fdfg = dword:00000013
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    DisableRegistryTools = dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RPCserv32g = "D:\WINNT\services.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    helloworld = "nb32ext2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = "%System32%\userinit.exe,%SystemRoot%\services.exe,"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = dword:00000004
The Run and RunServices values start the dropped copies at boot, and appending the dropped services.exe to the Winlogon Userinit list runs it at every interactive logon. Setting Start to 4 on the SharedAccess service disables the Windows Firewall / Internet Connection Sharing service. Note that the dropped services.exe lives directly in %SystemRoot%, whereas the genuine services.exe lives in %SystemRoot%\System32.
4. Stops the following services and deletes their files:
"NETSKY"
"navapsvc"
"NProtectService"
"Norton Antivirus Server"
"VexiraAntivirus"
"dvpinit"
"dvpapi"
"schscnt"
"BackWeb Client - 7681197"
"F-Secure Gatekeeper Handler Starter"
"FSMA"
"avpcc"
"KAVMonitorService"
"Norman NJeeves"
"NVCScheduler"
"nvcoas"
"Norman ZANDA"
"PASSRV"
"SweepNet"
"SWEEPSRV.SYS"
"NOD32ControlCenter"
"NOD32Service"
"PCCPFW"
"Tmntsrv"
"AvxIni"
"XCOMM"
"ravmon8"
"SmcService"
"BlackICE"
"PersFW"
"McAfee Firewall"
"OutpostFirewall"
"NWService"
"NISUM"
"NISSERV"
"vsmon"
5. Terminates the following processes and deletes their files:
"Lien Van de Kelderrr.exe"
"winshost.exe"
"msnmsgr.exe"
"wfdmgr.exe"
"OUTPOST.EXE"
"IAOIN.EXE"
"RB.EXE"
"b055262c.dll"
"backdoor.rbot.gen.exe"
"backdoor.rbot.gen_(17).exe"
"msssss.exe"
"rasmngr.exe"
"dailin.exe"
"wowpos32.exe"
"wuamgrd.exe"
"taskmanagr.exe"
"wuamga.exe"
"ATUPDATER.EXE"
"AVWUPD32.EXE"
"AVPUPD.EXE"
"LUALL.EXE"
"DRWEBUPW.EXE"
"ICSSUPPNT.EXE"
"ICSUPP95.EXE"
"UPDATE.EXE"
"NUPGRADE.EXE"
"ATUPDATER.EXE"
"AUPDATE.EXE"
"AUTODOWN.EXE"
"AUTOTRACE.EXE"
"AUTOUPDATE.EXE"
"AVXQUAR.EXE"
"CFIAUDIT.EXE"
"MCUPDATE.EXE"
"NUPGRADE.EXE"
"Systra.exe"
"RAVMOND.exe"
"gfxacc.exe"
"VisualGuard.exe"
"WIN-BUGSFIX.EXE"
"win32.exe"
"win32us.exe"
"winactive.exe"
"window.exe"
"windows.exe"
"wininetd.exe"
"wininit.exe"
"WININITX.EXE"
"winlogin.exe"
"winmain.exe"
"winppr32.exe"
"winrecon.exe"
"winssk32.exe"
"winstart.exe"
"winstart001.exe"
"wintsk32.exe"
"winupdate.exe"
"wkufind.exe"
"wnad.exe"
"WNT.EXE"
"WRADMIN.EXE"
"WRCTRL.EXE"
"WUPDATER.EXE"
"wupdt.exe"
"WYVERNWORKSFIREWALL.EXE"
"XPF202EN.EXE"
"ZAPRO.EXE"
"ZAPSETUP3001.EXE"
"ZATUTOR.EXE"
"ZONALM2601.EXE"
"ZONEALARM.EXE"
"_AVP32.EXE"
"_AVPCC.EXE"
"_AVPM.EXE"
"hijackthis.exe"
"F-AGOBOT.EXE"
6. Sends e-mail carrying the worm to the user's contacts.
7. Attacks other hosts on the network through the MS05-039 vulnerability; any host on which the attack succeeds becomes infected with the worm.
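The host changes in items 1 to 3 are what a responder can confirm offline from artefacts already collected: a file listing of %SystemRoot%, the hosts file, and a regedit export of the touched keys. The Python below is an added triage example written for this page, not the vendor's tool or code from the worm. It checks the indicators the write-up lists: dropped names sitting directly in %SystemRoot% (the genuine services.exe is in System32, so a copy one level up is a masquerade), non-localhost names pointed at loopback in the hosts file (either token order is accepted, since the write-up quotes the entry as "avp.com 127.0.0.1"), the RPCserv32g and helloworld autorun values, extra commands in the Winlogon Userinit list, and SharedAccess set to Start=4. All sample data is constructed; the D:\WINNT root mirrors the Run value on the page, and the concrete Userinit paths stand in for the %System32% and %SystemRoot% placeholders the write-up uses. The function names and the .reg parser are this example's own.

```python
"""Added IOC triage for items 1 to 3 above (not the vendor's code). Inputs are the
hosts file text and a .reg export of the keys the worm touches; samples are constructed."""
import re

LOOPBACK = {"127.0.0.1", "::1"}
DROPPED_FILES = {"msdefr.exe", "nb32ext2.exe", "services.exe"}  # dropped into %SystemRoot%
RUN_VALUES = {  # autorun value names the write-up lists, keyed by registry key
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "RPCserv32g",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": "helloworld",
}
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHAREDACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"


def hijacked_hosts(text):
    """Non-localhost names on any hosts line carrying a loopback address. The write-up
    quotes the appended line as 'avp.com 127.0.0.1', so either token order is accepted."""
    hits = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        if any(t in LOOPBACK for t in tokens):
            hits += [t.lower() for t in tokens
                     if t not in LOOPBACK and t.lower() not in ("localhost", "localhost.localdomain")]
    return hits


def parse_reg(text):
    """Minimal regedit-export parser -> {key: {name: value}}; handles quoted strings
    (backslashes are doubled in .reg files) and dword: values."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            cur = key.group(1)
            keys.setdefault(cur, {})
            continue
        val = re.match(r'^"([^"]+)"=(.+)$', line)
        if val and cur is not None:
            name, raw = val.groups()
            if raw.startswith("dword:"):
                keys[cur][name] = int(raw[len("dword:"):], 16)
            else:
                keys[cur][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def userinit_extras(value):
    """Winlogon\\Userinit is a comma-separated command list; anything besides the
    genuine userinit.exe is an injected logon hook."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("userinit.exe")]


def dropped_in_systemroot(paths, systemroot):
    """Flag the dropped names sitting directly in %SystemRoot%. The genuine services.exe
    lives in %SystemRoot%\\System32, so a copy one level up is a masquerade."""
    hits = []
    for p in paths:
        parent, _, name = p.replace("/", "\\").rpartition("\\")
        if name.lower() in DROPPED_FILES and parent.lower() == systemroot.lower():
            hits.append(p)
    return hits


def triage(hosts_text, reg_text, file_listing, systemroot):
    """Run every check; findings come back in a fixed order: file, hosts, autorun, winlogon, service."""
    reg = parse_reg(reg_text)
    findings = [f"file: {p} (dropped name directly under %SystemRoot%)"
                for p in dropped_in_systemroot(file_listing, systemroot)]
    findings += [f"hosts: {h} redirected to loopback" for h in hijacked_hosts(hosts_text)]
    for key, name in RUN_VALUES.items():
        if name in reg.get(key, {}):
            findings.append(f"autorun: {key}\\{name} = {reg[key][name]}")
    findings += [f"winlogon: extra Userinit entry {e}"
                 for e in userinit_extras(reg.get(WINLOGON, {}).get("Userinit", ""))]
    if reg.get(SHAREDACCESS, {}).get("Start") == 4:  # Start=4 means the service is disabled
        findings.append("service: SharedAccess (Windows Firewall/ICS) Start=4, i.e. disabled")
    return findings


# Constructed sample data mirroring the write-up (D:\WINNT as in its Run value).
SAMPLE_HOSTS = "127.0.0.1       localhost\navp.com 127.0.0.1\n"
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPCserv32g"="D:\\WINNT\\services.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"helloworld"="nb32ext2.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="D:\\WINNT\\system32\\userinit.exe,D:\\WINNT\\services.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
SAMPLE_FILES = [r"D:\WINNT\system32\services.exe", r"D:\WINNT\services.exe",
                r"D:\WINNT\msdefr.exe", r"D:\WINNT\explorer.exe"]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_HOSTS, SAMPLE_REG, SAMPLE_FILES, r"D:\WINNT")))
```

On a live host the same inputs come from `dir %SystemRoot%`, `%SystemRoot%\System32\drivers\etc\hosts` and `reg export` of the four keys; the System32 copy of services.exe in the sample is deliberately not reported, and the Userinit check keys on the list shape rather than on the exact path, so it also catches hooks this write-up does not name.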