病毒簡介
病毒別名:處理時間:2005-08-01
威脅級別:★★
中文名稱:
病毒類型:蠕蟲
影響系統:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行為
這是一個通過電子郵件傳播的蠕蟲病毒.
自動搜尋用戶機器上的電子郵件地址,自建SMTP引擎,把自身偽裝成windows的更新程式,作為郵件附屬檔案傳送出去.還能刪除用戶的系統檔案,導致系統不穩定.能造成DoS攻擊.
1,釋放312個檔案到下面目錄:
'c:\programmi\gnucleus\downloads\incoming\PC Booster.exe'
'c:\programmi\gnucleus\downloads\PC Booster.exe'
'c:\programmi\KMD\my shared folder\PC Booster.exe'
'c:\programmi\BearShare\Shared\PC Booster.exe'
'c:\programmi\KaZaa Lite\My Shared Folder\PC Booster.exe'
'c:\programmi\KaZaa\My Shared Folder\PC Booster.exe'
'c:\programmi\Morpheus\my shared folder\PC Booster.exe'
'c:\programmi\Morpheus\my shared folder\PC Booster.exe'
'c:\programmi\eDonkey2000\incoming\PC Booster.exe'
'c:\programmi\direct connect\received files\PC Booster.exe'
'c:\programmi\grokster\my grokster\PC Booster.exe'
'c:\programmi\LimeWire\shared\PC Booster.exe'
'c:\programmi\icq\shared files\Windows Remote Password Stealer.exe'
'c:\programmi\gnucleus\downloads\incoming\mIRC Nuker 2003.exe'
'c:\programmi\direct connect\received files\mIRC Nuker 2003.exe'
'c:\programmi\KaZaa\My Shared Folder\Matrix Code Emulator.exe'
'c:\programmi\limeWire\shared\Matrix Code Emulator.exe'
'c:\programmi\BearShare\Shared\Nero Burning ROM Keygen.exe'
'c:\programmi\limeWire\shared\Nero Burning ROM Keygen.exe'
'c:\programmi\KaZaa\My Shared Folder\Matrix make Sex.scr'
'c:\programmi\BearShare\Shared\Hotmail Password Stealer.exe'
'c:\program files\grokster\my grokster\Windows Remote Password Stealer.exe'
'c:\program files\limeWire\shared\Windows Remote Password Stealer.exe'
'c:\program files\icq\shared files\Windows Remote Password Stealer.exe'
'c:\program files\gnucleus\downloads\incoming\mIRC Nuker 2003.exe'
'c:\program files\KaZaa\My Shared Folder\mIRC Nuker 2003.exe'
等等
2,釋放下列檔案到系統目錄:
'%system32%\svchost.ocx'
'%system32%\services.acm'
'%system32%\sol.dat'
'%system32%\winmine.dat'
'%system32%\freecell.vxd'
'%system32%\chimera.zip'
'%system32%\spoolmgr.exe'
'%system32%update.exe'
3,增加註冊表項
'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
'Spooler Manager'= 'update.exe'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000000'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000001'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000002'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000003'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000004'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000005'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000006'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000007'
'HKLM\Software\microsoft\Internet Account Manager\Accounts\00000008'
"SMTP Server"="update.exe"
"HKLM\Software\\Microsoft\\Windows"
"Explorer" = 'update.exe'
4,每隔0.5秒 就向www.google.com傳送請求,可能造成DoS
5,開放5822連線埠,接受遠程命令後會刪除檔案:
'%root%\config.sys'
'%root%\command.com'
'%root%\io.sys'
'%root%\boot.ini'
'%windows%\regedit.exe'
'%windows%\win.ini'
'%windows%\system.ini'
'%windows%\win.com'
'%system%\win.com'
'%system%winsock.dll'
然後,病毒運行後彈出對話框
標題:'W32.Chimera'
內容:'!Bad Luck!'
'Today it',27h,'s a bad day for your computer:'
'Importants files had been deleted from your drive'
6,建立 SMTP 引擎,傳送電子郵件.
7,搜尋用戶outlook中的電子郵件,把病毒作為附屬檔案,傳送到以@yahoo.com和@hotmail.com結尾的電子信箱中.
8,郵件以下面的形式出現:
MAIL FROM: [email protected]RCPT TO: *@yahoo.com或者*@hotmail.com
Subject: Internet Security Update
Content: Why We Are Issuing This Update:
A security issue has been identified that could allow an attacker to compromise
a computer running Microsoft Windowsand gain control over it.
You can protect your computer by installing the attached update.
Severity Level: Critical
附屬檔案名稱:update.exe
9,用戶打開附屬檔案後,病毒運行,彈出下列對話框
標題:'Windows Security Update'
內容:'System updated. Thank you for your interest in Windows Update'
或者
標題:"Explorer"
內容:"This is not a valid Win32 application"
