Overview
Virus alias:
Processing time:
Threat level: ★★
Chinese name:
Virus type: Worm
Affected systems: Win9x / WinNT
Virus behavior:
Characteristics
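This is a virus that combines an IRC backdoor with worm functionality and spreads through IPC, mail services, and operating system vulnerabilities. After it runs, it adds itself to the registry startup entries so that it runs again at the next boot. It opens some shared folders on the infected machine and steals important information from the user's machine. It also uses the infected machines it controls to launch denial-of-service attacks against other addresses. The virus carries its own password dictionary; it performs overflow attacks against other machines and guesses administrator passwords in order to take control of them. Infected machines communicate with the controlling machine over port 40403.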
1. Files added:
%system32%\sysproc.exe
2. Registry entries added so that the virus starts at boot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Added entry: System Document Application
Value: sysproc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Added entry: System Document Application
Value: sysproc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Added entry: System Document Application
Value: sysproc.exe
3. Controls and infects other machines through mIRC
4. Steals the CD keys of the following programs:
IGI 2 Retail
EA GAMES
FIFA 2003
Call of Duty
Need For Speed Hot Pursuit
Command & Conquer Generals
NFSHP2
Battlefield 1942 Road To Rome
Rainbow Six III RavenShield
Counter-Strike ( Retail )
Unreal Tournament 2003
Half-Life
5. Can carry out SYN attacks
6. Opens the following shares: C$ D$ IPC$ ADMIN$
7. Contents of the password dictionary:
"!@#$","!@#$%","!@#$%^","!@#$%^&","!@#$%^&*","%","0","00","000","0000","00000","000000"
"00000000","007","0wn3d","0wned","1","110","111","111","111111","11111111","11111111"
"12","121","121212","123","123123","1234","12345","123456","1234567","12345678","123456789"
"sql","sqlpass","sa","cisco","dell","compaq","siemens","yellow","pink","xp","control","mass"
"office","blank","winpass","capitol","userpassword","main","hq","headoffice","ctx","nokia","lan"
"internet","intranet","bill","fred","freddy","glen","turnip","afro","user1","student","student1","staff"
"teacher","root","Root","ROOT","CISCO","Cisco"