Name
Virus alias:
Date processed: 2005-09-26
Threat level: ★★
Chinese name: 災飛
Virus type: Worm
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Execution
1. Files created:
C:\WINNT\system32\02750701425Z.dll
C:\WINNT\system32\07014272175Z.dll
C:\WINNT\system32\07365045125Z.dll
C:\WINNT\system32\10811866075Z.dll
C:\WINNT\system32\12027507015Z.dll
C:\WINNT\system32\17108118665Z.dll
C:\WINNT\system32\36504512025Z.dll
C:\WINNT\system32\50451202755Z.dll
C:\WINNT\system32\66073650455Z.dll
C:\WINNT\system32\72171081185Z.dll
C:\WINNT\system32\75070142725Z.dll
C:\WINNT\system32\Symantec_Update-77443.exe
2. Modifies files, replacing the following files with the virus body:
"DivX Player 7.0.exe"
"Adobe Acrobat 8.0.exe"
3. Adds a registry entry so that the virus runs at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
__ZF5
Symantec_Update-77443.exe
4. Adds the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5
gD
5. The virus adds itself as a service:
Windows Firewall/Internet Connection Sharing (ICS)
6. Mutex: "__ZF5"
7. Modifies the following key value:
"HKLM\Software\Microsoft\Security Center\Monitoring\%soft%"
"DisableMonitoring"
where %soft% is one of the following:
KasperskyAntiVirus
McAfeeAntiVirus
PandaAntiVirus
SophosAntiVirus
SymantecAntiVirus
TrendAntiVirus
8. Displays a dialog box:
"Windows has blocked access to this image."
9. Terminates the following processes:
'Luall.exe',
'nod32.exe',
'gcasDtServ.exe',
'nod32krn.exe',
'nod32kui.exe',
'AVLTMAIN.EXE',
'mrt.exe',
'gcasServ.exe',
'avginet.exe',
'inetupd.exe',
'fpavupdm.exe',
'Updater.exe',
'pcclient.exe',
'F-StopW.exe',
'drwebupw.exe',
'QH32.EXE',
'QHM32.EXE',
'LIVEUP.exe',
'savmain.exe',
'savprogess.exe',
'nod32.exe',
'bdmcon.exe',
'bdlite.exe',
'McUpdate.exe',
'mcmnhdlr.exe',
'VBInstTmp.exe',
'vbcmserv.exe',
'vbcons.exe',
'fspex.exe',