Virus overview
Virus alias:
Processed: 2005-08-16
Threat level: ★★★
Chinese name: 狙擊波變種C (Zotob variant C)
Virus type: Worm
Affected systems: Win 2000/NT, Win XP, Win 2003
Virus behaviour
This worm spreads through the MS05-039 vulnerability (Windows Plug and Play, reachable over TCP port 445), the MS04-007 vulnerability (Windows ASN.1 library) and email. It sends overflow packets to uninfected machines; when the exploit fails, the attacked machine crashes and shows a shutdown countdown dialog. Blocking TCP port 445 at the network firewall stops the attack packets; installing the MS05-039 and MS04-007 patches removes the network vector altogether. Once a machine is infected, the worm joins an IRC channel and places the machine under the control of the worm's operator. The worm also prevents the user from updating security software.
1. The worm copies itself to:
%system%\per.exe
2. It adds the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
"WINDOWS SYSTEM" = "per.exe"
so that it runs at every start-up.
3. It modifies the following service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = 0x00000004
Start = 4 is SERVICE_DISABLED, and SharedAccess is the Windows Firewall / Internet Connection Sharing service, so this stops the Windows XP built-in firewall from running. Deleting per.exe alone does not undo this; the Start value has to be restored (2 = SERVICE_AUTO_START, the Windows XP SP2 default) before the firewall service will come back.
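To check a machine for indicators 1 to 3 without running anything on the suspect host, a responder can take a "reg export" of the two autorun keys and the SharedAccess key and scan the resulting text offline. The following Python is an added example written for this page, not code from the original write-up; the sample .reg text is constructed for the example, and the helper names parse_reg and find_zotob_c_indicators are this example's own.

```python
import re

# Constructed sample: what "reg export" of the three keys might look like on an
# infected host. Key paths and values come from the write-up above; the extra
# ctfmon.exe and Type entries are ordinary values added to show they are ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="per.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService]
"WINDOWS SYSTEM"="per.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020
"""

SERVICE_DISABLED = 4
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"


def parse_reg(text):
    """Parse the subset of .reg syntax that "reg export" produces for these keys:
    [key] headers followed by "name"="string" or "name"=dword:hex lines.
    Returns {key: {name: value}}. Backslashes in strings are doubled in .reg
    files, so they are collapsed back to single backslashes here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = raw
    return keys


def find_zotob_c_indicators(reg_text):
    """Return human-readable findings for the autorun value (item 2) and the
    disabled firewall service (item 3). An empty list means nothing matched."""
    keys = parse_reg(reg_text)
    findings = []
    for key in AUTORUN_KEYS:
        for name, value in keys.get(key, {}).items():
            # Match on the file name only: the worm registers a bare "per.exe".
            if isinstance(value, str) and value.lower().endswith("per.exe"):
                findings.append(f"autorun {key}\\{name} = {value}")
    start = keys.get(SHAREDACCESS_KEY, {}).get("Start")
    if start == SERVICE_DISABLED:
        findings.append("SharedAccess (Windows Firewall/ICS) service Start=4 (disabled)")
    return findings


if __name__ == "__main__":
    # When run against a real export: open(path, encoding="utf-16").read(),
    # because "reg export" writes UTF-16 with a byte-order mark.
    for finding in find_zotob_c_indicators(SAMPLE_REG):
        print(finding)
```

The parser deliberately handles only the string and dword value forms shown, which is all these three indicators need; hex(…) and multi-line values in a full hive export are passed through as raw text rather than decoded.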
4. It attacks through MS05-039; the exploit routine contains the string:
// -=PNP=- //transfer complete to ip:
5. It spreads through MS04-007.
6. It creates the following mutex so that only one copy runs on the system:
B-O-T-Z-O-R
7. The worm file contains the following author string:
Botzor2005 By DiablO
8. It connects to an IRC channel on
diabl0.turk*****s.net
to receive commands from the worm's operator.
9. It modifies the Hosts file (%SystemRoot%\system32\drivers\etc\hosts)
The following strings appear in the worm alongside its Hosts-file routine:
Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3
f-secure,sophos ok wait bitchs!!!
It writes the entries below into the Hosts file. Every name is mapped to 127.0.0.1, so the security vendors' update and download sites (and several shopping and payment sites) become unreachable from the infected machine until the file is cleaned:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
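A Hosts file that pins vendor update sites to loopback is the reason "the virus prevents the user from updating security software" in the overview, and it survives removal of per.exe. The following Python audits a Hosts file for that pattern; it is an added example for this page, not code from the original write-up. The sample Hosts content and the suffix list are constructed for the example (the suffix list covers only a subset of the domains above), and a malformed line such as the "n127.0.0.1" shown at the top of the list is reported rather than silently skipped.

```python
import ipaddress

# Constructed sample Hosts file: the default Windows header, one ordinary LAN
# entry, then a few of the entries listed in item 9 above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed LAN entry
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.paypal.com
"""

# Domains whose traffic must never be pinned to loopback. Matched as suffixes,
# so www.symantec.com and update.symantec.com are both covered. Subset of the
# list in item 9; extend it to taste.
PROTECTED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "trendmicro.com", "microsoft.com",
    "virustotal.com", "paypal.com", "ebay.com", "amazon.com",
)


def parse_hosts(text):
    """Yield (line_no, address, names) for each non-comment line. If the first
    field is not a valid IPv4/IPv6 address, yield (line_no, None, fields) so the
    caller can report the line instead of dropping it."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield n, None, fields
            continue
        yield n, addr, fields[1:]


def audit_hosts(text):
    """Return (line_no, kind, detail) findings: kind is "blocked" for a protected
    domain mapped to a loopback address, "malformed" for an unparsable line."""
    findings = []
    for n, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((n, "malformed", " ".join(names)))
            continue
        if not addr.is_loopback:          # 127.0.0.0/8 and ::1
            continue
        for name in names:
            name = name.lower()
            if name == "localhost":
                continue
            if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
                findings.append((n, "blocked", name))
    return findings


if __name__ == "__main__":
    # On a live Windows host: open(r"C:\Windows\System32\drivers\etc\hosts").read()
    for line_no, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind}: {detail}")
```

Anything reported as "blocked" should be deleted from the file (a default Windows Hosts file contains only the localhost line), and the check is cheap enough to run from a logon script as a standing control.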
10. It harvests email addresses from files with the following extensions:
txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
pl
html
wab
11. It discards any harvested address containing one of the following strings (some entries, such as webmaster, contact, support, unix, bsd, linux and google, appear twice in the worm's own list):
abuse
security
admin
support
contact
webmaster
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
12. The mail subject is one of:
Warning!!
**Warning**
Hello
Confirmed...
Important!
13. The mail body is one of:
looooool
We found a photo of you in ...
That's your photo!!?
hey!!
0K here is it!
14. The attachment name is one of:
photo
your_photo
image
picture
sample
loool
webcam_photo
15. The attachment extension is one of:
pif
scr
exe
cmd
bat
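Items 10 to 15 describe one procedure: scrape addresses out of local files, throw away anything that looks like a vendor, administrator or mailing-list address, then send the worm to whatever is left under one of a handful of fixed subjects, bodies and attachment names. The following Python is an added example for this page, not the worm's code or code from the original write-up. It reproduces the harvesting and exclusion logic on a constructed sample file (using a representative subset of the item 11 list) and, from the other side, gives a mail-gateway rule that flags a message matching the fixed subject/body/attachment combination. The sample HTML and the addresses in it are made up; harvest_addresses and looks_like_zotob_c_mail are this example's own names.

```python
import re

# Representative subset of the exclusion strings in item 11 (the worm's full list
# is longer and includes very short strings such as "ca", "me" and "no", which
# is why so few harvested addresses actually survive the filter).
EXCLUDE_SUBSTRINGS = (
    "abuse", "security", "admin", "support", "contact", "webmaster", "info",
    "postmaster", "nobody", "example", "mydomai", "nodomai", ".gov", "gov.",
    ".mil", "mit.e", "icrosof", "syma", "secur", "ntivi", "google", "hotmail", "msn.",
)

# Subject lines, bodies, attachment base names and extensions from items 12 to 15.
SUBJECTS = {"Warning!!", "**Warning**", "Hello", "Confirmed...", "Important!"}
BODIES = {"looooool", "We found a photo of you in ...", "That's your photo!!?",
          "hey!!", "0K here is it!"}
ATTACH_NAMES = {"photo", "your_photo", "image", "picture", "sample", "loool",
                "webcam_photo"}
ATTACH_EXTS = {"pif", "scr", "exe", "cmd", "bat"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of a harvested .htm file; every address here is made up.
SAMPLE_PAGE = """<html><body>
<a href="mailto:alice.smith@corp-sample.net">Alice</a>
Contact: webmaster@corp-sample.net, support@corp-sample.net
bob@example.com dave@research.mit.edu eve@corp-sample.net
alice.smith@corp-sample.net (listed again)
</body></html>"""


def harvest_addresses(text):
    """Harvest the way the worm does: regex over the raw file text, lower-cased,
    de-duplicated in order of first appearance, minus any address containing an
    exclusion string. Everything returned would receive a copy of the worm."""
    seen, kept = set(), []
    for addr in EMAIL_RE.findall(text):
        addr = addr.lower()
        if addr in seen:
            continue
        seen.add(addr)
        if any(bad in addr for bad in EXCLUDE_SUBSTRINGS):
            continue
        kept.append(addr)
    return kept


def looks_like_zotob_c_mail(subject, body, attachment_filename):
    """Gateway rule: the attachment base name AND extension must both come from
    the worm's lists, and either the subject or the body must match too.
    Requiring the attachment match stops ordinary messages titled "Hello" from
    being flagged; requiring subject or body stops a user-sent picture.exe
    from matching on the attachment alone."""
    name, _, ext = attachment_filename.rpartition(".")
    attach_hit = name.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS
    return attach_hit and (subject.strip() in SUBJECTS or body.strip() in BODIES)


if __name__ == "__main__":
    print("targets:", harvest_addresses(SAMPLE_PAGE))
    print("flagged:", looks_like_zotob_c_mail("Hello", "That's your photo!!?", "photo.scr"))
```

Running the harvester on the sample shows how aggressive the filter is: the webmaster and support mailboxes, the example.com address and the .mit.edu address are all dropped, leaving only two personal addresses. On the gateway side, blocking .pif, .scr, .cmd and .bat attachments outright is the simpler control; the rule above is for environments that still have to let some executables through.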