Overview
Virus aliases:
Date handled:
Threat level: ★★
Chinese name: 破壞之神 ("God of Destruction")
Virus type: Worm
Affected systems: Win9x / WinNT
Virus behavior
This is a worm that spreads via e-mail, P2P file sharing and IRC. On an infected computer it carries out a series of severely destructive actions that leave the user unable to use the machine normally.
1. Files created:
%Windows%\TASKMANAGER.exe
%Program Files%\Windows Media Player\wmlaunch.exe
%Program Files%\Internet Explorer\Firewall.exe
%Program Files%\Internet Explorer\WWE Divas.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\XPStart.exe
C:\Torrie&Stacy.exe
C:\Program Files\Torrie&Stacy.exe
2. Adds startup entries so that the virus runs at boot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Firewall, data: "%Program Files%\Windows Media Player\wmlaunch.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Protection, data: "%Program Files%\Internet Explorer\Firewall.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name: SysRes, data: "%Windows%\TASKMANAGER.exe"
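The three Run values above are the persistence indicators a responder would check first. The following script is an added example (not part of the original report): it parses a text `.reg` export of the HKCU Run key, such as `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produces once decoded from UTF-16, and flags values whose name and executable file name match the report. Matching is done on the file name rather than the full path because the report uses `%Program Files%` and `%Windows%` placeholders that expand differently per installation. The sample export embedded below is constructed for the example, and the benign `ctfmon.exe` entry is there to show that only the listed pairs are reported.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the report: Run value name -> expected executable basename.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INDICATORS = {
    "firewall": "wmlaunch.exe",
    "protection": "firewall.exe",
    "sysres": "taskmanager.exe",
}

# Constructed sample: a decoded .reg export of the Run key on an infected host.
# The ctfmon.exe entry is a legitimate value and must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="C:\\Program Files\\Windows Media Player\\wmlaunch.exe"
"Protection"="C:\\Program Files\\Internet Explorer\\Firewall.exe"
"SysRes"="C:\\WINDOWS\\TASKMANAGER.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_SECTION = re.compile(r"^\[(.+)\]\s*$")
# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote)
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (in that order)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_run_key_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (value_name, data) pairs in the HKCU Run key matching the report's indicators."""
    hits: List[Tuple[str, str]] = []
    run_values = parse_reg_export(text).get(RUN_KEY, {})
    for name, data in run_values.items():
        expected_exe = INDICATORS.get(name.lower())
        if expected_exe is None:
            continue
        # Compare on the file name only: the placeholder paths in the report expand
        # differently per install (C:\WINDOWS vs C:\WINNT, localized Program Files).
        basename = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename == expected_exe:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_run_key_indicators(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {data}")
```

On a live host the same check can be run against the real key, but working from an export keeps the triage reproducible and lets the same parser be pointed at exports collected from many machines.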
3. Searches every address in the Windows Address Book and sends e-mail:
From:
[email protected]
Subject:
WWE Admninistrator
Body:
Free WWE Torrie Wilson and Sable Screan Saver
Attachment:
WWE DIVAS.exe
4. P2P propagation:
The virus spreads by copying itself into the shared folders of the following P2P programs: KMD, Kazaa, Morpheus, Grokster, BearShare and eDonkey2000.
C:\Program Files\BearShare\Shared\WWE Torrie and Sable Screan Saver.exe
C:\Program Files\Edonkey2000\Incoming\WWE Torrie and Sable Screan Saver.exe
C:\Program Files\Grokster\My Grokster\WWE Torrie and Sable Screan Saver.exe
C:\Program Files\KMD\My Shared Folder\WWE Torrie and Sable Screan Saver.exe
C:\Program Files\KaZaA Lite\My Shared Folder\WWE Torrie and Sable Screan Saver.exe
C:\Program Files\Kazaa\My Shared Folder\WWE Torrie and Sable Screan Saver.exe
C:\Program Files\Morpheus\My Shared Folder\WWE Torrie and Sable Screan Saver.exe
5. Propagation via IRC
To spread over IRC, the worm copies itself to the following location:
C:\Program Files\mIRC\Downloads\WWE DIVAS.exe
6. The worm terminates the LSASS.exe process, which causes some computers to reboot repeatedly.
7. The worm terminates the following processes:
dap.exe
VB6.exe
msgmsgr.exe
ccapp.exe
regedit.com
mdm.exe
iexplore.exe
smss.exe
dllhost.exe
SVCHOST.exe
8. Modifies the Hosts file to block the user from reaching the following sites:
http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata
http://services.msn.com/svcs/hotmail/httpmail.asp
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
messenger.hotmail.com
raw.wwe.com
smackdown.wwe.com
www.about.com
www.alltheweb.com
www.altavista.com
www.download.com
www.emp3finder.com
www.geocities.com
www.google.com
www.guitar-pro.com
www.hdpvidz.com
www.hotmail.com
www.kazaa.com
www.mcafee.com
www.microsoft.com
www.msn.com
www.mysongbook.com
www.nero.com
www.net2phone.com
www.regedit.com
www.rohitab.com
www.roxio.com
www.symantec.com
www.themetsource.com
www.trendmicro.com
www.urbanchaosvideos.com
www.vbcode.com
www.wwe.com
www.yahoo.com
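Because the block list above is dominated by antivirus vendors, Windows Update and webmail, a Hosts file override of any of these names is a strong sign of infection. The script below is an added example, not part of the original report: it parses a Hosts file (on Windows, `%SystemRoot%\system32\drivers\etc\hosts`), reduces the report's entries to host names (three of them are full URLs), reports every active mapping that overrides a listed host, and produces a cleaned copy with only those names removed. The report only states that access is blocked; the `127.0.0.1` and `0.0.0.0` targets in the constructed sample are an assumption about how such a block is usually written, which is why the check flags any address at all rather than a particular one.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# A subset of the sites the report lists; the three URL entries are reduced to host names.
BLOCKED_SITES = [
    "http://oe.msn.msnmail.hotmail.com/cgi-bin/hmdata",
    "http://services.msn.com/svcs/hotmail/httpmail.asp",
    "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail",
    "messenger.hotmail.com",
    "www.google.com",
    "www.mcafee.com",
    "www.microsoft.com",
    "www.symantec.com",
    "www.trendmicro.com",
    "www.wwe.com",
]


def to_hostname(entry: str) -> str:
    """Normalize a report entry (URL or bare host) to a lower-case host name."""
    if "://" in entry:
        return urlsplit(entry).hostname.lower()
    return entry.strip().lower()


WATCHLIST = {to_hostname(e) for e in BLOCKED_SITES}

# Constructed sample Hosts file. The loopback targets are an assumed form of the block;
# the localhost line and the commented-out google line are legitimate and must not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 127.0.0.1     www.google.com   (commented out, not active)
127.0.0.1\twww.symantec.com www.MCAFEE.com
127.0.0.1 www.trendmicro.com  # blocked AV vendor
0.0.0.0   messenger.hotmail.com
127.0.0.1 www.wwe.com backup.example
192.168.0.10 intranet.example
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for every active mapping in a Hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including whole-line ones
        if not line:
            continue
        parts = line.split()  # tabs and runs of spaces are both valid separators
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: malformed line, ignore
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_hijacked_hosts(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each watch-listed host with an active Hosts override to (line_no, address)."""
    hijacked: Dict[str, Tuple[int, str]] = {}
    for line_no, address, hosts in parse_hosts(text):
        for host in hosts:
            if host in WATCHLIST:
                hijacked[host] = (line_no, address)
    return hijacked


def clean_hosts(text: str) -> str:
    """Return the file with watch-listed hosts removed; a mapping left with no hosts is dropped."""
    hijacked = find_hijacked_hosts(text)
    bad_lines = {ln for ln, _ in hijacked.values()}
    out = []
    for i, raw in enumerate(text.splitlines(), start=1):
        if i not in bad_lines:
            out.append(raw)
            continue
        mapping, _, comment = raw.partition("#")
        parts = mapping.split()
        kept = [parts[0]] + [h for h in parts[1:] if h.lower() not in hijacked]
        if len(kept) > 1:  # keep benign hosts that shared the line
            out.append(" ".join(kept) + (("  #" + comment) if comment else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for host, (ln, addr) in find_hijacked_hosts(SAMPLE_HOSTS).items():
        print(f"line {ln}: {host} overridden to {addr}")
```

Writing the cleaned file back requires administrative rights on Windows, and the report also lists other changes (registry policies, terminated processes, dropped files) that the Hosts repair on its own does not undo.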
9. Deletes the file:
%Program Files%\common files\symantec shared\Script Blocking\scrblock.dll
10. By modifying the registry, the virus disables the following functions for the user:
Disables the "Run" menu item
Disables the "Shut Down" menu item
Disables the "Find" command
Disables System Restore
Disables the cmd command prompt
Disables the registry editor regedit.exe
Sets the computer name to surconfluge
11. The virus blocks the use of the following 100 programs:
notepad.exe
wordpad.exe
msnmsgr.exe
winzip.exe
CLEAN_NOTEPAD.EXE
moviemk.exe
defrag.exe
netstat.exe
netstat.exe
sndvol32.exe
sndrec32.exe
CCIMSCN.exe
shutdown.exe
sndvol32.exe
write.exe
dxdiag.exe
ntbackup.exe
dialer.exe
dllhost.exe
print.exe
trendmicro.com
UPXiT.exe
vb6.exe
NMain.exe
NAVW32.exe
NAVWNT.exe
NAVSTUB.exe
navui.nsi
MSDEV.exe
chktrust.exe
apssm.exe
SNDSrvc.exe
NMain.exe
Ra2.exe
vfp6.exe
setup.exe
install.exe
SAVScan.exe
ad-aware.exe
remove.exe
uninstall.exe
NeroStartSmart.exe
uninst.exe
isuninst.exe
aawsepersonal.exe
keygen.exe
cmd.exe
project1.exe
1.exe
file.exe
browser.exe
UNWISE.exe
play.exe
directcd.exe
bind.exe
VPC32.exe
VPDN_LU.exe
VPTray.exe
DefWatch.exe
DoScan.exe
Integrator.exe
swdoctor.exe
.exe......
12. The worm disables antivirus, Windows Update and firewall software.
13. Shares the C, D and E drives.
14. The worm creates the text file "C:\Virus Detected.txt" with the following content:
"Worm is detected on your computer (W32.surconfluge.A@mm), update your Virus Definition to protect your computer from the lastest viruses and worms."