Entry: Win32.Hack.Agobot.ag

Definition:

§ Overview
Alias: Backdoor.Agobot.gen [AVP]
Processing time:
Threat level: ★★
Chinese name:
Type: hacker program (backdoor)
Affected systems: Win9x/WinNT/Win2K/WinXP/Win2003
Behaviour:
Build tools: written in VC, packed with UPX
Propagation: spreads over IRC and by attacking accounts with weak passwords
Trigger conditions: once active it leaks information about the local machine and opens a backdoor that waits for the attacker's remote control

§ System modifications:
1. Copies itself into %System% under one of the following file names:
Cavapsvc.exe, Csrrs.exe, Cvhost.exe, DIIhost.exe, Dosrun32.exe, Dos32.exe, Lsas.exe, Regloadr.exe, Schost.exe, Scvhost.exe, Service.exe, Servicess.exe, Sochost.exe, Swchost.exe, System.exe, Update.exe, Wdrun32.exe, Winhlpp32.exe, Winreg.exe, Winupdsdgm.exe

2. Adds one of the following values to the registry, under one of these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Registry Loader" = "regloadr.exe"
"Registry Loader" = "winhlpp32.exe"
"Update Installer" = "Swchost.exe"
"Windows Explorer" = "Lsas.exe"
"Configuration Loader" = "dosrun32.exe"
"Configuration Loader" = "Service.exe"
"Configuration Loader" = "Winreg.exe"
"Configuration Loader" = "System.exe"
"Automatic Windows Updater" = "Update.exe"
"Microsoft Windows 2000" = "Winupdsdgm.exe"
"Window Loader" = "Dos32.exe"
"iConfigLoader" = "DIIhost.exe"
"Config Loader" = "Scvhost.exe"
"Update Install" = "Schost.exe"
"Startup Update" = "Cvshost.exe"
"Norton Live Updater" = "Cavapsvc.exe"
"Service Controller" = "Csrrs.exe"
"Configuration Loader" = "Servicess.exe"
"Windows Startup" = "Wdrun32.exe"
"Norton Live Updater" = "Sochost.exe"

3. Adds the following registry keys as infection markers:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_A3X
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\A3X
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_A3X
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\A3X
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_A3X
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\A3X

4. Opens a backdoor on a random TCP port and waits for the attacker to connect.

5. Connects to a predefined IRC server and waits for commands the attacker sends over IRC.

6. The backdoor gives the attacker the following capabilities:
download and execute the worm; update the worm; steal information from the local machine; download and execute files; send the worm to other IRC users; add a new administrator account.

7. Carries out weak-password attacks using the following dictionary:
Accounts: Administrador, Administrateur, Administrator, Default, Dell, Gast, Guest, Inviter, Owner, Standard, Test, User, a, aaa, abc, admin, administrator, asdf, home, mgmt, pc, qwer, temp, test, win, x, xyz
Passwords: 0, 007, 000000, 00000000, 1, 110, 111, 111111, 11111111, 12, 121212, 123, 123123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234qwer, 123abc, 123asd, 123qwe, 2002, 2600, 54321, 654321, 88888888, Internet, Login, Password, a, aaa, abc, abcd, alpha, computer, database, enable, foobar, god, godblessyou, home, ihavenopass, login, love, mypass, mypc, oracle, owner, pass, passwd, password, pat, patrick, pc, pw, pwd, root, secret, server, sex, super, sybase, temp, test, win, xp, xxx, yxcv, zxcv

9. Steals the CD keys of the following games:
Soldier of Fortune II - Double Helix, Neverwinter, Westwood Nox, Tiberian Sun, Red Alert 2, Red Alert, Project IGI 2, Command & Conquer Generals, Battlefield 1942 Secret Weapons of WWII, Battlefield 1942 The Road to Rome, Battlefield 1942, Rainbow Six III RavenShield, Nascar Racing 2003, Nascar Racing 2002, NHL 2003, NHL 2002, FIFA 2003, FIFA 2002, Need For Speed Hot Pursuit 2, The Gladiators, Unreal Tournament 2003, Legends of Might and Magic, Counter-Strike, Half-Life

10. Terminates the following processes:
ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE, CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, F-PROT.EXE, F-PROT95.EXE, F-STOPW.EXE, FINDVIRU.EXE, FP-WIN.EXE, FPROT.EXE, FRW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE, JEDI.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, MSCONFIG.EXE, N32SCANW.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, dllhost.exe, msblast.exe, mspatch.exe, penis32.exe, scvhosl.exe, tftpd.exe, winppr32.exe, PAVSCHED.EXE, PAVW.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, VET95.EXE, VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE, WEBSCANX.EXE, WFINDV32.EXE, ZONEALARM.EXE, _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE

11. Terminates the processes of the following rival malware:
dllhost.exe, msblast.exe, mspatch.exe, penis32.exe, scvhosl.exe, tftpd.exe, winppr32.exe

§ Symptoms:
CPU usage is very high, the firewall may quietly exit, and one of the following files can be found in the %System% directory:
Cavapsvc.exe, Csrrs.exe, Cvhost.exe, DIIhost.exe, Dosrun32.exe, Dos32.exe, Lsas.exe, Regloadr.exe, Schost.exe, Scvhost.exe, Service.exe, Servicess.exe, Sochost.exe, Swchost.exe, System.exe, Update.exe, Wdrun32.exe, Winhlpp32.exe, Winreg.exe, Winupdsdgm.exe

Special notes:
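The file names, Run-key values and A3X marker keys listed under "System modifications" are usable host indicators. The script below is an added example (not part of the original entry and not vendor code) that checks a host snapshot against exactly those indicators. The indicator values are transcribed from the entry; the snapshot layout, the function names (`check_snapshot`, `collect_windows_snapshot`) and the sample snapshot are assumptions constructed for the example. A match on a generic name such as `Update.exe` or `System.exe` only says the name is on the worm's list; confirm with a hash or signature check before treating it as an infection.

```python
import os
from typing import Dict, List

# Indicators transcribed from the entry, lowercased for case-insensitive matching.
DROPPED_FILE_NAMES = {
    "cavapsvc.exe", "csrrs.exe", "cvhost.exe", "diihost.exe", "dosrun32.exe",
    "dos32.exe", "lsas.exe", "regloadr.exe", "schost.exe", "scvhost.exe",
    "service.exe", "servicess.exe", "sochost.exe", "swchost.exe", "system.exe",
    "update.exe", "wdrun32.exe", "winhlpp32.exe", "winreg.exe", "winupdsdgm.exe",
}
# Value names the entry lists under the Run / RunServices keys (item 2).
RUN_VALUE_NAMES = {
    "registry loader", "update installer", "windows explorer",
    "configuration loader", "automatic windows updater",
    "microsoft windows 2000", "window loader", "iconfigloader",
    "config loader", "update install", "startup update",
    "norton live updater", "service controller", "windows startup",
}
# Item 2 also names "Cvshost.exe" as value data, which is not in the file list.
RUN_VALUE_DATA = DROPPED_FILE_NAMES | {"cvshost.exe"}
RUN_KEYS = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",
)
# Marker key suffixes (item 3); any ControlSet under HKLM\System counts.
MARKER_KEY_SUFFIXES = ("\\enum\\root\\legacy_a3x", "\\services\\a3x")


def _basename(path: str) -> str:
    """Last path component, independent of the host OS path separator."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_snapshot(snapshot: Dict) -> List[Dict[str, str]]:
    """Compare a host snapshot (assumed layout) with the entry's indicators.

    snapshot keys: "system_dir_files" (names in %System%), "run_entries"
    ({key path: {value name: data}}), "registry_keys" (existing key paths),
    "processes" (running image names or paths). Returns a list of findings.
    """
    findings: List[Dict[str, str]] = []
    for name in snapshot.get("system_dir_files", []):
        if name.lower() in DROPPED_FILE_NAMES:
            findings.append({"indicator": "file", "detail": name})
    for key, values in snapshot.get("run_entries", {}).items():
        for value_name, data in values.items():
            if value_name.lower() in RUN_VALUE_NAMES or _basename(data) in RUN_VALUE_DATA:
                findings.append({"indicator": "run_value",
                                 "detail": f"{key}\\{value_name} = {data}"})
    for key in snapshot.get("registry_keys", []):
        lowered = key.lower()
        if lowered.startswith("hkey_local_machine\\system\\") and lowered.endswith(MARKER_KEY_SUFFIXES):
            findings.append({"indicator": "marker_key", "detail": key})
    for proc in snapshot.get("processes", []):
        if _basename(proc) in DROPPED_FILE_NAMES:
            findings.append({"indicator": "process", "detail": proc})
    return findings


def collect_windows_snapshot() -> Dict:
    """Build a snapshot from the live host; Windows only (imports winreg).

    Collects %System% file names, the two Run keys and the A3X marker keys.
    The process list is left empty; fill it from your own inventory tooling.
    """
    import winreg  # available only on Windows
    system_dir = os.path.join(os.environ.get("SystemRoot", "C:\\Windows"), "System32")
    snapshot: Dict = {"system_dir_files": os.listdir(system_dir),
                      "run_entries": {}, "registry_keys": [], "processes": []}
    for key_path in RUN_KEYS:
        sub = key_path.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
                values = {}
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    values[name] = str(data)
            snapshot["run_entries"][key_path] = values
        except OSError:
            continue
    for control_set in ("CurrentControlSet", "ControlSet001", "ControlSet002"):
        for suffix in ("Enum\\Root\\LEGACY_A3X", "Services\\A3X"):
            sub = f"System\\{control_set}\\{suffix}"
            try:
                winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub))
                snapshot["registry_keys"].append("HKEY_LOCAL_MACHINE\\" + sub)
            except OSError:
                continue
    return snapshot


# Constructed sample snapshot: one dropped file, one persistence value, one
# marker key and one running process from the entry, plus benign noise.
SAMPLE_SNAPSHOT = {
    "system_dir_files": ["kernel32.dll", "Lsas.exe", "notepad.exe"],
    "run_entries": {RUN_KEYS[0]: {
        "Windows Explorer": "Lsas.exe",
        "SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe"}},
    "registry_keys": [
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Enum\\Root\\LEGACY_A3X",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip"],
    "processes": ["explorer.exe", "C:\\Windows\\System32\\lsas.exe"],
}

if __name__ == "__main__":
    for finding in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{finding['indicator']}] {finding['detail']}")
```

On a live Windows host, `check_snapshot(collect_windows_snapshot())` runs the same logic against the real %System% directory and registry; a 32-bit Python on 64-bit Windows reads the redirected Run keys, so use a 64-bit interpreter there.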