请输入您要查询的百科知识:

 

词条 “五毒虫”变种AE(Worm.Supnot.ae)
释义

§ 名称

“五毒虫”变种AE(Worm.Supnot.ae)

§ 相关资料

病毒信息:

病毒名称: Worm.Supnot.ae

中文名称: 五毒虫

威胁级别: 3B

病毒类型: 邮件蠕虫、漏洞蠕虫、黑客、后门

病毒类型: 木马

受影响系统:Win9x, Windows 2000, Windows XP, Windows 2003

破坏方式:

A、病毒利用邮件、DCOM RPC漏洞、局域网进行疯狂传播,导致网络瘫痪等现象

B、开后门,等待黑客连接,造成泄密等损失

发作现象:

A、局域网传播时可能的副本的文件名:

"MSN Password Hacker and Stealer.exe"

"SIMS FullDownloader.zip.exe"

"Winrar + crack.exe"

"Star Wars II Movie Full Downloader.exe"

"MoviezChannelsInstaler.exe"

"Age of empires 2 crack.exe"

"CloneCD + crack.exe"

"Sex_For_You_Life.JPG.pif"

"AN-YOU-SUCK-IT.txt.pif"

"100 free essays school.pif"

"Mafia Trainer!!!.exe"

"Panda Titanium Crack.zip.exe"

"How To Hack Websites.exe"

"The world of lovers.txt.exe"

"autoexec.bat"

"Are you looking for Love.doc.exe"

B、病毒运行后会搜索本地文件目录,通过收件箱中的邮件地址向外发送带毒邮件传播自身,以及根据收件箱里的邮件内容自动回复邮件,每封邮件的附件中均携带病毒副本。

邮件特征如下:

病毒回附邮件时主题和原始邮件有关,可能邮件正文有:

If you can keep your head when all about you

Are losing theirs and blaming it on you;

If you can trust yourself when all men doubt you,

But make allowance for their doubting too;

If you can wait and not be tired by waiting,

Or, being lied about,don't deal in lies,

Or, being hated, don't give way to hating,

And yet don't look too good, nor talk too wise;

... ... more look to the attachment.

病毒回附邮件时可能的附件名:

"I am For u.doc.exe"

"Britney spears nude.exe.txt.exe"

"joke.pif"

"DSL Modem Uncapper.rar.exe"

"Industry Giant II.exe"

"StarWars2 - CloneAttack.rm.scr"

"dreamweaver MX (crack).exe"

"Shakira.zip.exe"

"SETUP.EXE"

"Macromedia Flash.scr"

"How to Crack all gamez.exe"

"Me_nude.AVI.pif"

"s3msong.MP3.pif"

"Deutsch BloodPatch!.exe"

"Sex in Office.rm.scr"

"the hardcore game-.pif"

发送邮件时可能的主题、正文和附件名称

主题:

"Hi"

"Hi Dear"

"Attached one Gift for u.."

"Help"

"Great"

"for you"

"Last Update"

"Let's Laugh"

"Reply to this!"

正文:

"For further assistance, please contact!"

"Copy of your message, including all the headers is attached."

"This is the last cumulative update."

"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)"

"Send reply if you want to be official beta tester."

"This message was created automatically by mail delivery software (Exim)."

"It',27h,'s the long-awaited film version of the Broadway hit. Set in the roaring 20',27h,'s, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West)."

"Adult content!!! Use with parental advisory."

"Patrick Ewing will give Knick fans something to cheer about Friday night."

附件名称:

"images.pif"

"README.TXT.pif"

"Interesting.exe"

"Source.exe"

"YOU_are_FAT!.TXT.pif"

"enjoy.exe"

"Doom3 Preview!!!.exe"

"driver.exe"

"About_Me.txt.pif"

D、病毒会开一个进程用于监视病毒主程序,如果病毒主程序被中止,会立即重新装载主程序。

E、病毒会中止一些知名杀毒软件的病毒防火墙和杀毒程序,如:金山毒霸、瑞星、诺顿、天网、Kill等。并且改进的方式更加恶毒,只要程序的进程名中包含"KV"、"KAV"、"Duba"、"NAV"、"kill"、"RavMon.exe"、"Rfw.exe"、"Gate"、"McAfee"、

"Symantec"、"SkyNet"、"rising"就会被病毒中止。

技术特点:

A、在系统目录及系统安装目录下添加以下文件:

%System%\\TkBellExe.exe

%System%\\Update_OB.exe

%System%\\hxdef.exe

%System%\\RAVMOND.exe

%System%\\IEXPLORE.EXE

%System%\\kernel66.dll

%System%\\ODBC16.dll

%System%\\msjdbc.dll

%System%\\MSSIGN30.dll

%System%\etMeeting.exe

%System%\\Spollsv.exe

%System%\\LMMIB20.DLL

%SystemRoot%\\Media\\mmc.exe

%SystemRoot%\\svchost.exe

B、在病毒第一次运行的目录下生成一些RAR和ZIP压缩的文件:

如:bak.exe等

C、在C盘下生成以下文件:

c:\etLog.txt

D、添加以下注册表键值:

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows

Run ="RAVMOND.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\runServices

SystemTra ="%SystemRoot%\\SysTra.EXE"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

WinHelp = "%System%\\TkBellExe.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Hardware Profile = "%System%\\hxdef.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Program In Windows = "%System%\\IEXPLORE.EXE"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Shell Extension = "%System%\\spollsv.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

E、病毒感染是WindowsNT、2000、XP的系统后会启动病毒主程序为服务,服务名称为“Windows Management NetWork Service Extensions”等。

F、它会遍历本地网络或随机生成IP,并用枚举密码的方式进行IPC$攻击,攻击成功后,得到管理员权限,拷副本到被攻击机算机的系统目录,文件名为NetManager.exe,并启动一个名为“Windows Management NetWork Service Extensions”的服务。

解决方案:

A、 请使用金山毒霸2004年7月14日的病毒库可完全处理该病毒。

B、查杀完病毒后,请注意打上最新的系统补丁,特别是冲击波、震荡波的补丁

C、修改弱密码,强烈建议致少使用4个字母和4个数字的组合密码

D、养成良好习惯,不轻易打开即时通讯工具传来的网址,不打有附件的邮件

E、打开金山网镖和金山毒霸病毒防火墙,防止病毒进入系统。

随便看

 

百科全书收录594082条中文百科知识,基本涵盖了大多数领域的百科知识,是一部内容开放、自由的电子版百科全书。

 

Copyright © 2004-2023 Cnenc.net All Rights Reserved
更新时间:2024/12/19 5:03:16