| 词条 | SpamTool.Win32.Agent.u |
| 释义 | 该病毒运行后,从某互联网地址下载病毒病毒体到本机运行,并添加注册表自动运行项与系统服务项、修改 LSP ,以达到随系统启动的目的。通过内建的 SMTP 蠕虫程序连接到互联网 SMTP 服务器,获得需要伪造的邮件信息,进而大量发送垃圾邮件,严重占用网络资源。 病毒标签:病毒名称: SpamTool.Win32.Agent.u 中文名称: 派送器 病毒类型:蠕虫类 文件 MD5: F86E61CCF7A06C67736F4B108CE0D1C0 公开范围: 完全公开 危害等级: 5 文件长度: 加壳后 102,916 字节,脱壳后49,664 字节 感染系统: Win95 以上系统 开发工具: Microsoft Visual C++ 6.0 加壳类型: UPX 变形壳 行为分析:1 、衍生下列副本与文件: %System32%\\mfolpnzbz.dll 2 、修改下列驱动文件: %System32%\\mfolpnzbz.dll %System32%\\dirvers\dis.sys 3 、新建注册表键值: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\tldr.sys\\DisplayName Value: Type: REG_EXPAND_SZ Length: 10 (0xa) bytes ntldr.sys. HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\tldr.sys\\ImagePath Value: Type: REG_EXPAND_SZ Length: 17 (0x11) bytes C:\tldr.sys . HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\DisplayName Value: String: "Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境 " HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\ImagePath Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes \\SystemRoot\\System32\\drivers\\ws2ifsl.sys. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000012\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000012\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000013\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000013\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000014\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000014\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000015\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000015\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000016\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000016\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000017\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000017\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000018\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000018\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000019\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000019\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000020\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000020\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000021\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000021\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000022\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000022\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000023\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000023\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll 4 、修改下列注册表键值,破坏 LSP 。并可实现检测网络启动自身与搜集用户信息: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000001\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000002\\PackedCatalogItem C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000003\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000004\\PackedCatalogItem C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000005\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000006\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000007\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000008\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000009\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000010\\PackedCatalogItem C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000011\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes C:\\WINDOWS\\System32\\mfolpnzbz.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll 5 、邮件包含一张带有链接的图片,诱使用户点击:链接地址为某男性药品网站首页: 6 、病毒可能发送带有附件的邮件: 7 、向下列搜索引擎地址提交查询信息,从而获得相关邮件信息,进而伪造邮件: 注: % System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:\\Winnt\\System32 , windows95/98/me 中默认的安装路径是 C:\\Windows\\System , windowsXP 中默认的安装路径是 C:\\Windows\\System32 。 清除方案:1 、 使用安天木马防线可彻底清除此病毒 ( 推荐 ) 2 、 手工清除请按照行为分析删除对应文件,恢复相关系统设置。 (1) 使用 安天木马防线 “进程管理”关闭病毒进程 删除下列新建项: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ ntldr.sys HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000012\\ ………….. ………….. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000023\\ 恢复下列修改项:HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001\\ PackedCatalogItem ………….. ………….. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\0000000000011\\ PackedCatalogItem 恢复键值为:%SystemRoot%\\system32\\mswsock.dll (2) 重新启动计算机 (3) 删除病毒衍生文件: %System32%\\mfolpnzbz.dll %System32%\\dirvers\dis.sys |
| 随便看 |
百科全书收录4421916条中文百科知识,基本涵盖了大多数领域的百科知识,是一部内容开放、自由的电子版百科全书。