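Entry: Worm.Bobax.af
Definition

Virus overview

Alias:

Processed: 2005-08-18

Threat level: ★★

Chinese name:

Type: worm

Affected systems: Win 2000/NT, Win XP, Win 2003

Virus behavior

This virus is a malicious worm that spreads through the MS05-039 vulnerability, the shared folders of P2P software, e-mail, and other channels. When it runs, it terminates the processes and services of many security products, deletes those products, and modifies the hosts file so that the user cannot reach Avp's website.

1. Drops the following files in the %SYSTEMROOT% directory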

msdefr.exe

nb32ext2.exe

services.exe

2. Modifies the hosts file, appending the following to it

avp .com 127.0.0.1

so that the user cannot reach avp's website

3. Modifies the registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies DisableRegistryTools dword:00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer IEPsdgxc dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer fdfg dword:00000013

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies DisableRegistryTools dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RPCserv32g "D:\WINNT\services.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices helloworld "nb32ext2.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit "%System32%\userinit.exe,"%SystemRoot%\services.exe,"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess Start dword:00000004

4. Stops the following services and deletes the related files

"NETSKY"

"navapsvc"

"NProtectService"

"Norton Antivirus Server"

"VexiraAntivirus"

"dvpinit"

"dvpapi"

"schscnt"

"BackWeb Client - 7681197"

"F-Secure Gatekeeper Handler Starter"

"FSMA"

"AVPCC"

"KAVMonitorService"

"Norman NJeeves"

"NVCScheduler"

"nvcoas"

"Norman ZANDA"

"PASSRV"

"SweepNet"

"SWEEPSRV.SYS"

"NOD32ControlCenter"

"NOD32Service"

"PCCPFW"

"Tmntsrv"

"AvxIni"

"XCOMM"

"ravmon8"

"SmcService"

"BlackICE"

"PersFW"

"McAfee Firewall"

"OutpostFirewall"

"NWService"

"NISUM"

"NISSERV"

"vsmon"

5. Terminates the following processes and deletes the related files

"Lien Van de Kelderrr.exe"

"winshost.exe"

"msnmsgr.exe"

"wfdmgr.exe"

"OUTPOST.EXE"

"IAOIN.EXE"

"RB.EXE"

"b055262c.dll"

"backdoor.rbot.gen.exe"

"backdoor.rbot.gen_(17).exe"

"msssss.exe"

"rasmngr.exe"

"dailin.exe"

"wowpos32.exe"

"wuamgrd.exe"

"taskmanagr.exe"

"wuamga.exe"

"ATUPDATER.EXE"

"AVWUPD32.EXE"

"AVPUPD.EXE"

"LUALL.EXE"

"DRWEBUPW.EXE"

"ICSSUPPNT.EXE"

"ICSUPP95.EXE"

"UPDATE.EXE"

"NUPGRADE.EXE"

"ATUPDATER.EXE"

"AUPDATE.EXE"

"AUTODOWN.EXE"

"AUTOTRACE.EXE"

"AUTOUPDATE.EXE"

"AVXQUAR.EXE"

"CFIAUDIT.EXE"

"MCUPDATE.EXE"

"NUPGRADE.EXE"

"Systra.exe"

"RAVMOND.exe"

"GfxAcc.exe"

"VisualGuard.exe"

"WIN-BUGSFIX.EXE"

"WIN32.EXE"

"WIN32US.EXE"

"WINACTIVE.EXE"

"WINDOW.EXE"

"WINDOWS.EXE"

"WININETD.EXE"

"WININIT.EXE"

"WININITX.EXE"

"WINLOGIN.EXE"

"WINMAIN.EXE"

"WINPPR32.EXE"

"WINRECON.EXE"

"WINSSK32.EXE"

"WINSTART.EXE"

"WINSTART001.EXE"

"WINTSK32.EXE"

"WINUPDATE.EXE"

"WKUFIND.EXE"

"WNAD.EXE"

"WNT.EXE"

"WRADMIN.EXE"

"WRCTRL.EXE"

"WUPDATER.EXE"

"WUPDT.EXE"

"WYVERNWORKSFIREWALL.EXE"

"XPF202EN.EXE"

"ZAPRO.EXE"

"ZAPSETUP3001.EXE"

"ZATUTOR.EXE"

"ZONALM2601.EXE"

"ZONEALARM.EXE"

"_AVP32.EXE"

"_AVPCC.EXE"

"_AVPM.EXE"

"HIJACKTHIS.EXE"

"F-AGOBOT.EXE"

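6. Sends infected e-mails to the user's contacts

7. Attacks other hosts on the network through the MS05-039 vulnerability; if the attack succeeds, the attacked host becomes infected with the virus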
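
A host check for the hosts-file and registry changes listed in steps 2 and 3, as an added example that is not part of the original entry. The snapshot dictionary format, the function names and the sample data are assumptions constructed for illustration; the autorun and Userinit checks are generalized beyond the exact values the entry lists.

```python
import ntpath

HKLM = "HKEY_LOCAL_MACHINE\\"
RUN_KEYS = (HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
WINLOGON = HKLM + r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHARED_ACCESS = HKLM + r"SYSTEM\CurrentControlSet\Services\SharedAccess"
DROPPED = {"msdefr.exe", "nb32ext2.exe", "services.exe"}  # file names from the entry


def audit_registry(snapshot):
    """snapshot: {key: {value_name: data}} (assumed format). Returns findings."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            # Windows starts the real services.exe itself, never from an autorun key.
            if ntpath.basename(str(data).strip('"')).lower() in DROPPED:
                findings.append(f"autorun:{name}")
    # Default Userinit holds only userinit.exe; any other entry also runs at logon.
    userinit = str(snapshot.get(WINLOGON, {}).get("Userinit", ""))
    for entry in (e.strip(' "') for e in userinit.split(",")):
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            findings.append(f"userinit:{entry}")
    # Service start type 4 means disabled; SharedAccess hosts the XP/2003 firewall.
    if snapshot.get(SHARED_ACCESS, {}).get("Start") == 4:
        findings.append("sharedaccess:disabled")
    return findings


def audit_hosts(text, watch=("avp",)):
    """Return watched host names that a hosts file maps to a loopback address."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and (fields[0].startswith("127.") or fields[0] == "::1"):
            hits += [h for h in fields[1:] if any(w in h.lower().split(".") for w in watch)]
    return hits


# Constructed sample data modelled on the values listed in the entry.
SAMPLE_REG = {
    RUN_KEYS[0]: {"RPCserv32g": r'"D:\WINNT\services.exe"', "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    RUN_KEYS[1]: {"helloworld": "nb32ext2.exe"},
    WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,D:\WINNT\services.exe,"},
    SHARED_ACCESS: {"Start": 4},
}
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.avp.example  # constructed entry\n"

if __name__ == "__main__":
    print(audit_registry(SAMPLE_REG), audit_hosts(SAMPLE_HOSTS))
```

The Userinit check compares file names only, so a full-path comparison against the system directory is still needed to catch a look-alike userinit.exe placed elsewhere.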


Copyright © 2004-2023 Cnenc.net All Rights Reserved
Last updated: 2025/1/27 21:27:29