
Guanghua Anti-Virus Bulletin: April 4 - April 10


http://www.sina.com.cn 2005-04-05 18:30 Sina Tech

  The Guanghua Anti-Virus Research Centre has released a new virus-signature update; users should download the update package from the Guanghua site, www.viruschina.com, as soon as possible. Summaries of the most important viruses follow:

  1. Mass-mailing worm: W32.Chod.B@mm   Threat level: ★★★★☆

  According to experts at the Guanghua Anti-Virus Research Centre, the worm is 152,204 bytes long and infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It is a mass-mailing worm with several propagation routes: it also spreads through MSN Messenger, installs a backdoor that is controlled remotely over IRC, rewrites the Hosts file, and blocks access to a number of security sites. When the worm is received and opened it does the following:

  A Displays the following messages:

  • Run-time Error

  • Run-time error #7: Out of memory

  B Creates the following files under the system directory:

  • cpu.dll

  • [random folder]\csrss.dat

  • [random folder]\csrss.exe

  • [random folder]\csrss.ini

  C Creates the shortcut Programs\Startup\csrss.lnk in the Startup folder so that the worm runs, and takes control, at every start-up.

  D Each time it runs, the worm also creates a registry entry so that it is executed, and takes control, at every start-up.

  E Creates the following registry entries as its infection marker:

  HKEY_CLASSES_ROOT\Chode\"Installed" = "1"

  HKEY_CURRENT_USER\Software\Chode\"Installed" = "1"

  F At every start-up, deletes the following registry entries to stop anti-virus and firewall software from running:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAISafe

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccProxy

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccPwdSvc

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccSetMgr

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISSVC

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\navapsvc

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutpostFirewall

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PcCtlCom

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAVScan

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBService

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPBBCSvc

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsmon

  H Deletes the following values from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

  TmPfw

  tmproxy

  Tmntsrv

  net stop

  sc config

  start

  CleanUp

  MCUpdateExe

  VirusScan Online

  VSOCheckTask

  ccApp

  Symantec NetDriver Monitor

  Outpost Firewall

  gcasServ

  pccguide.exe

  KAVPersonal50

  Zone Labs Client

  services

  microsoft antispyware

  hijackthis
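As an added illustration (not code from the bulletin or from Guanghua's software), the Python below triages a text dump produced by `reg export` for the two registry traces described in E through H: the worm's own "Installed" marker and anti-virus autostart values that have gone missing from the Run key. The dump and the baseline list of expected Run values are constructed for the example; on a real system the baseline comes from a known-good image of the same build.

```python
"""Offline triage of a .reg export for W32.Chod.B@mm registry traces.
Added example: the SAMPLE_REG dump and the baseline passed to triage()
are constructed, not captured from an infected machine."""
import re

# Infection-marker keys from section E (compared case-insensitively).
MARKER_KEYS = {
    r"hkey_classes_root\chode",
    r"hkey_current_user\software\chode",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Subset of the Run value names the bulletin says the worm deletes (section H).
TARGETED_RUN_VALUES = {
    "ccapp", "outpost firewall", "kavpersonal50", "zone labs client",
    "microsoft antispyware", "vsochecktask", "mcupdateexe", "gcasserv",
    "pccguide.exe", "symantec netdriver monitor", "virusscan online",
    "hijackthis",
}

# Constructed dump: marker present, AV autostart entries already gone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Chode]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {key_lower: {value_name_lower: raw_data}} from a .reg export.
    Only quoted value names are handled, which is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys


def triage(reg_text, expected_run_values):
    """Report marker keys set to "1" and expected Run values that are absent,
    separating those the worm is known to delete from other drift."""
    reg = parse_reg(reg_text)
    markers = [k for k in MARKER_KEYS if reg.get(k, {}).get("installed") == '"1"']
    present = set(reg.get(RUN_KEY, {}))
    expected = {v.lower() for v in expected_run_values}
    missing = expected - present
    return {
        "marker_keys": sorted(markers),
        "missing_run_values": sorted(missing),
        "missing_targeted_by_worm": sorted(missing & TARGETED_RUN_VALUES),
    }


if __name__ == "__main__":
    baseline = {"IgfxTray", "SoundMAXPnP", "ccApp", "Zone Labs Client"}
    for k, v in triage(SAMPLE_REG, baseline).items():
        print(f"{k}: {v}")
```

On the suspect machine the dump comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for HKCU\Software\Chode); `reg export` writes UTF-16 with a byte-order mark, so decode the file as UTF-16 before passing the text to triage().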

  K Searches files with the following extensions for email addresses:

  .adb

  .asp

  .cgi

  .ctt

  .dbx

  .dhtm

  .doc

  .eml

  .htm

  .html

  .msg

  .oft

  .php

  .pl

  .rtf

  .sht

  .shtm

  .sql

  .tbb

  .txt

  .uin

  .vbs

  .wab

  .xml

  Addresses containing any of the following strings are skipped, so as to avoid anti-virus vendors and the like:

  .gov

  .mil

  abuse

  antivirus

  avp

  bitdefender

  f-pro

  f-secure

  fbi

  kaspersky

  mcafee

  messagelabs

  microsoft

  norton

  spam

  Symantec

  L Spreads by sending itself in an email with the following content:

  From: (one of the following three)

  security@microsoft.com

  security@trendmicro.com

  securityresponse@symantec.com

  Subject: (one of the following two)

  Warning - you have been infected!

  Your computer may have been infected

  Message:

  Your message was undeliverable due to the following reason(s):

  Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

  Your original message has been attached.

  Attachment: (one of the following four)

  netsky_removal.exe

  removal_tool.exe

  message.pif

  message.scr
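As an added illustration (not code from the bulletin or from Guanghua), here is a mail-gateway rule in Python that matches the lure email described in L on its three visible traits: a spoofed vendor "security" sender, one of the two subjects, and an executable attachment. The sample messages are constructed, not real captures; treating .exe and .com as executable alongside the .pif and .scr named above is an assumption.

```python
"""Gateway rule for the W32.Chod.B@mm bounce-message lure.
Added example; the messages built below are constructed samples."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Sender addresses and subjects listed in section L of the bulletin.
SPOOFED_SENDERS = {
    "security@microsoft.com",
    "security@trendmicro.com",
    "securityresponse@symantec.com",
}
LURE_SUBJECTS = {
    "warning - you have been infected!",
    "your computer may have been infected",
}
# .pif and .scr are from the bulletin; .exe/.com added as an assumption,
# since removal_tool.exe and netsky_removal.exe are also listed.
EXEC_EXT = (".pif", ".scr", ".exe", ".com")


def classify_message(raw_bytes):
    """Return the list of reasons the message matches the lure.
    An empty list means it passed. Any executable attachment is reported
    on its own, whatever the headers say."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    sender = (msg.get("From") or "").strip().lower()
    addr = sender.split("<")[-1].rstrip(">").strip()  # address part only
    if addr in SPOOFED_SENDERS:
        reasons.append(f"spoofed vendor sender {addr}")

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"known lure subject {subject!r}")

    for part in msg.iter_attachments():  # empty for single-part messages
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            reasons.append(f"executable attachment {name}")
    return reasons


def build_lure_sample():
    """Construct a message shaped like the worm's email (not a real capture)."""
    m = EmailMessage()
    m["From"] = "security@trendmicro.com"
    m["To"] = "victim@example.test"
    m["Subject"] = "Warning - you have been infected!"
    m.set_content("Your message was undeliverable due to the following reason(s):\n"
                  "Your original message has been attached.")
    # Fake PE header padded out; the gateway never executes it.
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                     subtype="octet-stream", filename="netsky_removal.exe")
    return m.as_bytes()


def build_clean_sample():
    """Construct an ordinary single-part message for comparison."""
    m = EmailMessage()
    m["From"] = "Alice <alice@example.test>"
    m["To"] = "bob@example.test"
    m["Subject"] = "Lunch?"
    m.set_content("Noon at the usual place?")
    return m.as_bytes()


if __name__ == "__main__":
    print("lure:", classify_message(build_lure_sample()))
    print("clean:", classify_message(build_clean_sample()))
```

The sender check is deliberately on the envelope-visible From header only; SPF or DKIM would of course reject these three addresses outright, but in 2005 most gateways had neither, so the subject and attachment checks carry the rule.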

  M Sends the following messages through MSN Messenger:

  Body: (one of the following 11)

  check out what I just found on some stupid website

  dude check this out, it's awesome! :D

  haha you have to see this, I almost couldn't believe it! :O

  holy shit you have to see this... :|

  I just found this on a CD... you won't believe it! :|

  LOL! look at this, I can't explain it it in words..

  naked lesbian twister

  omg check this out, it's just wrong :O

  ROFL!! you have to see this... wtf...

  you have to see this, it freaked me out :S

  you have to see this, it's amazing!

  Copies itself under one of the following file names (9):

  check this out

  gross

  my sister's webcam

  mypic

  paris hilton

  picture

  rofl

  us together

  wtf

  with one of the following extensions (2):

  .pif

  .scr

  N Rewrites the Hosts file to block access to the following sites:

  avp.com

  ca.com

  customer.symantec.com

  dispatch.mcafee.com

  download.mcafee.com

  f-secure.com

  fastclick.net

  ftp.f-secure.com

  ftp.sophos.com

  grisoft.com

  housecall.trendmicro.com

  kaspersky.com

  liveupdate.symantec.com

  mast.mcafee.com

  mcafee.com

  merijn.org

  my-etrust.com

  nai.com

  networkassociates.com

  pandasoftware.com

  phpbb.com

  rads.mcafee.com

  secure.nai.com

  securityresponse.symantec.com

  service1.symantec.com

  sophos.com

  spywareinfo.com

  support.microsoft.com

  symantec.com

  trendmicro.com

  update.symantec.com

  updates.symantec.com

  us.mcafee.com

  vil.nai.com

  viruslist.com

  www.avp.com

  www.awaps.net

  www.ca.com

  www.f-secure.com

  www.fastclick.net

  www.grisoft.com

  www.kaspersky.com

  www.mcafee.com

  www.merijn.org

  www.microsoft.com

  www.my-etrust.com

  www.nai.com

  www.networkassociates.com

  www.pandasoftware.com

  www.phpbb.com

  www.sophos.com

  www.spywareinfo.com

  www.symantec.com

  www.trendmicro.com

  www.viruslist.com

  www.zonelabs.com

  www3.ca.com

  zonelabs.com
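As an added illustration (not part of the bulletin or of Guanghua's software), the following Python shows how an analyst can check a Windows Hosts file offline for the hijack described in N and strip the injected lines while leaving legitimate entries untouched. The watched-domain list is a subset of the sites above, and the sample Hosts content, including the 203.0.113.7 redirect address, is constructed for the example.

```python
"""Offline Hosts-file check for W32.Chod.B@mm-style vendor blocking.
Added example; SAMPLE_HOSTS is constructed, not taken from a victim."""
import ipaddress

# Subset of the domains the bulletin says the worm blocks.
WATCHED_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "grisoft.com", "kaspersky.com",
    "mcafee.com", "nai.com", "pandasoftware.com", "sophos.com",
    "symantec.com", "trendmicro.com", "zonelabs.com", "viruslist.com",
    "support.microsoft.com", "www.microsoft.com",
}

# Constructed sample: two legitimate lines, blackholed vendors, one redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example.test   # assumed internal host
127.0.0.1 liveupdate.symantec.com
0.0.0.0   www.mcafee.com
127.0.0.1 kaspersky.com www.kaspersky.com
203.0.113.7 update.symantec.com
10.0.0.5  fileserver
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file;
    comments and blank lines are skipped, hostnames are lower-cased."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower(), n


def _is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def _is_blackhole(ip):
    """Loopback or unspecified addresses make the name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # garbage address routes nowhere either
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return [(line_no, ip, host, kind)] for every watched domain in the
    file. A vendor domain has no business in a hosts file at all, so any
    hit is reported; kind says whether it is blackholed or redirected."""
    hits = []
    for ip, host, n in parse_hosts(text):
        if _is_watched(host):
            kind = "blackhole" if _is_blackhole(ip) else "redirect"
            hits.append((n, ip, host, kind))
    return hits


def clean_hosts(text):
    """Return the file with hijacked lines dropped; all other lines are
    preserved exactly so legitimate mappings survive."""
    bad = {n for n, _, _, _ in find_hijacks(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % hit)
    print(clean_hosts(SAMPLE_HOSTS))
```

On a Windows host the file lives at %SystemRoot%\system32\drivers\etc\hosts; the worm's other components must be removed first, or it will simply rewrite the file on the next run.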

  O Terminates the following processes, most of them belonging to anti-virus and firewall software:

  bbeagle.exe

  ccapp.exe

  ccevtmgr.exe

  ccproxy.exe

  ccsetmgr.exe

  d3dupdate.exe

  enterprise.exe

  gcasdtserv.exe

  gcasserv.exe

  hijackthis.exe

  i11r54n4.exe

  irun4.exe

  isafe.exe

  issvc.exe

  kav.exe

  kavsvc.exe

  mcagent.exe

  mcdash.exe

  mcinfo.exe

  mcmnhdlr.exe

  mcshield.exe

  mcvsescn.exe

  mcvsftsn.exe

  mcvsrte.exe

  mcvsshld.exe

  mpfagent.exe

  mpfservice.exe

  mpftray.exe

  msblast.exe

  msconfig.exe

  mscvb32.exe

  mskagent.exe

  mwincfg32.exe

  navapsvc.exe

  navapw32.exe

  navw32.exe

  npfmntor.exe

  outpost.exe

  pandaavengine.exe

  pccguide.exe

  pcclient.exe

  pcctlcom.exe

  penis32.exe

  regedit.exe

  smc.exe

  sndsrvc.exe

  spbbcsvc.exe

  symlcsvc.exe

  sysinfo.exe

  sysmonxp.exe

  teekids.exe

  tmntsrv.exe

  tmpfw.exe

  tmproxy.exe

  usrprmpt.exe

  vsmon.exe

  wincfg32.exe

  winsys.exe

  winupd.exe

  zapro.exe

  zlclient.exe

  P Opens a backdoor through which a remote attacker can connect and perform the following actions on the computer:

  Download and execute arbitrary files

  Install or uninstall an IRC daemon (IRCD)

  Launch ping, TCP and UDP denial-of-service attacks against a specified computer

  Send arbitrary email

  Shut down or restart the computer

  Spread the worm by email

  Spread the worm through MSN Messenger

  Q Steals passwords for the following software:

  AOL Instant Messenger (in old versions)

  AOL Instant Messenger/Netscape 7

  GAIM

  ICQ Lite 4.x/2003

  Miranda

  MSN Messenger

  Trillian

  Windows Messenger (on Windows XP)

  Yahoo Messenger (Versions 5.x and 6.x)

  R Uses the following tools to capture and steal passwords:

  Intelligent TCPIP.SYS patcher

  MessenPass

  Protected Storage PassView

  S Modifies the Win.ini file.

  Guanghua Anti-Virus already handles this worm; users should update and then remove it with Guanghua Anti-Virus.

  2. Trojan: Trojan.Pim   Threat level: ★★★☆☆

  According to experts at the Guanghua Anti-Virus Research Centre, Trojan.Pim is a Trojan that downloads and sends email. When it is received and opened it does the following:

  A Attempts to connect to a preset URL.

  B Downloads an email from that server, consisting of:

  a subject line

  a message body

  a forged sender address

  C Sends that email to randomly generated addresses.

  Beijing Riyue Guanghua Software updates its virus signatures daily. The Guanghua Anti-Virus Research Centre reminds you to order Guanghua Anti-Virus online from the Guanghua security site as soon as possible, so that your computer is protected against intrusions at all times. Guanghua Anti-Virus users who update to the April 4 signature database can detect and remove all of the viruses above.


