Guanghua Anti-Virus Bulletin: 4 April to 10 April

http://www.sina.com.cn 5 April 2005 18:30 Sina Technology

The Guanghua Anti-Virus Research Center has recently updated its virus signatures; users are asked to download the upgrade package from the Guanghua website www.viruschina.com as soon as possible. Brief descriptions of several important viruses follow.

1. Mail virus: W32.Chod.B@mm. Threat level: ★★★★☆

According to experts at the Guanghua Anti-Virus Research Center, the virus is 152,204 bytes long and infects Windows 2000,

A. Displays the following messages:
• Run-time Error
• Run-time error #7: Out of memory

B. Creates the following files in the system directory:
• cpu.dll
• [random directory]\csrss.dat
• [random directory]\csrss.exe
• [random directory]\csrss.ini

C. Creates the shortcut Programs\Startup\csrss.lnk in the Startup folder, so that the virus runs automatically and gains control at every boot.

D. On every execution, creates a registry entry so that the virus runs automatically and gains control at every boot.

E. Creates the following registry values as its own infection marker:
• HKEY_CLASSES_ROOT\Chode "Installed" = "1"
• HKEY_CURRENT_USER\Software\Chode "Installed" = "1"

F. At every boot, deletes the following values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to stop antivirus and similar software from running: CAISafe, ccProxy, ccPwdSvc, ccSetMgr, ISSVC, MCAgentExe, navapsvc, OutpostFirewall, PcCtlCom, SAVScan, SBService, SmcService, SPBBCSvc, vsmon.

H. Also deletes the following values from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: TmPfw tmproxy Tmntsrv net stop sc config start CleanUp MCUpdateExe VirusScan Online VSOCheckTask ccApp Symantec NetDriver Monitor Outpost Firewall gcasServ pccguide.exe KAVPersonal50 Zone Labs Client services microsoft antispyware hijackthis

K. Harvests email addresses from files with the following extensions: .adb .asp .cgi .ctt .dbx .dhtm .doc .eml .htm .html .msg .oft .php .pl .rtf .sht .shtm .sql .tbb .txt .uin .vbs .wab .xml
Addresses containing any of the following strings are skipped, so as to avoid antivirus vendors and similar recipients: .gov .mil abuse antivirus avp bitdefender f-pro f-secure fbi kaspersky mcafee messagelabs microsoft norton spam Symantec

L. Spreads itself by sending email with the following content:
From (one of three): security@microsoft.com, security@trendmicro.com, securityresponse@symantec.com
Subject (one of two): "Warning - you have been infected!", "Your computer may have been infected"
Message: Your message was undeliverable due to the following reason(s): Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your original message has been attached.
Attachment (one of four): netsky_removal.exe, removal_tool.exe, message.pif, message.scr

M. Sends the following messages via MSN (one of 11):
• check out what I just found on some stupid website
• dude check this out, it's awesome! :D
• haha you have to see this, I almost couldn't believe it! :O
• holy shit you have to see this... :|
• I just found this on a CD... you won't believe it! :|
• LOL! look at this, I can't explain it it in words..
• naked lesbian twister
• omg check this out, it's just wrong :O
• ROFL!! you have to see this...
• wtf... you have to see this, it freaked me out :S
• you have to see this, it's amazing!
It copies itself under the following file names (9): check this out, gross, my sister's webcam, mypic, paris hilton, picture, rofl, us together, wtf; with one of two extensions: .pif, .scr

N. Rewrites the Hosts file to block access to antivirus and security vendor websites, so that updates and removal tools cannot be downloaded.

O. Terminates processes in memory, most of them belonging to antivirus software.

P. Opens a backdoor that lets a remote attacker connect to the computer and:
• download and execute arbitrary files
• install and uninstall an IRCD
• launch ping, TCP and UDP denial-of-service attacks against specified computers
• send arbitrary email
• shut down and restart the computer
• spread the virus by email
• spread the virus via MSN

Q. Steals passwords for the following software: AOL Instant Messenger (in old versions), AOL Instant Messenger/Netscape 7, GAIM, ICQ Lite 4.x/2003, Miranda, MSN Messenger, Trillian, Windows Messenger (on Windows XP), Yahoo Messenger (versions 5.x and 6.x)

R. Uses the following tools to capture and steal passwords: Intelligent TCPIP.SYS patcher, MessenPass, Protected Storage PassView

S. Modifies the Win.ini file.

Guanghua Anti-Virus software already handles this virus; users should upgrade and then use Guanghua Anti-Virus to remove it.

2. Trojan: Trojan.Pim. Threat level: ★★★☆☆

According to experts at the Guanghua Anti-Virus Research Center, Trojan.Pim is a Trojan that downloads and sends email. When it is received and opened, it does the following:
A. Attempts to connect to a preset URL.
B. Downloads an email from the server, consisting of a subject, a message body and a fake sender address.
C. Generates random addresses and sends that email to them.

The website of Beijing Riyue Guanghua Software Company updates its virus signatures every day. Experts at the Guanghua Anti-Virus Research Center remind you to order Guanghua Anti-Virus software online from the Guanghua security website as soon as possible to defend against virus intrusions and keep your computer safe at all times. Guanghua Anti-Virus users who upgrade to the 4 April virus database can fully detect and remove these viruses.
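As an added defender-side example (not code from the bulletin or from Guanghua), the following Python script checks a Windows Hosts file for the kind of tampering described under item N above: security-vendor host names pinned to a loopback or null address, or redirected to some other address. The watchlist reproduces a few host names from the bulletin (a real deployment would load the full vendor list from configuration), and the sample Hosts content is constructed.

```python
# Added example: detect Hosts-file hijacking of security-vendor sites, as W32.Chod.B does.
# Standard library only; runs on any OS against a Hosts file's text.

# A few host names from the bulletin's Hosts-file section (assumption: the full
# vendor list would be loaded from configuration in practice).
WATCHLIST = {
    "symantec.com", "liveupdate.symantec.com", "mcafee.com",
    "kaspersky.com", "trendmicro.com", "www.microsoft.com",
}

# Addresses that make a host name unreachable rather than redirecting it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def watched(name):
    """True if name is a watchlisted host or a subdomain of one."""
    return name in WATCHLIST or any(name.endswith("." + w) for w in WATCHLIST)


def find_hijacked(text):
    """Return sorted (hostname, ip, kind) triples for watchlisted hosts in the file.

    Any explicit Hosts entry for a vendor site is suspicious: 'blocked' when pinned
    to a loopback/null address (updates and removal tools become unreachable),
    'redirected' when pointed at any other address.
    """
    hits = set()
    for ip, name in parse_hosts(text):
        if watched(name):
            hits.add((name, ip, "blocked" if ip in LOOPBACK else "redirected"))
    return sorted(hits)


# Constructed sample Hosts content, not taken from a real machine.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.mcafee.com   # vendor site pinned to loopback
0.0.0.0         kaspersky.com
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    for name, ip, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

On a live Windows machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacked; any hit on a vendor site warrants restoring the file and running a full scan from a clean update source.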