荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: gordonlot (非典型病毒), 信区: Virus
标 题: "恶邮差(Supnot.127488.h)" 新变种分析报告
发信站: 荔园晨风BBS站 (Fri May 16 16:57:11 2003), 站内信件
病毒名称:Wrom.Supnot.127488.h
病毒类型:蠕虫
病毒长度:127488
危害级别:高
传播速度:高
技术特征:
该病毒是蠕虫“恶邮差”(Worm.Supnot)的最新变种,病毒使用ASPack压缩,病毒改
进了在宿主计算机上的存活能力和对杀毒软件的“追杀”能力。
病毒运行后会搜索本地文件目录,通过收件箱中的邮件地址向外发送带毒邮件传播自
身,以及根据收件箱里的邮件内容自动回复邮件,每封邮件的附件中均携带病毒副本。
病毒激活后会复制自身到系统目录,文件名可能为Wingate.exe、WinHelp.exe、
Winrpc.exe、IEXPORE.EXE、RAVMOND.exe、DRWTSN16.EXEwinrpc.exe。病毒可能还会在系
统目录生成111.dll、ily.dll、Task.dll、reg.dll等文件。病毒还会修改注册表中系统启
动项,txt文件和exe文件打开的关联等。病毒会以困绑的方式感染EXE文件,将病毒添加到
可执行程序的头部。
病毒感染Windows95、98、ME的系统后修改win.ini文件,在其winsows节的run项中添
加自身。病毒会试图生成木马文件(如111.dll、ily.dll、Task.dll、reg.dll)到系统目
录下,会修改注册表,搜寻网络共享目录,向可写的目录中写入病毒副本。监听端口,允许
黑客控制被感染的计算机。
病毒感染是WindowsNT、2000、XP的系统后会复制病毒副本到系统目录,启动病毒主
程序为服务,服务名称为“Windows Management Instrumentation Driver Extension”等
。遍历本地网络或随机生成IP,并用枚举密码的方式进行IPC$攻击,攻击成功后,得到管
理员权限,拷副本到被攻击机算机的系统目录,文件名为Net_Services.exe,并伪装成“
Microsoft NetWork FireWall Services” 来启动一个名为“Windows Management
Instrumentation Driver Extension”的服务。
该病毒定时会向一个163的信箱发送邮件,邮件内容为被感染PC的IP地址。
病毒激活后会利用HOOK函数盗取用户的密码。
病毒会开一个进程用于监视病毒主程序,如果病毒主程序被中止,会立即重新装载主
程序。
病毒会中止一些知名杀毒软件的病毒防火墙和杀毒程序,如:金山毒霸、瑞星、诺顿
、天网、Kill等。并且改进的方式更加恶毒,只要程序的进程名中包含"KV"、"KAV"、
"Duba"、"NAV"、"kill"、"RavMon.exe"、"Rfw.exe"、"Gate"、"McAfee"、
"Symantec"、"SkyNet"、"rising"就会被病毒中止。
带毒邮件的特征:
毒回附邮件时主题和原始邮件有关,可能邮件正文有:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
病毒回附邮件时可能的附件名:
"I am For u.doc.exe"
"Britney spears nude.exe.txt.exe"
"joke.pif"
"DSL Modem Uncapper.rar.exe"
"Industry Giant II.exe"
"StarWars2 - CloneAttack.rm.scr"
"dreamweaver MX (crack).exe"
"Shakira.zip.exe"
"SETUP.EXE"
"Macromedia Flash.scr"
"How to Crack all gamez.exe"
"Me_nude.AVI.pif"
"s3msong.MP3.pif"
"Deutsch BloodPatch!.exe"
"Sex in Office.rm.scr"
"the hardcore game-.pif"
发送邮件时可能的主题、正文和附件名称
主题:
"Hi"
"Hi Dear"
"Attached one Gift for u.."
"Help"
"Great"
"for you"
"Last Update"
"Let's Laugh"
"Reply to this!"
正文:
"For further assistance, please contact!"
"Copy of your message, including all the headers is attached."
"This is the last cumulative update."
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney.
(AP Photo/Denis Poroy)"
"Send reply if you want to be official beta tester."
"This message was created automatically by mail delivery software (Exim).
"
"It',27h,'s the long-awaited film version of the Broadway hit. Set in
the roaring 20',27h,'s, this is the story of Chicago chorus girl Roxie Hart
(Zellweger), who shoots her unfaithful lover (West)."
"Adult content!!! Use with parental advisory."
"Patrick Ewing will give Knick fans something to cheer about Friday
night."
附件名称:
"images.pif"
"README.TXT.pif"
"Interesting.exe"
"Source.exe"
"YOU_are_FAT!.TXT.pif"
"enjoy.exe"
"Doom3 Preview!!!.exe"
"driver.exe"
"About_Me.txt.pif"
局域网传播时可能的副本的文件名:
"MSN Password Hacker and Stealer.exe"
"SIMS FullDownloader.zip.exe"
"Winrar + crack.exe"
"Star Wars II Movie Full Downloader.exe"
"MoviezChannelsInstaler.exe"
"Age of empires 2 crack.exe"
"CloneCD + crack.exe"
"Sex_For_You_Life.JPG.pif"
"AN-YOU-SUCK-IT.txt.pif"
"100 free essays school.pif"
"Mafia Trainer!!!.exe"
"Panda Titanium Crack.zip.exe"
"How To Hack Websites.exe"
"The world of lovers.txt.exe"
"autoexec.bat"
"Are you looking for Love.doc.exe"
--
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.48.22]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店