一个用Agobot修改成的蠕虫病毒
病毒形为:
病毒运行后将自己复制到%system%目录下,文件名为:csrsss.exe
并在注册表:
1 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
"Bcvsrv32" : CSRSSS.EXE
2 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunServices
"Bcvsrv32" : CSRSSS.EXE
中加入自己的键值,达到随系统启动的目的
病毒驻留内存后实现如下功能:
1.病毒修改hosts文件
在hosts文件中加入以下网站以使用户不能对其进行正常访问.
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
..
2.局域网传播
病毒对局域网中其它系统进行ms4011漏洞攻击.一但成功,将自己复制过去达到传播目的.
3.杀死黑名单进程.病毒将遍历系统进程列表,杀死和体内黑名单中相符的进程.
GBPOLL.EXE
FSMB32.EXE
FSMA32.EXE
FSAV95.EXE
FSAV530WTBYB.EXE
FSAV.EXE
FP-WIN_TRIAL.EXE
FP-WIN.EXE
FLOWPROTECTOR.EXE
FIH32.EXE
FCH32.EXE
F-PROT95.EXE
EXPERT.EXE
AVXW.EXE
EXANTIVIRUS-CNET.EXE
ICSUPP95.EXE
ESCANH95.EXE
DVP95_0.EXE
DVP95.EXE
AVGCC32.EXE
ATRO55EN.EXE
...
4.Mirc后门
病毒以特定昵称登录mirc特定频道,以方便病毒作者对其进行控制.
|
|
