Virus name: Worm.Mydoom.AB
Chinese name: 诺维格变种AB (Novarg variant AB)
Threat level: 2
Alias: I-Worm.Mydoom.y [AVP]
Discovered: 2004.09.17
Summary:
A. Copies itself to the Windows directory and runs as a service at system startup;
B. Modifies the registry to disable the registry editor (regedit);
C. Modifies the hosts file so that the user cannot reach the home pages of some security and anti-virus companies;
D. Spreads by sending links to the infected file over ICQ;
E. Downloads a backdoor trojan from specified websites onto the user's machine;
F. Terminates anti-virus software processes on the user's machine;
G. Sends out large volumes of infected e-mail, causing network congestion.
Technical details:
1. Copies itself to %SystemRoot%\services.exe
2. Modifies the registry:
A. Win9x:
Under the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
adds the value: "serv"="%SystemRoot%\services.exe"
B. Win2000/XP:
Creates a service:
Service name: NetBios Ext
Display name: NetBios Ext
Image path: %Windir%\services.exe serv
Start type: Automatic
Adds the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext with the following values:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\Type = "0x10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\Start = "0x2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\ErrorControl = "0x1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\ImagePath = "%SystemRoot%\services.exe serv"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\DisplayName = "NetBios Ext"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\Security\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\ObjectName = "LocalSystem"
3. Modifies the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = "0x0"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = "0x0"
4. Modifies %System%\drivers\etc\hosts so that the user cannot reach anti-virus related websites, by mapping their host names to 127.0.0.1.
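As an added example (not part of the original description), a small Python check for the two host-level artifacts described in points 2 through 4: anti-virus host names pinned to 127.0.0.1 in the hosts file, and a Run value or service ImagePath that launches services.exe directly under the Windows directory. It assumes registry data in the plain-text format printed by `reg query /s`; the watched-host set is a subset of the page's list, and both sample inputs are constructed.

```python
import re

# A few of the anti-virus hosts the description says are pinned to 127.0.0.1.
WATCHED_HOSTS = {"www.symantec.com", "www.kaspersky.com", "www.mcafee.com", "www.f-secure.com"}
# The worm's copy lives directly under the Windows directory (the real services.exe is in system32);
# this pattern matches both the Win9x Run value and the Win2000/XP service ImagePath from the description.
SUSPECT_LAUNCH = re.compile(r"%(?:SystemRoot|Windir)%\\?services\.exe", re.IGNORECASE)


def hosts_redirects(hosts_text, watched=WATCHED_HOSTS):
    """Return (ip, host) pairs where a watched anti-virus host is mapped to a loopback address."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) >= 2 and fields[0].startswith("127."):
            hits.extend((fields[0], n.lower()) for n in fields[1:] if n.lower() in watched)
    return hits


def registry_persistence(reg_query_text):
    """Scan `reg query /s` style output; return (key, value_name) pairs that launch the suspect binary."""
    findings, current_key = [], None
    for raw in reg_query_text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):                # unindented line = key path
            current_key = raw.strip()
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)   # name, type, data
        if len(parts) == 3 and current_key and SUSPECT_LAUNCH.search(parts[2]):
            findings.append((current_key, parts[0]))
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_HOSTS = """# hosts
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.kaspersky.com
10.0.0.5 intranet.example
"""
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBios Ext
    Type    REG_DWORD    0x10
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\\services.exe serv
    DisplayName    REG_SZ    NetBios Ext

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    serv    REG_SZ    %SystemRoot%\\services.exe
"""
```

On a live machine, feed `hosts_redirects` the contents of %System%\drivers\etc\hosts and `registry_persistence` the output of `reg query` over the Services and Run keys named above.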
5. Spreads by sending links to the infected file over ICQ, using messages such as:
funn http:/ /*******/icon/game.exe :-):-):-)
http:/ /******/icon/game.exe :-):-)
http:/ /******/icon/game.exe funny :-);-)
http:/ /******50/icon/game.exe ;-);-);-);-)
best game http:/ /******/icon/game.exe ;-);-);-)
http:/ /******/icon/game.exe LOL!! ;-);-);-)
http:/ /www.******/claroline142/photo.exe i cried :-)
http:/ /www.******/claroline142/photo.exe lol :-):-)
my photos (archived) http:/ /www.******/claroline142/photo.exe
i now play in game http://www.******.com/ajr/game.exe :-):-)
funy game http:/ /www.******.com/ajr/game.exe ;-);-);-)
fun game http:/ /www.******.com/ajr/game.exe :-):-):-)
6. Downloads a backdoor trojan from the following websites:
http:/ /www.******.com/heyyo/wassup/00000008.cgi
http:/ /www.*******.com/adclik/click.dat
http:/ /www.*******.it/forumBB/postmsg.gif
http:/ /www.*******.de/html/content/guestbook/data/data2.dat
http:/ /www.*******.unibo.it/claroline142/claroline/index.gif
http:/ /www.*******.com/grafix/cover_v3.jpg
http:/ /*******/manual/images/apache.gif
7. Searches for anti-virus software and other worms by process name, terminating the process and deleting its file.