Analysis Report on the Latest MyDoom Variant AB (Worm.Mydoom.AB)
[Summary]
Virus name: Worm.Mydoom.AB
Chinese name: Novarg variant AB (诺维格变种AB)
Threat level: 2
Aliases: I-Worm.Mydoom.y [AVP]
Discovered: 2004.09.17
Description:
A. The worm copies itself into the Windows directory and runs as a service each time the computer starts;
B. Modifies the registry to prevent use of the registry editor (regedit);
C. Modifies the hosts file so that users cannot reach the websites of certain security and anti-virus companies;
D. Spreads by sending links to infected files over ICQ;
E. Downloads a backdoor trojan from specified websites onto the user's machine;
F. Terminates anti-virus software processes on the user's machine;
G. Sends large volumes of infected e-mail, causing network congestion.
Technical details:
1. Copies itself to %SystemRoot%\services.exe
2. Modifies the registry:
A. Win9x:
Under the registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
adds the value: "serv"="%SystemRoot%\services.exe"
B. Win2000/XP:
Creates a service:
Service name: NetBios Ext
Display name: NetBios Ext
Image path: %Windir%\services.exe serv
Startup type: Automatic
Adds the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext with the following values:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\Type = "0x10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\Start = "0x2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\ErrorControl = "0x1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\ImagePath = "%SystemRoot%\services.exe serv"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\DisplayName = "NetBios Ext"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\Security\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBios Ext\ObjectName = "LocalSystem"
3. Modifies the registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = "0x0"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = "0x0"
4. Modifies %System%\drivers\etc\hosts so that users cannot reach anti-virus related websites:
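The persistence entries in items 2 and 3 can be checked offline from a registry export. The following script is an added example, not part of the original report or any vendor tool: it parses a .reg export and flags a service or Run value that launches a services.exe located anywhere other than the system32 directory (the genuine services.exe always lives there), together with any DisableRegistryTools policy value. The export text is a constructed sample that mirrors the values listed above; it is simplified in that ImagePath is written as a plain quoted string, whereas a real export stores REG_EXPAND_SZ as hex(2) data. The benign "Eventlog" entry is included only as a control.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (simplified, see lead-in). The NetBios Ext service,
# the Run value "serv" and the policy value mirror the report; Eventlog is a benign control.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\services.exe"
"DisplayName"="Event Log"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="%SystemRoot%\\services.exe serv"
"DisplayName"="NetBios Ext"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"serv"="%SystemRoot%\\services.exe"
"SoundMgr"="C:\\Program Files\\Sound\\soundmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"""

SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"
SERVICE_AUTO_START = 0x2  # the Start value the report gives for the worm's service


def _decode_value(raw: str):
    """Decode .reg value syntax: dword:<hex> or a quoted string; other types stay raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            keys[current] = {}
            continue
        value = re.fullmatch(r'"((?:[^"\\]|\\.)+)"=(.*)', line)
        if value and current is not None:
            keys[current][value.group(1)] = _decode_value(value.group(2))
    return keys


def _split_image_path(image_path: str) -> Tuple[str, List[str]]:
    """Split an ImagePath/Run command into program and arguments, honouring a quoted program."""
    s = image_path.strip()
    if s.startswith('"') and s.count('"') >= 2:
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].split()
    parts = s.split()
    return (parts[0] if parts else ""), parts[1:]


def _is_services_exe(program: str) -> bool:
    return ntpath.basename(program).lower() == "services.exe"


def _outside_system32(program: str) -> bool:
    return not ntpath.dirname(program).lower().endswith("system32")


def find_persistence(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Report service, Run-key and policy entries that match the worm's persistence pattern."""
    findings: List[str] = []
    for key, values in keys.items():
        upper = key.upper()
        short = key.rsplit("\\", 1)[-1]
        if upper.startswith(SERVICES_ROOT):
            image = values.get("ImagePath")
            if isinstance(image, str):
                program, args = _split_image_path(image)
                suspicious_args = any(a.lower() == "serv" for a in args)
                if _is_services_exe(program) and (_outside_system32(program) or suspicious_args):
                    auto = values.get("Start") == SERVICE_AUTO_START
                    findings.append(f"service '{short}' runs {image!r} (auto-start: {auto})")
        elif upper == RUN_KEY:
            # The genuine services.exe is started by the kernel-side boot chain, never from Run.
            for name, cmd in values.items():
                if isinstance(cmd, str) and _is_services_exe(_split_image_path(cmd)[0]):
                    findings.append(f"Run value '{name}' launches {cmd!r}")
        elif "\\POLICIES" in upper and "DisableRegistryTools" in values:
            findings.append(f"DisableRegistryTools = {values['DisableRegistryTools']!r} under {key}")
    return findings


def triage_reg_export(text: str) -> List[str]:
    return find_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for finding in triage_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

Run against the sample, the script reports the NetBios Ext service, the Run value and the policy value and stays silent on the Eventlog control; the path test, rather than the service name, is what separates the two, since a name like "NetBios Ext" is trivially changed between variants.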
127.0.0.1 www.avp.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.symantec.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.networkassociates.com
127.0.0.1 us.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 avp.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 kaspersky.com
127.0.0.1 www.trendmicro.com
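The hosts entries above all point vendor names at the loopback address, which is easy to detect generically: any non-localhost name mapped to a loopback or unspecified address is suspect, and a hit on a known security-vendor domain is a strong signal. The script below is an added example, not code from the report: it parses a hosts file, lists every blackholed name, and groups the ones under the vendor domains derived from the report's list. The hosts text is a constructed sample, and the two-label domain extraction is an assumption that holds for the domains above but not for ccTLD forms such as co.uk.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Registered domains derived from the hosts entries listed in the report.
VENDOR_DOMAINS: Set[str] = {
    "avp.com", "viruslist.com", "symantec.com", "networkassociates.com", "nai.com",
    "kaspersky-labs.com", "kaspersky.com", "mcafee.com", "f-secure.com", "sophos.com",
    "ca.com", "my-etrust.com", "trendmicro.com", "symantecliveupdate.com",
}

# Constructed sample hosts file: a normal localhost line, a benign internal mapping,
# vendor redirections of the kind the report lists, and one unrelated redirection.
SAMPLE_HOSTS = """# constructed sample, not a real infected host
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # internal mapping, benign
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com
0.0.0.0   update.symantec.com
127.0.0.1 www.example.org
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank lines and multiple aliases per line are handled."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip(".")))
    return entries


def is_blackhole(ip: str) -> bool:
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) targets; False for garbage."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def registered_domain(host: str) -> str:
    """Last two labels (assumption: no multi-label public suffixes among the watched domains)."""
    return ".".join(host.split(".")[-2:])


def blackholed_hosts(text: str) -> List[str]:
    """Every hostname other than localhost that is mapped to a blackhole address."""
    return [host for ip, host in parse_hosts(text) if host != "localhost" and is_blackhole(ip)]


def blackholed_vendor_hosts(text: str, watch: Set[str] = VENDOR_DOMAINS) -> Dict[str, List[str]]:
    """Group blackholed hostnames by watched vendor domain; an empty dict means no vendor is cut off."""
    hits: Dict[str, List[str]] = {}
    for host in blackholed_hosts(text):
        domain = registered_domain(host)
        if domain in watch:
            hits.setdefault(domain, []).append(host)
    return hits


if __name__ == "__main__":
    for domain, hosts in blackholed_vendor_hosts(SAMPLE_HOSTS).items():
        print(f"{domain}: {', '.join(hosts)}")
```

On a real machine the file to feed in is %System%\drivers\etc\hosts, as named in item 4; the 0.0.0.0 case is included because later malware families use it for the same purpose and the check costs nothing.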
5. Spreads by sending links to infected files over ICQ, using messages such as:
funn http:/ /*******/icon/game.exe :-):-):-)
http:/ /******/icon/game.exe :-):-)
http:/ /******/icon/game.exe funny :-);-)
http:/ /******50/icon/game.exe ;-);-);-);-)
best game http:/ /******/icon/game.exe ;-);-);-)
http:/ /******/icon/game.exe LOL!! ;-);-);-)
http:/ /www.******/claroline142/photo.exe i cried :-)
http:/ /www.******/claroline142/photo.exe lol :-):-)
my photos (archived) http:/ /www.******/claroline142/photo.exe
i now play in game http://www.******.com/ajr/game.exe :-):-)
funy game http:/ /www.******.com/ajr/game.exe ;-);-);-)
fun game http:/ /www.******.com/ajr/game.exe :-):-):-)
6. Downloads a backdoor trojan from the following sites:
http:/ /www.******.com/heyyo/wassup/00000008.cgi
http:/ /www.*******.com/adclik/click.dat
http:/ /www.*******.it/forumBB/postmsg.gif
http:/ /www.*******.de/html/content/guestbook/data/data2.dat
http:/ /www.*******.unibo.it/claroline142/claroline/index.gif
http:/ /www.*******.com/grafix/cover_v3.jpg
http:/ /*******/manual/images/apache.gif
7. Searches for the following anti-virus software and other worms (terminates and deletes them):
F-AGOBOT.EXE
HIJACKTHIS.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
ZONEALARM.EXE
ZONALM2601.EXE
ZATUTOR.EXE
ZAPSETUP3001.EXE
ZAPRO.EXE
XPF202EN.EXE
WYVERNWORKSFIREWALL.EXE
WUPDT.EXE
WUPDATER.EXE
WRCTRL.EXE
WRADMIN.EXE
WNT.EXE
WNAD.EXE
WKUFIND.EXE
WINUPDATE.EXE
WINTSK32.EXE
WINSTART001.EXE
WINSTART.EXE
WINSSK32.EXE
WINRECON.EXE
WINPPR32.EXE
WINMAIN.EXE
WINLOGIN.EXE
WININITX.EXE
WININIT.EXE
WININETD.EXE
WINDOWS.EXE
WINDOW.EXE
WINACTIVE.EXE
WIN32US.EXE
WIN32.EXE
WIN-BUGSFIX.EXE
WIMMUN32.EXE
WHOSWATCHINGME.EXE
WGFE95.EXE
WFINDV32.EXE
WEBTRAP.EXE
WEBSCANX.EXE
WEBDAV.EXE
WATCHDOG.EXE
W9X.EXE
W32DSM89.EXE
VSWINPERSE.EXE
VSWINNTSE.EXE
VSWIN9XE.EXE
VSSTAT.EXE
VSMON.EXE
VSMAIN.EXE
VSISETUP.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCHED.EXE
VSCENU6.02D30.EXE
VSCAN40.EXE
VPTRAY.EXE
VPFW30S.EXE
VPC42.EXE
VPC32.EXE
VNPC3000.EXE
VNLAN300.EXE
VIRUSMDPERSONALFIREWALL.EXE
VIR-HELP.EXE
VFSETUP.EXE
VETTRAY.EXE
VET95.EXE
VET32.EXE
VCSETUP.EXE
VBWINNTW.EXE
VBWIN9X.EXE
VBUST.EXE
VBCONS.EXE
VBCMSERV.EXE
UTPOST.EXE
UPGRAD.EXE
UPDAT.EXE
UNDOBOOT.EXE
TVTMD.EXE
TVMD.EXE
TSADBOT.EXE
TROJANTRAP3.EXE
TRJSETUP.EXE
TRJSCAN.EXE
TRICKLER.EXE
TRACERT.EXE
TITANINXP.EXE
TITANIN.EXE
TGBOB.EXE
TFAK5.EXE
TFAK.EXE
TEEKIDS.EXE
TDS2-NT.EXE
TDS2-98.EXE
TDS-3.EXE
TCM.EXE
TCA.EXE
TC.EXE
TBSCAN.EXE
TAUMON.EXE
TASKMON.EXE
TASKMO.EXE
SYSUPD.EXE
SYSTEM32.EXE
SYSTEM.EXE
SYSEDIT.EXE
SYMTRAY.EXE
SYMPROXYSVC.EXE
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
SWEEP95.EXE
SVCHOSTC.EXE
SVC.EXE
SUPPORTER5.EXE
SUPPORT.EXE
SUPFTRL.EXE
STCLOADER.EXE
START.EXE
ST2.EXE
SSG_4104.EXE
SSGRATE.EXE
SS3EDIT.EXE
SRNG.EXE
SREXE.EXE
SPYXX.EXE
SPOOLSV32.EXE
SPOOLCV.EXE
SPHINX.EXE
SPF.EXE
SPERM.EXE
SOFI.EXE
SOAP.EXE
SMSS32.EXE
SMS.EXE
SMC.EXE
SHOWBEHIND.EXE
SHN.EXE
SHELLSPYINSTALL.EXE
SH.EXE
SGSSFW32.EXE
SFC.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SERVLCES.EXE
SERVLCE.EXE
SERV95.EXE
SD.EXE
SCRSVR.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SCAM32.EXE
SC.EXE
SBSERV.EXE
SAVENOW.EXE
SAVE.EXE
SAHAGENT.EXE
SAFEWEB.EXE
RUXDLL32.EXE
RUNDLL16.EXE
RUNDLL.EXE
RULAUNCH.EXE
RTVSCN95.EXE
RTVSCAN.EXE
RSHELL.EXE
RRGUARD.EXE
RESCUE32.EXE
RESCUE.EXE
REGED.EXE
REALMON.EXE
RCSYNC.EXE
RB32.EXE
RAY.EXE
RAV8WIN32ENG.EXE
RAV7WIN.EXE
RAV7.EXE
RAPAPP.EXE
QSERVER.EXE
QCONSOLE.EXE
PVIEW95.EXE
PUSSY.EXE
PURGE.EXE
PSPF.EXE
PROTECTX.EXE
PROPORT.EXE
PROGRAMAUDITOR.EXE
PROCEXPLORERV1.0.EXE
PROCESSMONITOR.EXE
PROCDUMP.EXE
PRMVR.EXE
PRMT.EXE
PRIZESURFER.EXE
PPVSTOP.EXE
PPTBC.EXE
PPINUPDT.EXE
POWERSCAN.EXE
PORTMONITOR.EXE
PORTDETECTIVE.EXE
POPSCAN.EXE
POPROXY.EXE
POP3TRAP.EXE
PLATIN.EXE
PINGSCAN.EXE
PGMONITR.EXE
PFWADMIN.EXE
PF2.EXE
PERSWF.EXE
PERSFW.EXE
PERISCOPE.EXE
PENIS.EXE
PDSETUP.EXE
PCSCAN.EXE
PCIP10117_0.EXE
PCFWALLICON.EXE
PCDSETUP.EXE
PCCWIN98.EXE
PCCWIN97.EXE
PCCNTMON.EXE
PCCIOMON.EXE
PCC2K_76_1436.EXE
PCC2002S902.EXE
PAVW.EXE
PAVSCHED.EXE
PAVPROXY.EXE
PAVCL.EXE
PATCH.EXE
PANIXK.EXE
PADMIN.EXE
OUTPOSTPROINSTALL.EXE
OUTPOSTINSTALL.EXE
OTFIX.EXE
OSTRONET.EXE
OPTIMIZE.EXE
ONSRVR.EXE
OLLYDBG.EXE
NWTOOL16.EXE
NWSERVICE.EXE
NWINST4.EXE
NVC95.EXE
NVARCH16.EXE
NUI.EXE
NTXconfig.EXE
NTRTSCAN.EXE
NT.EXE
NSUPDATE.EXE
NSTASK32.EXE
NSSYS32.EXE
NSCHED32.EXE
NPSSVC.EXE
N
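One practical use of the kill list above is to compare process snapshots taken before and after a suspected infection: security tools that were running and have silently vanished are a strong indicator, and the same listing will show the worm's own services.exe running from the Windows directory instead of system32. The script below is an added example, not part of the report; it works on constructed snapshots in a simple "name,pid,path" form and uses only a small subset of the report's kill list (the full list is several hundred names long).

```python
import ntpath
from typing import List, Set, Tuple

# Subset of the image names the report lists as termination targets; compared case-insensitively.
KILL_LIST_SUBSET: Set[str] = {
    "ZONEALARM.EXE", "VSMON.EXE", "RTVSCAN.EXE", "VPTRAY.EXE", "_AVP32.EXE", "_AVPCC.EXE",
    "PCCNTMON.EXE", "NTRTSCAN.EXE", "OLLYDBG.EXE", "TASKMON.EXE", "HIJACKTHIS.EXE", "SYMPROXYSVC.EXE",
}

# Constructed process snapshots ("name,pid,path" per line); paths are illustrative only.
SNAPSHOT_BEFORE = r"""services.exe,652,C:\WINDOWS\system32\services.exe
explorer.exe,1204,C:\WINDOWS\explorer.exe
vsmon.exe,980,C:\WINDOWS\system32\ZoneLabs\vsmon.exe
zonealarm.exe,1340,C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
rtvscan.exe,1412,C:\Program Files\Symantec AntiVirus\Rtvscan.exe
vptray.exe,1460,C:\Program Files\Symantec AntiVirus\VPTray.exe
"""
SNAPSHOT_AFTER = r"""services.exe,652,C:\WINDOWS\system32\services.exe
services.exe,1888,C:\WINDOWS\services.exe
explorer.exe,1204,C:\WINDOWS\explorer.exe
rtvscan.exe,1412,C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

Process = Tuple[str, int, str]  # (image name upper-cased, pid, full path)


def parse_snapshot(text: str) -> List[Process]:
    """Parse "name,pid,path" lines; the path may itself contain commas, so split at most twice."""
    procs: List[Process] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, pid, path = line.split(",", 2)
        procs.append((name.upper(), int(pid), path))
    return procs


def terminated_security_tools(before: str, after: str, kill_list: Set[str] = KILL_LIST_SUBSET) -> List[str]:
    """Kill-list image names that were running in 'before' and are absent in 'after' (sorted)."""
    running_before = {name for name, _, _ in parse_snapshot(before)} & kill_list
    running_after = {name for name, _, _ in parse_snapshot(after)}
    return sorted(running_before - running_after)


def rogue_services_exe(snapshot: str) -> List[Tuple[int, str]]:
    """(pid, path) of every services.exe whose directory is not the system32 directory."""
    return [
        (pid, path)
        for name, pid, path in parse_snapshot(snapshot)
        if name == "SERVICES.EXE" and not ntpath.dirname(path).lower().endswith("system32")
    ]


if __name__ == "__main__":
    print("vanished security tools:", terminated_security_tools(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("services.exe outside system32:", rogue_services_exe(SNAPSHOT_AFTER))
```

A single process snapshot cannot tell whether a tool was killed or simply never installed, which is why the comparison needs a baseline; an inventory of which endpoints run which security products serves the same purpose when no earlier snapshot exists.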
Channel notice: Except for special contributions explicitly marked as not for reproduction, the articles on this channel may be freely reproduced, but please credit the source and the original author. Copyright in the articles belongs to this channel and to their authors. We extend our sincere thanks to the individuals and websites whose articles are reproduced here.
Original author: unknown
Entry date: 2006-10-13
Source: unknown
Submissions: itqoo@126.com
Entered by: itqoo   Editor: itqoo