光华反病毒研究中心近日进行病毒特征码更新,特此公告以下重要病毒信息:
一、W32病毒:W32.Spybot.AKKC 危害级别:★★★★☆
根据光华反病毒研究中心专家介绍,这是一个W32网络蠕虫病毒,长度 101,376 字节,感染 Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP 系统,它打开后门,收集信息,破解口令,进行破坏,利用网络漏洞传播。当收到、打开此病毒后,有以下现象:
A 在系统目录下生成文件 winsock32.exeB 增加注册表项"Microsoft Winsock32 System" = "winsock32.exe" 到 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 使得病毒每次开机后自动执行C 增加注册表项"Microsoft Winsock32 System" = "winsock32.exe" 到 HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa HKEY_CURRENT_USER\Software\Microsoft\OLE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OleD 修改主机文件,破坏以下网站访问 127.0.0.1 virustotal.com 127.0.0.1 www.virustotal.com 127.0.0.1 microsoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.pandasoftware.com 127.0.0.1 pandasoftware.com 127.0.0.1 trendmicro.com 127.0.0.1 rads.mcafee.com 127.0.0.1 customer.symantec.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 updates.symantec.com# 127.0.0.1 update.symantec.com 127.0.0.1 www.nai.com 127.0.0.1 nai.com 127.0.0.1 secure.nai.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 www.my-etrust.com 127.0.0.1 my-etrust.com 127.0.0.1 mast.mcafee.com 127.0.0.1 ca.com 127.0.0.1 www.ca.com 127.0.0.1 networkassociates.com 127.0.0.1 www.networkassociates.com 127.0.0.1 avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 kaspersky.com 127.0.0.1 www.f-secure.com 127.0.0.1 f-secure.com 127.0.0.1 viruslist.com 127.0.0.1 www.viruslist.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 mcafee.com 127.0.0.1 www.mcafee.com 127.0.0.1 sophos.com 127.0.0.1 www.sophos.com 127.0.0.1 symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 www.symantec.comE 打开后门连接 IRC 服务器 ratpack.akfighters.net 的 TCP 端口 21972F 执行远程黑客的以下命令 下载执行文件 列出,停止,启动进程或线程 执行 ACK、SYN、UDP和 ICMP 拒绝式服务攻击 执行端口重定向 通过 IRC 发送文件 通过自带的 SMTP 引擎发送邮件(病毒自身) 开始本地 HTTP、FTP或 TFTP 服务 搜索文件 记录键盘操作 搜索网络共享并将自身写入可写共享 通过端口扫描搜索“肉鸡” 截屏,截裁剪板,截摄像头,截浏览网址 截获本地网数据包 清除 DNS 和 ARP 缓存 打开命令行窗口 启动 SOCKSv4 代理服务器 增减删除网络共享目录 关闭 DCOM 重启计算机G 通过以下漏洞传播 http://www.microsoft.com/technethttp://security.chinaitlab.com/bulletin/ms04-011.mspx http://www.microsoft.com/technethttp://security.chinaitlab.com/bulletin/MS03-026.mspx http://www.microsoft.com/technethttp://security.chinaitlab.com/bulletin/MS03-049.mspx http://www.microsoft.com/technethttp://security.chinaitlab.com/bulletin/MS03-043.mspxH 通过以下弱口令破解所有搜索到的计算机intranet lan main winpass blank office control nokia siemens compaq dell cisco ibm orainstall sqlpassoainstall sql db1234 db1 databasepassword data databasepass dbpassword dbpass access domainpassword domainpass domain hello hell god sex slut bitch fuck exchange backup technical loginpass login mary katie kate george eric chris ian neil lee brian susan sue sam luke peter john mike bill fred joe jen bob qwe zxc asd qaz win2000 winnt winxp win2k win98 windows oeminstall oemuser oem user homeuser home accounting accounts internet www web outlook mail qwerty null server system changeme linux unix demo none test 2004 2002 2001 2000 1234567890 123456789 12345678 1234567 123456 12345 1234 123 007 pwd pass pass1234 passwd password password1 adm db2 oracle dba database default guest wwwadmin teacher student owner computer staff admins administrat administrateur administrador administrator
I 结束以下进程(部分为安全程序)TASKLIST.EXE TASKKILL.EXE NEC.EXE TASKMGR.EXE CMD.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE ZONEALARM.EXE ZONALM2601.EXE ZATUTOR.EXE ZAPSETUP3001.EXE ZAPRO.EXE XPF202EN.EXE WYVERNWORKSFIREWALL.EXE WUPDT.EXE WUPDATER.EXE WSBGATE.EXE WRCTRL.EXE WRADMIN.EXE WNT.EXE WNAD.EXE WKUFIND.EXE WINUPDATE.EXE WINTSK32.EXE WINSTART001.EXE WINSTART.EXE WINSSK32.EXE WINSERVN.EXE WINRECON.EXE WINPPR32.EXE WINNET.EXE WINMAIN.EXE WINLOGIN.EXE WININITX.EXE WININIT.EXE WININETD.EXE WINDOWS.EXE WINDOW.EXE WINACTIVE.EXE WIN32US.EXE WIN32.EXE WIN-BUGSFIX.EXE WIMMUN32.EXE WHOSWATCHINGME.EXE WFINDV32.EXE WEBTRAP.EXE WEBSCANX.EXE WEBDAV.EXE WATCHDOG.EXE W9X.EXE W32DSM89.EXE VSWINPERSE.EXE VSWINNTSE.EXE VSWIN9XE.EXE VSSTAT.EXE VSMON.EXE VSMAIN.EXE VSISETUP.EXE VSHWIN32.EXE VSECOMR.EXE VSCHED.EXE VSCENU6.02D30.EXE VSCAN40.EXE VPTRAY.EXE VPFW30S.EXE VPC42.EXE VPC32.EXE VNPC3000.EXE VNLAN300.EXE VIRUSMDPERSONALFIREWALL.EXE VIR-HELP.EXE VFSETUP.EXE VETTRAY.EXE VET95.EXE VET32.EXE VCSETUP.EXE VBWINNTW.EXE VBWIN9X.EXE VBUST.EXE VBCONS.EXE VBCMSERV.EXE UTPOST.EXE UPGRAD.EXE UPDATE.EXE UPDAT.EXE UNDOBOOT.EXE TVTMD.EXE TVMD.EXE TSADBOT.EXE TROJANTRAP3.EXE TRJSETUP.EXE TRJSCAN.EXE TRICKLER.EXE TRACERT.EXE TITANINXP.EXE TITANIN.EXE TGBOB.EXE TFAK5.EXE TFAK.EXE TEEKIDS.EXE TDS2-NT.EXE TDS-3.EXE TCM.EXE TCA.EXE TC.EXE TBSCAN.EXE TAUMON.EXE TASKMON.EXE TASKMO.EXE TASKMG.EXE SYSUPD.EXE SYSTEM32.EXE SYSTEM.EXE SYSEDIT.EXE SYMTRAY.EXE SYMPROXYSVC.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SWEEP95.EXE SVSHOST.EXE SVCHOSTS.EXE SVCHOSTC.EXE SVC.EXE SUPPORTER5.EXE SUPPORT.EXE SUPFTRL.EXE STCLOADER.EXE START.EXE ST2.EXE SSG_4104.EXE SSGRATE.EXE SS3EDIT.EXE SRNG.EXE SREXE.EXE SPYXX.EXE SPOOLSV32.EXE SPOOLCV.EXE SPOLER.EXE SPHINX.EXE SPF.EXE SPERM.EXE SOFI.EXE SOAP.EXE SMSS32.EXE SMS.EXE SMC.EXE SHOWBEHIND.EXE SHN.EXE SHELLSPYINSTALL.EXE SH.EXE SGSSFW32.EXE SFC.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SCAM32.EXE SC.EXE SBSERV.EXE SAVENOW.EXE SAVE.EXE SAHAGENT.EXE SAFEWEB.EXE RUXDLL32.EXE RUNDLL16.EXE RUNDLL.EXE RUN32DLL.EXE RULAUNCH.EXE RTVSCN95.EXE RTVSCAN.EXE RSHELL.EXE RRGUARD.EXE RESCUE32.EXE RESCUE.EXE REGEDT32.EXE REGEDIT.EXE REGED.EXE REALMON.EXE RCSYNC.EXE RB32.EXE RAY.EXE RAV8WIN32ENG.EXE RAV7WIN.EXE RAV7.EXE RAPAPP.EXE QSERVER.EXE QCONSOLE.EXE PURGE.EXE PSPF.EXE PROTECTX.EXE PROPORT.EXE PROGRAMAUDITOR.EXE PROCEXPLORERV1.0.EXE PROCESSMONITOR.EXE PROCDUMP.EXE PRMVR.EXE PRMT.EXE PRIZESURFER.EXE PPVSTOP.EXE PPTBC.EXE PPINUPDT.EXE POWERSCAN.EXE PORTMONITOR.EXE PORTDETECTIVE.EXE POPSCAN.EXE POPROXY.EXE POP3TRAP.EXE PLATIN.EXE PINGSCAN.EXE PGMONITR.EXE PFWADMIN.EXE PF2.EXE PERSWF.EXE PERSFW.EXE PERISCOPE.EXE PDSETUP.EXE PCSCAN.EXE PCIP10117_0.EXE PCFWALLICON.EXE PAVW.EXE PAVSCHED.EXE PAVPROXY.EXE PAVCL.EXE PATCH.EXE PANIXK.EXE PADMIN.EXE OUTPOSTPROINSTALL.EXE OUTPOSTINSTALL.EXE OUTPOST.EXE OTFIX.EXE OSTRONET.EXE OPTIMIZE.EXE ONSRVR.EXE OLLYDBG.EXE NWTOOL16.EXE NWSERVICE.EXE NWINST4.EXE NVSVC32.EXE NVC95.EXE NVARCH16.EXE NUPGRADE.EXE NUI.EXE NTXconfig.EXE NTVDM.EXE NTRTSCAN.EXE NT.EXE NSUPDATE.EXE NSTASK32.EXE NSSYS32.EXE NSCHED32.EXE NPSSVC.EXE NPSCHECK.EXE NPROTECT.EXE NPFMESSENGER.EXE NPF40_TW_98_NT_ME_2K.EXE NOTSTART.EXE NORTON_INTERNET_SECU_3.0_407.EXE NORMIST.EXE NOD32.EXE NMAIN.EXE NISUM.EXE NISSERV.EXE NETUTILS.EXE NETSTAT.EXE NETSPYHUNTER-1.2.EXE NETSCANPRO.EXE NETMON.EXE NETINFO.EXE NETD32.EXE NETARMOR.EXE NEOWATCHLOG.EXE NEOMONITOR.EXE NDD32.EXE NCINST4.EXE NC2000.EXE NAVWNT.EXE NAVW32.EXE NAVSTUB.EXE NAVNT.EXE NAVLU32.EXE NAVDX.EXE NAVAPW32.EXE NAVAPSVC.EXE NAVAP.NAVAPSVC.EXE AUTO-PROTECT.NAV80TRY.EXE NAV.EXE N32SCANW.EXE MWATCH.EXE MU0311AD.EXE MSVXD.EXE MSSYS.EXE MSSMMC32.EXE MSMSGRI32.EXE MSMGT.EXE MSLAUGH.EXE MSINFO32.EXE MSIEXEC16.EXE MSDOS.EXE MSDM.EXE MSCONFIG.EXE MSCMAN.EXE MSCCN32.EXE MSCACHE.EXE MSBLAST.EXE MSBB.EXE MSAPP.EXE MRFLUX.EXE MPFTRAY.EXE MPFSERVICE.EXE MPFAGENT.EXE MOSTAT.EXE MOOLIVE.EXE MONITOR.EXE MMOD.EXE MINILOG.EXE MGUI.EXE MGHTML.EXE MGAVRTE.EXE MGAVRTCL.EXE MFWENG3.02D30.EXE MFW2EN.EXE MFIN32.EXE MD.EXE MCVSSHLD.EXE MCVSRTE.EXE MCUPDATE.EXE MCTOOL.EXE MCSHIELD.EXE MCMNHDLR.EXE MCAGENT.EXE MAPISVC32.EXE
LUSPT.EXE LUINIT.EXE LUCOMSERVER.EXE LUAU.EXE LUALL.EXE LSETUP.EXE LORDPE.EXE LOOKOUT.EXE LOCKDOWN2000.EXE LOCKDOWN.EXE LOCALNET.EXE LOADER.EXE LNETINFO.EXE LDSCAN.EXE LDPROMENU.EXE LDPRO.EXE LDNETMON.EXE LAUNCHER.EXE KILLPROCESSSETUP161.EXE KERNEL32.EXE KERIO-WRP-421-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-PF-213-EN-WIN.EXE KEENVALUE.EXE KAZZA.EXE KAVPF.EXE KAVPERS40ENG.EXE KAVLITE40ENG.EXE JEDI.EXE JDBGMRG.EXE JAMMER.EXE ISTSVC.EXE IOMON98.EXE INTREN.EXE INTDEL.EXE INIT.EXE INFWIN.EXE INFUS.EXE INETLNFO.EXE IFW2000.EXE IFACE.EXE IEXPLORER.EXE IEDRIVER.EXE IEDLL.EXE IDLE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE IBMAVSP.EXE IBMASN.EXE IAMSTATS.EXE IAMSERV.EXE IAMAPP.EXE HXIUL.EXE HXDL.EXE HWPE.EXE HTPATCH.EXE HTLOG.EXE HOTPATCH.EXE HOTACTIO.EXE HBSRV.EXE HBINST.EXE HACKTRACERSETUP.EXE GUARDDOG.EXE GUARD.EXE GMT.EXE GENERICS.EXE GBPOLL.EXE GBMENU.EXE GATOR.EXE FSMB32.EXE FSMA32.EXE FSM32.EXE FSGK32.EXE FSAV95.EXE FSAV530WTBYB.EXE FSAV530STBYB.EXE FSAV32.EXE FSAV.EXE FSAA.EXE FRW.EXE FPROT.EXE FP-WIN_TRIAL.EXE FP-WIN.EXE FNRB32.EXE FIREWALL.EXE FINDVIRU.EXE FIH32.EXE FCH32.EXE FAST.EXE FAMEH32.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE EXPLORE.EXE EXPERT.EXE EXE.AVXW.EXE EXANTIVIRUS-CNET.EXE EVPN.EXE ETRUSTCIPE.EXE ETHEREAL.EXE ESPWATCH.EXE ESCANV95.EXE ESCANHNT.EXE ESAFE.EXE ENT.EXE EMSW.EXE EFPEADM.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE DSSAGENT.EXE DRWEBUPW.EXE DRWEB32.EXE DRWATSON.EXE DPPS2.EXE DPFSETUP.EXE DPF.EXE DOORS.EXE DLLREG.EXE DLLCACHE.EXE DIVX.EXE DEPUTY.EXE DEFWATCH.EXE DEFSCANGUI.EXE DEFALERT.EXE DCOMX.EXE DATEMANAGER.EXE CLAW95CF.EXE CWNTDWMO.EXE CWNB181.EXE CV.EXE CTRL.EXE CPFNT206.EXE CPF9X206.EXE CPD.EXE CONNECTIONMONITOR.EXE CMON016.EXE CMGRDIAN.EXE CMESYS.EXE CMD32.EXE CLICK.EXE CLEANPC.EXE CLEANER3.EXE CLEANER.EXE CLEAN.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE CFGWIZ.EXE CFD.EXE CDP.EXE CCPXYSVC.EXE CCEVTMGR.EXE CCAPP.EXE BVT.EXE BUNDLE.EXE BS120.EXE BRASIL.EXE BPC.EXE BORG2.EXE BOOTWARN.EXE BOOTCONF.EXE BLSS.EXE BLACKICE.EXE BLACKD.EXE BISP.EXE BIPCPEVALSETUP.EXE BIPCP.EXE BIDSERVER.EXE BIDEF.EXE BELT.EXE BEAGLE.EXE BD_PROFESSIONAL.EXE BARGAINS.EXE BACKWEB.EXE AVXQUAR.EXE AVXMONITORNT.EXE AVXMONITOR9X.EXE AVWUPSRV.EXE AVWUPD32.EXE AVWUPD.EXE AVWINNT.EXE AVSYNMGR.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVLTMAIN.EXE AVKWCTl9.EXE AVKSERVICE.EXE AVKSERV.EXE AVKPOP.EXE AVGW.EXE AVGUARD.EXE AVGSERV9.EXE AVGSERV.EXE AVGNT.EXE AVGCTRL.EXE AVGCC32.EXE AVE32.EXE AVCONSOL.EXE AUTOUPDATE.EXE AUTOTRACE.EXE AUTODOWN.EXE AUPDATE.EXE AU.EXE ATWATCH.EXE ATUPDATER.EXE ATRO55EN.EXE ATGUARD.EXE ATCON.EXE ARR.EXE APVXDWIN.EXE APLICA32.EXE APIMONITOR.EXE ANTS.EXE ANTIVIRUS.EXE ANTI-TROJAN.EXE AMON9X.EXE ALOGSERV.EXE ALEVIR.EXE ALERTSVC.EXE AGENTW.EXE AGENTSVR.EXE ADVXDWIN.EXE ADAWARE.EXE ACKWIN32.EXE
二 后门病毒 Backdoor.Lassrv.B 危害级别:★★☆☆☆
根据光华反病毒研究中心专家介绍,这是一个后门病毒,通过修改LSASS.EXE允许远程存取,感染 Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP 系统,当打开含有此病毒的文档后,有以下现象:
A 在系统目录下创建以下文件 lsasrv32.dll CMIB870U.DLL CMIB129U.DLLB 修改LSASS.EXE文件,在下次启动时强制加载lsasrv32.dllC 连接 81.31.36.242 下载病毒执行D 打开后门,允许非法远程存取