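Kingsoft Duba Emergency Update Detects and Removes the Latest Variant of "MSN Sexy Chicken"
March 7, 2005 16:22, Kingsoft Duba Information Security Network
The Kingsoft Duba virus database received an emergency update on March 7, 2005 that detects and removes a new variant of the MSN Sexy Chicken virus. Users should update immediately.
1. Worm.MSNLoveme.e.17429
The most notable feature of this virus is that it terminates a large number of tools used in antivirus research, such as process managers, system utilities, Microsoft Visual C++, and the W32DASM disassembler. This shows that the virus is aimed not only at ordinary users but is also a direct challenge to antivirus researchers. In addition to the propagation channels inherited from earlier versions, it adds the ability to spread through P2P software. Once a user runs it, antivirus software is stopped, the machine slows down to the point of hanging, and the virus database can no longer be updated. To protect itself, the virus terminates tools used for virus research, which makes manual detection and removal more difficult.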

(1). Copies itself into the system directory %System32% as:
serbw.exe
formatsys.exe
(2). Copies itself into %SystemRoot% as:
msmbw.exe
(3). Creates the following files in the root directory of the system drive:
Crazy-Frog.Html
lspt.exe
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr
Message to n00b LARISSA.txt
(4). Modifies the registry so that it runs automatically when the computer starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
serpe = "%System32%\serbw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
serpe = "%System32%\serbw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
serpe = "%System32%\serbw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
serpe = "%System32%\serbw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
serpe = "%System32%\serbw.exe"
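(5). Modifies the hosts file so that the websites of numerous security and antivirus companies are redirected to one fixed IP address, leaving those companies' websites unreachable.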
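(6). Terminates security software and blocks some system programs from running (for example Task Manager and msconfig.exe).
(7). Spreads itself through network shared directories (such as eMule's). Possible file names include: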
Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe
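
An added example, not part of the original advisory or Kingsoft's code: a Python audit for the hosts-file tampering described in item (5). The watchlist domains, the sample hosts content and the function names are constructed assumptions; the audit flags any override of a watched domain or its subdomains and reports a single address shared by several watched hosts.

```python
import ipaddress
from collections import defaultdict

# Hypothetical watchlist: replace with the vendor and update domains your endpoints rely on.
WATCHLIST = {"av-vendor.example", "updates.scanner.example"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field is not an address: skip line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watchlist=WATCHLIST):
    """Return mappings that override a watched domain or any of its subdomains."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if any(host == d or host.endswith("." + d) for d in watchlist):
            findings.append((line_no, ip, host))
    return findings

def shared_targets(findings, threshold=2):
    """Group findings by address; one address serving several watched hosts
    matches the single-fixed-IP redirection described in item (5)."""
    by_ip = defaultdict(set)
    for _, ip, host in findings:
        by_ip[ip].add(host)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= threshold}

# Constructed sample hosts file (documentation address ranges, example domains).
SAMPLE = """\
127.0.0.1       localhost
# 203.0.113.10  av-vendor.example   (commented out, ignored)
203.0.113.10    av-vendor.example
203.0.113.10    Download.AV-Vendor.example  updates.scanner.example.
192.0.2.7       intranet.corp.example
not-an-ip       av-vendor.example
"""

if __name__ == "__main__":
    hits = audit_hosts(SAMPLE)
    for line_no, ip, host in hits:
        print(f"line {line_no}: {host} -> {ip}")
    print(shared_targets(hits))
```

Any finding deserves review, because a legitimate hosts file rarely overrides antivirus update domains at all, whatever address they point to.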
[Editor: sky]