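The Guanghua Anti-Virus Research Center has recently updated its virus signatures. Users should download the update package from the Guanghua website, www.viruschina.com, as soon as possible. Brief descriptions of several important viruses follow: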
1. Mail virus: W32.Netsky.BG@mm
Threat level: ★★★★★

According to experts at the Guanghua Anti-Virus Research Center, W32.Netsky.BG@mm is a mail virus, 200,704, 204,800 or 208,896 bytes long, that infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP systems. It spreads through executable files, sends infected e-mail, and infects network shared directories. When the virus is received and opened, it does the following:

A. Creates the system mutex ~~~Bloodred~~~owns~~~you~~~xoxo~~~2004 so that only one copy of the virus runs.
B. Creates the files bloodred.exe and Windows_kernel32.exe in the system directory.
C. Creates the registry entry
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Kernel" = "%Windir%\system32\Windows_kernel32.exe"
   so that the virus runs automatically at every startup.
D. Creates the following virus files:
   [system directory]\base64exe.sys
   [system directory]\base64zip.sys
   [Windows directory]\bloodred.zip
   [temp directory]\inf4D2.tmp
E. Creates the file system32\frun.txt.
F. Sometimes displays the following error dialog:
   Title: Error
   Text: Windows encountered an error reading the file
G. Collects e-mail addresses from files on drives C through X that have the following extensions:
   .adb .asp .dbx .doc .htm .html .jsp .jsp .rtf .txt .xml
H. Uses its own SMTP engine to send infected mail with the following characteristics:

   Sender (one of):
   administration@[mail server]
   management@[mail server]
   server@[mail server]
   service@[mail server]
   userhelp@[mail server]
   where [mail server] is the sender's mail server, for example sina.com or 263.com.

   Subject (one of):
   Email Account Information
   Server Error
   URGENT PLEASE READ!
   Urgent Update!
   User Info
   User Information

   Body (one of):
   There is urgent information in the attachment regarding your Email account
   Your Email account information has been removed from the system due to inactivity. To renew your account information refer to the attachment
   We regret to inform you that your account has been hijacked and used for illegal purposes. The attachment has more information about what has happened.
   Our Email system has received reports of your account flooding email servers. There is more information on this matter in the attachment
   Due to recent internet attacks, your Email account security is being upgraded. The attachment contains more details
   Our server is experiencing some latency in our email service. The attachment contains details on how your account will be affected.

   Attachment name (one of):
   Account_Information
   Details
   Gift
   Information
   Update
   Word_Document

   Attachment extension (one of):
   .cmd .pif .scr
I. Also packs itself into a zip file and sends that.
J. Avoids sending to mailboxes on servers such as the following:
   @avp @fsecure @hotmail @microsoft @mm @msn @noreply @norman @norton @panda @sopho @symantec @virusli
K. Infects all .exe executable files on drive C.
L. Copies itself to every writable network share and to every directory on drives C through X whose name contains the string "shar", using one of the following file names:
   Adobe Photoshop Full Version.exe
   Battlefield 1942.exe
   Brianna banks and jenna jameson.mpeg[24 SPACES].exe
   Britney spears naked.jpeg[43 SPACES].exe
   Cisco source code.zip[23 SPACES].exe
   DVD Xcopy xpress.exe
   Kazaa Lite.zip[34 SPACES].exe
   NETSKY SOURCE CODE.zip[35 SPACES].exe
   Norton AntiVirus 2004.exe
   Opera Registered version.exe
   Snood new version.exe
   Teen Porn.mpeg[45 SPACES].exe
   Visual Studio.NET.zip[51 SPACES].exe
   WINDOWS SOURCE CODE.zip[28 SPACES].exe
   WinAmp 6.exe
   WinRAR.exe
   Windows Longhorn Beta.exe
   Windows crack.zip[46 SPACES].exe
   jenna jameson screensaver.scr
M. Opens a backdoor on TCP port 2345 and waits for an attacker to send commands and virus files. Received virus files are saved as:
   [Windows directory]\system32\[3 to 12 random lowercase letters].exe
N. After November 15, 2004, launches a distributed denial-of-service attack against www.kazaa.com.
O. Watches for Task Manager and closes it as soon as it is found.
P. Blocks access to the following addresses, so that many antivirus products cannot be reached or updated:
   www.norton.com norton.com yahoo.com www.yahoo.com microsoft.com www.microsoft.com windowsupdate.com www.windowsupdate.com www.mcafee.com mcafee.com www.nai.com nai.com www.ca.com ca.com liveupdate.symantec.com www.sophos.com www.google.com google.com
Q. Terminates a long list of programs, many of them antivirus software.
R. Creates a set of system semaphores that makes the system immune to many other viruses (so it even does some good).
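A mail-gateway check built from the characteristics in item H, added here as an illustration; it is not code from Guanghua or from the advisory. The function names and the two-trait threshold are assumptions, and the sample message is constructed.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# Traits copied from item H of the advisory (W32.Netsky.BG@mm mail).
SENDERS = {"administration", "management", "server", "service", "userhelp"}
SUBJECTS = {"email account information", "server error", "urgent please read!",
            "urgent update!", "user info", "user information"}
STEMS = {"account_information", "details", "gift", "information",
         "update", "word_document"}
EXTS = {".cmd", ".pif", ".scr"}


def netsky_bg_traits(raw: str) -> list:
    """Return which advisory traits (sender, subject, attachment) a message matches."""
    msg = message_from_string(raw)
    hits = []
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if local_part in SENDERS:
        hits.append("sender")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        stem, ext = os.path.splitext(name)
        if stem in STEMS and ext in EXTS:
            hits.append("attachment")
            break
    return hits


def is_suspect(raw: str, threshold: int = 2) -> bool:
    """Assumed policy: one trait alone (e.g. a service@ sender) is too common to act on."""
    return len(netsky_bg_traits(raw)) >= threshold


# Constructed sample message (not captured traffic).
SAMPLE = """From: service@example.com
Subject: Server Error
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="Details.scr"

AAAA
--b1--
"""
```

The zip-packed copy from item I is not covered, because the advisory does not give its attachment name.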
Guanghua Anti-Virus already handles this virus. Users should update and then use Guanghua Anti-Virus to remove it.
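Several of the share-copy names in item L of the W32.Netsky.BG@mm description hide the real extension behind a run of spaces after a decoy extension. The following added example (not part of the advisory) flags that pattern in a file listing; the function names, the three-space minimum and the set of executable extensions are assumptions, and the listing is constructed from names in item L.

```python
import re

# Extensions Windows will execute; the advisory's share copies end in .exe or .scr.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "cmd", "com", "bat"}
# <decoy extension><run of whitespace><real extension> at the end of the name.
PADDED = re.compile(r"\.([A-Za-z0-9]{1,5})(\s{3,})\.([A-Za-z0-9]{1,5})$")


def hidden_extension(name: str):
    """Return (decoy_ext, pad_length, real_ext) if padding hides an executable extension."""
    m = PADDED.search(name)
    if m and m.group(3).lower() in EXECUTABLE_EXTS:
        return m.group(1).lower(), len(m.group(2)), m.group(3).lower()
    return None


def scan_share(names):
    """Map each suspicious name in a share listing to its hidden-extension details."""
    return {n: hit for n in names if (hit := hidden_extension(n))}


# Constructed listing: two padded names from item L with the "[N SPACES]"
# placeholders expanded, one unpadded name from item L, and an ordinary document.
LISTING = [
    "Cisco source code.zip" + " " * 23 + ".exe",
    "Kazaa Lite.zip" + " " * 34 + ".exe",
    "WinRAR.exe",
    "quarterly report.doc",
]

if __name__ == "__main__":
    for name, (decoy, pad, real) in scan_share(LISTING).items():
        print(f"{name.split('.')[0]!r}: shows .{decoy}, runs as .{real} ({pad} spaces)")
```

Unpadded lure names such as WinRAR.exe are not flagged by this check and need a separate control, for example blocking executables in shared directories.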
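2. W32 virus: W32.Cassel
Threat level: ★★☆☆☆

According to experts at the Guanghua Anti-Virus Research Center, W32.Cassel is a W32 virus, 208,923 bytes long, that infects Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003 and Windows 2000 systems. It copies itself to removable drives and opens a backdoor. When the virus is received and opened, its main effects are:

A. Copies itself to [system directory]\Lcass.exe
B. Creates the registry entry
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Lcass" = "%System%\Lcass.exe"
   so that the virus runs automatically at every startup.
C. Creates the file [system directory]\mswinsck.ocx
D. Copies itself to removable drives:
   [drive]\RECYCLER\Lcass.exe
   [drive]:\autorun.inf
E. Opens a backdoor on HTTP port 88 and waits for an attacker to connect.
F. Connects to tzhen.3322.org and sends the computer name, IP address, backdoor port number and other collected information.

The website of Beijing Riyue Guanghua Software (www.viruschina.com) updates its virus signatures every day. Experts at the Guanghua Anti-Virus Research Center advise users to order Guanghua Anti-Virus online from the Guanghua security website as soon as possible to guard against virus intrusion and keep their computers protected at all times. Guanghua Anti-Virus users who update to the July 9 virus database (free download: http://www.viruschina.com/html/update.asp) can fully detect and remove these viruses.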
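A check for the two removable-drive artefacts listed in item D of the W32.Cassel description, added here as an illustration and not taken from the advisory or from Guanghua's product. The advisory names autorun.inf but does not show its contents, so the sample file and the assumption that it launches the RECYCLER copy are constructed; the function names are hypothetical.

```python
import configparser
import ntpath

LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that name a program to run


def autorun_targets(text: str) -> list:
    """Return the programs an autorun.inf would launch."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False,
                                   interpolation=None, allow_no_value=True)
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # keys arrive lower-cased
            if value and (key in LAUNCH_KEYS or key.endswith("\\command")):
                targets.append(value.strip().strip('"'))
    return targets


def cassel_findings(autorun_text: str, recycler_files: list) -> list:
    """Flag an autorun target inside RECYCLER and the Lcass.exe copy itself."""
    findings = []
    for target in autorun_targets(autorun_text):
        parts = [p.lower() for p in ntpath.normpath(target).split("\\") if p]
        if "recycler" in parts[:-1]:
            findings.append("autorun.inf launches " + target)
    if any(name.lower() == "lcass.exe" for name in recycler_files):
        findings.append("RECYCLER\\Lcass.exe present")
    return findings


# Constructed autorun.inf contents and RECYCLER listing (assumed, not from the advisory).
SAMPLE_AUTORUN = "[AutoRun]\nopen=RECYCLER\\Lcass.exe\nicon=drive.ico\n"
SAMPLE_RECYCLER = ["Lcass.exe"]

if __name__ == "__main__":
    for finding in cassel_findings(SAMPLE_AUTORUN, SAMPLE_RECYCLER):
        print(finding)
```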