Worm.MSNLoveme.i
病毒名称(中文):
性感鸡变种i
病毒别名:
威胁级别:
★★☆☆☆
病毒类型:
蠕虫病毒
病毒长度:
23476
影响系统:
Win9xWinNT
病毒行为:
该病毒为性感鸡变种i,它通过MSN传播,当用户感染该病毒后,该病毒会修改hosts文件,使众多安全及反病毒公司网站地址重定位到BBC网站,有可能导致对BBC网站的DDos攻击,且无法正常这些安全公司的网站;禁止运行一些系统程序(如:任务治理器,msconfig.exe等);禁止系统还原;禁止Windows资源治理器的"文件夹选项"等;关闭MSN接收文件查毒选项,严重影响用户的正常工作.
调用IE打开的html如下:
1.复制自身到系统目录%System32%下:
csnss.exe
mcsv.com
2.复制自身到%SystemRoot%下:
svhost.exe
LARISSAyoumuppet.txt
3.在系统盘根目录下创建以下文件:
D:\l0ser.Html
D:\Deathofcrazyfrog!.pif
D:\Hotbabe!.pif
D:\ReallyCute.pif
D:\Mypiccy.pif24KB
D:\Bungee-Fuck.pif
D:\I_love_you.123greetings.com.com
D:\ParisHiltonSexTape.pif
D:\ShootBillGates!.exe
D:\Best_Friend.scr
D:\lolBustedAreGay!.pif
D:\SaddamSong!.pif
D:\MeattheBeach!.pif
4.修改注册表使自身随计算机启而自动运行
NDAv="%System32%\csnss.exe"
SDAv="%System32%\mcsv.com.exe"
HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
Userinit="%System32%\userinit.exe,D:\WINNT\system32\mcsv.com"
5.在系统注册表中添加(禁止系统还原):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore
DisableConfig=00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore
DisableSR=00000001
6.修改MSN接收文件查毒选项
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
AVEnbl=00000000
7.修改hosts文件,使众多安全及反病毒公司网站重定向到BBC网站,导致无法正常下列公司的网站:
212.58.240.33www.symantec.com
212.58.240.33www.sophos.com
212.58.240.33www.mcafee.com
212.58.240.33www.viruslist.com
212.58.240.33www.f-secure.com
212.58.240.33www.avp.com
212.58.240.33www.kaspersky.com
212.58.240.33www.networkassociates.com
212.58.240.33www.ca.com
212.58.240.33www.my-etrust.com
212.58.240.33www.nai.com
212.58.240.33www.trendmicro.com
212.58.240.33www.grisoft.com
212.58.240.33securityresponse.symantec.com
212.58.240.33symantec.com
212.58.240.33sophos.com
212.58.240.33mcafee.com
212.58.240.33liveupdate.symantecliveupdate.com
212.58.240.33viruslist.com
212.58.240.33f-secure.com
212.58.240.33kaspersky.com
212.58.240.33kaspersky-labs.com
212.58.240.33avp.com
212.58.240.33networkassociates.com
212.58.240.33ca.com
212.58.240.33mast.mcafee.com
212.58.240.33my-etrust.com
212.58.240.33download.mcafee.com
212.58.240.33dispatch.mcafee.com
212.58.240.33secure.nai.com
212.58.240.33nai.com
212.58.240.33update.symantec.com
212.58.240.33updates.symantec.com
212.58.240.33us.mcafee.com
212.58.240.33liveupdate.symantec.com
212.58.240.33customer.symantec.com
212.58.240.33rads.mcafee.com
212.58.240.33trendmicro.com
212.58.240.33grisoft.com
212.58.240.33sandbox.norman.no
212.58.240.33www.pandasoftware.com
212.58.240.33uk.trendmicro-europe.com
8.结束安全软件和禁止运行一些系统程序(如:任务治理器,msconfig.exe等):
9.向MSN好友发送病毒文件
10.通网络共享目录(如eMule)传播自身,可能的文件名如下:
MSNMessenger7patch!.exe
CE/DPStealer2.exe
MSNAvatarDisplayPack1.0.exe
