Worm.MSNLoveme.i

王朝other·作者佚名 2008-08-14

宽屏版字体: 小|中|大|超大

病毒名称(中文):

性感鸡变种i

病毒别名:

威胁级别:

★★☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

23476

影响系统:

Win9xWinNT

病毒行为:

该病毒为性感鸡变种i,它通过MSN传播,当用户感染该病毒后,该病毒会修改hosts文件,使众多安全及反病毒公司网站地址重定位到BBC网站,有可能导致对BBC网站的DDos攻击,且无法正常这些安全公司的网站;禁止运行一些系统程序(如:任务治理器,msconfig.exe等);禁止系统还原;禁止Windows资源治理器的"文件夹选项"等;关闭MSN接收文件查毒选项,严重影响用户的正常工作.

调用IE打开的html如下:

1.复制自身到系统目录%System32%下:

csnss.exe

mcsv.com

2.复制自身到%SystemRoot%下:

svhost.exe

LARISSAyoumuppet.txt

3.在系统盘根目录下创建以下文件:

D:\l0ser.Html

D:\Deathofcrazyfrog!.pif

D:\Hotbabe!.pif

D:\ReallyCute.pif

D:\Mypiccy.pif24KB

D:\Bungee-Fuck.pif

D:\I_love_you.123greetings.com.com

D:\ParisHiltonSexTape.pif

D:\ShootBillGates!.exe

D:\Best_Friend.scr

D:\lolBustedAreGay!.pif

D:\SaddamSong!.pif

D:\MeattheBeach!.pif

4.修改注册表使自身随计算机启而自动运行

NDAv="%System32%\csnss.exe"

SDAv="%System32%\mcsv.com.exe"

HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

Userinit="%System32%\userinit.exe,D:\WINNT\system32\mcsv.com"

5.在系统注册表中添加(禁止系统还原):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore

DisableConfig=00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore

DisableSR=00000001

6.修改MSN接收文件查毒选项

HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger

AVEnbl=00000000

7.修改hosts文件,使众多安全及反病毒公司网站重定向到BBC网站,导致无法正常下列公司的网站:

212.58.240.33www.symantec.com

212.58.240.33www.sophos.com

212.58.240.33www.mcafee.com

212.58.240.33www.viruslist.com

212.58.240.33www.f-secure.com

212.58.240.33www.avp.com

212.58.240.33www.kaspersky.com

212.58.240.33www.networkassociates.com

212.58.240.33www.ca.com

212.58.240.33www.my-etrust.com

212.58.240.33www.nai.com

212.58.240.33www.trendmicro.com

212.58.240.33www.grisoft.com

212.58.240.33securityresponse.symantec.com

212.58.240.33symantec.com

212.58.240.33sophos.com

212.58.240.33mcafee.com

212.58.240.33liveupdate.symantecliveupdate.com

212.58.240.33viruslist.com

212.58.240.33f-secure.com

212.58.240.33kaspersky.com

212.58.240.33kaspersky-labs.com

212.58.240.33avp.com

212.58.240.33networkassociates.com

212.58.240.33ca.com

212.58.240.33mast.mcafee.com

212.58.240.33my-etrust.com

212.58.240.33download.mcafee.com

212.58.240.33dispatch.mcafee.com

212.58.240.33secure.nai.com

212.58.240.33nai.com

212.58.240.33update.symantec.com

212.58.240.33updates.symantec.com

212.58.240.33us.mcafee.com

212.58.240.33liveupdate.symantec.com

212.58.240.33customer.symantec.com

212.58.240.33rads.mcafee.com

212.58.240.33trendmicro.com

212.58.240.33grisoft.com

212.58.240.33sandbox.norman.no

212.58.240.33www.pandasoftware.com

212.58.240.33uk.trendmicro-europe.com

8.结束安全软件和禁止运行一些系统程序(如:任务治理器,msconfig.exe等):

9.向MSN好友发送病毒文件

10.通网络共享目录(如eMule)传播自身,可能的文件名如下:

MSNMessenger7patch!.exe

CE/DPStealer2.exe

MSNAvatarDisplayPack1.0.exe