Worm.Kidala.f
病毒名称(中文):
卡迪拉
病毒别名:
威胁级别:
★☆☆☆☆
病毒类型:
蠕虫病毒
病毒长度:
139416
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这是一个可以通过共享和邮件传播的蠕虫病毒,该病毒会尝试结束大量的安全软件进程,并且在被感染的机器上开启ftp,irc等后门接受黑客控制,在局域网内尝试使用漏洞传播,对固定的地址进行SYN和ICMP攻击。在被感染机器上修改zip压缩包。搜索邮件地址,尝试把自己发送出去。
1.生成文件:
%SystemRoot%\syscom.exe
2.添加注册表项起始项,使病毒开机启动:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
com+
syscom.exe
3.尝试结束一下进程:
AVPCC.EXE
AVPM.EXE
ACKWIN32.EXE
ALOGSERV.EXE
AMON.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
ATGUARD.EXE
AVE32.EXE
AVKSERV.EXE
AVNT.EXE
AVPCC.EXE
AVPM.EXE
AVWIN95.EXE
BLACKICE.EXE
CLAW95CF.EXE
CMGRDIAN.EXE
ECENGINE.EXE
ESAFE.EXE
F-PROT95.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
GUARDDOG.EXE
IAMAPP.EXE
IOMON98.EXE
KAVPF.EXE
LOOKOUT.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NOD32.EXE
NSPLUGIN.EXE
OGRC.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
RAV7.EXE
RULAUNCH.EXE
SCAN32.EXE
SPIDER.EXE
VET95.EXE
VETTRAY.EXE
VSMAIN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALARM.EXE
ZONALM2601.EXE
ZONEALARM.EXE
4.在用户机器上搜索到的邮件地址,得到邮件域名。和一下的添加组合起来生成发件人地址:
adam
alex
alice
andrew
anna
bill
brenda
brent
brian
claudia
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jimmy
john
jose
julie
kevin
linda
maria
mary
matt
michael
mike
peter
robert
sandra
serg
smith
stan
steve
并且避免发送到以下的域名:
.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin
be_loyal
berkeley
borlan
bugs
certific
contact
example
fcnz
feste
fido
foo
fsf
gold-certs
gov
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc
isi
kernel
linux
listserv
math
mit
mozilla
msn
mydomai
nobody
nodomai
noone
nothing
ntivi
page
panda
postmaster
privacy
rating
rfc-ed
ripe
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.
the
unix
usenet
utgers
webmaster
your
math
unix
berkeley
foo
mil
gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
hotmail
msn
icrosof
syma
avp
邮件的附件是由以下两部分组合成;
body
message
test
data
file
text
doc
readme
document
后缀:
.bat
.cmd
.exe
.scr
.pif
.zip
5.搜索以下P2P软件信息:
HKEY_CURRENT_USER\Software\WarezP2P
HKEY_CURRENT_USER\Software\iMesh\Client
HKEY_CURRENT_USER\Software\Morpheus
HKEY_CURRENT_USER\Software\KAZAA\LocalContent
HKEY_CURRENT_USER\Software\Kazaa\Transfer
C:\ProgramFiles\LimeWire\Shared
C:\ProgramFiles\eDonkey2000\Incoming
C:\ProgramFiles\Morpheus\MySharedFolder
C:\ProgramFiles\Files\KazaaLite\MySharedFolder
C:\programfiles\kazaa\mysharedfolder
然后把自己添加到软件共享里面,并且改名为以下的一种:
nice_big_asshole_fuck_Jennifer_Lopez.scrMadonna_the_most_sexiest_girl_in_the_world.comBritney_Spears_sucks_someones_dick.scr
Mariah_Carey_showering_in_bathroom.com
Angilina_Jolie_Sucks_a_Dick
JenniferLopez_Film_Sexy_Enough
BritneySpears_SoSexyDAP7.4.x.x_crack
NortonAV2006_Crack
DownloadsLocation
YahooMessenger_Loader
MSN7.0UniversalPatch
MSN7.0Loader
KAV2006_Crack
ZoneAlarmPro6.xx_Crack
TaskCatcher
Opera8
notepad++
lcc-win32_update
RealPlayerv10.xx_crack
nuke2006
office_crack
rootkitXP
dcom_patch
strip-girl-3.0
activation_crack
icq2006-final
winamp6
6.利用以下的漏洞;
MS01-059(UncheckedBufferinUniversalPlugandPlay)
MS02-018(PatchforInternetInformationService)
MS02-061(ElevationofPrivilegeinSQLServerWeb)
MS03-007(UncheckedBufferinWindowsComponent)
MS03-026(BufferOverruninRPCInterface)
MS03-049(BufferOverrunintheWorkstationService)
MS04-007(ASN.1Vulnerability)
MS04-011(LSASSVulnerability)
MS05-039(VulnerabilityinPlugandPlay)
7.尝试修改exe关联项:
HKLM\exefile\shell\open\Command
