概述
病毒別名:
處理時間:
威脅級別:★★
中文名稱:飛蟲間諜
病毒類型:蠕蟲
影響系統:Win9x/WinNT/Win2K/WinXP/Win2003
病毒行為:
編寫工具:
LCC Win32 1.03
傳染條件:
發作條件:
系統修改:
A、將自製複製到:
%SYSTEM%Explorer.exe
%SYSTEM%kazaabackupfiles
%SYSTEM%kazaabackupfileszoneallarm_pro_crack.exe
%SYSTEM%kazaabackupfilesAVP_Crack.exe
%SYSTEM%kazaabackupfilesPorn.exe
%SYSTEM%kazaabackupfilesBattlefield1942_bloodpatch.exe
%SYSTEM%kazaabackupfilesUnreal2_bloodpatch.exe
%SYSTEM%kazaabackupfilesUT2003_bloodpatch.exe
%SYSTEM%kazaabackupfilesAquaNox2 Crack.exe
%SYSTEM%kazaabackupfilesNBA2003_crack.exe
%SYSTEM%kazaabackupfilesFIFA2003 crack.exe
%SYSTEM%kazaabackupfilesC&C Generals_crack.exe
%SYSTEM%kazaabackupfilesporn.exe
%SYSTEM%kazaabackupfilesPORNO.exe
%SYSTEM%kazaabackupfilesADULT.exe
%SYSTEM%kazaabackupfilesSEX.exe
%SYSTEM%kazaabackupfilesMATRIX.exe
%SYSTEM%kazaabackupfilesMATRIX2.exe
%SYSTEM%kazaabackupfilesPORNO.exe
%SYSTEM%kazaabackupfilesPoRN.exe
%SYSTEM%kazaabackupfilesAdult.exe
%SYSTEM%kazaabackupfilesXXX.exe
%SYSTEM%kazaabackupfilesSEX.exe
%SYSTEM%kazaabackupfileshack_yahoo.exe
%SYSTEM%kazaabackupfileshack.exe
%SYSTEM%kazaabackupfileshack_hotmail.exe
%SYSTEM%kazaabackupfileshacking.exe
%SYSTEM%kazaabackupfilesCounter-strike.exe
%SYSTEM%kazaabackupfilesFuck.exe
%SYSTEM%kazaabackupfilesfucking.exe
同時如果程式不是以如上路徑及檔案名稱運行,則刪除自身。
B、在註冊表主鍵HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRunOnce下添加鍵值:
"Winsock2 driver" = "Explorer.exe"
在註冊表主鍵HKEY_LOCAL_MATIONSOFTWAREMicrosoftWindowsCurrentVersionRun下添加鍵值:
"Winsock2 driver" = "EXPLORER.EXE"
在註冊表主鍵HKEY_CURRENT_USERSOFTWARE下新建兩級子鍵"KAZAALocalContent",
在註冊表主鍵HKEY_CURRENT_USERSOFTWAREKAZAALocalContent下新建鍵值:
"Dir0" = "012345:%SYSTEM%kazaabackupfiles"
C、開放113連線埠作為後門,等待連線。
發作現象:
A、因為病毒遠行後會啟動資源管理器,所以電腦啟動會自動打開兩個資源管理器
B、禁止如下進程運行(包括了註冊表編輯器、系統配置實用程式、病毒防火牆):
"REGEDIT.EXE"
"MSCONFIG.EXE"
"NETSTAT.EXE"
"ccapp.exe"
"NAVASPSVC.EXE"
"ccevtmgr.exe"
"ccregvfy.exe"
"RAVTRAY8.EXE"
"RAVWIN8.EXE"
"RAVTRAY7.EXE"
"RAVWIN7.EXE"
"RAVMON.EXE"
"apvxdwin.exe"
"UPGRADER.EXE"
"IFACE.EXE"
"PAVJOBS.EXE"
"flashget.exe"
"AVP32.EXE"
"AVP32.EXE"
"KAVI.EXE"
"avpcc.exe"
"AVRESCUE.EXE"
"AVPM.EXE"
"NAV.EXE"
"FP-WIN.EXE"
"CV.EXE"
"SETUP.EXE"
"NAV9_15D.EXE"
"NAV9.EXE"
由於禁止了setup.exe的運行,許多軟體將無法安裝。
特別說明:
這個程式開放的後門可以使遠程控制者完全控制用戶的電腦:獲取用戶信息,修改檔案甚至以之為據點攻擊其他機器。
