Worm.Zotob.c

   

     

病毒别名：
处理时间：2005-08-16
威胁级别：★★★
中文名称：狙击波变种C
病毒类型：蠕虫
影响系统：Win 2000/NT,Win XP,Win 2003
病毒行为:
该病毒通过MS05-039漏洞和MS04-007漏洞,以及邮件进行传播.病毒会向未感染的机器发生漏洞溢出数据包,如果攻击失败,受攻击的机器会发生崩溃,出现倒计时对话框,用户可以通过网络防火墙关闭445端口,以阻止攻击.用户一旦感染该病毒,就会通过IRC被病毒传播者控制.该病毒还会禁止用户更新安全软件.


1. 病毒将自身复制到以下目录：
%system%\per.exe

2. 在注册表中添加如下键值：
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
"WINDOWS SYSTEM" = "per.exe"
以在每次启动时运行

3. 修改以下服务
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = 0x00000004
以阻止WinXP自带的防火墙运行

4.通过MS05-039进行攻击
// -=PNP=- //transfer complete to ip:

5.通过MS04-007漏洞进行传播

6.病毒会创建以下互斥量,以保证系统只一个进程运行
B-O-T-Z-O-R

7.病毒文件中含有以下作者信息
Botzor2005 By DiablO

8.病毒会链接
diabl0.turk*****s.net
网站的IRC频道,以接受病毒传播者的控制.

9. 修改Host文件
Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3
f-secure,sophos ok wait bitchs!!!
n127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

10. 从以下扩展名的文件中搜索电子邮件地址
txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
pl
html
wab
11. 去除含有以下字符的邮件地址
abuse
security
admin
support
contact
webmaster
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun

12.邮件主题为
Warning!!
**Warning**
Hello
Confirmed...
Important!

13.邮件内容为以下之一：
looooool
We found a photo of you in ...
That&＃39;&＃39;s your photo!!?
hey!!
0K here is it!

14.邮件附件名为以下之一：
photo
your_photo
image
picture
sample
loool
webcam_photo

15.邮件附件后缀名为以下之一：
pif
scr
exe
cmd
bat