Posted by: upside (moderator)
[Virus/Worm] 2008-01-15 W32.Fishinflu@mm, a worm that sends messages to mIRC users

Type: Worm
Affected platforms: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Summary: W32.Fishinflu@mm is a mass-mailing worm that also sends messages to mIRC users and spreads through portable devices.
Description: When W32.Fishinflu@mm runs, it performs the following actions:
1. Copies itself to the following files:
 %System%\G76T71I84L.exe
 %System%\Z76V90L86L.exe
 %System%\Z82Y90M89R.exe
 %System%\P65Z80O90A.exe
 %Windir%\SysDevils.exe
 %SystemDrive%\script.ini
2. Creates the following clean (non-malicious) files:
 %System%\FluIkan
 %System%\Flu-Ikan.htm
 %UserProfile%\MyDocuments\Flu-Ikan.htm
 %SystemDrive%\aliases.ini
3. Overwrites the following file:
 %ProgramFiles%\mIRC\aliases.ini
4. Creates the following registry entries:
 HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Lokasi" = "%System%"
 HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master1" = "%System%\P84K80W75T.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master2" = "%System%\G76T71I84L.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master3" = "%System%\Z76V90L86L.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master4" = "%System%\Z82Y90M89R.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master5" = "%System%\P65Z80O90A.exe"
 HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\"DefCompany" = "Malware"
 HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\"DefName" = "Flu-Ikan"
5. Creates the following registry entries so that the worm runs every time Windows starts:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 "pemalas" = "%System%\G76T71I84L.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 "mulut_besar" = "%System%\Z76V90L86L.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 "otak_udang" = "%System%\Z82Y90M89R.exe"
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 "kebodohan" = "%System%\P84K80W75T.exe"
6. Deletes the following registry subkeys:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
7. Modifies the following registry entry so that the worm runs every time Windows starts:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
 "Shell" = "Explorer.exe %System%\P65Z80O90A.exe"
8. Modifies the following registry entry to change the desktop wallpaper:
 HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%System%\FluIkan"
9. Modifies the following registry entry to change the Internet Explorer home page:
 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" =
 [http://]/www.al3ez.net/aashour/arabia_map/[REMOVED]
10. Modifies the following registry entries to disable the Windows Registry Editor, Task Manager and the command shell:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
 "DisableTaskMgr" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
 "DisableRegistryTools" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
 "DisableCMD" = "1"
11. Modifies the following registry entries to hide options in the Start menu:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoFind" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoRun" = "1"
12. Modifies the following registry entries to change the registered owner and organization of the computer:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 "RegisteredOwner" = "Flu-Ikan"
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 "RegisteredOrganization" = "Malware"
13. Modifies the following registry entries:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoFolderOptions" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoRecentDocsMenu" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoViewContextMenu" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoTrayContextMenu" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 "NoSetFolders" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 "Hidden" = "2"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 "ShowSuperHidden" = "0"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 "SuperHidden" = "1"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 "HideFileExt" = "1"
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 Folder\Hidden\"Type" = " "
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 Folder\HideFileExt\"Type" = " "
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 Folder\SuperHidden\"Type" = " "
14. Periodically checks the titles of running windows and copies itself to the following file:
 %SystemDrive%\[WINDOW TITLE].exe
15. Closes any window whose title contains one of the following strings:
 SUPERDAT
 PROCESS
 REGISTRY EDITOR
 SETUP
 NORMAN
 WINDOWS TASK MANAGER
 TASK MANAGER
 TUNEUP
 SYSTUNER
 RESOURCE HACKER
 HEX WORKSHOP
 URSOFT W32DASM
 CMD.EXE
 COMMAND PROMPT
 SYSTEM RESTORE
 EASYRECOVERY
 PEID
 EXESCOPE
 IDA
 XREFS
 POWERQUEST
 ZONEALARM
 NVC
 CONFIRM FILE DELETE
 CONFIRM MULTIPLE FILE DELETE
 INTERNET OPTIONS
 SHOW/KILL RUNNING PROCESS
 SYSTEM MECHANIC
 DISPLAY PROPERTIES
 HIJACKTHIS
 KILLBOX
 POCKET KILLBOX
16. Searches folders on the local machine and copies itself to the following file:
 %SystemDrive%\[FOLDER NAME].exe
17. Sends email containing the worm using Microsoft Outlook. The email has the following characteristics:
 Title:Very Important!
 Message Body:Hi: Please view this file, it's very important.
18. Modifies the %ProgramFiles%\mIRC\script.ini file so that mIRC sends one of the following messages to all connected users:
 aloo [USER NICK NAME] , free picture indonesia sex double klik url:
 [http://]www.tid.org.tr/documents/indo_p[REMOVED]
 aloo [USER NICK NAME] Ada info baru ne Marshanda, Agnes Monica, Dian Sastro,
 Bunga.C Dah Berani Bugil, Untuk liat Fotonya double klik url:
 [http://]www.tid.org.tr/documents/indo_p[REMOVED]
 aloo [USER NICK NAME] Ada info baru ne Marshanda, Agnes Monica, Dian Sastro,
 Bunga.C Dah Berani Bugil, Untuk liat Fotonya double klik url:
 [http://]www.tid.org.tr/documents/indo_pX[REMOVED]
 aloo [USER NICK NAME] mo liat artis-artis indonesia nude, double klik url:
 [http://]www.tid.org.tr/documents/indo_p[REMOVED]
 aloo [USER NICK NAME] , indo artis majalah playboy double klik url:
 [http://]www.tid.org.tr/documents/indo_p[REMOVED]
 aloo [USER NICK NAME] mo liat artis majalah playboy indo?, double klik url:
 [http://]www.tid.org.tr/documents/indo_pX[REMOVED]
 aloo [USER NICK NAME] indonesia free porn, double klik url:
 [http://]www.tid.org.tr/documents/indo_p[REMOVED]
 aloo [USER NICK NAME] mo liat karya ce-ce bangsa indo, double klik url:
 [http://]www.tid.org.tr/documents/indo_p[REMOVED]
 Note: the URLs above were already inactive when this was published.

Solution:
1. Temporarily disable System Restore (Windows Me/XP)
 System Restore can return the system to a previous state and can be used to recover data if the computer's data is damaged.
 System Restore also records infections by viruses, worms or Trojans. Windows prevents any outside program,
 including antivirus software, from modifying System Restore, so antivirus software or tools cannot remove
 threats from the System Restore folder. Even after infected files have been cleaned from other folders, the infected files may be restored through System Restore.
 To disable System Restore, consult the Windows documentation or the following pages:
 Disabling System Restore on Windows Me
 Disabling System Restore on Windows XP
2. Update the virus definitions
 Download the latest virus definitions from your antivirus vendor's website:
 Symantec
 Trend Micro
3. Run a full system scan
 (a) Run your antivirus software and set it to perform a full system scan
 (b) If a virus is detected, follow the steps recommended by the antivirus software
 (Note 1) If you have no antivirus software, you can scan online at the following sites:
 http://www.kaspersky.co...scanner/#
 http://www3.ca.com/securityad...fo/scan.aspx
 http://housecall.t...ro.com/
 (Note 2) If the antivirus software cannot delete the virus, restart in Safe Mode,
    delete the virus as instructed by the antivirus software, and then continue with the next step.
 (Note 3) If a "file missing" message appears, it will stop appearing once the virus is completely removed; click OK to dismiss it.
 (Note 4) For how to start Safe Mode, see:
 http://service1.symantec.com/S...nfo.nsf/docid
 /2001052409420406?OpenDocument&src=sec_doc_nam
 (c) If any virus is found, delete it
 (Note) If the antivirus product cannot remove the infected files, start in Safe Mode and run the scan again;
   after removing the infected files, restart in normal mode. Warning messages appear on restart
   because the threat has not yet been fully removed; you can ignore them by clicking OK.
   Once the entries are completely removed, the warnings will no longer appear on restart. The warning message looks like this:
   Title: [FILE PATH]
   Message body: Windows cannot find [FILE NAME].
   Make sure you typed the name correctly, and then try again.
   To search for a file, click the Start button, and then click Search.
4. Delete the values from the registry:
 (a) Click Start > Run
 (b) Type regedit
 (c) Click OK
 (d) Delete the following registry entries:
  HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Lokasi" = "%System%"
  HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master1" = "%System%\P84K80W75T.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master2" = "%System%\G76T71I84L.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master3" = "%System%\Z76V90L86L.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master4" = "%System%\Z82Y90M89R.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Flu-Ikan\"Master5" = "%System%\P65Z80O90A.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "kebodohan" = "%System%\P84K80W75T.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "pemalas" = "%System%\G76T71I84L.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "mulut_besar" = "%System%\Z76V90L86L.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "otak_udang" = "%System%\Z82Y90M89R.exe"
  HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\"DefCompany" = "Malware"
  HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\"DefName" = "Flu-Ikan"
 (e) If necessary, restore the following registry subkeys to their original values:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
 (f) If necessary, restore the following registry entries to their original values:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  "Shell" = "Explorer.exe %System%\P65Z80O90A.exe"
  HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%System%\FluIkan"
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" =
  "http://www.al3ez.net/aash...map/"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoFolderOptions" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoRecentDocsMenu" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoViewContextMenu" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoTrayContextMenu" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoSetFolders" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoFind" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  Explorer\"NoRun" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\"Hidden" = "2"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\"ShowSuperHidden" = "0"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\"SuperHidden" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  System\"DisableRegistryTools" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\"HideFileExt" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  System\"DisableTaskMgr" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
  System\"DisableCMD" = "1"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  "RegisteredOwner" = "Flu-Ikan"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  "RegisteredOrganization" = "Malware"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\Folder\Hidden\"Type" = " "
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\Folder\HideFileExt\"Type" = " "
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
  Advanced\Folder\SuperHidden\"Type" = " "
 (g) Exit the Registry Editor

References: http://www.symantec.com/business/security_resp...d=2008-011507-0108-99
Source: Symantec Corporation



Dad, rest in peace.
From: Taiwan | Posted: 2008-01-18 10:27
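The registry changes in the description and the entries step 4 of the solution asks you to delete or restore are the most reliable host artefacts in this writeup. As an added example (not Symantec's code and not part of the forum post), the Python script below parses a regedit export and flags those indicators: the Run values and dropped file names, the hijacked Winlogon Shell, the lockdown policies set to 1, and the SafeBoot subkeys the worm deletes. The indicator lists are transcribed from the writeup; SAMPLE_REG is a constructed export that imitates regedit's export format, not data from a real infection. The parser undoes the escapes in quoted strings and converts dword values; other value types are kept verbatim. It runs offline, so it can be pointed at an export taken from a suspect machine (or from a hive pulled from a disk image) on a separate analysis host.

```python
"""Audit a regedit export for the W32.Fishinflu@mm registry indicators.

Added example for this writeup; not Symantec's or the forum poster's code.
Indicator lists are transcribed from the writeup; SAMPLE_REG is constructed.
"""
import re

# Autostart value names the worm creates under CurrentVersion\Run.
WORM_RUN_VALUES = {"pemalas", "mulut_besar", "otak_udang", "kebodohan"}
# File names the worm drops or references (compared case-insensitively).
WORM_FILES = {"g76t71i84l.exe", "z76v90l86l.exe", "z82y90m89r.exe",
              "p65z80o90a.exe", "p84k80w75t.exe", "sysdevils.exe"}
# Policy values the worm sets to 1 to lock the user out of admin tools.
LOCKDOWN_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd",
                     "nofind", "norun", "nofolderoptions", "norecentdocsmenu",
                     "noviewcontextmenu", "notraycontextmenu", "nosetfolders"}
# SafeBoot subkeys the worm deletes so that Safe Mode no longer works.
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
SAFEBOOT_EXPECTED = {
    "minimal": {"dmboot.sys", "dmio.sys", "dmload.sys", "sermouse.sys",
                "sr.sys", "vga.sys", "vgasave.sys"},
    "network": {"dmboot.sys", "rdpcdd.sys", "rdpdd.sys", "rdpwd.sys",
                "sermouse.sys", "sr.sys", "tdpipe.sys", "tdtcp.sys",
                "vga.sys", "vgasave.sys"},
}

# Constructed sample export in the shape regedit's "Export" produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pemalas"="C:\\WINDOWS\\system32\\G76T71I84L.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\P65Z80O90A.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# "name"=rhs or @=rhs (default value); the name may contain \" escapes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: value}}.

    Quoted strings have their backslash escapes undone and dword values are
    converted to decimal strings; any other value type is kept verbatim.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        name = (match.group(1) or "@").lower()
        rhs = match.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif rhs.lower().startswith("dword:"):
            value = str(int(rhs[6:], 16))
        else:
            value = rhs
        keys[current][name] = value
    return keys


def audit(text):
    """Return human-readable findings for every indicator present in text."""
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        if path.startswith(r"hkey_local_machine\software\flu-ikan"):
            findings.append(f"worm marker key present: {path}")
        tail = path.rsplit("\\", 1)[-1]
        for name, value in values.items():
            lowered = value.lower()
            if tail == "run" and (name in WORM_RUN_VALUES
                                  or any(f in lowered for f in WORM_FILES)):
                findings.append(f"autostart value {name!r} -> {value}")
            if tail == "winlogon" and name == "shell" and lowered != "explorer.exe":
                findings.append(f"Winlogon Shell hijacked: {value}")
            if "\\policies\\" in path and name in LOCKDOWN_POLICIES \
                    and value not in ("", "0"):
                findings.append(f"lockdown policy {name}={value} under {path}")
    for mode, expected in SAFEBOOT_EXPECTED.items():
        parent = f"{SAFEBOOT}\\{mode}"
        if parent in keys:  # only judge SafeBoot when the export covers it
            present = {p.rsplit("\\", 1)[-1] for p in keys
                       if p.startswith(parent + "\\")}
            for missing in sorted(expected - present):
                findings.append(f"SafeBoot\\{mode} subkey missing: {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Each finding maps onto one line of step 4 of the solution: an autostart or marker finding is an entry to delete under (d), a missing SafeBoot subkey is one to recreate under (e), and a Shell or policy finding is a value to restore under (f). The SafeBoot check deliberately stays silent unless the export actually contains the SafeBoot\Minimal or SafeBoot\Network key, so a partial export does not produce false "missing subkey" findings.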
