flyjun (original poster)
2006-10-25 17:31
Source: http://bbs.kill.com.cn/viewthread.php?tid=164&extra=page%3D1

Virus characteristics:
Win32/Stration is a family of mass-mailing worms that download and run other programs.

Method of infection:
Win32/Stration arrives as an .EXE. It creates several other programs, many of them DLL files. These DLLs may be installed by adding their file names to the following registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Any DLL referenced in this registry value is loaded automatically by practically every program that runs.

Stration's DLLs and its main EXE file may also be installed through the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Later variants also copy themselves to the Windows directory and set a value under the following key so that the copy runs at every system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For example, Win32/Stration.E creates the following files:
%System%\acac.dll
%System%\apphavif.dll
%System%\crswrich.dll
%System%\msobxpob.dll
%System%\mswemste.exe

It installs two of the DLLs by adding their names to the AppInit_DLLs registry value, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "apphavif.dll msobxpob.dll"

The worm's main EXE file and the third DLL are installed by setting the following registry values:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\DllName = "%System%\acac.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Image = ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Shutdown = "WlxShutdownEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Startup = "WlxStartupEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Impersonate = 0x0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Asynchronous = 0x0

Win32/Stration.CA copies itself to %Windows%\t2serve.exe and sets the following value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\t2serv = "%Windows%\t2serve.exe s"

It also creates these files:
%System%\e1.dll
%System%\fsusvcde.exe
%System%\mstle100.dll
%System%\p2psmsih.dll
%Windows%\t2serv.dll

Stration.CA adds "p2psmsih.dll" to the AppInit_DLLs registry value, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "p2psmsih.dll"

Some Stration variants use the following value to mark their original EXE file for deletion after a reboot:
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Some variants display a message box containing "Update successfully installed" the first time they run.

Note: '%System%' is a variable path. The virus determines the location of the current system folder by querying the operating system. The default system installation path is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for 95, 98 and ME; and C:\Windows\System32 for XP.

Method of propagation:
Spreads via e-mail
To obtain e-mail addresses to send the virus mail to, Win32/Stration searches files on the local system. It uses forged sender addresses taken from a list inside its code. The mail the worm generates takes various forms. Some examples follow:

Possible Subjects:
Error
Good day
hello
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status

Possible Message Bodies:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
--------------------
The message contains Unicode characters and has been sent as a binary attachment.
--------------------
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
--------------------
Mail transaction failed. Partial message is available.
--------------------

Possible Attachment names:
body.elm.pif
body.log.exe
body.txt.bat
body.zip
data.msg.bat
test.dat.scr
test.log.scr
text.elm.exe
Update-KB1289-x86.exe
Update-KB5230-x86.zip

While harvesting e-mail addresses, the worm may create a harmless file, for example "t2serv.wax".

Payload:
Downloads and runs arbitrary files
Win32/Stration variants typically download one or two files over HTTP and run them. Recent variants download from the following URLs:
http://www4.vertionkdaseliplim.com/*******/lt.exe
http://www6.vertionkdaseliplim.com/*******/nt.exe
Stration may also access other web pages in order to notify someone about the infected machine.
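The four load points the write-up lists (AppInit_DLLs, Winlogon\Notify, the Run key and PendingFileRenameOperations) can be audited offline from a `reg export` file rather than on the live box. The following Python is an added example written for this page, not code from the original post or from any vendor write-up. It parses a constructed sample export built from the Stration.E / .CA values quoted above (values are kept symbolic with %System% and %Windows% as in the write-up), handles the hex(2)/hex(7) encodings reg.exe uses for REG_EXPAND_SZ and REG_MULTI_SZ including wrapped lines, and reports every entry on those load points. The Winlogon\Notify allowlist is an assumed Windows XP baseline and should be replaced with one taken from a known-good host.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int, bytes, List[str]]


def _reg_hex(kind: int, strings: List[str]) -> str:
    """Encode strings as reg.exe exports REG_EXPAND_SZ (hex(2)) / REG_MULTI_SZ (hex(7))."""
    text = "\x00".join(strings) + "\x00" + ("\x00" if kind == 7 else "")
    pairs = [f"{b:02x}" for b in text.encode("utf-16-le")]
    return f"hex({kind}):" + ",\\\n  ".join(",".join(pairs[i:i + 20]) for i in range(0, len(pairs), 20))


# Constructed sample export (not from a real host); entries mirror the Stration.E/.CA
# values quoted in the post, with %System%/%Windows% left symbolic as in the write-up.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]",
    r'"AppInit_DLLs"="apphavif.dll msobxpob.dll"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]",
    '"DllName"=' + _reg_hex(2, ["crypt32.dll"]),  # shipped with Windows; wraps onto two lines
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac]",
    r'"DllName"="%System%\\acac.dll"',
    r'"Asynchronous"=dword:00000000',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"t2serv"="%Windows%\\t2serve.exe s"',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]",
    '"PendingFileRenameOperations"=' + _reg_hex(7, [r"\??\C:\Temp\Update-KB1289-x86.exe", ""]),
])


def _decode_hex(kind: str, payload: str) -> RegValue:
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind not in ("1", "2", "7"):
        return raw  # REG_BINARY and friends: keep the bytes
    text = raw.decode("utf-16-le", errors="replace")
    if kind == "7":  # REG_MULTI_SZ: "s1\0s2\0...\0\0"; the last string may be empty
        return text[:-2].split("\x00") if text.endswith("\x00\x00") else []
    return text.split("\x00")[0]


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Minimal parser for 'Windows Registry Editor Version 5.00' text; key paths are lower-cased."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current, pending = None, None  # pending = (name, kind, chunks) for a hex value wrapped with '\'
    for line in text.splitlines():
        if pending is not None:
            name, kind, chunks = pending
            chunks.append(line.strip().rstrip("\\"))
            if not line.rstrip().endswith("\\"):
                keys[current][name] = _decode_hex(kind, ",".join(chunks))
                pending = None
            continue
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif (h := re.match(r"^hex(?:\((\d+)\))?:(.*)$", val)):
            kind, body = h.group(1) or "3", h.group(2)
            if body.endswith("\\"):
                pending = (name, kind, [body.rstrip("\\")])
            else:
                keys[current][name] = _decode_hex(kind, body)
    return keys


NT_CV = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
APPINIT_KEY, NOTIFY_PREFIX = NT_CV + r"\windows", NT_CV + "\\winlogon\\notify\\"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SESSION_MGR = r"hkey_local_machine\system\currentcontrolset\control\session manager"
# Assumed allowlist of Winlogon\Notify subkeys on a clean Windows XP install; a placeholder
# for this example, derive your own from a known-good baseline.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def find_persistence(keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str]]:
    """Return (mechanism, value) pairs for the load points the write-up describes."""
    found: List[Tuple[str, str]] = []
    # AppInit_DLLs is space- or comma-delimited and loaded into every user32-linked process.
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    found += [("AppInit_DLLs", d) for d in str(appinit).replace(",", " ").split()]
    # Winlogon\Notify subkeys outside the baseline: winlogon.exe loads DllName as SYSTEM.
    for key, vals in keys.items():
        sub = key[len(NOTIFY_PREFIX):]
        if key.startswith(NOTIFY_PREFIX) and "\\" not in sub and sub not in KNOWN_NOTIFY:
            found.append(("Winlogon\\Notify\\" + sub, str(vals.get("DllName", ""))))
    # Plain Run-key autostart (Stration.CA's t2serv).
    found += [("Run\\" + n, str(v)) for n, v in keys.get(RUN_KEY, {}).items()]
    # PendingFileRenameOperations holds (source, target) pairs; an empty target means
    # delete on reboot, which is how the dropper removes its original EXE.
    pfro = keys.get(SESSION_MGR, {}).get("PendingFileRenameOperations", [])
    if isinstance(pfro, list):
        for src, dst in zip(pfro[0::2], pfro[1::2]):
            found.append(("PendingFileRenameOperations", f"{src} -> {dst or '<delete on reboot>'}"))
    return found
```

On a real host, `reg export HKLM hklm.reg` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing its text to `parse_reg_export`. Anything reported under AppInit_DLLs or an unknown Winlogon\Notify subkey is loaded into every process or into winlogon.exe respectively, so each hit deserves a file hash and a look at who wrote it, not just a name match.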
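The lure mails described above (fake bounce subjects, the "binary attachment" and "install updates" bodies, and double-extension or fake-KB attachment names) are simple to flag at a mail gateway or when replaying a mail log. The Python below is an added example, not part of the original post or of any vendor tooling: it constructs sample messages with the standard `email` package and checks them against the listed subjects and phrases. The attachment patterns generalise the listed names to any `name.<elm|log|txt|dat|msg>.<executable extension>` and any `Update-KB<digits>-x86.exe/.zip`, which is an assumption about the family rather than something the write-up states.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Lure subjects and body phrases quoted in the write-up above; the attachment patterns
# generalise the listed names (name.<ext>.<executable ext>, Update-KB<digits>-x86.*).
LURE_SUBJECTS = {s.lower() for s in (
    "Error", "Good day", "hello", "Mail Delivery System", "Mail server report.",
    "Mail Transaction Failed", "picture", "Server Report", "Status")}
LURE_PHRASES = ("has been sent as a binary attachment", "partial message is available",
                "install updates for worm elimination")
EXEC_EXT = {"exe", "pif", "scr", "bat", "com", "cmd"}
DOUBLE_EXT = re.compile(r"^[\w-]+\.(?:elm|log|txt|dat|msg)\.(\w+)$", re.IGNORECASE)
FAKE_KB = re.compile(r"^Update-KB\d+-x86\.(?:exe|zip)$", re.IGNORECASE)


def attachment_names(msg) -> List[str]:
    """File names of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def stration_indicators(raw: bytes) -> List[str]:
    """Return the indicators found in one RFC 5322 message; empty for a clean message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        hits.append("subject:" + subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits += ["body:" + p for p in LURE_PHRASES if p in text]
    for name in attachment_names(msg):
        ext = name.rsplit(".", 1)[-1].lower()
        if FAKE_KB.match(name):
            hits.append("attachment:fake-update:" + name)
        elif DOUBLE_EXT.match(name) and ext in EXEC_EXT:
            hits.append("attachment:double-extension:" + name)  # body.txt.bat and friends
        elif ext in EXEC_EXT:
            hits.append("attachment:executable:" + name)
    return hits


def build_sample(subject: str, text: str, attachment: str) -> bytes:
    """Constructed test message: a spoofed bounce with a small non-executable stub attached."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"  # forged sender, as the worm does
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(text)
    msg.add_attachment(b"MZ\x90\x00 stub, not a real binary", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Mail Delivery System", "Mail transaction failed. Partial message is available.", "body.txt.bat"),
        ("Status", "Please install updates for worm elimination and your computer restoring.",
         "Update-KB1289-x86.exe"),
        ("Re: quarterly numbers", "Spreadsheet attached.", "numbers.xlsx"),
    ]
    for subject, text, attachment in samples:
        print(subject, "->", stration_indicators(build_sample(subject, text, attachment)))
```

A subject match alone is weak (real bounces use some of these subjects), so treat a hit on the attachment rules as the deciding signal and the subject and body rules as supporting context; the executable-extension check also catches the plain `.exe`/`.pif`/`.scr` names that the double-extension rule does not.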