The Guanghua Anti-Virus Research Center has recently updated its virus signature database; users are asked to download the upgrade package from the Guanghua website www.viruschina.com as soon as possible. Brief descriptions of several important viruses follow:
1. W32 virus: W32.Dbit   Threat level: ★★★★☆
According to experts at the Guanghua Anti-Virus Research Center, this is a W32 virus that infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Once the virus has been received and opened, the following behaviour is observed:
A Creates the services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IrMon
with the service description "Portable Media Serial Number Service"
B Creates the files
<system directory>\msjet62.dll
<user profile directory>\Local Settings\Temp\NEW[RANDOM NUMBER].tmp
<current directory>[of the infected host file]\i\i
C Injects a DLL into running processes and hides the virus code
D Terminates the following processes
ethereal.exe
aports.exe
tcpview
windump.exe
iris.exe
CV.exe
sniffer.exe
E Sends the collected information to 211.99.117.202:80
F Allows a remote attacker to carry out the following operations
Hide network traffic
Upload files
Delete files
Search for files
Capture the screen
Start a proxy
Check network connections
Create Autorun.inf files
Infect files
Download files
Execute programs
Steal user passwords
Steal chat passwords
Collect browsing information
Log keystrokes
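The indicators in section 1 (the two service names and their description, the dropped msjet62.dll, and the 211.99.117.202:80 reporting endpoint) can be checked from a host triage script. The following is an added example written for this page, not code from Guanghua or from the advisory; the netstat output, service inventory and directory listing it scans are constructed samples, and the triage weighting (a live socket to the endpoint is decisive, the service names alone are weak evidence because WmdmPmSN and IrMon are also names of built-in Windows XP services) is the author's own assumption.

```python
import re

# Indicators quoted from the advisory above.
C2_ENDPOINT = ("211.99.117.202", 80)
SUSPECT_SERVICES = {"WmdmPmSN", "IrMon"}
SERVICE_DESCRIPTION = "Portable Media Serial Number Service"
DROPPED_DLL = "msjet62.dll"

# Constructed `netstat -ano`-style output (not a real capture); one row
# talks to the advisory's reporting endpoint.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49213     211.99.117.202:80      ESTABLISHED     1844
  TCP    192.168.1.10:49214     93.184.216.34:443      ESTABLISHED     2210
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:500            *:*                                    1012
"""

# Constructed service inventory as (name, description). Both suspect names
# also belong to genuine Windows XP services, so the description is checked too.
SAMPLE_SERVICES = [
    ("Spooler", "Print Spooler"),
    ("WmdmPmSN", "Portable Media Serial Number Service"),
    ("IrMon", "Portable Media Serial Number Service"),
]

# Constructed listing of the system directory.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "MSJET62.DLL", "spoolsv.exe"]

NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def split_endpoint(endpoint):
    """'211.99.117.202:80' -> ('211.99.117.202', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_c2_pids(netstat_text):
    """PIDs holding a socket to the reporting endpoint named in the advisory."""
    return [pid for _, _, foreign, _, pid in parse_netstat(netstat_text)
            if split_endpoint(foreign) == C2_ENDPOINT]


def find_suspect_services(services):
    """Service names from the advisory whose description also matches."""
    return [name for name, desc in services
            if name in SUSPECT_SERVICES and desc == SERVICE_DESCRIPTION]


def triage(netstat_text, services, system_dir):
    """Combine the three indicators into one verdict (weighting is an assumption)."""
    c2 = find_c2_pids(netstat_text)
    svc = find_suspect_services(services)
    dll = DROPPED_DLL in {f.lower() for f in system_dir}
    # A live socket to the endpoint is decisive on its own; the service names
    # are weak evidence (they collide with real services) unless the DLL exists.
    return {"c2_pids": c2, "services": svc, "dropped_dll": dll,
            "infected": bool(c2) or (dll and bool(svc))}


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_SERVICES, SAMPLE_SYSTEM_DIR))
```

On a real host the three inputs would come from `netstat -ano`, the service control manager and a directory listing of the system directory; the PIDs returned by `find_c2_pids` are the processes to examine for the injected DLL described in point C.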
2. E-mail virus W32.Amirecivel.H@mm   Threat level: ★★☆☆☆
According to experts at the Guanghua Anti-Virus Research Center, this is an e-mail virus that infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP and carries out denial-of-service attacks. After a web page containing this virus is opened, the following behaviour is observed:
A Creates the following files in the system directory
AcroTray32.exe
drivers\etc\hosts.File
B Creates the semaphore "AmirCivil"
C Adds the registry value "AmirCivil" = "%System%\AcroTray32.exe" under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the virus runs automatically at every start-up
D Collects e-mail addresses from files in
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
C:\windows
that have the following extensions
txt
html
xml
adb
asp
cfg
cgi
dbx
eml
pl
shtm
wab
E Sends e-mails with the following characteristics
Sender (one of the following)
irvirus@yahoo.com
imen@yahoo.com
iransare@yahoo.com
panda@yahoo.com
simorg@yahoo.com
symntec@yahoo.com
john@yahoo.com
mary@yahoo.com
Reply@yahoo.com
shima@yahoo.com
nastaran@yahoo.com
stan@yahoo.com
IRANSARE20008@yahoo.com
iranvig@yahoo.com
mohammad@yahoo.com
irna@yahoo.com
irib@yahoo.com
taktaz@yahoo.com
bia2@yahoo.com
mozilla@yahoo.com
Subject (one of the following)
irvirus
symantec
FBI
irvanvig
NOD32
IranSare2008
Announcement
password
simorgh-ev
Your IP was logged
Read it immediately!
Attention
E-mail account disabling warning
Returned Mail
Soccer funs in public place
IHS
IRNA
hello
ANTI VIRUS
Body (one of the following)
salam dooste aziz...golchini az behtarinaxhaye iran sare
anti virus imen
salam dooste aziz baraye rahaty az daste virus ha anti virus rayegane maara downlod konid
behtarin screen saver az axhaye iransare2008
noron anti virus
passworde user haye iranvig
passworde user haye simorgh
salam..site irvirus hack shode va inam passworde admine sit hastesh
salam lotfan forme nazar sanji ra ke hamrahe file peivast hast ra por konid
one of the files is a virus... can you tell me which one is it? hehehe, i'm only joking... your friend, paul..
Six Soccer funs fucked one girl in public place. Mad images. View it.
I find my husband. If you saw his report me please. His photos in attach.
i hope thats not true!
three files for you to keep... always remember that i'm into deep... i don't know you but i think i'm in love...
fun file
Ioana, sex in grup in camin. Cred ca o stii si
another pic, have fun! ... :->
Credeti ca ar fi mai bine ca Romania sa-si retraga trupele din Irak anul acesta?Deschideti programul Vot, alegeti votul dvs. si vedeti rezultatele.Parerea dvs. conteaza!
the information is wrong!
F Searches for files with the following extensions and creates companion viruses (same name, with an .exe extension)
.wav
.jpg
.jpeg
.avi
.bmp
.c
.cpp
.vbp
.vbw
.frm
.ocx
.DAT
.doc
.pdf
.zip
.sig
.Tif
.scr
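A companion infection of the kind described in point F leaves the original data file untouched and places an executable beside it, so it can be found by a plain file-system walk rather than by signature. The following scanner is an added example written for this page, not Guanghua's code; the sample directory tree it builds is constructed, and because the advisory does not say whether "same name" means photo.jpg becoming photo.exe or photo.jpg.exe, the scanner checks both readings (an assumption stated in the code).

```python
import os
import tempfile
from pathlib import Path

# Extensions from section F of the advisory, compared case-insensitively.
TARGET_EXTENSIONS = {
    ".wav", ".jpg", ".jpeg", ".avi", ".bmp", ".c", ".cpp", ".vbp", ".vbw",
    ".frm", ".ocx", ".dat", ".doc", ".pdf", ".zip", ".sig", ".tif", ".scr",
}


def companion_names(filename):
    """Both readings of 'same name with an .exe extension' (assumption: the
    advisory does not say which): photo.jpg -> photo.exe and photo.jpg.exe."""
    stem = Path(filename).stem
    return {stem.lower() + ".exe", filename.lower() + ".exe"}


def find_companions(root):
    """Sorted (original, companion) path pairs under root: a data file with a
    listed extension whose companion .exe sits in the same directory."""
    pairs = []
    for dirpath, _, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        for name in filenames:
            if Path(name).suffix.lower() not in TARGET_EXTENSIONS:
                continue
            for cand in companion_names(name):
                if cand in by_lower:
                    pairs.append((os.path.join(dirpath, name),
                                  os.path.join(dirpath, by_lower[cand])))
    return sorted(pairs)


def build_sample_tree(root):
    """Constructed tree: two companion pairs, one lone .exe, two clean files."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    for rel in ("holiday.jpg", "holiday.exe", "docs/report.doc",
                "docs/report.doc.exe", "docs/notes.txt", "setup.exe", "song.wav"):
        (root / rel).write_bytes(b"sample bytes")


def demo():
    """Build the sample tree in a temporary directory and return the pairs
    found, as paths relative to that directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return [(rel(a), rel(b)) for a, b in find_companions(tmp)]


if __name__ == "__main__":
    for original, companion in demo():
        print(f"{original}  <-  {companion}")
```

When a pair is reported, the executable is the suspect and the data file is normally intact, so the executable should be quarantined and hashed rather than both files deleted. The photo.jpg.exe form is worth remembering because Explorer's "hide extensions for known file types" setting displays it as photo.jpg.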
G Deletes the registry key
HKEY_CURRENT_USER\Printers
which breaks printing for the user
H Terminates the following processes (mostly anti-virus software)
ACKWIN32
AD-AWARE
ADAWARE
ADVXDWIN
AGENTSVR
AGENTW
ANTIVIR
ANTIVIRUS
APIMONITOR
APLICA32
AUPDATE
AUTODOWN
AUTOTRACE
AVGCC32
AVGCTRL
AVKSERV
Babylon
CFINET
CLEANPC
DATEMANAGER
DPFSETUP
F-AGNT95
FNRB32
GhostTray
IOMON98
mcvsshld
NAVAP32
navapsvc
navapw32
NAVW32
NETD32
NETMON
NORMIST
notepad
NPROTECT
NPROTECTED
NUPGRADE
OUTPOST
PavFires
pavProxy
pavsrv50
POP3TRAP
POWERPNT
realplay
regedit
Rtvscan
RuLaunch
SAVScan
SCAN32
SHSTAT
SNDSrvc
symlcsvc
taskmgr
UPDATE
UpdaterUI
Vshwin32
VsStat
VsTskMgr
WINWORD
ZONEALARM
I Adds the following entries to the HOSTS file so that these sites (mostly security sites) cannot be reached
avg.com
google.com
iranvig.com
irvirus.com
mcafee.com
pandasoftware.com
simorgh-ev.org
symantec.com
www.24-7-transportation.com
www.adhdtests.com
www.aegee.org
www.aimcenter.net
www.alupass.lu
www.amanit.ru
www.AmirCivil.com
www.andara.com
www.angelartsanctuary.com
www.anthonyflanagan.com
www.approved1stmortgage.com
www.argontech.net
www.asianfestival.nl
www.atlantisteste.hpg.com.br
www.avg.com
www.aviation-center.de
www.avizoon.com
www.bbc.com
www.bbsh.org
www.bga-gsm.ru
www.boneheadmusic.com
www.bottombouncer.com
www.bradster.com
www.buddyboymusic.com
www.bueroservice-it.de
www.calderwoodinn.com
www.capri-frames.de
www.celula.com.mx
www.ceskyhosting.cz
www.chinasenfa.com
www.cntv.info
www.compsolutionstore.com
www.coolfreepages.com
www.corpsite.com
www.couponcapital.net
www.cpc.adv.br
www.crystalrose.ca
www.cscliberec.cz
www.curtmarsh.com
www.customloyal.com
www.DarrkSydebaby.com
www.deadrobot.com
www.dontbeaweekendparent.com
www.dragcar.com
www.ecofotos.com.br
www.eurostavba.sk
www.everett.wednet.edu
www.fcpages.com
www.featech.com
www.FritoPie.NET
www.google.com
www.iran3ex.com
www.iranvig
www.iranxiran.com
www.irna.com
www.irvirus.com
www.mcafee.com
www.microsoftoft.com
www.pandasoftware.com
www.simorgh-ev.org
www.symantec.com
www.xlxx.com
www.xnxx.com
www.xxx.com
www.yahoo.com
yahoo.com
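The HOSTS-file tampering in point I is easy to audit because a workstation has no legitimate reason to pin an anti-virus vendor's domain locally. The following audit is an added example written for this page, not Guanghua's code: the hosts content it parses is a constructed sample, the protected-domain list is a small subset of the advisory's list that a defender would extend, and the two-label "registrable domain" shortcut is an approximation noted in the code.

```python
import ipaddress

# Domains a workstation should never resolve via the local hosts file: the
# vendor and portal domains from the advisory's list (extend as needed).
PROTECTED_DOMAINS = {"avg.com", "google.com", "mcafee.com",
                     "pandasoftware.com", "symantec.com", "yahoo.com"}

# Constructed hosts file (not a real capture): one legitimate local alias
# followed by three sinkhole entries of the kind the advisory describes.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
192.168.1.5     fileserver.corp.example   # internal alias, legitimate
127.0.0.1       symantec.com
127.0.0.1       www.symantec.com
0.0.0.0         www.mcafee.com
"""


def parse_hosts(text):
    """Return (line_no, ip, hostnames) for each effective entry; comments,
    blank lines and lines without a valid address are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((n, ip, fields[1:]))
    return entries


def registrable_domain(hostname):
    """www.symantec.com -> symantec.com (last two labels; an approximation
    that ignores multi-label public suffixes such as co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_hosts(text, protected=PROTECTED_DOMAINS):
    """Report every entry that pins a protected domain; 'sinkholed' marks the
    loopback/unspecified targets that make the site unreachable."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if registrable_domain(name) in protected:
                findings.append({"line": n, "host": name, "ip": str(ip),
                                 "sinkholed": ip.is_loopback or ip.is_unspecified})
    return findings


def quarantine_entries(text, protected=PROTECTED_DOMAINS):
    """Return the hosts text with each flagged line commented out rather than
    deleted, so the evidence survives for the incident record."""
    bad = {f["line"] for f in audit_hosts(text, protected)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append("# quarantined: " + raw if n in bad else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f)
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; running the audit on a schedule, or alerting on any write to that file, catches this class of tampering regardless of which domains a particular sample blocks.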
J Opens a backdoor on a random TCP port
The website of Beijing Riyue Guanghua Software Co. (https://www.viruschina.com) updates its virus signatures daily. Experts at the Guanghua Anti-Virus Research Center remind you to order Guanghua Anti-Virus online from the Guanghua security website as soon as possible to guard against virus intrusion and keep your computer protected at all times. Guanghua Anti-Virus users who upgrade to the 31 July virus database (free download: https://www.viruschina.com/html/update.asp) can fully detect and remove these viruses. (Editor: Han Jianguang)