爱毒霸社区
This is a worm that spreads by e-mail. On an infected machine it searches for e-mail addresses, sends itself to each address it finds, and also modifies a large number of IE settings.
1. Files created:
%Windows%\ShellNew\ElnorB.exe
%Documents and Settings%\%User%\Local Settings\Application Data\csrss.exe
%Documents and Settings%\%User%\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\%User%\Local Settings\Application Data\lsass.exe
%Documents and Settings%\%User%\Local Settings\Application Data\services.exe
%Documents and Settings%\%User%\Local Settings\Application Data\smss.exe
%Documents and Settings%\%User%\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\%User%\Templates\bararontok.com
%Documents and Settings%\%User%\「开始」菜单\程序\启动\Empty.pif
%System%\%user name%"s Setting.scr
%windows%\Tasks\At1.job
2. Adds a registry startup entry so the virus runs at boot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Bron-Spizaetus
Data: %Systemroot%\ShellNew\ElnorB.exe
3. Scheduled task At1.job
Runs the virus %Documents and Settings%\%User%\Templates\bararontok.com every day at 17:08.
Task comment: Created by NetScheduleJobAdd
4. Modifies the following values (key\value name = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
5. Searches files with the following extensions on the infected machine for e-mail addresses:
asp, cfm, csv, doc, eml, html, php, txt, wab
6. Skips e-mail addresses that contain any of the following strings:
ADMIN, AHNLAB, ALADDIN, ALERT, ALWIL, ANTIGEN, ASSOCIATE, AVAST, AVIRA, BILLING@,
BUILDER, CILLIN, CONTOH, CRACK, DATABASE, DEVELOP, ESAFE, ESAVE, ESCAN, EXAMPLE,
GRISOFT, HAURI, INFO@, LINUX, MASTER, MICROSOFT, NETWORK, NOD32, NORMAN, NORTON,
PANDA, PROGRAM, PROLAND, PROTECT, ROBOT, SECURITY, SOURCE, SYBARI, SYMANTEC, TRUST,
UPDATE, VAKSIN, VAKSIN, VIRUS
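A defender-side check for the registry indicators in items 2 and 4 above, added here as an example (it is not code from the original page): it parses the text that Windows `reg query <key> /s` prints for the HKCU keys involved and reports which of the listed values are present with the data the worm writes. The `reg query` output in SAMPLE is constructed for the example, not captured from a real infection.

```python
import re
# Indicators transcribed from items 2 and 4 of the description above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Bron-Spizaetus"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
TAMPERED = {  # (key, value name): data the worm writes
    (POLICIES + r"\Explorer", "NoFolderOptions"): "1",
    (POLICIES + r"\System", "DisableCMD"): "0",
    (ADVANCED, "Hidden"): "0",
    (ADVANCED, "HideFileExt"): "1",
    (ADVANCED, "ShowSuperHidden"): "0",
}

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {(key, name): data}; REG_DWORD hex becomes decimal text."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not raw.startswith(" "):  # key line; a blank line resets the key
            key = line.replace("HKEY_CURRENT_USER", "HKCU", 1) or None
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name  type  data
        if len(parts) != 3 or key is None:
            continue
        name, kind, data = parts
        if kind == "REG_DWORD" and data.lower().startswith("0x"):
            data = str(int(data, 16))
        values[(key, name)] = data
    return values

def find_indicators(values):
    """Return one finding string per indicator present in the parsed values."""
    findings = []
    if (RUN_KEY, RUN_VALUE) in values:
        findings.append(f"Run entry {RUN_VALUE} -> {values[(RUN_KEY, RUN_VALUE)]}")
    for (key, name), bad in TAMPERED.items():
        if values.get((key, name)) == bad:
            findings.append(f"{key}\\{name} = {bad}")
    return findings
# Constructed sample of `reg query` output for an infected profile (not real data).
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Bron-Spizaetus    REG_SZ    C:\WINDOWS\ShellNew\ElnorB.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions    REG_DWORD    0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x2
    HideFileExt    REG_DWORD    0x1
    ShowSuperHidden    REG_DWORD    0x0"""
```

On a live machine, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion /s` and treat any finding as a reason to look for the dropped files and the At1.job task listed above.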