病毒大百科

这是IRCBot黑客后门病毒的新变种。该病毒利用MS06-040漏洞进行传播。该病毒的主要危害是通过IRC聊天频道是系统接受黑客的控制，沦为“肉鸡”，可能导致RPC服务崩溃，用户无法上网。

1，生成文件
%system%\wgareg.exe

2，添加服务，通过服务启动
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg
"ImagePath" = "%system%\wgareg.exe"

3，通过修改下列注册表信息降低系统安全等级
software\policies\microsoft\windowsfirewall\standardprofile
"enablefirewall" = 0

software\policies\microsoft\windowsfirewall\domainprofile
"enablefirewall" = 0

software\microsoft\security center
"firewalldisableoverride" = 1
"firewalldisablenotify" = 1
"antivirusoverride" = 1
"antivirusdisablenotify" = 1

system\currentcontrolset\services\lanmanserver\parameters
"autosharewks" = 0
"autoshareserver" = 0

system\currentcontrolset\control\lsa
"restrictanonymoussam" = 1
"restrictanonymous" = 1

software\microsoft\ole
"enabledcom" = "n"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = 4

4，使用下列命令进行远程控制
NiCK %.24s
USeR l l l l
PRiVMSG %.16s :%.480s
JOiN %.16s %.16s
USeRHOST %.16s
001
302
332
NiCK %.24s
433
PRIVMSG
PoNG %.500s
PING
[exec] :(
[exec] :)
[ni] %.16s %.16s
QUiT
USER
PASS
OPER
JOIN

5，连接下列IRC服务器接受黑客控制
ypgw.wallloan.com
bniu.househot.com

6，会通过Windows系统服务缓冲区溢出漏洞（MS06-040）进行主动攻击，造成系统崩溃、网络瘫痪。