病毒大百科

这是一个利用Irc来控制机器的蠕从病毒，该病毒通过搜索被感染机器上的邮件地址，并且把自己发送出去，达到传播的目的。被感染机器会接受irc控制端的命令，使被感染机器沦为僵尸机器。

1.生成文件:
%system%plugnplay32.exe

2.添加注册表起始项，使病毒开机启动:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Plug and Play
"plugnplay32.exe"

3.添加服务:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Plug and Play
"plugnplay32.exe"

4.建立互斥变量;

H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H

5.修改注册表,禁止Windows防火墙:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = "dword:00000004"

6.搜索被感染机器上的以下文件后缀，获取邮件地址:
.txt
.htmb
.shtl
.cgil
.jspl
.xmls
.phpq
.aspd
.dbxn
.tbbg
.adbh
.wab
.pl

7.发送邮件
主题:
Account closure
ACCOUNT TERMINATION
email support
Enduser termination
staff

内容:
Dear {随机},

Your account has been flagged for suspicious behavior by our antispam mail relay
Read the attachment for instructions on how to clear your account, failure to comply will result in account termination.

Thank you for using {Random}!

The {Random} Support Team

+++Scanned with AVG - Attachment Clean
+++[Random] Antivirus - www.{Random}

附件:
avoxpmw.zip
enaqny.zip
erbgwcrejlvwjrvcg.zip
euldl.zip
gehfwufqufsuo.zip
gewhutswqsut.zip
hra.zip
ntz.zip
pae.zip
password.zip
penvtr.zip
ptd.zip
qeuaswstutsu.zip
qguwqrelelt.zip
qlureltusqtuqft.zip
qsuqluergtqswzx.zip
reulqurelretl.zip
swfutust.zip
tsauwstureg.zip
wnd.zip
wxstwqstuqt.zip
yeinlhm.zip

8.结束以下进程;
AVPCC.EXE
AVPM.EXE
ACKWIN32.EXE
ALOGSERV.EXE
AMON.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
ATGUARD.EXE
AVE32.EXE
AVKSERV.EXE
AVNT.EXE
AVPCC.EXE
AVPM.EXE
AVWIN95.EXE
BLACKICE.EXE
CLAW95CF.EXE
CMGRDIAN.EXE
ECENGINE.EXE
ESAFE.EXE
F-PROT95.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
GUARDDOG.EXE
IAMAPP.EXE
IOMON98.EXE
KAVPF.EXE
LOOKOUT.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NOD32.EXE
NSPLUGIN.EXE
OGRC.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
RAV7.EXE
RULAUNCH.EXE
SCAN32.EXE
SPIDER.EXE
VET95.EXE
VETTRAY.EXE
VSMAIN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALARM.EXE
ZONALM2601.EXE
ZONEALARM.EXE