Worm.VB.jw.372736

Virus name (Chinese): 土匪虫71682
Virus alias:
Threat level: ★★☆☆☆
Virus type: worm
Virus length: 71682
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003

Virus behavior:
After it runs, the worm copies itself to the system folder, adds entries to the registry, and uses Image File Execution Options to hijack most security software so that it can no longer start normally. The worm then looks for available network connections and shares and propagates by writing itself into shared directories.
1. Files copied:
  %sys32dir%\alcwzrd.exe
  %sys32dir%\ineters.exe
  %sys32dir%\notepd.exe
  %sys32dir%\SoundMan.exe
  %sys32dir%\ttzhh.ini
  %sys32dir%\zjhz1.ini
2. Registry entries added:
The following registry keys are added to image-hijack most security software:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetApp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DefWatch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMaiMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McAgent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctskshd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMON.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmond.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
All of the above registry entries point to "svchost.exe".
3. Damage
After it runs, the worm copies itself to the system folder, adds entries to the registry, and image-hijacks most security software so that it can no longer start normally. The worm looks for available network connections and shares; if it finds a shared directory on the current computer, it copies itself into that share and spreads by that route.
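The image hijack described in sections 2 and 3 works through the Debugger value under each Image File Execution Options subkey, so a defender can audit that key directly. The following PowerShell check is an added example, not part of the original description; the only indicator it takes from the page is that the hijacked entries point to svchost.exe, and the Suspicious flag and the helper name are assumptions for illustration.

```powershell
# Added example: audit Image File Execution Options (IFEO) for Debugger
# redirections of the kind this worm installs. Run in an elevated shell.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHijack {
    param(
        # Executables that should never appear as the "debugger" of a security
        # tool. svchost.exe is the target named in the description above.
        [string[]]$SuspiciousTargets = @('svchost.exe')
    )
    $findings = @()
    foreach ($key in Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { continue }   # no Debugger value: not a hijack

        # The Debugger value may be a bare name, a quoted path, or a path followed
        # by arguments; isolate the executable so it can be compared by file name.
        $trimmed = $dbg.Trim()
        if ($trimmed.StartsWith('"')) {
            $exePath = ($trimmed -split '"')[1]
        } else {
            $exePath = ($trimmed -split '\s+')[0]
        }
        $exeName = [System.IO.Path]::GetFileName($exePath)

        $findings += [pscustomobject]@{
            HijackedProgram = $key.PSChildName          # e.g. avp.exe, RavMON.exe
            Debugger        = $dbg
            Suspicious      = ($SuspiciousTargets -contains $exeName)
        }
    }
    return $findings
}

$hits = Get-IfeoDebuggerHijack
if (-not $hits) {
    Write-Host 'No IFEO Debugger values present.'
} else {
    $hits | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
# Cleanup for a confirmed hijack is removal of the Debugger value, e.g.:
#   Remove-ItemProperty -Path "$Ifeo\avp.exe" -Name Debugger
```

Any Debugger value that names svchost.exe for one of the programs listed above matches this worm's behavior; Debugger values pointing elsewhere still deserve review, since a legitimate debugger is rarely registered for a security product on a production host.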