Worm.Clepa

王朝百科 · Author: anonymous  2009-12-26

Alias:

Processed: 2005-08-01

Threat level: ★★

Chinese name:

Type: Worm

Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Behaviour:

This is a worm that spreads via e-mail.

It harvests e-mail addresses from the user's machine, runs its own SMTP engine, disguises itself as a Windows update and sends itself out as an e-mail attachment. It can also delete the user's system files, leaving the system unstable, and can mount a DoS attack.

1. Drops 312 files into the directories below (the paths were extracted with their backslashes missing and are restored here):

'c:\programmi\gnucleus\downloads\incoming\PC Booster.exe'

'c:\programmi\gnucleus\downloads\PC Booster.exe'

'c:\programmi\KMD\my shared folder\PC Booster.exe'

'c:\programmi\BearShare\Shared\PC Booster.exe'

'c:\programmi\KaZaa Lite\My Shared Folder\PC Booster.exe'

'c:\programmi\KaZaa\My Shared Folder\PC Booster.exe'

'c:\programmi\Morpheus\my shared folder\PC Booster.exe'

'c:\programmi\eDonkey2000\incoming\PC Booster.exe'

'c:\programmi\direct connect\received files\PC Booster.exe'

'c:\programmi\grokster\my grokster\PC Booster.exe'

'c:\programmi\limeWire\shared\PC Booster.exe'

'c:\programmi\icq\shared files\Windows Remote Password Stealer.exe'

'c:\programmi\gnucleus\downloads\incoming\mIRC Nuker 2003.exe'

'c:\programmi\direct connect\received files\mIRC Nuker 2003.exe'

'c:\programmi\KaZaa\My Shared Folder\Matrix Code Emulator.exe'

'c:\programmi\limeWire\shared\Matrix Code Emulator.exe'

'c:\programmi\BearShare\Shared\Nero Burning ROM Keygen.exe'

'c:\programmi\limeWire\shared\Nero Burning ROM Keygen.exe'

'c:\programmi\KaZaa\My Shared Folder\Matrix make Sex.scr'

'c:\programmi\BearShare\Shared\Hotmail Password Stealer.exe'

'c:\program files\grokster\my grokster\Windows Remote Password Stealer.exe'

'c:\program files\limeWire\shared\Windows Remote Password Stealer.exe'

'c:\program files\icq\shared files\Windows Remote Password Stealer.exe'

'c:\program files\gnucleus\downloads\incoming\mIRC Nuker 2003.exe'

'c:\program files\KaZaa\My Shared Folder\mIRC Nuker 2003.exe'

and so on.

2. Drops the following files into the system directory:

'%system32%\svchost.ocx'

'%system32%\services.acm'

'%system32%\sol.dat'

'%system32%\winmine.dat'

'%system32%\freecell.vxd'

'%system32%\chimera.zip'

'%system32%\spoolmgr.exe'

'%system32%\update.exe'

3. Adds registry entries:

'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'

'Spooler Manager' = 'update.exe'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000000'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000001'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000002'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000003'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000004'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000005'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000006'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000007'

'HKLM\Software\Microsoft\Internet Account Manager\Accounts\0000008'

"SMTP Server" = 'update.exe'

"HKLM\Software\Microsoft\Windows"

"Explorer" = 'update.exe'

4. Sends a request to www.google.com every 0.5 seconds, which may amount to a DoS.

5. Opens port 5822; after receiving a remote command it deletes the following files:

'%root%\config.sys'

'%root%\command.com'

'%root%\io.sys'

'%root%\boot.ini'

'%windows%\regedit.exe'

'%windows%\win.ini'

'%windows%\system.ini'

'%windows%\win.com'

'%system%\win.com'

'%system%\winsock.dll'

It then displays a dialog box:

Title: 'W32.Chimera'

Content: '!Bad Luck!'

'Today it',27h,'s a bad day for your computer:'

'Importants files had been deleted from your drive'

6. Builds its own SMTP engine and sends e-mail.

7. Searches the user's Outlook for e-mail addresses and sends the virus as an attachment to addresses ending in @yahoo.com and @hotmail.com.

8. The e-mail takes the following form:

MAIL FROM: security@microsoft.com

RCPT TO: *@yahoo.com or *@hotmail.com

Subject: Internet Security Update

Content: Why We Are Issuing This Update:

A security issue has been identified that could allow an attacker to compromise

a computer running Microsoft Windows and gain control over it.

You can protect your computer by installing the attached update.

Severity Level: Critical

Attachment name: update.exe

9. When the user opens the attachment, the virus runs and displays one of the following dialog boxes:

Title: 'Windows Security Update'

Content: 'System updated. Thank you for your interest in Windows Update'

or

Title: "Explorer"

Content: "This is not a valid Win32 application"
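The indicators above (dropped files in the system directory, lure filenames planted in P2P shared folders, the Run key value, the backdoor port and the spoofed update e-mail) lend themselves to a simple host triage check. The following Python helper is an added example, not part of this write-up; the snapshot format, the severity labels and the sample host data are my own constructed assumptions, and nothing in it touches a live system.

```python
# Added example, not from the write-up: matches a host snapshot (constructed below)
# against the Worm.Clepa indicators listed above. Nothing here touches a live system.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = ("spooler manager", "update.exe")          # persistence entry
SYSTEM_DROPS = {"svchost.ocx", "services.acm", "sol.dat", "winmine.dat",
                "freecell.vxd", "chimera.zip", "spoolmgr.exe", "update.exe"}
P2P_LURES = {"pc booster.exe", "windows remote password stealer.exe",
             "mirc nuker 2003.exe", "matrix code emulator.exe",
             "nero burning rom keygen.exe", "matrix make sex.scr",
             "hotmail password stealer.exe"}
BACKDOOR_PORT = 5822
LURE = ("security@microsoft.com", "internet security update", "update.exe")


def triage(snapshot):
    """Return (severity, description) findings for one host snapshot."""
    findings = []
    for path in snapshot.get("files", []):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\system32\\" in low and name in SYSTEM_DROPS:
            findings.append(("high", "dropped file " + path))
        elif name in P2P_LURES:          # copies planted in P2P shared folders
            findings.append(("medium", "P2P lure copy " + path))
    for key, values in snapshot.get("registry", {}).items():
        if key.lower() != RUN_KEY:
            continue
        for name, data in values.items():
            if (name.lower(), data.lower()) == RUN_VALUE:
                findings.append(("high", f"Run persistence {name}={data}"))
    if BACKDOOR_PORT in snapshot.get("listening_ports", []):
        findings.append(("high", f"backdoor port TCP/{BACKDOOR_PORT} listening"))
    for m in snapshot.get("outbound_mail", []):  # spoofed "security update" lure
        if (m["from"].lower(), m["subject"].lower(), m["attachment"].lower()) == LURE:
            findings.append(("high", "lure mail to " + m["to"]))
    return findings


# Constructed snapshot standing in for data collected from a suspect host.
SAMPLE_SNAPSHOT = {
    "files": [r"C:\WINDOWS\system32\spoolmgr.exe", r"C:\WINDOWS\system32\update.exe",
              r"C:\WINDOWS\system32\notepad.exe",
              r"C:\Program Files\KaZaa\My Shared Folder\PC Booster.exe"],
    "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
                 {"Spooler Manager": "update.exe"}},
    "listening_ports": [135, 445, 5822],
    "outbound_mail": [{"from": "security@microsoft.com", "to": "victim@yahoo.com",
                       "subject": "Internet Security Update", "attachment": "update.exe"}],
}
```

Running `triage(SAMPLE_SNAPSHOT)` yields six findings, five of them high; a legitimate `%system32%\update.exe` would also be flagged, so the Run key value and port 5822 are the stronger corroborating signals.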

© 2005- 王朝百科. All rights reserved.