Worm.Bobax.af
Alias:
Processed on: 2005-08-18
Threat level: ★★
Chinese name:
Type: Worm
Affected systems: Win 2000/NT, Win XP, Win 2003
Behavior:
This is a malicious worm that spreads through the MS05-039 vulnerability, the shared directories of P2P software, and e-mail. When it runs, it terminates the processes and services of many security products and deletes those products, and it modifies the hosts file so that the user can no longer reach the avp.com website.
1. Drops the following files into the %SYSTEMROOT% directory
msdefr.exe
nb32ext2.exe
services.exe
2. Modifies the hosts file, appending the following line (reproduced as listed; the normal hosts-file order is address first, then hostname)
avp.com 127.0.0.1
so that the user can no longer reach the avp.com website
3. Modifies the registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies DisableRegistryTools dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer IEPsdgxc dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer fdfg dword:00000013
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies DisableRegistryTools dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RPCserv32g "D:\WINNT\services.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices helloworld "nb32ext2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit "%System32%\userinit.exe,%SystemRoot%\services.exe,"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess Start dword:00000004
(The Run and RunServices values start the dropped files at boot, the appended Userinit entry launches the dropped services.exe at every interactive logon, and Start=4 disables the SharedAccess service, i.e. Windows Firewall / Internet Connection Sharing.)
4. Stops the following services and deletes the associated files
"NETSKY"
"navapsvc"
"NProtectService"
"Norton Antivirus Server"
"VexiraAntivirus"
"dvpinit"
"dvpapi"
"schscnt"
"BackWeb Client - 7681197"
"F-Secure Gatekeeper Handler Starter"
"FSMA"
"AVPCC"
"KAVMonitorService"
"Norman NJeeves"
"NVCScheduler"
"nvcoas"
"Norman ZANDA"
"PASSRV"
"SweepNet"
"SWEEPSRV.SYS"
"NOD32ControlCenter"
"NOD32Service"
"PCCPFW"
"Tmntsrv"
"AvxIni"
"XCOMM"
"ravmon8"
"SmcService"
"BlackICE"
"PersFW"
"McAfee Firewall"
"OutpostFirewall"
"NWService"
"NISUM"
"NISSERV"
"vsmon"
5. Terminates the following processes and deletes the associated files
"Lien Van de Kelderrr.exe"
"winshost.exe"
"msnmsgr.exe"
"wfdmgr.exe"
"OUTPOST.EXE"
"IAOIN.EXE"
"RB.EXE"
"b055262c.dll"
"backdoor.rbot.gen.exe"
"backdoor.rbot.gen_(17).exe"
"msssss.exe"
"rasmngr.exe"
"dailin.exe"
"wowpos32.exe"
"wuamgrd.exe"
"taskmanagr.exe"
"wuamga.exe"
"ATUPDATER.EXE"
"AVWUPD32.EXE"
"AVPUPD.EXE"
"LUALL.EXE"
"DRWEBUPW.EXE"
"ICSSUPPNT.EXE"
"ICSUPP95.EXE"
"UPDATE.EXE"
"NUPGRADE.EXE"
"ATUPDATER.EXE"
"AUPDATE.EXE"
"AUTODOWN.EXE"
"AUTOTRACE.EXE"
"AUTOUPDATE.EXE"
"AVXQUAR.EXE"
"CFIAUDIT.EXE"
"MCUPDATE.EXE"
"NUPGRADE.EXE"
"Systra.exe"
"RAVMOND.exe"
"GfxAcc.exe"
"VisualGuard.exe"
"WIN-BUGSFIX.EXE"
"WIN32.EXE"
"WIN32US.EXE"
"WINACTIVE.EXE"
"WINDOW.EXE"
"WINDOWS.EXE"
"WININETD.EXE"
"WININIT.EXE"
"WININITX.EXE"
"WINLOGIN.EXE"
"WINMAIN.EXE"
"WINPPR32.EXE"
"WINRECON.EXE"
"WINSSK32.EXE"
"WINSTART.EXE"
"WINSTART001.EXE"
"WINTSK32.EXE"
"WINUPDATE.EXE"
"WKUFIND.EXE"
"WNAD.EXE"
"WNT.EXE"
"WRADMIN.EXE"
"WRCTRL.EXE"
"WUPDATER.EXE"
"WUPDT.EXE"
"WYVERNWORKSFIREWALL.EXE"
"XPF202EN.EXE"
"ZAPRO.EXE"
"ZAPSETUP3001.EXE"
"ZATUTOR.EXE"
"ZONALM2601.EXE"
"ZONEALARM.EXE"
"_AVP32.EXE"
"_AVPCC.EXE"
"_AVPM.EXE"
"HIJACKTHIS.EXE"
"F-AGOBOT.EXE"
6. Sends infected e-mail to the user's contacts
7. Attacks other hosts on the network through the MS05-039 vulnerability (the Windows Plug and Play service overflow, reached over TCP/445); if the attack succeeds, the target host is infected with the worm.
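As an added example (not the vendor's own tooling), the following Python script checks a hosts file and a .reg export for the hijack line in item 2 and the persistence and firewall changes in item 3. The sample hosts content and the registry dump are constructed for the example; the key paths, value names and data in them are the ones this entry lists. Because the hosts line is quoted above with the hostname first, the check accepts both the usual "address hostname" order and the reversed one, and the Userinit check flags any entry other than userinit.exe rather than only the path named here.

```python
import re

# Constructed sample inputs (not taken from an infected machine): a hosts file
# with the appended hijack line, and a .reg-style export of the keys this
# entry lists under item 3.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
avp.com 127.0.0.1
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPCserv32g"="D:\\WINNT\\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"helloworld"="nb32ext2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%System32%\\userinit.exe,%SystemRoot%\\services.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def find_hosts_hijacks(hosts_text):
    """Return hostnames that the hosts file pins to a loopback/blackhole address.

    Accepts both the normal 'address hostname' order and the reversed
    'hostname address' order in which this entry quotes the appended line.
    """
    hijacked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if not any(t in LOOPBACK for t in tokens):
            continue
        for t in tokens:
            if t not in LOOPBACK and t.lower() != "localhost":
                hijacked.append(t.lower())
    return hijacked


# Autorun values this entry lists, as (key path, value name)
PERSISTENCE_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "RPCserv32g"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "helloworld"),
]
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"


def parse_reg(reg_text):
    """Minimal parser for a .reg export: {key path (lower-cased): {value name: data}}."""
    keys = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
                keys[current][name] = data
    return keys


def find_registry_iocs(reg_text):
    """Return human-readable findings for the registry changes this entry describes."""
    keys = parse_reg(reg_text)
    findings = []
    for key, name in PERSISTENCE_VALUES:
        values = keys.get(key.lower(), {})
        if name in values:
            findings.append(f"autorun value {name} = {values[name]} under {key}")
    # Userinit should consist of a single userinit.exe entry; anything else
    # appended is launched at every interactive logon before the shell.
    userinit = keys.get(WINLOGON_KEY.lower(), {}).get("Userinit", "")
    for part in userinit.split(","):
        part = part.strip()
        if part and not part.lower().endswith("userinit.exe"):
            findings.append(f"extra Userinit entry: {part}")
    # SharedAccess is the Windows Firewall / Internet Connection Sharing service;
    # Start=4 means disabled, leaving TCP/445 exposed for the MS05-039 spread.
    if keys.get(SHAREDACCESS_KEY.lower(), {}).get("Start", "").lower() == "dword:00000004":
        findings.append("SharedAccess service disabled (Start=4)")
    return findings


if __name__ == "__main__":
    for hit in find_hosts_hijacks(SAMPLE_HOSTS):
        print("hosts hijack:", hit)
    for finding in find_registry_iocs(SAMPLE_REG):
        print("registry:", finding)
```

Feed it the output of `reg export` for the listed keys and the contents of %SystemRoot%\System32\drivers\etc\hosts. One further check this entry implies: the legitimate services.exe lives in %SystemRoot%\System32, so a services.exe directly in %SystemRoot% (the path the RPCserv32g Run value points to) is itself a strong indicator, as are msdefr.exe and nb32ext2.exe there.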