Worm.IRC.WargBot.b
Aliases:
Processed: 2006-08-14
Threat level: ★★★★
Chinese name: 魔鬼波
Type: Worm
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Behaviour:
This worm spreads by exploiting the MS06-040 vulnerability; this variant is variant a with an added encryption (packing) layer. Its main harm is that it places the system under an attacker's control through an IRC chat channel, turning it into a "zombie" (肉鸡); it may also crash the RPC service, leaving the user unable to get online.
1. Creates the file
%system%\wgavm.exe
2. Adds a service and is started through it
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavm
"ImagePath" = "%system%\wgavm.exe"
3. Lowers the system's security level by modifying the following registry values (paths without a hive are under HKEY_LOCAL_MACHINE)
software\policies\microsoft\windowsfirewall\standardprofile
"enablefirewall" = 0
software\policies\microsoft\windowsfirewall\domainprofile
"enablefirewall" = 0
software\microsoft\security center
"firewalldisableoverride" = 1
"firewalldisablenotify" = 1
"antivirusoverride" = 1
"antivirusdisablenotify" = 1
system\currentcontrolset\services\lanmanserver\parameters
"autosharewks" = 0
"autoshareserver" = 0
system\currentcontrolset\control\lsa
"restrictanonymoussam" = 1
"restrictanonymous" = 1
software\microsoft\ole
"enabledcom" = "n"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = 4
4. Uses the following IRC command strings for remote control
NiCK %.24s
USeR l l l l
PRiVMSG %.16s :%.480s
JOiN %.16s %.16s
USeRHOST %.16s
001
302
332
NiCK %.24s
433
PRIVMSG
PoNG %.500s
PING
[exec] :(
[exec] :)
[ni] %.16s %.16s
QUiT
USER
PASS
OPER
JOIN
5. Connects to the following IRC servers to receive the attacker's commands
ypgw.wallloan.com
bniu.househot.com
6. Injects into the explorer.exe process
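A read-only host check for the artifacts listed in items 1 to 3, added here as an example and not part of the original advisory. It assumes the hive-less registry paths above live under HKEY_LOCAL_MACHINE and that %system% is %SystemRoot%\System32; run it as Administrator on the host being examined.

```powershell
# Added example: report the file, service and registry artifacts of Worm.IRC.WargBot.b.
# Only reads; changes nothing. Assumption: %system% = $env:SystemRoot\System32.
$findings = @()

# 1. Dropped file and 2. service persistence (the strongest indicators)
$dropped = Join-Path $env:SystemRoot 'System32\wgavm.exe'
if (Test-Path $dropped) { $findings += "file present: $dropped" }

$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wgavm' -ErrorAction SilentlyContinue
if ($svc) { $findings += "service key present, ImagePath = $($svc.ImagePath)" }

# 3. Registry values the advisory lists, paired with the value the worm writes.
#    Some of these (e.g. RestrictAnonymous = 1) are also set by legitimate hardening,
#    so treat a match here as supporting evidence, not proof on its own.
$expected = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Bad = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableOverride'; Bad = 1 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';   Bad = 1 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride';       Bad = 1 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify';  Bad = 1 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks';    Bad = 0 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer'; Bad = 0 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Bad = 1 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';    Bad = 1 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Bad = 'N' },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Bad = 4 }
)

foreach ($e in $expected) {
  $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
  # Compare as strings so the DWORD and REG_SZ cases share one path; -eq is case-insensitive.
  if ($null -ne $item -and "$($item.$($e.Name))" -eq "$($e.Bad)") {
    $findings += "$($e.Path)\$($e.Name) = $($e.Bad)"
  }
}

if ($findings.Count -eq 0) { 'No WargBot.b artifacts found' } else { $findings }
```

The injection into explorer.exe (item 6) is not covered by this check; a hit on the file or service key, together with several of the registry matches, is the signal to isolate the host and image it.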