“五毒蟲” (Five-Poison Worm) variant AE (Worm.Supnot.ae)

The “五毒蟲” variant AE (Worm.Supnot.ae) spreads aggressively by e-mail, through the DCOM RPC vulnerability and across the local network, which can bring the network down; it also opens a backdoor and waits for an attacker to connect, leading to data leakage and other losses.


Virus information

Virus name: Worm.Supnot.ae
Chinese name: 五毒蟲 (Five-Poison Worm)
Threat level: 3B
Type: mail worm, vulnerability-exploiting worm, hacker backdoor; Trojan
Affected systems: Win9x, Windows 2000, Windows XP, Windows 2003

Destructive behaviour

A. The worm spreads aggressively by e-mail, through the DCOM RPC vulnerability and across the local network, which can bring the network down.
B. It opens a backdoor and waits for an attacker to connect, causing data leakage and other losses.

Symptoms

A. When spreading across the local network, copies of the worm may use the following file names:
"MSN Password Hacker and Stealer.exe"
"SIMS FullDownloader.zip.exe"
"Winrar + crack.exe"
"Star Wars II Movie Full Downloader.exe"
"MoviezChannelsInstaler.exe"
"Age of empires 2 crack.exe"
"CloneCD + crack.exe"
"Sex_For_You_Life.JPG.pif"
"AN-YOU-SUCK-IT.txt.pif"
"100 free essays school.pif"
"Mafia Trainer!!!.exe"
"Panda Titanium Crack.zip.exe"
"How To Hack Websites.exe"
"The world of lovers.txt.exe"
"autoexec.bat"
"Are you looking for Love.doc.exe"
B. After running, the worm searches the local file directories, sends infected mail to the addresses found in the Inbox, and also automatically replies to messages in the Inbox based on their content; every message carries a copy of the worm as an attachment.
The mail has the following characteristics:
When the worm replies to a message, the subject is derived from the original message, and the body may read:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Possible attachment names when the worm replies to a message:
"I am For u.doc.exe"
"Britney spears nude.exe.txt.exe"
"joke.pif"
"DSL Modem Uncapper.rar.exe"
"Industry Giant II.exe"
"StarWars2 - CloneAttack.rm.scr"
"dreamweaver MX (crack).exe"
"Shakira.zip.exe"
"SETUP.EXE"
"Macromedia Flash.scr"
"How to Crack all gamez.exe"
"Me_nude.AVI.pif"
"s3msong.MP3.pif"
"Deutsch BloodPatch!.exe"
"Sex in Office.rm.scr"
"the hardcore game-.pif"
C. Possible subjects, bodies and attachment names when the worm sends mail of its own
Subjects:
"Hi"
"Hi Dear"
"Attached one Gift for u.."
"Help"
"Great"
"for you"
"Last Update"
"Let's Laugh"
"Reply to this!"
Bodies:
"For further assistance, please contact!"
"Copy of your message, including all the headers is attached."
"This is the last cumulative update."
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)"
"Send reply if you want to be official beta tester."
"This message was created automatically by mail delivery software (Exim)."
"It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West)."
"Adult content!!! Use with parental advisory."
"Patrick Ewing will give Knick fans something to cheer about Friday night."
Attachment names:
"images.pif"
"README.TXT.pif"
"Interesting.exe"
"Source.exe"
"YOU_are_FAT!.TXT.pif"
"enjoy.exe"
"Doom3 Preview!!!.exe"
"driver.exe"
"About_Me.txt.pif"
D. The worm starts a separate process that watches the main worm process; if the main process is terminated, it is reloaded immediately.
E. The worm terminates the virus firewalls and scanners of several well-known anti-virus products, such as Kingsoft AntiVirus (金山毒霸), Rising (瑞星), Norton (諾頓), SkyNet (天網) and Kill. The improved method is more vicious: any process whose name contains "KV", "KAV", "Duba", "NAV", "kill", "RavMon.exe", "Rfw.exe", "Gate", "McAfee", "Symantec", "SkyNet" or "rising" is terminated.
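The attachment names above share one signature: a harmless-looking extension (.txt, .doc, .JPG, .rm, .zip) placed in front of an executable one (.exe, .pif, .scr). The following Python mail-gateway filter is an added example, not code from the original page or from any anti-virus vendor: it classifies attachments by that double-extension pattern as well as by the exact names the page lists. The message records are constructed, and the policy that every executable attachment is held, not only the known names, is an assumption of the example.

```python
# Mail-gateway attachment triage for the names listed in the advisory above.
# Added example; the sample messages are constructed, not real captured mail.

# Attachment names quoted on the page (compared case-insensitively).
KNOWN_ATTACHMENTS = {n.lower() for n in (
    "images.pif", "README.TXT.pif", "Interesting.exe", "Source.exe",
    "YOU_are_FAT!.TXT.pif", "enjoy.exe", "Doom3 Preview!!!.exe", "driver.exe",
    "About_Me.txt.pif", "I am For u.doc.exe", "joke.pif", "SETUP.EXE",
    "Macromedia Flash.scr", "Me_nude.AVI.pif", "s3msong.MP3.pif",
)}

# Extensions Windows executes on double-click.
EXECUTABLE_EXT = {"exe", "pif", "scr", "com", "bat"}
# Decoy extensions the worm places before the real one (".txt.pif", ".JPG.pif", ".rm.scr").
DECOY_EXT = {"txt", "doc", "jpg", "avi", "mp3", "rm", "zip", "rar"}


def classify_attachment(name):
    """Return 'known', 'double-extension', 'executable' or 'clean' for one attachment name."""
    lower = name.lower()
    if lower in KNOWN_ATTACHMENTS:
        return "known"
    parts = lower.rsplit(".", 2)          # keep at most the last two extensions
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXT:
        if len(parts) == 3 and parts[-2] in DECOY_EXT:
            return "double-extension"
        return "executable"
    return "clean"


# Policy assumed by this example: anything that would execute is held for review.
QUARANTINE = {"known", "double-extension", "executable"}


def triage(messages):
    """messages: iterable of {'subject': ..., 'attachment': ...}.
    Returns a list of (attachment, verdict, action) tuples."""
    results = []
    for msg in messages:
        verdict = classify_attachment(msg["attachment"])
        action = "quarantine" if verdict in QUARANTINE else "deliver"
        results.append((msg["attachment"], verdict, action))
    return results


# Constructed sample traffic: three worm-style messages and one legitimate one.
SAMPLE_MESSAGES = [
    {"subject": "Reply to this!", "attachment": "README.TXT.pif"},
    {"subject": "Re: budget", "attachment": "Are you looking for Love.doc.exe"},
    {"subject": "Hi", "attachment": "Winrar + crack.exe"},
    {"subject": "Q3 numbers", "attachment": "quarterly_report.pdf"},
]

if __name__ == "__main__":
    for attachment, verdict, action in triage(SAMPLE_MESSAGES):
        print(f"{action:10} {verdict:17} {attachment}")
```

The subjects on the page ("Hi", "Help", "Great") are too generic to block on, which is why the filter keys on the attachment alone; the double-extension rule also catches names that are not in the list, such as "Are you looking for Love.doc.exe" from the LAN-copy list above.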

Technical characteristics

A. Adds the following files under the system directory and the Windows installation directory:
%System%\TkBellExe.exe
%System%\Update_OB.exe
%System%\hxdef.exe
%System%\RAVMOND.exe
%System%\IEXPLORE.EXE
%System%\kernel66.dll
%System%\ODBC16.dll
%System%\msjdbc.dll
%System%\MSSIGN30.dll
%System%\NetMeeting.exe
%System%\Spollsv.exe
%System%\LMMIB20.DLL
%SystemRoot%\Media\mmc.exe
%SystemRoot%\svchost.exe
B. Creates RAR- and ZIP-compressed files in the directory the worm was first run from, for example bak.exe.
C. Creates the following file on the C: drive:
c:\NetLog.txt
D. Adds the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run ="RAVMOND.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices
SystemTra ="%SystemRoot%\SysTra.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHelp = "%System%\TkBellExe.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hardware Profile = "%System%\hxdef.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Program In Windows = "%System%\IEXPLORE.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shell Extension = "%System%\spollsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
E. On Windows NT, 2000 and XP systems, after infection the worm registers its main program as a service, named “Windows Management NetWork Service Extensions” among others.
F. It enumerates the local network or generates random IP addresses and attacks IPC$ shares by guessing passwords; on success it obtains administrator privileges, copies itself into the victim computer's system directory as NetManager.exe and starts a service named “Windows Management NetWork Service Extensions”.
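A host check for the artefacts in sections A to F above, written here as an added example (it is not the original page's or Kingsoft's own tool): it parses a registry export in .reg format for the autostart value names the page lists, flags any autostart value whose data points at a dropped file, and matches file paths against the dropped-file list. The registry export and the file paths are constructed sample data. Three of the dropped names (mmc.exe, IEXPLORE.EXE, svchost.exe) collide with legitimate Windows binaries, so those are flagged only in the odd locations the page gives for them; the .reg parser handles only the [key] and "name"="string" lines this check needs.

```python
import re
import ntpath

# Autostart keys named in the advisory (lower-cased for comparison).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows",
}

# Value names the worm registers under those keys (from the advisory).
AUTOSTART_NAMES = {
    "run", "systemtra", "winhelp", "hardware profile",
    "vfw encoder/decoder settings", "microsoft netmeeting associates, inc.",
    "program in windows", "shell extension", "protected storage",
}

# Dropped files whose names are distinctive enough to match on the basename alone.
DROPPED_FILES = {
    "tkbellexe.exe", "update_ob.exe", "hxdef.exe", "ravmond.exe",
    "kernel66.dll", "odbc16.dll", "msjdbc.dll", "mssign30.dll",
    "netmeeting.exe", "spollsv.exe", "lmmib20.dll", "systra.exe",
    "netlog.txt", "netmanager.exe",
}

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="string" values.
    Returns {key_lowercase: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def registry_findings(reg_text):
    """Flag autostart values that use a name from the advisory or point at a dropped file."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            name_hit = name.lower() in AUTOSTART_NAMES and data != ""
            data_hit = any(f in data.lower() for f in DROPPED_FILES)
            if name_hit or data_hit:
                findings.append(f"registry: [{key}] {name} = {data}")
    return findings


def is_dropped_file(path):
    """True if the path matches a file the advisory says the worm drops."""
    directory, base = ntpath.split(path)
    base, parent = base.lower(), ntpath.basename(directory).lower()
    if base in DROPPED_FILES:
        return True
    # Names shared with legitimate Windows binaries: flag only the locations the
    # advisory gives (%SystemRoot%\Media\mmc.exe, %System%\IEXPLORE.EXE,
    # %SystemRoot%\svchost.exe), never the real binaries in System32.
    if base == "mmc.exe" and parent == "media":
        return True
    if base == "iexplore.exe" and parent in ("system32", "system"):
        return True
    if base == "svchost.exe" and parent in ("windows", "winnt"):
        return True
    return False


def scan_host(reg_text, file_paths):
    """Combine registry and file findings into one list of strings."""
    return registry_findings(reg_text) + [
        f"file: {p}" for p in file_paths if is_dropped_file(p)
    ]


# Constructed sample data (not a real export): an infected-looking host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\WINDOWS\\system32\\TkBellExe.exe"
"Shell Extension"="C:\\WINDOWS\\system32\\spollsv.exe"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jusched.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="RAVMOND.exe"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\system32\TkBellExe.exe",
    r"C:\WINDOWS\system32\kernel66.dll",
    r"C:\WINDOWS\system32\kernel32.dll",   # legitimate, must not be flagged
    r"C:\WINDOWS\system32\svchost.exe",    # legitimate location
    r"C:\WINDOWS\svchost.exe",             # location the worm uses
    r"C:\NetLog.txt",
]

if __name__ == "__main__":
    for line in scan_host(SAMPLE_REG, SAMPLE_FILES):
        print(line)
```

On a real host the registry text would come from `reg export` of the three keys and the file list from a directory walk of %SystemRoot%; the check deliberately reads an export rather than the live registry so it can be run against evidence collected from an offline disk.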

Solution

A. Kingsoft AntiVirus (金山毒霸) with the virus definitions of 14 July 2004 handles this virus completely.
B. After cleaning the virus, install the latest system patches, in particular the Blaster (衝擊波) and Sasser (震盪波) patches.
C. Change weak passwords; a password combining at least 4 letters and 4 digits is strongly recommended.
D. Develop good habits: do not casually open URLs sent through instant-messaging tools, and do not open mail that carries attachments.
E. Turn on Kingsoft NetGuard (金山網鏢) and the Kingsoft AntiVirus virus firewall to keep the virus out of the system.
