Win32.Hack.Agobot.ag

Virus alias: Backdoor.Agobot.gen (AVP); its Chinese name is also "安哥". Threat level: ★★. The virus spreads over IRC and by attacking weak passwords. Once running it shuts down some security software, steals the CD-keys of some of the user's games and sends the collected information to a mailbox designated by the attacker. While active, CPU usage is extremely high, slowing the system down severely. To make sure the stolen information reaches the attacker, the virus also quietly shuts down the network firewall.

Overview

  • Foreign name: Win32.Hack.Agobot.ag
  • Threat level: ★★
  • Propagation: spreads over IRC and by attacking weak passwords
  • Trigger condition: opens a backdoor and waits for remote control by the attacker

Authoring tools

Written in VC, packed with UPX

Virus behaviour

System modifications:

1. Copies itself to %System% under one of the following file names:
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
2. Adds one of the following values under one of these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Registry Loader"="regloadr.exe"
"Registry Loader"="winhlpp32.exe"
"Update Installer" = "Swchost.exe"
"Windows Explorer" = "Lsas.exe"
"Configuration Loader" = "dosrun32.exe"
"Configuration Loader" = "Service.exe"
"Configuration Loader" = "Winreg.exe"
"Configuration Loader" = "System.exe"
"Automatic Windows Updater" = "Update.exe"
"Microsoft Windows 2000" = "Winupdsdgm.exe"
"Window Loader" = "Dos32.exe"
"iConfigLoader" = "DIIhost.exe"
"Config Loader" = "Scvhost.exe"
"Update Install" ="Schost.exe"
"Startup Update" = "Cvshost.exe"
"Norton Live Updater" = "Cavapsvc.exe"
"Service Controller" = "Csrrs.exe"
"Configuration Loader" = "Servicess.exe"
"Windows Startup" = "Wdrun32.exe"
"Norton Live Updater" = "Sochost.exe"
3. Adds the following registry keys as infection markers:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_A3X
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\A3X
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_A3X
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\A3X
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_A3X
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\A3X
4. Opens a backdoor on a random TCP port and waits for the attacker to connect.
5. Connects to a predefined IRC server and waits for commands the attacker sends over IRC.
6. Opens a backdoor that gives the attacker the following capabilities:
Download and run the worm
Update the worm
Steal information from the local machine
Download and run files
Send the worm to other IRC users
Add a new administrator account
7. Performs weak-password attacks using the following dictionary:

Accounts:

Administrador
Administrateur
Administrator
Default
Dell
Gast
Guest
Inviter
Owner
Standard
Test
User
a
aaa
abc
admin
administrator
asdf
home
mgmt
pc
qwer
temp
test
win
x
xyz
Passwords:
0
007
000000
00000000
1
110
111
111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2002
2600
54321
654321
88888888
Internet
Login
Password
a
aaa
abc
abcd
alpha
computer
database
enable
foobar
god
godblessyou
home
ihavenopass
login
love
mypass
mypc
oracle
owner
pass
passwd
password
pat
patrick
pc
pw
pwd
root
secret
server
sex
super
sybase
temp
test
win
xp
xxx
yxcv
zxcv
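The dictionary above is also a useful detection signal on the defending side: the bot's weak-password attack shows up in a Windows Security log as one remote address failing logons against several of these account names within seconds. The following is an added example, not code from the original page. It takes logon-failure events reduced to a constructed three-column CSV (time, source IP, target account; all addresses and times are made up), and flags any source that tries at least four distinct dictionary accounts inside a five-minute window. The thresholds and the CSV shape are assumptions for illustration.

```python
"""Flag Agobot-style account guessing in logon-failure records.

Added example, not code from the original page. Input is a constructed CSV
reduction of Windows Security logon-failure events (event ID 4625): time,
source IP, target account. The thresholds below are illustrative assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Account names from the bot's dictionary (the page's list), lower-cased.
AGOBOT_ACCOUNTS = {
    "administrador", "administrateur", "administrator", "default", "dell",
    "gast", "guest", "inviter", "owner", "standard", "test", "user", "a",
    "aaa", "abc", "admin", "asdf", "home", "mgmt", "pc", "qwer", "temp",
    "win", "x", "xyz",
}

# Constructed sample log: one noisy source, one user mistyping, one stray hit.
SAMPLE_LOG = """time,source_ip,account
2004-03-01T10:00:01,10.0.0.5,Administrator
2004-03-01T10:00:02,10.0.0.5,admin
2004-03-01T10:00:02,10.0.0.5,Guest
2004-03-01T10:00:03,10.0.0.5,Dell
2004-03-01T10:00:04,10.0.0.5,test
2004-03-01T10:00:05,10.0.0.5,Owner
2004-03-01T10:15:00,10.0.0.9,jsmith
2004-03-01T10:16:00,10.0.0.9,jsmith
2004-03-01T11:00:00,10.0.0.12,Administrator
"""


def parse_failures(text):
    """Return (timestamp, source_ip, account) tuples in time order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(row["time"]),
                     row["source_ip"], row["account"]))
    rows.sort()
    return rows


def find_dictionary_sprays(text, min_accounts=4, window=timedelta(minutes=5)):
    """Return {source_ip: sorted dictionary accounts it tried} for every source
    that failed logons against at least `min_accounts` distinct dictionary
    names inside some span of length `window`. A lone guess against one
    dictionary name (an admin mistyping, say) does not trip the rule."""
    by_source = defaultdict(list)
    for ts, ip, account in parse_failures(text):
        if account.lower() in AGOBOT_ACCOUNTS:
            by_source[ip].append((ts, account.lower()))

    alerts = {}
    for ip, events in by_source.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({name for _, name in events[start:end + 1]}) >= min_accounts:
                # Report every dictionary account this source touched, not just
                # the ones inside the first window that crossed the threshold.
                alerts[ip] = sorted({name for _, name in events})
                break
    return alerts


if __name__ == "__main__":
    for ip, names in find_dictionary_sprays(SAMPLE_LOG).items():
        print(f"{ip}: tried {len(names)} Agobot dictionary accounts: {', '.join(names)}")
```

On a real host the same three fields come from event 4625's IpAddress and TargetUserName fields; the window-and-threshold approach matters because legitimate users also fail logons against names like "administrator", so the rule keys on breadth of distinct dictionary accounts from one source rather than on any single name.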
9. Steals the CD-keys of the following games:
Soldier of Fortune II - Double Helix
Neverwinter
WestwoodNox
Tiberian Sun
Red Alert 2
Red Alert
Project IGI 2
Command & Conquer Generals
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Battlefield 1942
Rainbow Six III RavenShield
Nascar Racing 2003
Nascar Racing 2002
NHL 2003
NHL 2002
FIFA 2003
FIFA 2002
Need For Speed Hot Pursuit 2
The Gladiators
Unreal Tournament 2003
Legends of Might and Magic
Counter-Strike
Half-Life
10. Terminates the following processes:
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
MSCONFIG.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
11. Terminates the processes of the following rival viruses:
dllhost.exe
msblast.exe
mspatch.exe
penis32.exe
scvhosl.exe
tftpd.exe
winppr32.exe

Symptoms:

CPU usage is very high, the firewall may quietly exit, and one of the following files can be found in the %System% directory:
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
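The file names, Run/RunServices value names and A3X marker keys listed on this page can be checked together on a host. The following is an added example, not code from the original page: it parses a .reg-style export of the relevant keys and a directory listing of %System%, both constructed here as sample input (the decoy "SecurityHealth" value and the file names around the hit are made up), and reports three kinds of finding. Matching on a file name alone is deliberately weak evidence, since the bot picks names that imitate svchost.exe and lsass.exe; the Run value and the marker keys are what corroborate it.

```python
"""Check a host for the Agobot.ag persistence indicators listed on this page.

Added example, not code from the original page. Inputs are a constructed
%System% directory listing and a constructed .reg export; on a real host the
listing comes from a directory walk and the export from `reg export`.
"""
import re

DROPPED_FILES = {n.lower() for n in [
    "Cavapsvc.exe", "Csrrs.exe", "Cvhost.exe", "DIIhost.exe", "Dosrun32.exe",
    "Dos32.exe", "Lsas.exe", "Regloadr.exe", "Schost.exe", "Scvhost.exe",
    "Service.exe", "Servicess.exe", "Sochost.exe", "Swchost.exe", "System.exe",
    "Update.exe", "Wdrun32.exe", "Winhlpp32.exe", "Winreg.exe", "Winupdsdgm.exe",
]}
RUN_VALUE_NAMES = {n.lower() for n in [
    "Registry Loader", "Update Installer", "Windows Explorer",
    "Configuration Loader", "Automatic Windows Updater", "Microsoft Windows 2000",
    "Window Loader", "iConfigLoader", "Config Loader", "Update Install",
    "Startup Update", "Norton Live Updater", "Service Controller", "Windows Startup",
]}
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runservices")
# Marker keys: ...\Enum\Root\LEGACY_A3X and ...\Services\A3X under any control set.
MARKER_KEY_RE = re.compile(r"\\(enum\\root\\legacy_a3x|services\\a3x)$")

# Constructed sample inputs (file names and paths are made up for the example).
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "svchost.exe", "regloadr.exe", "ntoskrnl.exe"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Registry Loader"="regloadr.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\A3X]
"ImagePath"="C:\\WINNT\\system32\\regloadr.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_A3X]
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"\s*=\s*"?(.*?)"?$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def check_host(system_dir_listing, reg_text):
    """Return a list of (kind, detail) findings: file, run_value or marker_key."""
    findings = []
    for name in system_dir_listing:
        if name.lower() in DROPPED_FILES:
            findings.append(("file", name))
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for vname, data in values.items():
                # Hit on either the value name the bot uses or the dropped binary it points at.
                basename = data.lower().split("\\")[-1]
                if vname.lower() in RUN_VALUE_NAMES or basename in DROPPED_FILES:
                    findings.append(("run_value", f"{vname}={data}"))
        if MARKER_KEY_RE.search(k):
            findings.append(("marker_key", key))
    return findings


if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_SYSTEM_DIR, SAMPLE_REG):
        print(f"[{kind}] {detail}")
```

The value-name check is kept separate from the file-name check because the bot pairs the same value name with several different binaries ("Configuration Loader" alone maps to five of them), so a Run value with a known name pointing at an unlisted file is still worth a look, and the marker keys are stable across the file-name variants.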
