基本介紹
- 中文名:魔鬼波
- 外文名:Worm.IRC.WargBot.b
- 處理時間:2006-08-14
- 威脅級別:★★★★
病毒別名,病毒行為,
病毒別名
病毒類型:蠕蟲 影響系統:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行為
1,生成檔案
%system%\wgavm.exe
2,添加服務,通過服務啟動
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavm
"ImagePath" = "%system%\wgavm.exe"
3,通過修改下列註冊表信息降低系統安全等級
software\policies\microsoft\windowsfirewall\standardprofile
"enablefirewall" = 0
software\policies\microsoft\windowsfirewall\domainprofile
"enablefirewall" = 0
software\microsoft\security center
"firewalldisableoverride" = 1
"firewalldisablenotify" = 1
"antivirusoverride" = 1
"antivirusdisablenotify" = 1
system\currentcontrolset\services\lanmanserver\parameters
"autosharewks" = 0
"autoshareserver" = 0
system\currentcontrolset\control\lsa
"restrictanonymoussam" = 1
"restrictanonymous" = 1
software\microsoft\ole
"enabledcom" = "n"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = 4
4,使用下列命令進行遠程控制
NiCK %.24s
USeR l l l l
PRiVMSG %.16s :%.480s
JOiN %.16s %.16s
USeRHOST %.16s
001
302
332
NiCK %.24s
433
PRIVMSG
PoNG %.500s
PING
[exec] :(
[exec] :)
[ni] %.16s %.16s
QUiT
USER
PASS
OPER
JOIN
5,連線下列IRC伺服器接受黑客控制
ypgw
bniu
6,注入explorer.exe進程
