Worm.surconfluge

1.生成檔案

%Windows%\TASKMANAGER.exe

%Program Files%\Windows Media Player\wmlaunch.exe

%Program Files%\Internet Explorer\Firewall.exe

%Program Files%\Internet Explorer\WWE Divas.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\XPStart.exe

C:\Torrie&Stacy.exe

C:\Program Files\Torrie&Stacy.exe

2.增加啟動項,使病毒開機運行.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

鍵Firewall鍵值 "%Program Files%\Windows Media Player\wmlaunch.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

鍵Protection 鍵值"%Program Files%\Internet Explorer\Firewall.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

鍵SysRes 鍵值 "%Windows%\TASKMANAGER.exe"

3.搜尋Windows地址簿中所有的地址,並傳送郵件

郵件主題：

WWE Admninistrator

郵件內容：

Free WWE Torrie Wilson and Sable Screan Saver

郵件附屬檔案：

WWE DIVAS.exe

1.P2P傳播方式:

病毒通過把本身拷貝到以下P2P軟體的已分享資料夾,來達到傳播的目的.包括KMD, Kazaa, Morpheus, Grokster, Bearshare and Edonkey2000。

C:\Program Files\BearShare\Shared\WWE Torrie and Sable Screan Saver.exe

C:\Program Files\Edonkey2000\Incoming\WWE Torrie and Sable Screan Saver.exe

C:\Program Files\Grokster\My Grokster\WWE Torrie and Sable Screan Saver.exe

C:\Program Files\KMD\My Shared Folder\WWE Torrie and Sable Screan Saver.exe

C:\Program Files\KaZaA Lite\My Shared Folder\WWE Torrie and Sable Screan Saver.exe

C:\Program Files\Kazaa\My Shared Folder\WWE Torrie and Sable Screan Saver.exe

C:\Program Files\Morpheus\My Shared Folder\WWE Torrie and Sable Screan Saver.exe

2.通過IRC傳播

為了通過IRC傳播，蠕蟲會複製到以下位置：

C:\Program Files\mIRC\Downloads\WWE DIVAS.exe

1.蠕蟲會終止LSASS.exe進程,導致一部分計算機不斷重啟.

2.蠕蟲會終止以下的進程

DAP.exe

VB6.exe

msgmsgr.exe

ccapp.exe

regedit.com

mdm.exe

iexplore.exe

smss.exe

dllhost.exe

SVCHOST.exe

3.刪除檔案：

%Program Files%\common files\symantec shared\Script Blocking\scrblock.dll

4.病毒會通過修改註冊表,破壞用戶使用以下功能:

禁止“運行”選單

禁止“關閉”選單

禁止"查找"命令

禁止系統恢復

禁止使用cmd命令模式

禁止使用註冊表程式regedit.exe

設定計算機名為surconfluge

5.病毒會禁止使用以下100種程式:

notepad.exe,

wordpad.exe,

msnmsgr.exe,

winzip.exe,

CLEAN_NOTEPAD.EXE,

moviemk.exe,

defrag.exe,

netstat.exe,

netstat.exe,

sndvol32.exe,

sndrec32.exe,

CCIMSCN.exe,

shutdown.exe,

sndvol32.exe,

write.exe,

dxdiag.exe,

ntbackup.exe,

dialer.exe,

dllhost.exe,

print.exe,

trendmicro.com,

UPXiT.exe,

vb6.exe,

NMain.exe,

NAVW32.exe,

NAVWNT.exe,

NAVSTUB.exe,

navui.nsi

,MSDEV.exe,

chktrust.exe,

apssm.exe,

SNDSrvc.exe

NMain.exe

Ra2.exe,

vfp6.exe,

setup.exe,

install.exe,

savscan.exe,

ad-aware.exe,

remove.exe,

uninstall.exe,

NeroStartSmart.exe,

uninst.exe,

isuninst.exe,

aawsepersonal.exe,

keygen.exe,cmd.exe,

project1.exe,

1.exe,

file.exe,

browser.exe

UNWISE.exe,

play.exe

directcd.exe

VPC32.exe

VPDN_LU.exe,

VPTray.exe

DefWatch.exe

DoScan.exe

Integrator.exe

.exe......

6.蠕蟲會使防病毒,windows升級,防火牆軟體失效.

7.共享C、D、E盤。

8.蠕蟲會生成"C:\Virus Detected.txt"文本檔案，包含以下內容：

"Worm is detected on your computer (W32.surconfluge.A@mm), update your Virus Definition to protect your computer from the lastest viruses and worms."