Win32.Hack.Agobot.bv

Affected systems: Win9x/WinNT/Win2K/WinXP/Win2003

Virus behaviour:

Agobot family

Written with:

Written in VC, packed with UPX

Infection conditions:

Spreads by exploiting two vulnerabilities, the DCOM RPC vulnerability and the RPC overflow, and also spreads by weak-password attacks.

Trigger conditions:

Once run, it opens a backdoor on the local machine and waits for a remote attacker to connect and take control.

Basic information

  • Chinese name: Agobot variant BV (安哥變種BV)
  • Foreign name: Win32.Hack.Agobot.bv
  • Virus alias: Backdoor.Agobot.v [AVP]
  • Threat level: ★★
  • Virus type: hacker program (backdoor)
  • Affected systems: Win9x/WinNT/Win2K/WinXP etc.

System modifications:

1. Copies itself to
%System%\spoolsrv32.exe
2. Adds the following registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"MS Security Hotfix"="spoolsrv32.exe"
3. Opens a backdoor on a random port and waits for the attacker to connect.
4. Connects to a predetermined IRC channel and waits for the attacker to issue remote-control commands over IRC.
5. Attacks other remote machines over TCP port 135 with the DCOM RPC exploit (as used by the Blaster worm), or spreads via the RPC Locator overflow over TCP port 445 (as used by the Sasser worm).
6. Carries out weak-password attacks against machines on the local network to spread further, using the following user names and passwords:
User names:
Admin
admin
Administrateur
Administrador
administrator
Administrator
qwer
asdf
win
temp
test
home
Dell
x
xyz
a
abc
aaa
Inviter
Gast
Guest
Test
Owner
owner
User
Standard
mgmt
Default
login
pc
Passwords:
admin
Admin
mypass
mypc
love
pwd
xxx
zxcv
yxcv
secret
foobar
god
sex
root
pat
patrick
alpha
007
123abc
1234qwer
123123
121212
111111
110
2600
2002
2003
enable
godblessyou
ihavenopass
123asd
super
Internet
computer
server
123qwe
sybase
oracle
abcd
database
passwd
pass
88888888
11111111
00000000
000000
111
54321
654321
123456789
12345678
1234567
123456
12345
1234
123
Password
password
7. Steals the CD keys of the following games:
Warcraft III
Soldier of Fortune II - Double Helix
Neverwinter
WestwoodNox
Tiberian Sun
Red Alert 2
Red Alert
Project IGI 2
Command & Conquer Generals
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Battlefield 1942
Rainbow Six III RavenShield
Nascar Racing 2003
Nascar Racing 2002
NHL 2003
NHL 2002
FIFA 2003
FIFA 2002
Need For Speed Hot Pursuit 2
The Gladiators
Unreal Tournament 2003
LoMaM
Counter-Strike
Half-Life
8. Terminates the processes of the following anti-virus and firewall software:
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
ZONEALARM.EXE
9. Also terminates the processes of the following rival viruses:
mspatch.exe
penis32.exe
msblast.exe
scvhosl.exe
winhlpp32.exe
tftpd.exe
dllhost.exe
winppr32.exe

Symptoms:

The firewall exits or stops working, and the machine sends out large numbers of packets.
Special note: it spreads by exploiting two major vulnerabilities.
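A defender-side check for the persistence entries described in step 2 of the system modifications, added here as an example; it is not part of the original entry, and the registry export it parses is constructed sample data in .reg format.

```python
"""Added example: scan a .reg-style export for the Agobot.bv autostart entries."""
import re

# Autostart keys the entry says the backdoor writes its value into.
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
DROPPED_FILE = "spoolsrv32.exe"       # copy of the bot in %System%
VALUE_NAME = "MS Security Hotfix"     # value name used for persistence

# Constructed sample export: one benign entry plus the two malicious ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MS Security Hotfix"="spoolsrv32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MS Security Hotfix"="spoolsrv32.exe"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_persistence(reg_export):
    """Return (key, value_name, data) triples that match the entry's indicators.

    A hit is any value under the Run/RunServices keys whose name is the
    bogus "MS Security Hotfix" or whose data ends in spoolsrv32.exe; the
    name is unrelated to any real Microsoft hotfix, so either is suspicious.
    """
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current_key in PERSISTENCE_KEYS:
            name, data = m.group(1), m.group(2)
            if name == VALUE_NAME or data.lower().endswith(DROPPED_FILE):
                hits.append((current_key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_REG):
        print(f"suspicious autostart: [{key}] \"{name}\"=\"{data}\"")
```

RunServices is only honoured on Win9x-era systems, so on NT-based hosts the Run hit is the one that matters; a clean export yields an empty list.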
