Worm.Aimdes.c is a worm. It looks for AIM (AOL Instant Messenger) in specific directories and runs it, then sends the message "Hey I went to a wild party last week! checkout the pics!!!!" to the victim's AIM buddies together with the file C:\party!!.pif, which is how it spreads.
Overview
- Name: Worm.Aimdes.c
- Alias: IM-Worm.Win32.Aimes.C [AVP]
- Type: worm (spreads via AIM)
- Threat level: ★★
- Affected systems: Win9x / WinNT
Behaviour
The worm also modifies the registry to disable Task Manager and Registry Editor, attempts to use TaskKill to terminate certain system processes, and launches an attack against a certain website. Unlike variant B, this variant adds e-mail as a propagation vector: it impersonates the security vendor Symantec and sends out messages carrying a copy of the worm.
Dropped files
Copies itself to the following files:
C:\Windows\sys32dll.exe
C:\party!!.pif
Registry modifications
Adds or modifies the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sys32dll
"<full path of the worm>C:\Windows\sys32dll.exe"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\
"NoAutoUpdate"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\security center\
"FirewallDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\security center\
"UpdatesDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\security center\
"AntiVirusDisableNotify"=dword:0x1
HKLM\Software\Microsoft\security center\
"FirewallDisableNotify"=dword:0x1
HKLM\Software\Microsoft\security center\
"UpdatesDisableNotify"=dword:0x1
HKLM\Software\Microsoft\security center\
"AntiVirusDisableNotify"=dword:0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr"=dword:0x1
"DisableRegistryTools"=dword:0x1
Deletes the following registry value:
HKLM\software\Microsoft\windows\currentversion\run
"windows auto update.exe"
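The registry values above are usable as host indicators. As an added example (not part of the original description or of any vendor tool), here is a small Python checker that reads a `.reg` export, such as the output of `reg export` or Registry Editor, and reports every value the worm is described as setting. The embedded sample export is constructed: it places a clean autorun entry next to the worm's and leaves one Security Center switch at 0 so that the checker's filtering is visible. Parsing an export rather than the live registry keeps the check offline and portable.

```python
import re
from typing import Dict, List, Tuple

# Short hive names as written on the page (HKLM, HKCU) map to the long form used in .reg exports.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# (key, value name) -> description, for every registry value the page lists for Worm.Aimdes.c.
# Keys and value names are stored lower-case without a trailing backslash, as normalise_key() produces.
REGISTRY_INDICATORS: Dict[Tuple[str, str], str] = {
    (r"hkey_current_user\software\microsoft\windows\currentversion\run", "sys32dll"):
        "worm autorun entry (sys32dll)",
    (r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au", "noautoupdate"):
        "automatic updates disabled",
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"):
        "Task Manager disabled",
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disableregistrytools"):
        "Registry Editor disabled",
}
# The Security Center notification switches appear under both HKCU and HKLM on the page.
for _hive in ("hkey_current_user", "hkey_local_machine"):
    for _name in ("FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify"):
        REGISTRY_INDICATORS[(_hive + r"\software\microsoft\security center", _name.lower())] = (
            f"Security Center notification suppressed ({_name})"
        )


def normalise_key(key: str) -> str:
    """Expand HKLM/HKCU, drop a trailing backslash and lower-case the path for comparison."""
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).rstrip("\\").lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: [key] headers, dword: and quoted string values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match is None or current is None:
            continue
        name, data = match.group(1), match.group(2)
        if data.lower().startswith("dword:"):
            # int(..., 16) accepts both the export form 00000001 and the page's 0x1 notation.
            value: object = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes inside strings
        else:
            value = data
        keys[current][name.lower()] = value
    return keys


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a description for every indicator present with the value the worm sets."""
    findings: List[str] = []
    for (key, name), description in REGISTRY_INDICATORS.items():
        value = keys.get(key, {}).get(name)
        if value is None:
            continue
        if name == "sys32dll":
            if isinstance(value, str) and "sys32dll.exe" in value.lower():
                findings.append(f"{description}: {value}")
        elif value == 1:  # the page gives dword:0x1 for every policy and notification switch
            findings.append(description)
    return findings


def scan_reg_export(text: str) -> List[str]:
    return find_indicators(parse_reg_export(text))


# Constructed sample export: a clean autorun entry beside the worm's, one notification switch left at 0.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sys32dll"="C:\\Windows\\sys32dll.exe"
"BenignUpdater"="C:\\Program Files\\Benign\\updater.exe"

[HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKCU\Software\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG_EXPORT):
        print("[!]", finding)
```

Run against the sample, the checker reports the autorun entry, the disabled automatic updates, the disabled Task Manager and the suppressed firewall notification, and ignores the benign autorun entry and the switch that is still 0. On a real system the same export can be produced with `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` and fed to `scan_reg_export`.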
Terminated processes
(on Windows XP and later):
TASKKILL /T /F /IM SVCHOST.exe
TASKKILL /F /IM LSASS.exe
It also launches an attack against a certain website.
Attempts to run
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM95\aim.exe
It then sends the message "Hey I went to a wild party last week! checkout the pics!!!!" to the victim's AIM buddies together with the file C:\party!!.pif, which is how it spreads.
Disk search
Searches files with the following extensions on the local disks for e-mail addresses, then sends a message to every address found with a copy of the worm as the attachment.
Possible subjects:
New worm on the looser please read
Blaster strikes again...please read!
New Computer Virus Protection!!
Read this please!
Read it!
Family Album
Antivirus Update
Protect your SYSTEM from new viruses!
Destroy Blaster
Read this for your PC's safety!!
The message body reads:
Dear user, a new variant of the worm 'Blaster' has been released a week ago!
It's spreading faster than it ever did, this version of Blaster has been classified as 'Category 5'.
Please click on the following link to understand how bad is a worm classified in Category 5:
http://securityresponse.symantec.com/avcenter/threat.severity.html#category
Symantec has developped a new 'patch' file which will prevent the new variant of Blaster to be executed and keep your system safe and clean.
The Patch file can be found in the attachment, please make sure you install it before being infected, because if you're already infected, the patch file cannot fix/remove this type of threat as it's not yet studied quite good. Symantec strongly recommends you to download and install the patch file before it's too late!
Symantec will soon release the 'Removal Tool' for this threat.
So if you don't often visit Symantec.com, we recommend you to visit us everyday to be in touch with the news of this type of threat.
P.S: We would like to thank Mr.Bazzi for making this patch file.
Regards,
Symantec, http://www.symantec.com
The attachment is named Patch.zip.
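The mail run described above has several fixed traits: a closed list of subjects, a sender posing as Symantec, a zip attachment named Patch.zip and distinctive body wording. As an added example (not from the original description or from any mail filter), the Python function below uses the standard library's `email` package to parse a raw message and return the reasons it resembles this lure, so it can be dropped into a mail-gateway or mailbox triage script. The two messages embedded in it are constructed: a lookalike built from the traits on this page and a benign mail for contrast. The sender address uses the reserved `.example` domain.

```python
import email
from email import policy
from typing import List

# Subjects the page lists for the worm's Symantec-themed mail run.
LURE_SUBJECTS = {
    "New worm on the looser please read",
    "Blaster strikes again...please read!",
    "New Computer Virus Protection!!",
    "Read this please!",
    "Read it!",
    "Family Album",
    "Antivirus Update",
    "Protect your SYSTEM from new viruses!",
    "Destroy Blaster",
    "Read this for your PC's safety!!",
}
LURE_ATTACHMENT = "patch.zip"
# Distinctive wording quoted on the page, including the misspelling left in by the worm's author.
LURE_BODY_PHRASES = ("Symantec has developped a new 'patch' file", "Mr.Bazzi")


def assess_message(raw: str) -> List[str]:
    """Return the reasons a raw RFC 5322 message looks like the Aimdes.c lure (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: List[str] = []

    subject = str(msg["subject"] or "").strip()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches a known lure: {subject!r}")

    # iter_attachments() skips the body part and yields the real attachments of a multipart message.
    attachments = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    if LURE_ATTACHMENT in attachments:
        reasons.append("attachment named Patch.zip")

    # The core of the lure: a vendor security alert that ships its 'patch' as a zip attachment.
    sender = str(msg["from"] or "").lower()
    if "symantec" in sender and any(name.endswith(".zip") for name in attachments):
        reasons.append("claims to come from Symantec and carries a zip attachment")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for phrase in LURE_BODY_PHRASES:
        if phrase.lower() in body.lower():
            reasons.append(f"body contains lure wording: {phrase!r}")
    return reasons


# Constructed lookalike of the worm's mail (sender domain is the reserved .example TLD).
CONSTRUCTED_LURE_MAIL = """\
From: "Symantec Security Response" <alerts@symantec.example>
To: user@example.com
Subject: Antivirus Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="aimdes-sample"

--aimdes-sample
Content-Type: text/plain

Dear user, a new variant of the worm 'Blaster' has been released a week ago!
Symantec has developped a new 'patch' file which will prevent the new variant
of Blaster to be executed and keep your system safe and clean.
P.S: We would like to thank Mr.Bazzi for making this patch file.

--aimdes-sample
Content-Type: application/zip; name="Patch.zip"
Content-Disposition: attachment; filename="Patch.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--aimdes-sample--
"""

# Constructed benign message for contrast.
CONSTRUCTED_BENIGN_MAIL = """\
From: alice@example.com
To: user@example.com
Subject: Lunch on Friday?

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("lure", CONSTRUCTED_LURE_MAIL), ("benign", CONSTRUCTED_BENIGN_MAIL)):
        print(label, "->", assess_message(raw) or "no indicators")
```

For the constructed lure the function returns five reasons (subject, attachment name, Symantec sender with zip, and both body phrases); the benign mail returns an empty list. The subject and phrase checks are exact to this worm, whereas the sender-plus-zip rule is a generic pattern worth keeping independent of the Aimdes.c strings.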