Worm.Cone.e is a worm that spreads through the Kazaa file-sharing system and by e-mail.
Basic information
- Name: Worm.Cone.e
- Virus type: Worm
- Affected systems: Win9x / WinNT
- Threat level: ★★
- Alias: I-Worm.Cone.e [AVP]
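Virus characteristics
This is a worm that spreads through the Kazaa file-sharing system and by e-mail. If the current system date is after March, the worm only creates and opens a web page file, W32.Cyclone.htm, on the local machine to spread certain statements, and takes no destructive action. If the current system date is in March or earlier, the worm opens a text file containing an operating system license agreement, creates a folder named Recieved with the System and Hidden attributes under the Kazaa download directory, and places multiple copies of itself in that folder. Because these copies are hidden files, users of the share may copy them along with other files, which infects their systems. The worm also sends itself out as an e-mail attachment and modifies the hosts file so that users cannot reach a number of security websites.
Virus behavior
(1) Web page file created by the worm: %SystemRoot%\W32.Cyclone.htm
The file displays the following content: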
We need freedom in iran
We don't want islamic
republic
where is human rights watch?
Also this is a warning to European countries: don't support islamic republic of iran, you must know that your
support is our misery,
the next warning will be the next worm that targets European organizations!
Zer0_SuN
(there is a sun at zero o'clock)
(I don't want to damage any computer, I just want to bring irna.com down Iranian programmers, help me in this way - we want to show the world that we don't want islamic republic)
(2) Creates multiple copies of itself:
%SystemRoot%\svchost.exe
%System%\1enel.dll
%System%\1vis.dll
%System%\1url.dll
%System%\1eml.dll
%System%\1check.dll
%System%\1seml.dll
%Temp%\svchost.exe
%Temp%\1http.dll
%Kazaa download directory%\Recieved\Playboy-Screensaver-Nov-03.scr
%Kazaa download directory%\Recieved\BAD-GIRLS(Playboy)-ScreenSaver.scr
%Kazaa download directory%\Recieved\Winamp5.01.exe
%Kazaa download directory%\Recieved\Screensaver-Hot Girls-part*.scr
windows\Start Menu\Programs\Startup\win.exe
documents and settings\ALL USERS\Start Menu\Programs\Startup\win.exe
(3) Adds startup entries to the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Services Host"="%SystemRoot%\svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Services Host"="%SystemRoot%\svchost.exe"
(4) Creates the mutex C-OnE
(5) Modifies the hosts file to block the following websites:
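The startup entries in item (3) point a Run value at svchost.exe directly under %SystemRoot%, whereas the genuine file on NT-family Windows sits in the System32 subdirectory. The following triage check is an added example, not part of the original entry: it scans a registry listing for that pattern. The sample listing is constructed, and the function name and the set of accepted directories are assumptions.

```python
import ntpath
import re

PAGE_VALUE_NAME = "Windows Services Host"   # value name listed in item (3)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Assumption: directories where a genuine svchost.exe is expected.
LEGIT_DIRS = {r"%systemroot%\system32", r"c:\windows\system32"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

# Constructed sample, laid out like item (3): key line, then "name"="data" lines.
SAMPLE_EXPORT = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Services Host"="%SystemRoot%\svchost.exe"
"ctfmon"="%SystemRoot%\System32\ctfmon.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Services Host"="C:\WINDOWS\svchost.exe"
"HostSvc"="C:\Windows\System32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\Software\Example\Settings
"Windows Services Host"="%SystemRoot%\svchost.exe"
'''


def find_suspicious_run_entries(export_text):
    """Return (key, name, data, reasons) for Run values matching the entry."""
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.upper().startswith("HKEY_"):
            key = line                      # remember which key the values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue                        # not a value line, or not under a Run key
        name, data = m.group("name"), m.group("data")
        exe = re.match(r"(.+?\.exe)\b", data, re.I)   # strip any arguments
        path = (exe.group(1) if exe else data).lower()
        reasons = []
        if name == PAGE_VALUE_NAME:
            reasons.append("value name from the write-up")
        if ntpath.basename(path) == "svchost.exe" and ntpath.dirname(path) not in LEGIT_DIRS:
            reasons.append("svchost.exe outside System32")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in find_suspicious_run_entries(SAMPLE_EXPORT):
        print(f"{key}\n  {name} = {data}\n  -> {', '.join(reasons)}")
```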