"Won't let you use Google": analysis of a Netsky variant

Author: 伯狼    Source: CnXHacker.Net    Updated: 2004-11-2

The Internet has not been quiet since the MSN virus. First Jiangmin (江民) was hacked, then dozens of domestic hacker sites went at each other, then Mydoom kept every major antivirus vendor on edge, and before that was over Netsky showed up in the emperor's new clothes to play house with us...

This new Netsky variant (W32.Netsky.AE@mm) still spreads by mass mailing, and its appetite is broad: from Windows 95 and 98 through XP and Server 2003, every mainstream Microsoft system is on its menu. Only DOS and the other systems already retired to the history "hall of fame" are spared.

  Aliases: I-Worm.Skybag.a [Kaspersky], W32/Netsky.ah@MM [McAfee]
  Type: worm
  Length: 85,628 bytes
  Affected systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
  Risk index: low (these days very few viruses rate above medium)
  Damage index: medium (so it does have some teeth)
  Infection index: high (Netsky has always been an aggressive spreader, on a par with SARS)

  Technical analysis:

  When the worm runs, it:

  1. Copies itself to:

  · %System%\bloodred.exe ("blood red"?)
  · %System%\Windows_kernel32.exe (a name chosen to pass for kernel32; a wolf in sheep's clothing is still a wolf)

  Note: %System% is the Windows system folder. By default it is C:\Windows\system on Windows 95/98/Me, C:\Winnt\system32 on Windows NT/2000 and C:\Windows\system32 on Windows XP.

  2. Creates a mutex named "~~~Bloodred~~~owns~~~you~~~xoxo~~~2004" so that only one instance runs.

  3. Creates the following files:

  · %Windir%\bloodred.zip (a zipped copy of the worm; the file inside the archive is named Urgent_Info.pif)
  · %System%\base64exe.sys
  · %System%\base64zip.sys

  Note: %Windir% is the Windows installation directory, C:\Windows or C:\Winnt by default. Despite the .sys extension, the two files above are not drivers; judging by their names they are base64-encoded copies of the executable and of the zip, ready for the mailer to attach.

  4. Creates the file %System%\fun.txt.

  5. Under the registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  adds the value:

  "Microsoft Kernel"="%System%\Windows_kernel32.exe"

  so that the worm is started every time Windows boots. A Run value whose name imitates a Microsoft component but points at a non-standard filename in %System% is worth checking on any suspect host.

  6. Overwrites %System%\Drivers\etc\hosts with the following entries:

127.0.0.1 www.norton.com
127.0.0.1 norton.com
127.0.0.1 yahoo.com
127.0.0.1 www.yahoo.com
127.0.0.1 microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 windowsupdate.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.google.com
127.0.0.1 google.com

  With these entries in place, Microsoft, Windows Update, Google, Yahoo and the antivirus vendors' update servers all resolve to the loopback address, so the browser and the AV updater connect to the infected machine itself and nothing loads. The hosts file is consulted before DNS, so the hijack works without touching the network and survives a change of DNS server; when cleaning a host, inspect this file explicitly (on Windows 95/98/Me it lives at %Windir%\hosts).
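The hosts-file check described above, as an added example that is not part of the original article. It parses hosts-file text, reports watchlisted domains that have been pointed at a loopback or unspecified (sinkhole) address, and returns a cleaned copy with only those lines removed. The watchlist is the set of base domains from the block above; SAMPLE_HOSTS is a constructed sample, and hosts_path() is a helper added here, not something the worm uses.

```python
"""Hosts-file triage for a Netsky.AE-style hijack (added example)."""
import ipaddress
import os

# Base domains from the article's hosts block; subdomains are matched too.
WATCHLIST = {
    "norton.com", "yahoo.com", "microsoft.com", "windowsupdate.com",
    "mcafee.com", "nai.com", "ca.com", "symantec.com", "sophos.com",
    "google.com",
}


def on_watchlist(host, watchlist=WATCHLIST):
    """True if host is a watchlisted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)


def is_sinkhole(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make a name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Yield (ip, [hostnames], raw_line) for each active entry; comments skipped."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        parts = body.split()
        if len(parts) < 2:
            continue
        yield parts[0], parts[1:], raw


def find_hijacks(text, watchlist=WATCHLIST):
    """Return the watchlisted hostnames that resolve to a sinkhole address."""
    return [
        host
        for ip, hosts, _ in parse_hosts(text)
        if is_sinkhole(ip)
        for host in hosts
        if on_watchlist(host, watchlist)
    ]


def clean_hosts(text, watchlist=WATCHLIST):
    """Drop only the hijacking lines; keep localhost and legitimate overrides."""
    bad = {
        raw
        for ip, hosts, raw in parse_hosts(text)
        if is_sinkhole(ip) and any(on_watchlist(h, watchlist) for h in hosts)
    }
    return "\n".join(line for line in text.splitlines() if line not in bad) + "\n"


# Constructed sample: a stock header, two legitimate entries, then the hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example   # legitimate local override
127.0.0.1 www.norton.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.google.com
127.0.0.1 google.com
"""


def hosts_path():
    """Default hosts location on NT-family Windows, else the POSIX path (helper added here)."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for name in find_hijacks(SAMPLE_HOSTS):
        print("sample: hijacked", name)
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            live = find_hijacks(fh.read())
        print("live hosts file:", live or "clean")
    except OSError as exc:
        print("could not read hosts file:", exc)
```

Run stand-alone it reports the sample hits and then scans the live hosts file of the machine it runs on. Matching on subdomains matters: the article's block hits liveupdate.symantec.com, which a check for the bare vendor names would miss, and 0.0.0.0 is treated like 127.0.0.1 because both sinkhole the name.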

  7. Creates the following mutexes (names used by other Netsky and Bagle variants; a worm that finds its mutex already held exits, so holding these keeps the competing worms off the host):

'D'r'o'p'p'e'd'S'k'y'N'e't'
SkynetNotice
SkynetSasserVersionWithPingFast
JumpallsNlsTillt
Jobaka3l
Jobaka3
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m
SkyNet-Sasser
AdmSkynetJKIS003
[SkyNet.cz]SystemsMutex
LK[SkyNet.cz]SystemsMutex
Netsky AV Guard
MI[SkyNet.cz]SystemsMutex
KO[SkyNet.cz]SystemsMutex
SkYnEt_AVP
Rabbo
Rabbo_Mutex
Bgl_*L*o*o*s*e*
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
89845848594808308439858307378280987074387498739847
Protect_USUkUyUnUeUtU_Mutex
SyncMutex_USUkUyUnUeUtU
SyncMutex_USUkUyUnUeUtUU
_-=oOOSOkOyONOeOtOo=-_
NetDy_Mutex_Psycho
____--->>>>U<<<<--____
(S)(k)(y)(N)(e)(t)
AdmMoodownJKIS003

  8. Displays the following message:

  Windows encountered an error reading the file

  9. Terminates a large number of antivirus and security programs (list below).

  10. Listens on TCP port 2345 for commands from the attacker. A listening socket on 2345 is a cheap check (netstat -an on the host, or an inbound rule at the perimeter).

  11. If the attacker sends an executable to the infected host, it is saved in the %System% folder with an .exe extension and a filename of 3 to 12 random lowercase letters.

  12. If the system date is later than 15 November 2004, the worm launches a DoS (denial of service) attack against www.kazaa.com.

  13. Copies itself into any folder on drives C through X whose name contains the string "Shar" (which catches the shared folders of file-sharing clients), under one of the following names:

Visual Studio.NET.zip .exe
DVD Xcopy xpress.exe
Britney spears naked.jpeg .exe
Teen Porn.mpeg ..exe
Windows crack.zip ..exe
Kazaa Lite.zip ..exe
NETSKY SOURCE CODE.zip ..exe
Battlefield 1942.exe
Norton AntiVirus 2004.exe
Brianna banks and jenna jameson.mpeg ..exe
Snood new version.exe
Opera Registered version.exe
jenna jameson screensaver.scr
WINDOWS SOURCE CODE.zip ..exe
Windows Longhorn Beta.exe
WinRAR.exe
WinAmp 6.exe
Cisco source code.zip ..exe
Adobe Photoshop Full Version.exe
ACDSEE10.exe

  @#$%#%&*$^#$@!$!%&** that is seriously dirty... Note the trick in many of these names: the visible "extension" (.zip, .jpeg, .mpeg) is followed by spaces or dots and only then by the real .exe. With Explorer's default "hide extensions for known file types" setting the trailing .exe is not displayed, so the file looks like an archive or a video.
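The naming trick above is easy to check for mechanically. The following is an added example, not code from the original article: it classifies a filename by the extension Windows will actually execute, flags the decoy-extension and padding tricks seen in the list, and scans a constructed directory listing of a folder whose name contains "Shar". The DECOY_EXTS set and the case-insensitive folder match are choices made here (the article says the worm looks for "Shar"; matching without regard to case casts a slightly wider net).

```python
"""Spotting disguised executables in a file-sharing folder (added example)."""
import os

EXECUTABLE_EXTS = {"exe", "scr", "pif", "cmd", "com", "bat"}
# Extensions the worm puts in front of the real one to look like media or archives.
DECOY_EXTS = {"zip", "jpeg", "jpg", "mpeg", "mpg", "avi", "txt", "doc", "pdf"}


def split_real_extension(name):
    """Return (stem, ext): ext is the LAST extension, lowercased, padding stripped."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext.strip().lower()


def classify(name):
    """'decoy-extension', 'padded-extension', 'executable', or None if not executable."""
    stem, ext = split_real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return None
    # The worm pads with spaces/dots between the decoy and the real extension.
    trimmed = stem.rstrip(" .")
    decoy = split_real_extension(trimmed)[1]
    if decoy in DECOY_EXTS:
        return "decoy-extension"
    if trimmed != stem:
        return "padded-extension"
    return "executable"


def is_target_folder(path):
    """Folder whose name contains 'Shar', as the worm checks (case-insensitive here)."""
    folder = os.path.basename(path.replace("\\", "/").rstrip("/"))
    return "shar" in folder.lower()


def scan_listing(folder, names):
    """Return (name, verdict) for every executable in a folder the worm would target."""
    if not is_target_folder(folder):
        return []
    return [(n, classify(n)) for n in names if classify(n)]


# Constructed listing: three names from the article plus two benign files.
SAMPLE_LISTING = [
    "Britney spears naked.jpeg .exe",
    "Teen Porn.mpeg ..exe",
    "Battlefield 1942.exe",
    "holiday.jpeg",
    "notes.txt",
]

if __name__ == "__main__":
    share = r"C:\Program Files\KaZaA\My Shared Folder"   # constructed path
    for name, verdict in scan_listing(share, SAMPLE_LISTING):
        print(f"{verdict:17} {name!r}")
```

A plain "Battlefield 1942.exe" is still reported, as "executable", because an executable sitting in a P2P share is suspicious on its own; the decoy and padding verdicts are the ones that single out this worm's style of disguise.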

  14. Closes Task Manager if it is open.

  15. Harvests email addresses from files with the following extensions:

.adb
.asp
.dbx
.doc
.htm
.html
.jsp
.rtf
.txt
.xml

  16. Uses its own SMTP engine to send itself to the harvested addresses. The messages look like this:

  From: (one of)

Server@<recipient domain>
administration@<recipient domain>
management@<recipient domain>
service@<recipient domain>
userhelp@<recipient domain>

  <recipient domain> is the domain of the recipient's mailbox, so the mail appears to come from the recipient's own mail administrators.

  Subject: (one of)

Email Account Information
User Information
Detailed Information
URGENT PLEASE READ!
User Info
Server Error
Urgent Update!

  Message body: (one of)

Our server is experiencing some latency in our email service.
The attachment contains details on how your account will be affected.

Due to recent internet attacks, your Email account security is being upgraded.
The attachment contains more details

Our Email system has received reports of your account flooding email servers.
There is more information on this matter in the attachment

We regret to inform you that your account has been hijacked and used for illegal purposes.
The attachment has more information about what has happened.

Your Email account information has been removed from the system due to inactivity.
To renew your account information refer to the attachment

There is urgent information in the attachment regarding your Email account

  Attachment: (one of)

Account_Information
Word_Document
Gift
Information
Details
Update

  with the extension .cmd, .pif or .scr; the worm also sends a zipped copy of itself as the attachment.

  17. The worm does not send to addresses containing any of the following strings (so antivirus vendors and the big webmail providers are less likely to receive samples):

@hotmail
@fsecure
@virusli
@noreply
@norton
@norman
@mm
@sopho
@msn
@microsoft
@avp
@panda
@symantec
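Items 16 and 17 above give enough to write a gateway-side check. The following is an added example, not code from the original article: it parses a raw message with Python's standard email package and reports which of the worm's traits it carries: a sender spoofed into the recipient's own domain with one of the listed local-parts, a listed subject, and a listed attachment name with a .cmd/.pif/.scr/.zip extension. SAMPLE_LURE and SAMPLE_BENIGN are constructed messages (the base64 payload is a placeholder, not the worm), and the two-trait quarantine threshold is a choice made here.

```python
"""Gateway check for Netsky.AE-style lure mail (added example)."""
import email
import email.utils
from email import policy

# Local-parts, subjects and attachment stems taken from the article's lists.
SENDER_LOCALPARTS = {"server", "administration", "management", "service", "userhelp"}
SUBJECTS = {
    "email account information", "user information", "detailed information",
    "urgent please read!", "user info", "server error", "urgent update!",
}
ATTACHMENT_STEMS = {"account_information", "word_document", "gift",
                    "information", "details", "update"}
ATTACHMENT_EXTS = {"cmd", "pif", "scr", "zip"}


def split_address(header_value):
    """('local', 'domain') from a header such as 'Help Desk <service@example.net>'."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def lure_traits(raw_message):
    """Return the worm traits found in the message; empty when none match."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    traits = []

    from_local, from_domain = split_address(msg.get("From"))
    _, to_domain = split_address(msg.get("To"))
    if from_domain and from_domain == to_domain and from_local in SENDER_LOCALPARTS:
        traits.append("sender spoofed as " + from_local + "@<recipient domain>")

    subject = str(msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        traits.append("known subject: " + subject)

    for part in msg.iter_attachments():           # empty for non-multipart mail
        filename = (part.get_filename() or "").lower()
        stem, _, ext = filename.rpartition(".")
        if stem in ATTACHMENT_STEMS and ext in ATTACHMENT_EXTS:
            traits.append("known attachment: " + filename)
    return traits


def is_lure(raw_message, threshold=2):
    """Quarantine when at least `threshold` traits coincide; one alone is weak evidence."""
    return len(lure_traits(raw_message)) >= threshold


# Constructed sample modelled on the article's templates; payload is a placeholder.
SAMPLE_LURE = """\
From: service@example.net
To: alice@example.net
Subject: Email Account Information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Our server is experiencing some latency in our email service.
The attachment contains details on how your account will be affected.
--sep
Content-Type: application/octet-stream; name="Account_Information.pif"
Content-Disposition: attachment; filename="Account_Information.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--sep--
"""

# Constructed benign message from a colleague in the same domain.
SAMPLE_BENIGN = """\
From: bob@example.net
To: alice@example.net
Subject: Lunch tomorrow?

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", "QUARANTINE" if is_lure(raw) else "pass", lure_traits(raw))
```

The strongest single trait is the spoofed sender: mail claiming to come from service@ or userhelp@ in the recipient's own domain but arriving from outside is exactly what SPF/DMARC enforcement on your own domain rejects at the edge, before any content check runs. The subject and attachment lists are specific to this variant and will age quickly; the sender check generalises.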

  Processes the worm tries to terminate (check whether yours is in the list):

AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVSYNMGR.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVprotect9x.exe
Au.exe
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
BORG2.EXE
BS120.EXE
CCAPP.exe
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
D3dupdate.exe
DEFWATCH.EXE
DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
DRWEBUPW.EXE
ENT.EXE
ESCANH95.EXE
ESCANHNT.EXE
ESCANV95.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
LUALL.EXE
LUCOMSERVER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NUPGRADE.EXE
NVARCH16.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUPVAMEEVAL.EXE
SETUP_FLOWPROTECTOR_US.EXE
SFC.EXE
SGSSFW32.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EX

(the process list continues on page 2 of the original article)

Entered by: IceRiver    Editor: IceRiver