设为首页 - 加入收藏 1818新闻网 (http://www.1818xinwen.com)- 国内知名站长资讯网站,提供最新最全的站长资讯,创业经验,网站建设等!
热搜: 2019 系统 什么 平台
当前位置: 首页 > 站长学院 > MsSql教程 > 正文

恶性蠕虫-"赛舍"(Worm.Zezer)分析报告

发布时间:2019-06-19 03:21 所属栏目:[MsSql教程] 来源:蓝点
导读:> 病毒名称: Worm.Zezer 病毒长度: 22016Bytes 发现日期:2003.10.09 处理日期:2003.10.09 中文名称: 赛舍 病毒别名: I-Worm.Zezer[AVP], W32.Zezer.Worm[Symantec] 病毒类型: 蠕虫 受影响系统: Win9x\Win2K\WinXP 威胁级别: 3B 该蠕虫利用邮件快速传播,并
>   病毒名称:Worm.Zezer

  病毒长度:22016Bytes



  发现日期:2003.10.09



  处理日期:2003.10.09



  中文名称:赛舍



  病毒别名:



   I-Worm.Zezer[AVP], W32.Zezer.Worm[Symantec]



  病毒类型:蠕虫



  受影响系统: Win9x\Win2K\WinXP



  威胁级别:3B



   该蠕虫利用邮件快速传播,并以微软的名义发送带毒邮件。病毒在宿主机器上伪装成MSN的补丁安装程序来迷惑用户。



  技术特征:



   1、复制自己为:



   WindowsRoot%\Mscsgs.exe、



   %WindowsRoot%\System\Mscsgs32.exe、



   %WindowsRoot%\Msn_inst.exe、



   启动目录\msnexec.exe



   注:%WindowsRoot%为系统安装目录,通常为"windows\"或"winnt\"。启动目录为“开始”菜单中“程序”组里的“启动”项。



   2、禁用系统功能:



   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 1



   以使Regedit.exe不能打开注册表。



   3、添加启动项随机启动:



   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ Mscsgs "%WindowsRoot%\Mscsgs.exe"



   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ RunServices "%WindowsRoot%\SYSTEM\Mscsgs32.exe"



   4、创建如下注册表项保存病毒所需的信息:



   HKEY_CURRENT_USER\Software\Zed\Dozer\



   Dozer "W32/Dozer by Zed"



   HKEY_CURRENT_USER\Software\Zed\Dozer\MSNContacts


   5、病毒假冒如下邮箱地址向MSN联系人发送带毒邮件:



   winpatch@microsoft.com



   services@microsoft.com



   msnsupport@microsoft.com



   helpdesk@microsoft.com



   security@microsoft.com



   windowsupdate@microsoft.com



   附件名称:"Msn_inst.exe"



   邮件主题:"Windows Update ( MSN Messenger Update 6 MSN Messenger vulnerability)"



   邮件正文:"Attention All Microsoft Users: A patch has been issued to correct a vulnerability in MSN Messenger which can be performed by a malicious user in order to gain unauthorized access to compromised computers. Windows users who have MSN Messenger 4.x and higher versions are affected by this vulnerability and must download and install the patch labeled , which is attached to this email message. For any support regarding this patch please contact support@microsoft.com for more information."

(注,发送邮件使用worldcomputers.com这个服务器(不要写到新闻稿中))



   6、关闭许多反病毒软件、网络防火墙、病毒防火墙:



   "_AVP.EXE"



   "_AVP32.EXE"



   "_AVPCC.EXE"



   "_AVPM.EXE"



   "ACKWIN32.EXE"



   "ANTI-TROJAN.EXE"



   "APVXDWIN.EXE"



   "AUTODOWN.EXE"



   "AVCONSOL.EXE"



   "AVE32.EXE"



   "AVGCTRL.EXE"



   "AVKSERV.EXE"



   "AVNT.EXE"



   "AVP.EXE"



   "AVP32.EXE"



   "AVPCC.EXE"



   "AVPDOS32.EXE"



   "AVPM.EXE"



   "AVPMON.EXE"



   "AVPNT.EXE"
   "AVPTC32.EXE"



   "AVPUPD.EXE"



   "AVSCHED32.EXE"



   "AVWIN95.EXE"



   "AVWUPD32.EXE"



   "BLACKD.EXE"



   "BLACKICE.EXE"



   "CCAPP.EXE"



   "CFIADMIN.EXE"



   "ESAFE.EXE"



   "CFIAUDIT.EXE"



   "CFIND.EXE"



   "CFINET.EXE"



   "CFINET32.EXE"



   "CLAW95.EXE"



   "CLAW95CF.EXE"



   "CLAW95CT.EXE"



   "CLEANER.EXE"



   "CLEANER3.EXE"



   "DV95.EXE"



   "DV95_O.EXE"



   "DVP95.EXE"



   "DVP95_0.EXE"



   "ECENGINE.EXE"



   "EFINET32.EXE"



   "ESPWATCH.EXE"



   "F-AGNT95.EXE"



   "FINDVIRU.EXE"



   "FPROT.EXE"



   "F-PROT.EXE"



   "FPROT95.EXE"



   "F-PROT95.EXE"



   "FP-WIN.EXE"



   "FRW.EXE"



   "F-STOPW.EXE"



   "IAMAPP.EXE"



   "IAMSERV.EXE"



   "IBMASN.EXE"



   "IBMAVSP.EXE"



   "ICLOAD95.EXE"



   "ICLOADNT.EXE"



   "ICMON.EXE"



   "ICMOON.EXE"



   "ICSSUPPNT.EXE"



   "ICSUPP95.EXE"



   "ICSUPPNT.EXE"



   "IFACE.EXE"



   "IOMON98.EXE"



   "JED.EXE"



   "JEDI.EXE"



   "KPF.EXE"



   "KPFW32.EXE"



   "LOCKDOWN2000.EXE"



   "LOOKOUT.EXE"



   "LUALL.EXE"



   "MOOLIVE.EXE"



   "MPFTRAY.EXE"



   "N32SCAN.EXE"



   "N32SCANW.EXE"



   "NAVAPW32.EXE"



   "NAVLU32.EXE"



   "NAVNT.EXE"



   "NAVSCHED.EXE"



   "NAVW.EXE"



   "NAVW32.EXE"



   "NAVWNT.EXE"



   "NISUM.EXE"



   "NMAIN.EXE"



   "NORMIST.EXE"



   "NUPGRADE.EXE"



   "NVC95.EXE"



   "OUTPOST.EXE"



   "PADMIN.EXE"



   "PAVCL.EXE"



   "PAVSCHED.EXE"



   "PAVW.EXE"



   "PCCWIN98.EXE"



   "PCFWALLICON.EXE"



   "PERSFW.EXE"



   "RAV7.EXE"



   "RAV7WIN.EXE"



   "RESCUE.EXE"



   "SAFEWEB.EXE"



   "SCAN32.EXE"



   "SCAN95.EXE"



   "SCANPM.EXE"



   "SCRSCAN.EXE"



   "SERV95.EXE"



   "SMC.EXE"



   "SPHINX.EXE"



   "SWEEP95.EXE"



   "TBSCAN.EXE"



   "TCA.EXE"



   "TDS2-98.EXE"



   "TDS2-NT.EXE"



   "VCONTROL.EXE"



   "VET32.EXE"



   "VET95.EXE"



   "VET98.EXE"



   "VETTRAY.EXE"



   "VSCAN40.EXE"



   "VSECOMR.EXE"



   "VSHWIN32.EXE"



   "VSSCAN40.EXE"



   "VSSTAT.EXE"



   "WEBSCAN.EXE"



   "WEBSCANX.EXE"



   "WFINDV32.EXE"



   "ZAPRO.EXE"



   "ZONEALARM.EXE"
   7、利用系统网络设置来偷取存储于系统中的帐号及密码



  解决方案:



   1、不要相信微软发送的补丁邮件,微软是不会以邮件方式发送补丁程序的,请使用Windows Update进行补丁升级;



   2、为防止该病毒的入侵请尽快升级毒霸到最新,10月9日病毒库可处理该病毒;



   3、手工清除方法:



   对于WIN9X用户可以在纯DOS模式下删除以下病毒文件:



   %WindowsRoot%\Mscsgs.exe、



   %WindowsRoot%\System\Mscsgs32.exe、



   %WindowsRoot%\Msn_inst.exe、



   启动目录\msnexec.exe



   对于Win2000/WinXP用户,请使用进程管理器结束名为:“Mscsgs.exe、Mcsgs32.exe、Msn_inst.exe、msnexec.exe”的进程,然后删除以下文件:



   %WindowsRoot%\Mscsgs.exe、



   %WindowsRoot%\System\Mscsgs32.exe、



   %WindowsRoot%\Msn_inst.exe、



   启动目录\msnexec.exe



   请下载金山毒霸的注册表修复工具( http://www.duba.net/download/3/8.shtml ),回恢对系统功能的限制,然后删除病毒在注册表中添加的项目:



   HKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\Run\ Mscsgs "%WindowsRoot%\Mscsgs.exe"



   HKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\ RunServices "%WindowsRoot%\SYSTEM\Mscsgs32.exe"



   HKEY_CURRENT_USER\Software\Zed\Dozer\ Dozer "W32/Dozer by Zed"



   HKEY_CURRENT_USER\Software\Zed\Dozer\MSNContacts



   最后,将保存在系统中的密码都修改一次。比如:MSN的登录密码,某些网站的登录密码、邮箱的登录密码等等。

作者:金山毒霸安全资讯网

【免责声明】本站内容转载自互联网,其相关言论仅代表作者个人观点绝非权威,不代表本站立场。如您发现内容存在版权问题,请提交相关链接至邮箱:bqsm@foxmail.com,我们将及时予以处理。

网友评论
推荐文章