病毒!!!
最近在客户哪儿遇到多次该病毒 ,我还不知道是什么名称,只知道在WIN2000的任务管理其中有个‘WINEXE。EXE’进程在运行,但是无法无法结束。各位大虾告诉我如何消灭它,我用过几种杀毒软件都没有用啊》》 问题点数:30、回复次数:2Top
1 楼yishao(飞龙)回复于 2003-08-03 17:54:38 得分 5
1:重新安装系统
2:用搜索把他的位置找出来再用killer把进程关闭,立刻删除它们。Top
2 楼smallrascal(㊣小无赖㊣有事给我留言㊣)回复于 2003-08-03 18:07:44 得分 25
Win32.Lovgate.L
病毒名称:Win32.Lovgate.L
别名:W32.HLLW.Lovgate.I@mm (Symantec), W32/Lovgate.I@M (McAFee)
疯狂度:★★
破坏性:★★★
普及度:★★★★
种类:Win32
类型:蠕虫
病毒特性:
Lovgate.J是一种通过电子邮件和网络共享传播的互联网蠕虫病毒。但不会在操作系统为Win9x的电脑上发作。 运行时,蠕虫会拷贝自己的病毒副本文件到系统目录中(文件大小为132,096字节),且使用下面这些文件名:
IEXPLORE.EXE、 KERNEL66.DLL、 RAVMOND.EXE、 WINEXE.EXE、
WinDriver.exe、 WinGate.exe、 WinHelp.exe
蠕虫还会生成下面这3个文件:
WIN32VXD.DLL(32,768 字节, 蠕虫使用DLL文件来安装钩子函数-Windows hook)
DRWTSN16.EXE(49,152字节, Lovgate.L的感染文件)
WIN32.TMP (病毒感染文件时所生成的临时文件)
蠕虫会修改下面这个注册表键值,以便在用户试图运行可执行文件时调用蠕虫文件:
HKCR\exefile\shell\open\command\(Default),
"%SysDir%\winexe.exe "%1" %*"
蠕虫还会添加下面这些注册表键值,以便Windows每次启动时自动调用Lovgate.L:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp, "%SysDir%\WinHelp.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinGate initialize, "%SysDir%\WinGate.exe -remoteshell"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\
Windows\run, "RAVMOND.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Remote Procedure Call Locator, "RUNDLL32.EXE reg678.dll ondll_reg"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program In Windows, "%SysDir%\IEXPLORE.EXE"
Lovgate.L也会通过修改下面的注册表将自己注册为一个服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Windows Management Instrumentation Driver Extension
"ImagePath" = "%SYSTEM\WinDriver.exe - start_server"
蠕虫会生成一个名为"I-WORM---IPC-20168"的目标事件,用来避免自身被多次运行。
蠕虫通过电子邮件传播时有2种方式。第一种是使用MAPI来回复用户收件箱中的邮件。这些看起来像是正式的回复邮件,都引用原文,并有下列一些特征:([ ]符号中的是可变的)
主题:
Re: [original subject]
正文:
'[recipient name]' wrote:
====
>
[Original message (each line prefixed with ">")]
====
[recipient domain] account auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE [recipient domain] account now! <
蠕虫只引用原文的前512字节内容,如果原始邮件的内容多于512字节,那其他将以....表示。
附件(随机选择):
"I am For u.doc.exe"
"Britney spears nude.exe.txt.exe"
"joke.pif"
"DSL Modem Uncapper.rar.exe"
"Industry Giant II.exe"
"StarWars2 - CloneAttack.rm.scr"
"dreamweaver MX (crack).exe"
"Shakira.zip.exe"
"SETUP.EXE"
"Macromedia Flash.scr"
"How to Crack all gamez.exe"
"Me_nude.AVI.pif"
"s3msong.MP3.pif"
"Deutsch BloodPatch!.exe"
"Sex in Office.rm.scr"
"the hardcore game-.pif"
第2种方式则是蠕虫直接使用SMTP服务器发送带毒邮件。蠕虫会搜索"我的文档"中的所有*.ht*文件,找出目标邮件地址。而传播蠕虫的邮件有下列特征:
主题(随机):
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi Dear
Hi
See the attachement
邮件正文(随机):
For further assistance, please contact!
Copy of your message, including all the headers is attached.
This is the last cumulative update.
Tiger Woods had two eagles Friday during his victory over Stephen Leaney.
(AP Photo/Denis Poroy)
Send reply if you want to be official beta tester.
This message was created automatically by mail delivery software (Exim).
It's the long-awaited film version of the Broadway hit.
Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart
(Zellweger),
who shoots her unfaithful lover (West).
Adult content!!! Use with parental advisory.
Patrick Ewing will give Knick fans something to cheer about Friday night.
Send me your comments...
附件名称(随机选择):
About_Me.txt.pif、 driver.exe、 Doom3 Preview!!!.exe、 enjoy.exe、YOU_are_FAT!.TXT.pif、 Source.exe、 Interesting.exe、 README.TXT.pif、 images.pif、 Pics.ZIP.scr
蠕虫利用ipc$和admin$对guest和Administrator账号进行多个简单密码试探。如果成功,蠕虫会以NetServices.exe为文件名拷贝自己到远程计算机的系统目录下,并创建一个服务"Microsoft NetWork FireWall Services"。蠕虫还会生成一个自己的副本文件,而文件名则是下面中的一个:
MSN Password Hacker and Stealer.exe
SIMS FullDownloader.zip.exe
Winrar + crack.exe
Star Wars II Movie Full Downloader.exe
MoviezChannelsInstaler.exe
Age of empires 2 crack.exe
CloneCD + crack.exe
Sex_For_You_Life.JPG.pif
AN-YOU-SUCK-IT.txt.pif
100 free essays school.pif
Mafia Trainer!!!.exe
Panda Titanium Crack.zip.exe
How To Hack Websites.exe
The world of lovers.txt.exe
autoexec.bat
Are you looking for Love.doc.exe
蠕虫会把自身的木马功能部分解压缩到一个DLL库文件中,以便此木马以一个单独程序来运行。下面这4个DLL文件的大小都为59,392字节:
111.DLL、 ILY668.DLL、 REG678.DLL、 Task688.dll
蠕虫会监听TCP端口20168。而木马的DLL库文件会在下面这两个地方注册为一个服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
ll_reg, "ImagePath" = "RUNDLL32.EXE Task688.dll ondll_reg"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
NetMeeting Remote Desktop (RPC) Sharing,
"ImagePath" = "RUNDLL32.EXE Task688.dll ondll_server"
蠕虫会将文件Win32pwd.sys中的内容发送到hello_dll@163.com,而邮件的主题为007OOT007OOT
为了更加便于传播,蠕虫会在%WinDir%\Temp目录下创建一个共享目录,并拷入自己的副本文件。病毒文件的文件名长度是随机的,而扩展名则是下面中的一个: .txt.exe、 .jpg.exe、 .mp3.exe、
.htm.exe、 .rm.exe、 .avi.exe、 .doc.exe、 .gif.exe、 .dat.exe
蠕虫会试图停止内存中包含下面这些字符串的进程:
KV、 KAV、 Duba、 NAV、 kill、 RavMon.exe、 Rfw.exe、
Gate、、McAfee、 Symantec、SkyNet、 Rising
Lovgate.J也会感染系统里的可执行文件,并以自身的副本文件将其替换。文件Win32vxd.dll也是蠕虫Lovgate.J的一部分,它会通过安装一个钩子函数(Windows hook)来欺骗系统,将收集到的信息记录在文件win32add.sys中,并发送到一个特定的邮件地址,而邮件主题为"333www"。Top
