注意,新病毒昨日流出感染网络,类似冲击波!!
根据分析,“震荡波”病毒会在网络上自动搜索系统有漏洞的电脑,并直接引导这些电脑下载病毒文件并执行,因此整个传播和发作过程不需要人为干预。只要这些用户的电脑没有安装补丁程序并接入互联网,就有可能被感染。
“震荡波”病毒的发作特点,类似于去年夏天造成大规模电脑系统瘫痪的“冲击波”病毒,那就是造成电脑反复重启。
瑞星反病毒专家王耀华介绍,该病毒会通过FTP 的5554端口攻击电脑,使系统文件崩溃,造成电脑反复重启。病毒如果攻击成功,会在C:\WINDOWS目录下产生名为avserve.exe的病毒体,用户可以通过查找该病毒文件来判断是否中毒。
“震荡波”病毒会随机扫描IP地址,对存在有漏洞的计算机进行攻击,并会打开FTP的5554端口,用来上传病毒文件,该病毒还会在注册表HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run中建立:"avserve.exe"=%windows%\avserve.exe的病毒键值进行自启动。
该病毒会使“安全认证子系统”进程━━LSASS.exe崩溃,出现系统反复重启的现象,并且使跟安全认证有关的程序出现严重运行错误。
----------------------------
如何防范“震荡波”
首先,用户必须迅速下载微软补丁程序,对于该病毒的防范,http://www.microsoft.com/china/tech...s04-011.mspx。
金山或者瑞星用户迅速升级杀毒软件到最新版本,然后打开个人防火墙,将安全等级设置为中、高级,封堵病毒对该端口的攻击。
非金山或者瑞星用户迅速下载免费的专杀工具,下载地址为:http://dl.pconline.com.cn/html/1/8/...1&pn=0&.html。
如果用户已经被该病毒感染,首先应该立刻断网,手工删除该病毒文件,然后上网下载补丁程序,并升级杀毒软件或者下载专杀工具。手工删除方法:查找该目录C:\WINDOWS目录下产生名为avserve.exe的病毒文件,将其删除。
问题点数:0、回复次数:3Top
1 楼sczhoubing(http://bbs.028club.com)回复于 2004-05-02 00:24:46 得分 0
SYMANTEC响应中心关于此病毒的公告:
病毒运作现象:
When W32.Sasser.Worm runs, it does the following:
Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
Copies itself as %Windir%\avserve.exe.
--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------
Adds the value:
"avserve.exe"="%Windir%\avserve.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
处理办法:
1. To end the malicious process
To end the malicious process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for the following processes:
avserve.exe
any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
If you find any such process, click it, and then click End Process.
Exit the Task Manager.
2. To disable System Restore (Windows Me/XP)
3. To update the virus definitions
4. To scan for and delete the infected files
5. To reverse the change made to the registry
a.Click Start, and then click Run. (The Run dialog box appears.)
b.Type "regedit" Then click OK. (The Registry Editor opens.)
c.Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
d.In the right pane, delete the value:
"avserve.exe"="%Windir%\avserve.exe"
e.Exit the Registry Editor.
Top
2 楼qiang312(小强)回复于 2004-05-02 08:52:32 得分 0
难怪我昨天发现电脑有奇怪的进程要访问端口 后来就把这些东西删除了,做法跟symantec的建议一样,看来病毒和木马的惯用手段就那么一两个 ^_^Top
3 楼clys(我跳起来给微软一脚!)回复于 2004-05-02 09:37:07 得分 0
^_^禁了!Top
