What exactly does the Panda Burning Incense (熊貓燒香) virus do?
(2007-01-27 07:11:30)
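1. It targets 超級巡警 (Super Patrol), the tool that detects and removes Panda most aggressively.
2. The same file name (GameSetup.exe). This is the obvious one: a share infected by Panda always contains this file, and it is the file antivirus software flags.
3. The same password-guessing dictionary.
4. The same Autorun method.
Rewrites the browser home page every 2 seconds: www.51.vc
Stops the following services every 6 seconds: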
Schedule
sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
Deletes the following registry entries:
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/RavTask
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/KvMonXP
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/kav
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/KAVPersonal50
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/McAfeeUpdaterUI
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/Network Associates Error Reporting Service
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/ShStatEXE
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/YLive.exe( :D)
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/yassistse
Stops and deletes the following services:
RsCCenter
RsRavMon
KVWSC
KVSrvXP
AVP
kavsvc
McAfeeFramework
McShield
McTaskManager
navapsvc
wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc
Opens an IE window every 20 minutes, address: www.51.vc
Creates a thread that closes the following windows:
VirusScan
NOD32
係統配置實用程序 (System Configuration Utility)
Symantec AntiVirus
Windows 任務管理器 (Windows Task Manager)
esteem procs
System Safety Monitor
System Repair Engineer
Wrapped gift Killer
Winsock Expert
遊戲木馬檢測大師 (Game Trojan Detection Master)
超級巡警 (Super Patrol)
pjf(ustc)
msctls_statusbar32
IceSword
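天網防火牆 (SkyNet Firewall)
進程 (process)
網鏢 (net guard)
殺毒 (antivirus)
毒霸 (Duba)
瑞星 (Rising)
木馬清道夫 (Trojan Cleaner)
注冊表編輯器 (Registry Editor)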
Duba
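卡巴斯基反病毒 (Kaspersky Anti-Virus)
綠鷹PC (Green Eagle PC)
木馬輔助查找器 (Trojan Finder Assistant)
噬菌體 (Bacteriophage)
密碼防盜 (Password Anti-Theft)
超級兔子 (Super Rabbit)
黃山IE (Huangshan IE)
木馬清道夫 (Trojan Cleaner)
Terminates the following programs: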
Mcshieid.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
Probes network shares using the following weak passwords and tries to copy itself over as GameSetup.exe:
password
1234
6969
harley
123456
golf
pussy
mustang
1111
shadow
1313
fish
5150
7777
qwerty
baseball
2112
letmein
12345678
12345
ccc
admin
5201314
qq520
1
12
123
1234567
123456789
654321
54321
111
000000
abc
pw
11111111
88888888
pass
passwd
database
abcd
abc123
sybase
123qwe
server
computer
520
super
123asd
0
ihavenopass
godblessyou
enable
xp
2002
2003
2600
alpha
110
111111
121212
123123
1234qwer
123abc
007
a
aaa
patrick
pat
administrator
root
sex
god
foobar
secret
test
test123
temp
temp
win
pc
asdf
qwer
yxcv
zxcv
home
xxx
owner
login
Login
pw123
love
mypc
mypc123
admin123
mypass
mypass123
901100
Administrator
Guest
admin
Root
Copies itself to:
/Documents and Settings/All Users/「開始」菜單/程序/啟動/
/Documents and Settings/All Users/Start Menu/Programs/Startup/
/WINDOWS/Start Menu/Programs/Startup/
/WINNT/Profiles/All Users/Start Menu/Programs/Startup/
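Connects to:
http://www.ac86.cn/88/down/up.txt (which includes Panda Burning Incense)
http://update.whboy.net/ie.txt (no longer accessible)
and downloads the virus programs listed in those files
Accesses the following sites in an endless loop every 8 seconds: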
tom.com
163.com
souhu.com
google.com
yahoo.com
Every 6 seconds it drops the following files into the root directory of each drive:
autorun.inf
Contents:
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe
setup.exe (its own installer exe)
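
As an added example (not part of the original post): a defensive Python check that parses an autorun.inf like the one above and reports launch entries that point at an executable sitting in the same drive root. The function names and the sample directory are constructed for illustration.

```python
import tempfile
from pathlib import Path

# [AutoRun] keys that name a program to launch; shell\<verb>\command is matched below.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(text):
    """Return {key: command} for each launch entry in the [AutoRun] section."""
    targets, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            k = key.lower().replace("/", "\\")  # tolerate '/' written for '\'
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                targets[k] = value
    return targets

def check_root(root):
    """List (key, command) pairs whose target file exists in the same root."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    inf = files.get("autorun.inf")
    if inf is None:
        return []
    findings = []
    for key, cmd in autorun_targets(inf.read_text(errors="replace")).items():
        tokens = cmd.replace('"', "").split()
        if tokens and tokens[0].lower() in files:
            findings.append((key, cmd))
    return findings

def demo():
    """Build a constructed drive root and return the findings for it."""
    sample = "[AutoRun]\nOPEN=setup.exe\nshellexecute=setup.exe\nshell\\Auto\\command=setup.exe\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "autorun.inf").write_text(sample)
        Path(root, "setup.exe").write_bytes(b"")  # empty placeholder, not malware
        return check_root(root)

if __name__ == "__main__":
    for key, cmd in demo():
        print(f"{key} -> {cmd}")
```

Run check_root against each mounted drive root or share root; any finding means the volume auto-launches a program stored beside its autorun.inf and should be inspected.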