http://securityresponse.symantec.com/avcen...gate.ak@mm.html
As soon as you run it, it immediately renames every .exe file to .zmx, sets their attributes to System + Hidden, and then copies the 158K virus file under each original .exe file name.
Scans all the drives from C to Z. If the drive type is removable, mapped, or fixed, the worm will do the following on all the drives found:
Attempt to rename the extension on all .exe files to .zmx.
Set the attributes to Hidden and System on these files.
Copy itself as the original file name.
It also creates AUTORUN.INF and COMMAND.EXE in the root directory of every drive, plus some strange .RAR files. That COMMAND.EXE is the virus file itself: just double-click the drive name and it runs automatically.
Creates a file named AUTORUN.INF in the root folder of all the drives, except the CD-ROM drives, and copies itself as COMMAND.EXE and setup.RAR into that folder.
Creates a zip file named <filename>.<ext> in the root folder of all the drives, unless the drive letter is A or B.
<filename> will be one of the following:
WORK
setup
Important
bak
letter
pass
and <ext> is one of the following:
RAR
ZIP
This zip file contains a copy of the worm with the file name <filename>.<ext>.
<filename> is one of the following:
WORK
setup
Important
book
email
PassWord
and <ext> is one of the following:
.exe
.com
.pif
.scr
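The renaming behaviour quoted above is what makes cleanup awkward: the real programs are still on disk as hidden .zmx files, and every .exe that sits beside one is a byte-identical copy of the worm. The following is an added Python example, not code from the post or from Symantec's writeup, showing one way to recover such a tree: pair each .zmx with its .exe, confirm all the .exe candidates share one hash before touching anything, then delete the copies and rename the originals back. The directory layout, the fake worm body and the program contents are constructed sample data; the %System% and file names are the ones the writeup lists.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_renamed_pairs(root):
    """Every X.zmx that sits next to an X.exe is a candidate (worm copy, original) pair."""
    pairs = []
    for zmx in sorted(Path(root).rglob("*.zmx")):
        exe = zmx.with_suffix(".exe")
        if exe.is_file():
            pairs.append((exe, zmx))
    return pairs


def identify_worm_copies(pairs):
    """The worm drops the same body under every original name, so the dropped
    .exe files are byte-identical. Only restore when every candidate shares one
    hash; anything else is left for manual review rather than guessed at."""
    if not pairs:
        return None, []
    hashes = {exe: sha256_of(exe) for exe, _ in pairs}
    distinct = set(hashes.values())
    if len(distinct) != 1:
        return None, []
    return distinct.pop(), list(pairs)


def restore(root):
    """Delete each worm copy and rename the hidden .zmx back to .exe.
    Returns the restored paths relative to root (forward slashes)."""
    restored = []
    worm_hash, infected = identify_worm_copies(find_renamed_pairs(root))
    for exe, zmx in infected:
        exe.unlink()
        # clear read-only in case it was set; Hidden/System do not block a rename
        os.chmod(zmx, stat.S_IREAD | stat.S_IWRITE)
        zmx.rename(exe)
        restored.append(exe.relative_to(root).as_posix())
    return sorted(restored)


def build_sample_tree(base):
    """Constructed sample: two programs renamed to .zmx with a fake worm body
    dropped under their names, plus one untouched program."""
    base = Path(base)
    worm_body = b"MZ" + b"\x90" * 64 + b"constructed fake worm body, not real malware"
    for rel, original in (("app/notepad", b"MZ original notepad"),
                          ("tools/zip", b"MZ original zip tool")):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.with_suffix(".zmx").write_bytes(original)
        p.with_suffix(".exe").write_bytes(worm_body)
    (base / "app" / "clean.exe").write_bytes(b"MZ untouched program")
    return base


def demo():
    """Build the sample tree in a temp dir, clean it, and report what happened."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="lovgate_demo_"))
    pairs_before = len(find_renamed_pairs(root))
    restored = restore(root)
    return {
        "pairs_before": pairs_before,
        "restored": restored,
        "notepad": (root / "app" / "notepad.exe").read_bytes(),
        "zmx_left": len(list(root.rglob("*.zmx"))),
        "clean": (root / "app" / "clean.exe").read_bytes(),
    }


if __name__ == "__main__":
    print(demo())
```

The single-hash check is the important design choice: if the .exe files next to the .zmx files are not all identical, the tree does not look like this worm's handiwork and the script refuses to rename anything. Run it against a live system only after the worm's processes and registry entries are gone, otherwise the restored files are re-infected immediately.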
It also uses Outlook to automatically reply to the senders of every message in the inbox. I don't know what the reply contains, but I'd guess it's the virus file too...
Replies to all the incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, including Microsoft Outlook.
Of course this virus also modifies the registry to make itself resident in the system, and you can't shut it down.
Copies itself as the following:
%Windir%\SysTra.exe
%System%\ravmond.exe
%System%\iexplore.exe
%System%\WinHelp.exe
%System%\kernel66.dll (With attributes set to Read Only, Hidden, and System.)
Notes:
%Windir% is a variable: The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
%System% is a variable: The worm locates the System folder and copies itself to that location. By default, this is C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following files:
%System%\ODBC16.dll
%System%\msjdbc11.dll
%System%\MSSIGN30.DLL
%System%\LMMIB20.DLL
Note: These files are all the same; they are backdoor components of the worm and each 53,760 bytes in size.
Adds the values:
"Program in Windows"="%system%\iexplore.exe"
"Protected Storage"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="%system%\WinHelp.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Adds the value:
"SystemTra"="%Windir%\SysTra.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that the worm runs as a service when you start Windows 95/98/Me.
Adds the value:
"run"="RAVMOND.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
so that the worm runs when you start Windows NT/2000/XP.
May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1
Inserts the following line in the [Windows] section of Win.ini file:
run=ravmond.exe
Injects a process-watching routine as a thread into either Explorer.exe or Taskmgr.exe. This remote thread will launch %System%\Iexplore.exe if the worm process is stopped.
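The persistence entries quoted above are what a responder should look for first: the Run/RunServices values, the Windows NT "run" value, and the run= line in the [Windows] section of win.ini. The following is an added Python example, not code from the post or from Symantec's writeup, that triages such values offline. It takes the Run-key values as a plain dict and win.ini as text (both constructed samples here, three entries copied from the writeup plus two benign ones), expands the %System%/%Windir% placeholders (assumed to be C:\Windows\System32 and C:\Windows), and flags the worm's image names, an iexplore.exe launched from the System folder rather than Program Files, and rundll32 loading one of the backdoor DLLs.

```python
import re

# Image names the writeup above lists as copies or components of the worm
WORM_IMAGES = {
    "systra.exe", "ravmond.exe", "winhelp.exe", "kernel66.dll",
    "odbc16.dll", "msjdbc11.dll", "mssign30.dll", "lmmib20.dll",
}

# Constructed sample of a Run key's values: three from the writeup, two benign
SAMPLE_RUN = {
    "Program in Windows": "%system%\\iexplore.exe",
    "Protected Storage": "RUNDLL32.exe MSSIGN30.DLL ondll_reg",
    "WinHelp": "%system%\\WinHelp.exe",
    "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    "VBoxTray": "\"C:\\Windows\\System32\\VBoxTray.exe\" /silent",
}

# Constructed win.ini fragment carrying the line the writeup describes
SAMPLE_WIN_INI = """[windows]
load=
run=ravmond.exe
[Desktop]
Wallpaper=(None)
"""


def expand(cmd, windir="C:\\Windows", system_dir="C:\\Windows\\System32"):
    """Expand the %Windir% / %System% placeholders the writeup uses (assumed paths)."""
    def sub(m):
        return system_dir if m.group(1).lower() == "system" else windir
    return re.sub(r"%(system|windir)%", sub, cmd, flags=re.IGNORECASE)


def image_name(cmd):
    """File name of the program a command line launches, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        token = cmd[1:].split('"', 1)[0]
    else:
        token = cmd.split()[0] if cmd else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_run_values(values, system_dir="C:\\Windows\\System32"):
    """Return (value name, reason) for each Run/RunServices entry matching the writeup."""
    findings = []
    for name, data in values.items():
        full = expand(data, system_dir=system_dir)
        image = image_name(full)
        args = [t.lower() for t in full.split()[1:]]
        if image in WORM_IMAGES:
            findings.append((name, "known worm image name"))
        elif image == "iexplore.exe" and full.lower().lstrip('"').startswith(system_dir.lower()):
            findings.append((name, "iexplore.exe launched from the System folder instead of Program Files"))
        elif image == "rundll32.exe" and any(a in WORM_IMAGES for a in args):
            findings.append((name, "rundll32 loading one of the worm's backdoor DLLs"))
    return findings


def triage_win_ini(text):
    """Flag a run= line in [Windows] that launches one of the worm's images."""
    run = parse_ini(text).get("windows", {}).get("run", "")
    return [("run", run)] if image_name(run) in WORM_IMAGES else []


if __name__ == "__main__":
    for finding in triage_run_values(SAMPLE_RUN) + triage_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

On a real machine the dict would come from reading the Run and RunServices keys (and the Windows NT "run" value) with winreg, and the text from %Windir%\win.ini; the triage logic stays the same. Matching on image names alone is deliberately narrow, which is why the iexplore.exe rule looks at the folder rather than the name: the genuine browser lives under Program Files, so the same name under %System% is the tell.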
What makes this virus formidable is that it shuts off the auto-protect feature of all of the following antivirus products:
Terminates all the processes that contain any of the following strings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising