★警惕★MSN相册病毒卷土重来!
MSN相册病毒(IM-Worm.Win32.MSN-Pictures.gen)分析出处:DSW Avert 时间:2007年9月14日
根据超级巡警团队监测,MSN相册病毒又卷土重来了。虽然是老伎俩,不过加了个新壳。还是困扰了不少的网友。
一、病毒相关分析:
病毒标签:
病毒名称:IM-Worm.Win32.MSN-Pictures.gen
病毒类型:蠕虫
危害级别:3
感染平台:Windows 平台
病毒大小:24,576 字节
SHA1:697f115881c22568af99b46bc3d09b0c727a2623
加壳类型:UPX //修改过
病毒分析:
1、文件运行后会释放文件
%WinDir%\system\csrss.exe 24,576 字节
下载文件
%WinDir%\My_Pictures2007.zip 24,742 字节
//压缩包中文件为picture59.jpeg-[url]www.photobucket.com[/url],与csrss.exe为同一文件
运行后会在以下字符串中随机发送,并传送文件My_Pictures2007.zip给在线好友
hey man accept my pics. :( i just edited it to look maad funny..Dude i found your picture on hotornot.com! Take a look!
do I look dumb in this picture? I want to put it on myspace.
hey you got a myspace album? anyways heres my new myspace album :) accept k?
ok, I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
Have you seen me Naked Yet :D
OMG, i found ur pic on cuteornot.com! Check it out!!!
Hey just finished new myspace album! :) theres a few kinky ones in there!
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey accept my pictures, i got a bunch from when i was like a toddler :X
OMG just accept please its only some pics!!
do you think this picture is too kinky for Myspace?
Wanna see my pics before i send em to facebook?
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with
my cellphone
Can you believe somone actually wears this size bra? I could use it for a Tent.
I've been editing some pics you should def see em loL! accept :)
Lmfao hey im sending my new pictures! Check em out!
I cant believe they wanted me to upload this picture to facebook lol. Its terrible. Like my outfit tho?
Take a look at the new pics already! :p
wanna see this pic of my Boobs?Can i put this pic of you into my new myspace album?
wow! look at this old picture i found....
OMFG!!!!!!!! :D
my crazy sister wants u to see these pics for some reason... take a look
wow I just dyed my hair... You will never believe the color it is now. lol And dont laugh
is this pic tooo sexy for photobucket??
sry about the messup i fixed the pic! Try it one more time pz
you care if i put this pictuer of you in my new album?
can i up some of these pics of ya to my myspace profile?
hey did i ever show you this picture of me?
haha lets hope your parents dont see this picture of you :D
Wow i think i found your pic on myspace!
This picture isnt you... right?
2、添加注册表项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Server Runtime Server Subsystem"="C:\\WINDOWS\\system\\csrss.exe"
3、生成%Temp%\_@*.tmp 24,576 字节 //*代表一位至两位数字或是一位大写字母
并将文件以csrss为镜像名运行
当在内存中的此进程发现自身文件被删除时,便重新生成一个*的下一个文件
//例如[email]_@1.tmp[/email] 生成[email]_@2.tmp[/email] ,[email]_@A.tmp[/email]生成[email]_@B.tmp[/email]
4、连接IRC服务器,下载文件并接受远程命令
5、下载并安装后门,部份文件为:PStore.dll,Advapi.dll
6、蠕虫文件内含有字符串 “Built on: Sep 9 2007.”
二、解决方案
1、升级超级巡警到最新病毒库,并进行全盘扫描。
2、下载超级巡警的MSN相册专杀工具,在感染病毒的机器查杀病毒。为保证彻底清除,请重起后再查杀一次。
3、结束非系统进程的其他csrss.exe //可能会有多个
删除文件csrss.exe和My_Pictures2007.zip,并清空临时文件夹%Temp%
三、安全建议
1、立即安装或更新防病毒软件并对内存和硬盘全面扫描(推荐安装超级巡警)。
2、使用超级巡警的补丁检查功能,检查系统补丁,并及时安装补丁。
3、不要随便共享文件或文件夹,即使要使用共享,应先设置好权限,另外不建议设置可写或可控制。
4、不要随便打开不明来历的电子邮件,尤其是邮件附件。
5、不要随便登陆不明网站,特别不要随意登陆需要自己银行帐号或手机及计算机系统帐号的不明网站。
6、使用移动存储介质进行数据访问时,先对其进行病毒检查,建议使用超级巡警U盘免疫器进行免疫。
7、做好系统和重要数据的备份,以便能够进行系统和数据灾难恢复。
超级巡警:彻底查杀各种木马,全面保护系统安全。
更多免费工具下载:[url]http://www.dswlab.com[/url]
专业的桌面与内容安全产品:[url]http://www.unnoo.com[/url]
新科GPS正品专卖,行货联保,电话咨询优惠 点亮在线商城DL818.COM
新科GPS正品专卖,行货联保,电话咨询优惠 点亮在线商城DL818.COM新科车载GPS导航仪|新科3512|新科GM-3512
新科车载GPS导航仪|新科3518|新科GM-3518
新科车载GPS导航仪|新科3500|新科GT-3500
新科车载GPS导航仪|新科410C|新科GM-410C
新科车载GPS导航仪|新科411C|新科GM-411
新科车载GPS导航仪|新科4810|新科GM-4810
新科车载GPS导航仪|新科4308|新科GM-4308
新科车载GPS导航仪|新科701 |新科GM-701
新科车载GPS导航仪|新科702 |新科GM-702C
新科车载GPS导航仪|新科71C |新科GD-71C
页:
[1]