
wingering 2008-2-27 16:34

Analysis of a new MSN worm variant (poolmc.exe, photo38.JPG-www.myspace.com)

Source: 超级巡警 (Super Patrol) team    Date: 27 February 2008

The 超级巡警 team has observed that, as users return to their normal work, the MSN worm has begun to spread again. It sends the victim's MSN contacts an attachment whose file name contains the word "photo".
The 超级巡警 team reminds users not to casually download and run programs that arrive over MSN.

I. Virus analysis

Virus tags:
Virus name: Backdoor.win32.IRCB.gen
Alias: MSN worm
Type: worm
Threat level: 3
Affected platform: Windows
File size: 78,848 bytes
SHA1: c69509ab0a8108c2c48eb9589735d4be51ed26d5
Packer: EXECryptor
Compiler: VC

Virus behaviour:
1. Copies itself to %System%\poolmc.exe
   Creates the file: %temp%\photo*.zip
     // the archive contains the file picture*.JPG-www.myspace.com (* stands for the same random number)
     // the file inside the archive is identical to poolmc.exe
2. Connects to the following domains:
   [url]www.timbercreeksoftware.com[/url]
   [url]www.massiverender.com[/url]
   01.cybernix.info
   Downloads the file:
   [url]http://www.massiverender.com/[/url]*****/p3.exe    // identical to poolmc.exe
3. Adds a registry autostart entry:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Windows Pool Setup"="poolmc.exe"
4. Downloads the file http://www.timbercreeksoftware.com/regdata/eng.txt, whose contents are as follows:
   u want to see something really funny? look at this lol
   have you seen this new picture of me?
   do you like this picture of me?
   new party pictures :)
   You want to see something very funny? accept this haha
   Do you like sexyness? accept this and you will know!
   want to see my new pics? accept this
   I just found this nasty pic.. you need to see this haha
   let me introduce you to my newest friend :) accept the pic
   New myspace pics here
   New facebook pics accept ;]
   this person looks like you
   look at my new profile pic
   watch out.. this picture im sending you is so nasty!
   do I look good with this mix?
   Hello! would you like to see my new picture?
   did I send you my new pic? if not here it is :)
   this picture is so amazing I cannot believe this
   have you seen the newest iphone? its so amazing check it out
   would you like me to add our picture to facebook?
   can I add your picture to my Myspace albums?
   checkout the newest faster car.. it is incredible!
   do I look good in this picture?
   checkout my new shirt I just got :)
   This is my newest webcam.. tell me what you think of it
   I have an old picture of you...want it? here it is!
   dont freakout when you see this picture
   dont scream when you see this picture lol
   dont kill me for sending you this picture, you must see it!
   haha this picture of you is so funny!
   I'm sending you my new photo accept it
   Hi, remember this picture of you ?
   You look so sexy in this picture
   do you like dogs? look at my new dog!
   can I add this picture of us to my new blog?
   This is so hot I want it badly look!
   I got a new car!! look at the pics!
   checkout my latest acquisition hehe
   do you know this person on this picture? I think you do
   I think you will faint when you see this pic
   I was so drunk at this party.. check it out lol
   I can't believe I am in this picture look!
   haha you're gonna laugh hard when you see this
   checkout the newest fastest car
   I took this pic in my vacation:)
   this is so nasty...
   I love this watch I think im buying it
   I look so fat in this pic :(
   your mom in this picture lol
   I like this picture of you a lot
   It then picks a sentence at random from this file, sends it to the victim's MSN contacts, and sends the archive photo*.zip along with it    // * is a random number
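As an added example (not part of the original analysis or of any 超级巡警 tooling), the following Python inspects an incoming archive for the disguise described above: a member named like picture*.JPG-www.myspace.com whose content is actually a PE executable, optionally cross-checked against the SHA1 published above. The sample archive is constructed inline and is not the real worm.

```python
import hashlib
import io
import re
import zipfile

# SHA1 of poolmc.exe as published in the analysis above
KNOWN_SHA1 = {"c69509ab0a8108c2c48eb9589735d4be51ed26d5"}

# Image extension followed by a "-www.<domain>" suffix: the worm's naming disguise
LURE_NAME = re.compile(r"\.(jpe?g|gif|png|bmp)-www\.[a-z0-9.-]+$", re.IGNORECASE)


def inspect_zip(data: bytes) -> list:
    """Return (member name, reasons) for each suspicious member of an attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            reasons = []
            if LURE_NAME.search(info.filename):
                reasons.append("image-name-plus-domain suffix")
            if content[:2] == b"MZ":  # DOS/PE header, i.e. an executable, not an image
                reasons.append("PE executable content")
            if hashlib.sha1(content).hexdigest() in KNOWN_SHA1:
                reasons.append("matches published SHA1")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive (hypothetical, not the real worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # PE-looking stub using the lure's naming pattern
        zf.writestr("picture38.JPG-www.myspace.com", b"MZ" + b"\x00" * 62 + b"stub")
        # A benign member with a real JPEG magic, for contrast
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample()):
        print(f"{name}: {', '.join(reasons)}")
```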
II. Remediation

Recommended: install 超级巡警 and run a complete virus scan. Existing 超级巡警 users should update to the latest virus database and run a full-disk scan.
超级巡警 download: [url=http://www.dswlab.com/d1.html]http://www.dswlab.com/d1.html[/url]

Manual removal:
1. Terminate the virus process. Open 超级巡警, choose the process manager, and end the poolmc.exe process.
2. Delete the files created by the virus.
3. Delete the virus's autostart entry. Open 超级巡警, choose startup management, and delete the entry named "Windows Pool Setup".
4. Users are advised to use 超级巡警's malicious-site blocking feature to block the domains mentioned in this article.

III. Security recommendations

1. Immediately install or update anti-virus software and run a full scan of memory and disk (超级巡警 recommended).
2. Consider a firewall appropriate to your actual security needs, and configure it correctly.
3. Use 超级巡警's patch check feature and install system patches promptly.
4. Disable or remove unnecessary accounts, and set a strong password on the administrator account.
5. Disable unnecessary services.
6. Keep commonly used software up to date, especially chat clients.
7. Do not open e-mail of unknown origin, especially attachments.
8. Do not download and run files from untrusted websites.
9. Scan downloaded and newly copied files for viruses before use.
10. Do not casually open links or executables received through instant-messaging tools.
11. Scan removable storage media for viruses before accessing data on them; 超级巡警's USB drive immunizer is recommended.

Note: %System% is a variable path. On Windows 95/98/Me it refers to %Windir%\System; on Windows NT/2000/XP/2003/Vista it refers to %Windir%\System32. Other variables:
   %SystemDrive%              partition on which the system is installed
   %SystemRoot% = %Windir%    Windows system directory
   %ProgramFiles%             default application install directory
   %AppData%                  application data directory
   %CommonProgramFiles%       common files directory
   %HomePath%                 current active user's directory
   %Temp% = %Tmp%             current active user's temporary directory
   %DriveLetter%              logical drive partition
   %HomeDrive%                partition holding the current user's system

超级巡警: thoroughly removes all kinds of trojans and fully protects system security.
More free tools: [url=http://www.dswlab.com/]http://www.dswlab.com[/url]

Professional desktop and content security products: [url=http://www.unnoo.com/]http://www.unnoo.com[/url]