ºô»Ú½×¾Â - ¼eÀW¨Ï¥Î / ¨¾¬r¨¾Àb°Q½× - [¯f¬rįÂÎ] Worm.Win32.Viking.ai¤ÀªR
» ¹C«È:  µù¥U | µn¿ý | ·|­û | À°§U
 

§K¶O½u¤W¤p»¡
°Êº©¤ÀÃþ ¡G ³Ì·s¤W¬[ ¡U ¼öªù³s¸ü ¡U ¥þ¥»¤p»¡ ¡U ³Ì·s¤W¬[ ¡U ¥È¤Û©_¤Û ¡U ³£¥«¨¥±¡ ¡U ªZ«L¥P«L ¡U ­x¨Æ¾ú¥v ¡U ºô´åÄv§Þ ¡U ¬ì¤ÛÆF²§ ... §ó¦h¤p»¡

§@ªÌ:
¼ÐÃD: [¯f¬rįÂÎ] Worm.Win32.Viking.ai¤ÀªR ¤W¤@¥DÃD | ¤U¤@¥DÃD
  ÅKº~¬X±¡
  ¶i¶¥·|­û 
 


  ¿n¤À 1990
  µo¤å 76
  µù¥U 2006-2-27
  ª¬ºA Â÷½u
#1  [¯f¬rįÂÎ] Worm.Win32.Viking.ai¤ÀªR

¯f¬r¼Ðñ¡G
¯f¬r¦WºÙ¡G Worm.Win32.Viking.ai
¤¤¤å¦WºÙ¡G «Âª÷
¯f¬rÃþ«¬¡G įÂÎ
¤å¥ó MD5¡G 5693A6A373B1D9254D13B060997E8A50
¤½¶}½d³ò¡G §¹¥þ¤½¶}
¦M®`µ¥¯Å¡G ¤¤
¤å¥óªø«×¡G 49,152 ¦r¸`
·P¬V«Y²Î¡G windows98¥H¤Wª©¥»
¶}µo¤u¨ã¡G Borland Delphi 6.0 - 7.0
¥[´ßÃþ«¬¡G UPX 0.89.6 - 1.02
©R¦W¹ï·Ó¡G Symantec[µL]SSS
¡@¡@¡@¡@ ¡@McAfee[µL]

¯f¬r´y­z¡G
¡@¡@ ³o¬O¤@­Óºôµ¸Ä¯Âίf¬r¡C¥¦³q¹L¤¬Ápºô¸ê·½½Æ¨î¦Û¨­¡C¸ÓįÂΦۨ­¬O¤@­Ó Windows PE EXE ¤å¥ó¡A¤j¤p 49152 ¦r¸`¡C¨Ï¥Î UPX ¥[±K¨Ã¥B¸Ñ±K«á¡A¤å¥ó¤j¤p 219 KB ¡C¥¦¬O¨Ï¥Î Borland Delphi ½s¼gªº¡C¹B¦æ«á·|±qºô¯¸¤W¤@­Ó¤ì°¨¡C

¦æ爲¤ÀªR¡G
1¡B¯f¬r¹B¦æ«á­l¥Í¯f¬r¤å¥ó¨ì Windows ®Ú¥Ø¿ý¡G

%WinDir%\rundl132.exe

2¡B¸ÓįÂΪ`¥U¸Ó¤å¥ó¨ì«Y²Îª`¥Uªí¤¤¥H½T«O¨C¦¸¶}¾÷«á¦Û°Ê¥[¸ü¡C¦b Win 98/Me «Y²Î¤¤¡G

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"load"="%WinDir%\rundl132.exe"
¦b¨ä¥¦«Y²Î¤¤¡G
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="%WinDir%\rundl132.exe"

3¡B¸ÓįÂÎÀH«áÀË´ú«Y²Î¤é´Á¡A¦pªG«Y²Î¤é´Á±ß©ó2105 ¦~ 1 ¤ë 4 ¤é¡A¥¦±N²×¤î¬¡°Ê¡C

4¡B¸ÓįÂΦP¼Ë·|¦b«Y²Î®Ú¥Ø¿ý¤Uª`¥U¤@­Ó¦W爲 Dll.dll ¤j¤p 24 575 ¦r¸`ªº¤å¥ó¡G

%WinDir%\dll.dll

5¡BįÂÎÀH«áª`¥U°ÊºAÃì±µ®w¨ì Explorer.exe ©M Iexplore.exe ¶iµ{¤¤¡A¦P®É³Ð«Ø¥H¤Uª`¥UªíÁä­È¡G

[HKLM\Software\Soft\DownloadWWW]
"auto"="1"
¨Ã¶}©l±q58.215.65.236:80¤U¸ü¤ì°¨¤å¥ó
%WinDir%\532793.DLL¡@¡@¡@¡@ ¤å¥ó¤j¤p¡G81,713 ¦r¸`
%WinDir%\532793M.BMP¡@¡@¡@¡@¤å¥ó¤j¤p¡G53,248 ¦r¸`

6¡B³q¹L§½°ìºô¶Ç¼½:

¸ÓįÂνƨî¦Û¨­¨ì¥H¤U¦@¨Éºôµ¸¸ê·½¡G
ADMIN$
IPC$

7¡B¸ÓįÂα½´y¸Ó«Y²Î¨Ã¥B²×¤î¥H¤U¦WºÙªº¶iµ{¡G

EGHOST.EXE
IPARMOR.EXE
KAVPFW.EXE
MAILMON.EXE
mcshield.exe
RavMon.exe
Ravmond.EXE
regsvc.exe

8¡B¸ÓįÂΦP¼Ë·|¬d§ä°£¤F¥H¤U¥Ø¿ý¤¤ªº©Ò¦³ EXE ¤å¥ó¡G

Common Files
ComPlus Applications
Documents and Settings
InstallShield Installation Information
Messenger
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
NetMeeting
Recycled
System
System Volume Information
system32
windows
Windows NT
WindowsUpdate
winnt

9¡B¸ÓįÂη|ÀË´ú¥H¤U¤å¥ó¦W¡A¨Ã¥B±N¸ÓįÂÎ¥»Åéª`¤J³o¨Çµ{§Ç¤å¥ó¡G

ACDSee4.exe
ACDSee5.exe
ACDSee6.exe
AgzNew.exe
Archlord.exe
AutoUpdate.exe
autoupdate.exe
BNUpdate.exe
Datang.exe
editplus.exe
EXCEL.EXE
flashget.exe
foxmail.exe
FSOnline.exe
GameClient.exe
install.exe
jxonline_t.exe
launcher.exe
lineage.exe
LineageII.exe
MHAutoPatch.exe
Mir.exe
msnmsgr.exe
Mu.exe
my.exe
NATEON.exe
NSStarter.exe
Patcher.exe
patchupdate.exe
QQ.exe
Ragnarok.exe
realplay.exe
run.exe
setup.exe
Silkroad.exe
Thunder.exe
ThunderShell.exe
TTPlayer.exe
Uedit32.exe
Winrar.exe
WINWORD.EXE
woool.exe
zfs.exe

¡@¡@·í³o¨Ç¤å¥ó³Q¹B¦æ®É¡A±N·|°õ¦æ¤@­Ó³Q·P¬Vªº¯f¬r¤å¥ó¡C

¡@¡@ ¦b©Ò¦³¥Ø¿ý¤¤±½´yÂX®i¦W爲 .exe ªº¤å¥ó¡A¸ÓįÂγЫؤ@­Ó¤å¥ó¦W爲 "_desktop.ini" ªº¤å¥ó¡C¸Ó¤å¥ó¨Ï¥Î " ÁôÂà " ©M " «Y²Î " ÄÝ©Ê¡A¨Ã¥B¥]§t¸ÓįÂιB¦æªº¤é´Á¡C

10¡B¸ÓįÂΦP¼Ëµo°e¤@­Ó ICMP ½Ð¨D¨Ï¥Î¡§Hello, World¡¨¡A¨ÓÀË´ú¥i¥Îªººôµ¸¸ê·½¡CÀH«á±½´y©Ò¦³¦@¨Éºôµ¸¸ê·½¨Ã¥B·P¬V¥H¤W©Ò´£¨ìªº¤å¥ó¡C

11¡B¸ÓįÂΦpªG¦b«Y²Î¤¤µo²{ avp.exe ¶iµ{«h·|±N¨÷¯Å§O³]¸m爲 0 ¡C

12¡B¸ÓįÂÎ¥]§t¤@­Ó URLs ¦a§}¦Cªí¨ÓÀË´ú¤å¥ó¡C¦pªG¸Ó¤å¥ó³Q«O¦s¨ì¥ô·N¤@­Ó¦a§}¡A¥¦±N³Q¤U¸ü¨ì«Y²Î¤¤¨Ã¹B¦æ¡C


--------------------------------------------------------------------------------
²M°£¤è®×¡G
1¡B¨Ï¥Î¦w¤Ñ¤ì°¨¨¾½u¥i¹ý©³²M°£¦¹¯f¬r(±ÀÂË)¡C

2¡B¤â¤u²M°£½Ð«ö·Ó¦æ爲¤ÀªR§R°£¹ïÀ³¤å¥ó¡A«ì½Æ¬ÛÃö«Y²Î³]¸m¡C

(1) ¨Ï¥Î¦w¤Ñ¤ì°¨¨¾½u¡§¶iµ{ºÞ²z¡¨Ãö³¬¯f¬r¶iµ{

rundl132.exe
dll.dll
532793.DLL
532793M.BMP

(2) §R°£¯f¬r¤å¥ó

%WinDir%\ rundl132.exe
%WinDir%\ dll.dll
%WinDir%\532793.DLL
%WinDir%\532793M.BMP

(3) §R°£¯f¬r²K¥[ªºª`¥Uªí¶µ

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"load"="%WinDir%\rundl132.exe"
¦b¨ä¥¦«Y²Î¤¤¡G
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="%WinDir%\rundl132.exe"




¦^©«¬O³Ì¦nªº¹ªÀy
2007-7-27 06:31 PM
¬d¬Ý¸ê®Æ  µoµu®ø®§   ½s¿è¤å³¹  ¤Þ¥Î¦^ÂÐ
  baolai
  VIP·|­û 
 


 
  ¿n¤À 2747
  µo¤å 164
  µù¥U 2006-9-5
  ¨Ó¦Û Taipei
  ª¬ºA Â÷½u
#2  «ì½Æ«Âª÷¯f¬r·P¬VªºEXE¤å¥ó¤p¤èªk

­º¥ý§Ú­Ì¨Ï¥Î±þ¬r³n¥ó¥H¤Î±M±þ¤u¨ã¬d±þ«Âª÷¯f¬r¡A¦ý¤d¸U­nª`·Nªº¬O¡A¹ï©ó·P¬Vªº.exe¤å¥ó¤£­n¿ï¾Ü§R°£¡A¹jÂ÷§Y¥i¡C
¡@¡@µM«á¡A¦bWindows¥Ø¿ý¤U«Ø¥ß¤@­ÓªÅ¤å¥ó¡A¤å¥ó¦W爲logo1_.exe¡A¤å¥óÄݩʳ]¸m¦¨¡§¥uŪ¡BÁôÂáB«Y²ÎÄÝ©Ê¡¨¡C«ö·Ó¦¹¤èªk¡AÁٻݫإßrundl123.exe¡Blogo_1.exe¥H¤ÎSy0.exe~Sy9.exeµ¥¤å¥ó¡C

¡@¡@±µµÛ¡A©Þ±¼ºô½u¡AÂ_¶}ºôµ¸¡A¼È®ÉÃö³¬¯f¬r¨¾Å@¡CÁÙ­ì³Q¹jÂ÷ªº.exe¤å¥ó¡AÂIÀ»¹B¦æ¡C³o®É³Q·P¬Vªº.exe¤å¥ó´N·|²æ´ß¡Alogo1_.exe¥H¤Îrundl123.exeµ¥·|³QÄÀ©ñ¡C¥Î³Ì·sªº±M±þ¹ï³o­Ó.exe¤å¥óÀË´ú¤@¹M¡AµM«á§â¥¦©ñ¤JRARÀ£ÁY¥]ùØ¡C¦bRAR¤¤ªº.exe¤å¥ó¤£·|·P¬V¡A¦bRAR¤¤¹B¦æ³o­Óµ{§Ç¤]¨S°ÝÃD¡C

¡@¡@ª`·N¡A¦b¨Ï¥Î¶W¯Å¨ß¤lµ¥³n¥ó®É¤@©w¤£¯à²M²z¦Û¤v³Ð«Øªº¨º´X­Ó¤å¥ó¡C§_«h¡A¯f¬r±N¦A¦¸¶}©l¬¡°Ê¡C

¡@¡@³Ì«á¡A¦A¦¸¥þ­±¬d±þ¡A«OÃÒ¤º³¡µL¬r¡C

http://bbs.mychat.to/read.php?fid=254&tid=593177





Åwªï¥úÁ{Ä_¨Óªº¬õ¦â¤Ñ¸ª¤l³¡¸¨®æ


2007-7-31 10:01 AM
¬d¬Ý¸ê®Æ  ³X°Ý¥D­¶  µoµu®ø®§   ½s¿è¤å³¹  ¤Þ¥Î¦^ÂÐ

¥i¥´¦Lª©¥» | ±ÀÂ˵¹ªB¤Í | ­q¾\¥DÃD | ¦¬ÂÃ¥DÃD

½×¾Â¸õÂà¿ï³æ¡G