Need help? Ask the community or hire an expert.
Go to Avira Answers
病毒:Worm/RBot.213504
发现日期:13/12/2012
类型:蠕虫
广泛传播:
病毒传播个案呈报:低程度
感染/传播能力:中等程度
破坏 / 损害程度:中等程度
静态文件:
文件大小:213.504 字节
MD5 校检和:dc3839955b70c30Aef19c441cb9c65e1
VDF 版本:7.11.53.216

 况概描述 传播方法:
   • 局域网络


别名:
   •  Symantec: W32.Spybot.Worm
   •  Kaspersky: Backdoor.Win32.Rbot.amh
   •  Eset: Win32/Rbot
   •  Bitdefender: Backdoor.Rbot.AMH


平台/操作系统:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


副作用:
   • 关闭安全应用程序
   • 注册表修改
   • 利用软件漏洞
   • 第三方控件

 文件 它将本身复制到以下位置:
   • %WINDIR%\wmedia.exe

 注册表 会添加以下注册表项,以便在系统重新引导后运行进程:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Windows Media Player Service"="wmedia.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   • "Windows Media Player Service"="wmedia.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "Windows Media Player Service"="wmedia.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
   • "Windows Media Player Service"="wmedia.exe"



会添加以下注册表项目注册值:

– HKLM\SOFTWARE\Microsoft\Ole
   • "Windows Media Player Service"="wmedia.exe"

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   • "Windows Media Player Service"="wmedia.exe"



会更改以下注册表项:

– HKLM\SOFTWARE\Microsoft\Ole
   旧值:
   • "EnableDCOM"=%用户定义的设置%
   新值:
   • "EnableDCOM"="N"

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   旧值:
   • "restrictanonymous"=%用户定义的设置%
   新值:
   • "restrictanonymous"=dword:00000001

停用 Windows 防火墙:
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
   旧值:
   • "Start"=%用户定义的设置%
   新值:
   • "Start"=dword:00000004

 网络感染 该恶意软件会尝试以下方式连接其他计算机来作广泛传播/感染。

它会将其本身的副本植入以下网络共享中:
   • IPC$
   • C$
   • ADMIN$


漏洞攻击:
它会利用以下漏洞攻击:
– MS03-026 (RPC 接口中的缓冲区溢出)
– MS03-039 (RPCSS 服务中的缓冲区溢出)
– MS04-007 (ASN.1 漏洞)
– MS05-039 (即插即用中的漏洞)


感染进程:
在受影响的计算机上创建 TFTP 或 FTP 脚本,以便将恶意软件下载到远程位置。


远程执行:
–它会尝试在刚感染的计算机上安排远程执行恶意软件。 因此,它会使用NetScheduleJobAdd 功能。

 IRC 为了提供系统信息和远程控制,它会连接到以下 IRC 服务器:

服务器: irc.optix**********
端口: 35868
通道: #0wned
昵称: [F][Rs]-%数字%
密码: Serve



– 此恶意软件能够搜集并发送类似如下信息:
    • 搜集的电子邮件地址
    • CPU 速度
    • 当前用户
    • 有关驱动程序的详细信息
    • 可用磁盘空间
    • 可用内存
    • 有关网络的信息
    • 运行中进程的信息
    • 内存大小
    • 用户名
    • Windows 操作系统信息


– 而且,它能够进行此般操作:
    • 启动 DDoS ICMP 洪水攻击
    • 启动 DDoS SYN 洪水攻击
    • 关闭 DCOM
    • 关闭网络文件共享
    • 下载文件
    • 启用 DCOM
    • 启用网络共享
    • 执行文件
    • 加入 IRC 通道
    • 结束进程
    • 离开 IRC 通道
    • 打开远程 Shell
    • 执行 DDoS 攻击
    • 执行网络扫描
    • 注册服务
    • 启动传播例程
    • 终止恶意软件
    • 终止进程
    • 自行更新

 进程终止 被终止进程列表:
   • _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; ANTI-TROJAN.EXE; ANTIVIRUS.EXE;
      ANTS.EXE; APIMONITOR.EXE; ARR.EXE; ATCON.EXE; ATGUARD.EXE;
      ATRO55EN.EXE; ATUPDATER.EXE; ATWATCH.EXE; AU.EXE; AUPDATE.EXE;
      AUTODOWN.EXE; AUTO-PROTECT.NAV80TRY.EXE; AUTOTRACE.EXE;
      AUTOUPDATE.EXE; AVCONSOL.EXE; AVE32.EXE; AVGCC32.EXE; AVGCTRL.EXE;
      AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE; AVGUARD.EXE; AVGW.EXE;
      AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE; AVKWCTl9.EXE; AVLTMAIN.EXE;
      AVNT.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPDOS32.EXE; AVPM.EXE;
      AVPTC32.EXE; AVPUPD.EXE; AVSCHED32.EXE; AVSYNMGR.EXE; AVWIN95.EXE;
      AVWINNT.EXE; AVWUPD.EXE; AVWUPD32.EXE; AVWUPSRV.EXE; AVXMONITOR9X.EXE;
      AVXMONITORNT.EXE; AVXQUAR.EXE; BACKWEB.EXE; BARGAINS.EXE;
      BD_PROFESSIONAL.EXE; BDSS.EXE; BDSWITCH.EXE; BEAGLE.EXE; BELT.EXE;
      BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE; BIPCPEVALSETUP.EXE; BISP.EXE;
      BLACKD.EXE; BLACKICE.EXE; BLSS.EXE; BOOTCONF.EXE; BOOTWARN.EXE;
      BORG2.EXE; BPC.EXE; BRASIL.EXE; BS120.EXE; BUNDLE.EXE; BVT.EXE;
      CCAPP.EXE; CCEVTMGR.EXE; CCPXYSVC.EXE; CDP.EXE; CFD.EXE; CFGWIZ.EXE;
      CFIADMIN.EXE; CFIAUDIT.EXE; CFINET.EXE; CFINET32.EXE; Claw95.EXE;
      CLAW95CF.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE; CLEANPC.EXE;
      CLICK.EXE; CMD.EXE; CMD32.EXE; CMESYS.EXE; CMGRDIAN.EXE; CMON016.EXE;
      CONNECTIONMONITOR.EXE; CPD.EXE; CPF9X206.EXE; CPFNT206.EXE; CTRL.EXE;
      CV.EXE; CWNB181.EXE; CWNTDWMO.EXE; DATEMANAGER.EXE; DCOMX.EXE;
      DEFALERT.EXE; DEFSCANGUI.EXE; DEFWATCH.EXE; DEPUTY.EXE; DIVX.EXE;
      DLLCACHE.EXE; DLLREG.EXE; DOORS.EXE; DPF.EXE; DPFSETUP.EXE; DPPS2.EXE;
      DRWATSON.EXE; DRWEB32.EXE; DRWEBUPW.EXE; DSSAGENT.EXE; DVP95.EXE;
      DVP95_0.EXE; ECENGINE.EXE; EFPEADM.EXE; EMSW.EXE; ENT.EXE; ESAFE.EXE;
      ESCANH95.EXE; ESCANHNT.EXE; ESCANV95.EXE; ESPWATCH.EXE; ETHEREAL.EXE;
      ETRUSTCIPE.EXE; EVPN.EXE; EXANTIVIRUS-CNET.EXE; EXE.AVXW.EXE;
      EXPERT.EXE; EXPLORE.EXE; F-AGNT95.EXE; F-AGOBOT.EXE; FAMEH32.EXE;
      FAST.EXE; FCH32.EXE; FIH32.EXE; FINDVIRU.EXE; FIREWALL.EXE;
      FLOWPROTECTOR.EXE; FNRB32.EXE; FPROT.EXE; F-PROT.EXE; F-PROT95.EXE;
      FP-WIN.EXE; FP-WIN_TRIAL.EXE; FRW.EXE; FSAA.EXE; FSAV.EXE; FSAV32.EXE;
      FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE; FSGK32.EXE; FSM32.EXE;
      FSMA32.EXE; FSMB32.EXE; F-STOPW.EXE; GATOR.EXE; GBMENU.EXE;
      GBPOLL.EXE; GENERICS.EXE; GMT.EXE; GUARD.EXE; GUARDDOG.EXE;
      HACKTRACERSETUP.EXE; HBINST.EXE; HBSRV.EXE; HIJACKTHIS.EXE;
      HOTACTIO.EXE; HOTPATCH.EXE; HTLOG.EXE; HTPATCH.EXE; HWPE.EXE;
      HXDL.EXE; HXIUL.EXE; IAMAPP.EXE; IAMSERV.EXE; IAMSTATS.EXE;
      IBMASN.EXE; IBMAVSP.EXE; ICLOAD95.EXE; ICLOADNT.EXE; ICMON.EXE;
      ICSUPP95.EXE; ICSUPPNT.EXE; IDLE.EXE; IEDLL.EXE; IEDRIVER.EXE;
      IEXPLORER.EXE; IFACE.EXE; IFW2000.EXE; INETLNFO.EXE; INFUS.EXE;
      INFWIN.EXE; INIT.EXE; INTDEL.EXE; INTREN.EXE; IOMON98.EXE;
      IPARMOR.EXE; IRIS.EXE; ISASS.EXE; ISRV95.EXE; ISTSVC.EXE; JAMMER.EXE;
      JDBGMRG.EXE; JEDI.EXE; KAVLITE40ENG.EXE; KAVPERS40ENG.EXE; KAVPF.EXE;
      KAZZA.EXE; KEENVALUE.EXE; KERIO-PF-213-EN-WIN.EXE;
      KERIO-WRL-421-EN-WIN.EXE; KERIO-WRP-421-EN-WIN.EXE; KERNEL32.EXE;
      KILLPROCESSSETUP161.EXE; LAUNCHER.EXE; LDNETMON.EXE; LDPRO.EXE;
      LDPROMENU.EXE; LDSCAN.EXE; LNETINFO.EXE; LOADER.EXE; LOCALNET.EXE;
      LOCKDOWN.EXE; LOCKDOWN2000.EXE; LOOKOUT.EXE; LORDPE.EXE; LSETUP.EXE;
      LUALL.EXE; LUAU.EXE; LUCOMSERVER.EXE; LUINIT.EXE; LUSPT.EXE;
      MAPISVC32.EXE; MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE;
      MCUPDATE.EXE; MCVSRTE.EXE; MCVSSHLD.EXE; MD.EXE; MFIN32.EXE;
      MFW2EN.EXE; MFWENG3.02D30.EXE; MGAVRTCL.EXE; MGAVRTE.EXE; MGHTML.EXE;
      MGUI.EXE; MINILOG.EXE; MMOD.EXE; MONITOR.EXE; MOOLIVE.EXE; MOSTAT.EXE;
      MPFAGENT.EXE; MPFSERVICE.EXE; MPFTRAY.EXE; MRFLUX.EXE; MSAPP.EXE;
      MSBB.EXE; MSBLAST.EXE; MSCACHE.EXE; MSCCN32.EXE; MSCMAN.EXE;
      MSCONFIG.EXE; MSDM.EXE; MSDOS.EXE; MSIEXEC16.EXE; MSINFO32.EXE;
      MSLAUGH.EXE; MSMGT.EXE; MSMSGRI32.EXE; MSSMMC32.EXE; MSSYS.EXE;
      MSVXD.EXE; MU0311AD.EXE; MWATCH.EXE; N32SCANW.EXE; NAV.EXE;
      NAVAP.NAVAPSVC.EXE; NAVAPSVC.EXE; NAVAPW32.EXE; NAVDX.EXE;
      NAVENGNAVEX15.NAVLU32.EXE; NAVLU32.EXE; NAVNT.EXE; NAVSTUB.EXE;
      NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NCINST4.EXE; NDD32.EXE;
      NEOMONITOR.EXE; NEOWATCHLOG.EXE; NETARMOR.EXE; NETD32.EXE;
      NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE;
      NETSTAT.EXE; NETUTILS.EXE; NISSERV.EXE; NISUM.EXE; NMAIN.EXE;
      NOD32.EXE; NORMIST.EXE; NORTON_INTERNET_SECU_3.0_407.EXE;
      NOTSTART.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
      NPROTECT.EXE; NPSCHECK.EXE; NPSSVC.EXE; NSCHED32.EXE; NSSYS32.EXE;
      NSTASK32.EXE; NSUPDATE.EXE; NT.EXE; NTRTSCAN.EXE; NTVDM.EXE;
      NTXconfig.EXE; NUI.EXE; NUPGRADE.EXE; NVARCH16.EXE; NVC95.EXE;
      NVSVC32.EXE; NWINST4.EXE; NWSERVICE.EXE; NWTOOL16.EXE; OLLYDBG.EXE;
      ONSRVR.EXE; OPTIMIZE.EXE; OSTRONET.EXE; OTFIX.EXE; OUTPOST.EXE;
      OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE; PADMIN.EXE; PANIXK.EXE;
      PATCH.EXE; PAVCL.EXE; PAVPROXY.EXE; PAVSCHED.EXE; PAVW.EXE;
      PCC2002S902.EXE; PCC2K_76_1436.EXE; PCCIOMON.EXE; PCCNTMON.EXE;
      PCCWIN97.EXE; PCCWIN98.EXE; PCDSETUP.EXE; PCFWALLICON.EXE;
      PCIP10117_0.EXE; PCSCAN.EXE; PDSETUP.EXE; PENIS.EXE; PERISCOPE.EXE;
      PERSFW.EXE; PERSWF.EXE; PF2.EXE; PFWADMIN.EXE; PGMONITR.EXE;
      PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE; POPROXY.EXE; POPSCAN.EXE;
      PORTDETECTIVE.EXE; PORTMONITOR.EXE; POWERSCAN.EXE; PPINUPDT.EXE;
      PPTBC.EXE; PPVSTOP.EXE; PRIZESURFER.EXE; PRMT.EXE; PRMVR.EXE;
      PROCDUMP.EXE; PROCESSMONITOR.EXE; PROCEXPLORERV1.0.EXE;
      PROGRAMAUDITOR.EXE; PROPORT.EXE; PROTECTX.EXE; PSPF.EXE; PURGE.EXE;
      PUSSY.EXE; PVIEW95.EXE; QCONSOLE.EXE; QSERVER.EXE; RAPAPP.EXE;
      RAV.EXE; RAV7.EXE; RAV7WIN.EXE; RAV8WIN32ENG.EXE; RAY.EXE; RB32.EXE;
      RCSYNC.EXE; REALMON.EXE; REGED.EXE; REGEDIT.EXE; REGEDT32.EXE;
      RESCUE.EXE; RESCUE32.EXE; RRGUARD.EXE; RSHELL.EXE; RTVSCAN.EXE;
      RTVSCN95.EXE; RULAUNCH.EXE; RUN32DLL.EXE; RUNDLL.EXE; RUNDLL16.EXE;
      RUXDLL32.EXE; SAFEWEB.EXE; SAHAGENT.EXE; SAVE.EXE; SAVENOW.EXE;
      SBSERV.EXE; SC.EXE; SCAM32.EXE; SCAN.EXE; SCAN32.EXE; SCAN95.EXE;
      SCANPM.EXE; SCRSCAN.EXE; SCRSVR.EXE; SCVHOST.EXE; SD.EXE; SERV95.EXE;
      SERVICE.EXE; SERVLCE.EXE; SERVLCES.EXE; SETUP_FLOWPROTECTOR_US.EXE;
      SETUPVAMEEVAL.EXE; SFC.EXE; SGSSFW32.EXE; SH.EXE; SHELLSPYINSTALL.EXE;
      SHN.EXE; SHOWBEHIND.EXE; SMC.EXE; SMS.EXE; SMSS32.EXE; SOAP.EXE;
      SOFI.EXE; SPERM.EXE; SPF.EXE; SPHINX.EXE; SPOLER.EXE; SPOOLCV.EXE;
      SPOOLSV32.EXE; SPYXX.EXE; SREXE.EXE; SRNG.EXE; SS3EDIT.EXE;
      SSG_4104.EXE; SSGRATE.EXE; ST2.EXE; START.EXE; STCLOADER.EXE;
      SUPFTRL.EXE; SUPPORT.EXE; SUPPORTER5.EXE; SVC.EXE; SVCHOSTC.EXE;
      SVCHOSTS.EXE; SVSHOST.EXE; SWEEP95.EXE;
      SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SYMPROXYSVC.EXE; SYMTRAY.EXE;
      SYSEDIT.EXE; SYSTEM.EXE; SYSTEM32.EXE; SYSUPD.EXE; TASKMG.EXE;
      TASKMGR.EXE; TASKMO.EXE; TASKMON.EXE; TAUMON.EXE; TBSCAN.EXE; TC.EXE;
      TCA.EXE; TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE; TDS-3.EXE; TEEKIDS.EXE;
      TFAK.EXE; TFAK5.EXE; TGBOB.EXE; TITANIN.EXE; TITANINXP.EXE;
      TRACERT.EXE; TRICKLER.EXE; TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE;
      TSADBOT.EXE; TVMD.EXE; TVTMD.EXE; UNDOBOOT.EXE; UPDAT.EXE; UPDATE.EXE;
      UPGRAD.EXE; UTPOST.EXE; VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE;
      VBWIN9X.EXE; VBWINNTW.EXE; VCSETUP.EXE; VET32.EXE; VET95.EXE;
      VETTRAY.EXE; VFSETUP.EXE; VIR-HELP.EXE; VIRUSMDPERSONALFIREWALL.EXE;
      VNLAN300.EXE; VNPC3000.EXE; VPC32.EXE; VPC42.EXE; VPFW30S.EXE;
      VPTRAY.EXE; VSCAN40.EXE; VSCENU6.02D30.EXE; VSCHED.EXE; VSECOMR.EXE;
      VSHWIN32.EXE; VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE;
      VSWIN9XE.EXE; VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE; W9X.EXE;
      WATCHDOG.EXE; WEBDAV.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE;
      WGFE95.EXE; WHOSWATCHINGME.EXE; WIMMUN32.EXE; WIN32.EXE; WIN32US.EXE;
      WINACTIVE.EXE; WIN-BUGSFIX.EXE; WINDOW.EXE; WINDOWS.EXE; WININETD.EXE;
      WININIT.EXE; WININITX.EXE; WINLOGIN.EXE; WINMAIN.EXE; WINMUN32;
      WINNET.EXE; WINPPR32.EXE; WINRECON.EXE; WINSERVN.EXE; WINSSK32.EXE;
      WINSTART.EXE; WINSTART001.EXE; WINTSK32.EXE; WINUPDATE.EXE;
      WKUFIND.EXE; WNAD.EXE; WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE;
      WUPDATER.EXE; WUPDT.EXE; WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE;
      ZAPRO.EXE; ZAPSETUP3001.EXE; ZATUTOR.EXE; ZONALM2601.EXE;
      ZONEALARM.EXE

它会尝试终止以下进程并删除相应的文件:
   • teekids.exe
   • MSBLAST.exe
   • mscvb32.exe
   • Penis32.exe
   • sysinfo.exe
   • PandaAVEngine.exe
   • taskmon.exe


会关闭以下服务:
   • Automatic Updates

 窃取 – 它会使用网络嗅探器来检查以下字符串:
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :*login; :-login; :+login; :/login; :\login; :=login; :?login;
      :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth;
      :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth;
      :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id;
      :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id;
      :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin;
      :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x;
      :.syn; :!syn; :$syn; :%syn

 其他 Mutex:
它会创建以下 Mutex:
   • lustrare licks his toes LOL

 文件详细信息 编程语言:
该恶意软件程序是用 MS Visual C++ 编写的。


运行时压缩程序:
为了提高检测难度以及减小文件,它已使用运行时压缩程序进行压缩。

설명 삽입자 Irina Boldea   2006년 5월 11일 목요일
설명 업데이트 Irina Boldea   2006년 5월 11일 목요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.