Virus: Worm/Agobot.97918
Discovery date: 13/12/2012
Type: Worm
In the wild:
Reported infections: Medium
Distribution potential: Medium to high
Damage potential: Medium
Static file:
File size: 97,918 bytes
MD5 checksum: 445882B3C915350B29735DF1C8169ECB
VDF version: 7.11.53.216

Overview. Spreading methods:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Mytob.HL@mm
   •  Kaspersky: Net-Worm.Win32.Mytob.bw
   •  TrendMicro: WORM_MYTOB.IJ
   •  F-Secure: W32/Mytob.IQ@mm
   •  VirusBuster: I-Worm.Mytob.JF
   •  Bitdefender: Backdoor.SDBot.E0549F1E


Platforms / operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own email engine
   • Logs keystrokes
   • Modifies the registry
   • Exploits software vulnerabilities
   • Steals information
   • Allows third-party control

Files. It copies itself to the following location:
   • %SYSDIR%\svchosts.exe



It deletes the initially executed copy of itself.

Registry. The following registry keys are added in order to run the process after a system reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Win32 Driver"="svchosts.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "Win32 Driver"="svchosts.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Win32 Driver"="svchosts.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "Win32 Driver"="svchosts.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Win32 Driver"="svchosts.exe"



The following registry key is added in order to load the service after a system reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\shit]
   • "Type"=dword:00000020
   • "Start"=dword:00000004
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\svchosts.exe" -netsvcs
   • "DisplayName"="Win32 Driver"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,01,00,00,00,69,00,76,00,01,00,00,00,01,00,00,00
   • "DeleteFlag"=dword:00000001



The following registry keys and values are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\shit\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\ 00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ 00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\ 05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\ 20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\ 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\ 00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

– [HKLM\SYSTEM\CurrentControlSet\Services\shit\Enum]
   • "0"="Root\\LEGACY_SHIT\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT\0000]
   • "Service"="shit"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Win32 Driver"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="shit"
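As an added detection example (not part of the Avira description), the following Python parses a constructed .reg export and flags the persistence entries listed above: the "Win32 Driver" autostart values and a service whose ImagePath points at the look-alike svchosts.exe. The sample export and its benign ctfmon control entry are constructed for this example; real exports store REG_EXPAND_SZ values such as ImagePath as hex(2), which this parser does not decode.

```python
import re
from typing import List, Tuple

# Constructed .reg export (regedit "Export" format). The entries mirror the
# persistence values from the description above; the ctfmon line is a benign
# control entry. REG_EXPAND_SZ data (hex(2) lines) is not decoded here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 Driver"="svchosts.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Win32 Driver"="svchosts.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit]
"ImagePath"="C:\\WINDOWS\\system32\\svchosts.exe -netsvcs"
"DisplayName"="Win32 Driver"
'''

AUTOSTART_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\CurrentVersion\\RunServices")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every quoted string value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE_RE.match(line)
            if m:
                # .reg files double backslashes inside string data
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def find_mytob_persistence(text: str) -> List[str]:
    """Flag the autostart values and service image described for this worm."""
    findings = []
    for key, name, data in parse_reg(text):
        # first token of the data is the executable path; compare its basename
        exe = data.split()[0].rsplit("\\", 1)[-1].lower() if data else ""
        if key.endswith(AUTOSTART_SUFFIXES) and (name == "Win32 Driver" or exe == "svchosts.exe"):
            findings.append(f"autostart: {key}\\{name} = {data}")
        elif "\\Services\\" in key and name == "ImagePath" and exe == "svchosts.exe":
            findings.append(f"service: {key} ImagePath = {data}")
    return findings
```

Note that the value name "svchosts.exe" is matched on its basename, so it also catches the entry when the data carries a full path, while the legitimate svchost.exe is left alone.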

Email. It contains an integrated SMTP engine for sending emails and establishes a direct connection to the target server. Its characteristics are described below:


From:
A machine-generated address. Do not assume that the sender intentionally sent you this email; the sender may not know that their computer is infected, or may not be infected at all. You may also receive bounce messages telling you that you are infected, which may also not be the case.


To:
– Email addresses found in specific files on the system.
– Addresses generated by the program.


Subject:
One of the following:
   • *DETECTED* Online User Violation
   • *WARNING* YOUR EMAIL ACCOUNT IS SUSPENDED
   • Email Account Suspension
   • Important Notification
   • Members Support
   • NOTICE OF ACCOUNT LIMITATION
   • Security measures
   • Warning Message: Your services near to be closed.
   • We have suspended your account
   • You are banned!!!
   • Your Account is Suspended
   • YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS

The subject may contain random letters.


Body:
– Contains HTML code.
The body of the email looks like one of the following:

   • Dear %recipients domain% Member,
     We have temporarily suspended your email account %email application account%.
     This might be due to either of the following reasons:
     1. A recent change in your personal information (i.e. change of address).
     2. Submiting invalid information during the initial sign up process.
     3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
     See the attached details to reactivate your %recipients domain% account.
     Sincerely,The %recipients domain% Support Team

   • Dear %recipients domain% Member,
     Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
     Virtually yours,
     The %recipients domain% Support Team

   • Some information about your %recipients domain% account is attached.
     The %recipients domain% Support Team


Attachment:
The attachment filename is one of the following:
   • account-details.zip
   • account-info.zip
   • account-report.zip
   • document.zip
   • email-details.zip
   • important-details.zip
   • information.zip
   • readme.zip

The attachment is a copy of the malware itself.


The email may look like the following:


Mail. Address search:
It searches for email addresses in the following file types:
   • .wab; .html; .adb; .tbb; .dbx; .asp; .php; .xml; .cgi; .jsp; .sht; .htm


Address generation for the FROM field:
To generate addresses, it uses the following strings:
   • accounts
   • admin
   • administrator
   • info
   • mail
   • register
   • service
   • support
   • webmaster

It combines the result with domains found in the files it previously searched for addresses.


Address generation for the TO field:
To generate addresses, it uses the following strings:
   • adam; alex; andrew; anna; bill; bob; brenda; brent; brian; claudia;
      dan; dave; david; debby; frank; fred; george; helen; jack; james;
      jane; jerry; jim; jimmy; joe; john; jose; josh; julie; kevin; leo;
      linda; maria; mary; matt; michael; mike; paul; peter; ray; robert;
      sales; sam; sandra; serg; smith; stan; steve; ted; tom

It combines the result with domains found in the files it previously searched for addresses.


Avoided addresses:
It does not send emails to addresses containing one of the following strings:
   • "accoun"; "certific"; "listserv"; "ntivi"; "support"; "icrosoft";
      "admin"; "page"; "the.bat"; "gold-certs"; "feste"; "submit"; "not";
      "help"; "service"; "privacy"; "somebody"; "soft"; "contact"; "site";
      "rating"; "bugs"; "you"; "your"; "someone"; "anyone"; "nothing";
      "nobody"; "noone"; "webmaster"; "postmaster"; "samples"; "info";
      "root"; "mozilla"; "utgers.ed"; "tanford.e"; "pgp"; "acketst";
      "secur"; "isc.o"; "isi.e"; "ripe."; "arin."; "sendmail"; "rfc-ed";
      "ietf"; "iana"; "usenet"; "fido"; "linux"; "kernel"; "google";
      "ibm.com"; "fsf."; "gnu"; "mit.e"; "bsd"; "math"; "unix"; "berkeley";
      "foo."; ".mil"; "gov."; ".gov"; "ruslis"; "nodomai"; "mydomai";
      "example"; "inpris"; "borlan"; "sopho"; "panda"; "hotmail"; "msn.";
      "icrosof"; "syma"; "avp"; ".edu"; "abuse"; "abuse"


Prepended MX strings:
To obtain the IP address of the mail server, it can prepend the following strings to the domain name:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mx1.
   • smtp.
   • mail.
   • mx.

Network infection. In order to spread, the malware tries to connect to other computers as described below.


Exploits:
It exploits the following vulnerabilities:
– MS03-049 (buffer overflow in the Workstation service)
– MS04-007 (ASN.1 vulnerability)
– MS04-011 (LSASS vulnerability)


IP address generation:
It creates random IP addresses but keeps the first octet of its own address. It then tries to connect to the created addresses.


Infection process:
Creates an FTP script on the compromised computer in order to download the malware to the remote location.

IRC. To provide system information and remote control, it connects to the following IRC server:

Server: time.sanalcheh**********.com
Port: 7745
Channel: #zebra
Nickname: akira-%random character string%



– This malware can collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Memory size
    • Windows directory


– Furthermore, it can perform the following actions:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable network file sharing
    • Download file
    • Enable network shares
    • Execute file
    • Perform network scan
    • Perform port redirection
    • Reboot the system
    • Start spreading routine
    • Update itself
    • Upload file

Backdoor. The following port is opened:

– %SYSDIR%\svchosts.exe on a random TCP port, in order to provide an FTP server.

Stealing. It tries to steal the following information:

– After a keystroke sequence matching one of the following strings is entered, it starts a logging routine:
   • paypal
   • PAYPAL

– It captures:
    • Keystrokes

– After a website whose URL contains one of the following substrings is visited, it starts a logging routine:
   • paypal.com
   • PAYPAL.COM

– It captures:
    • Login information

File details. Programming language:
The malware program was written in Borland C++.


Runtime packer:
To make detection harder and to reduce the file size, it was packed with the following runtime packer:
   • PE Pack 1.0

Description inserted by Andrei Gherman on Tuesday, 30 August 2005
Description updated by Andrei Gherman on Wednesday, 31 August 2005
