Virus: Worm/Darby.O
Date discovered: 13/12/2012
Type: Worm
In the wild:
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Medium
Static file:
File size: 140.470 bytes
MD5 checksum: c7a286a790fcb6b93264b2cc26522cf3
VDF version: 7.11.53.216

General: Methods of propagation:
   • Email
   • Local network
   • Peer to Peer


Aliases:
   •  Symantec: W32.Darby.B
   •  Kaspersky: P2P-Worm.Win32.Darby.o
   •  TrendMicro: WORM_DARBY.O
   •  Sophos: W32/Darby-O
   •  Grisoft: Worm/Darby.S
   •  VirusBuster: Worm.P2P.Darby.Q
   •  Bitdefender: Win32.Worm.P2P.Darby.O


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Uses its own email engine
   • Lowers security settings
   • Registry modification


The following information is displayed after execution:


Files: It copies itself to the following location using one of the file names from the list:
– To: %SYSDIR%\ using the following names:
   • %random string%.exe
   • %random string%.bat
   • %random string%.cmd
   • %random string%.scr




The following files are created:

– Non-malicious files:
   • %SYSDIR%\bZip.exe
   • c:\bardiel.hta

– File containing collected email addresses:
   • %TEMPDIR%\mail.dat

Registry: The following registry key is added in order to run the process after a system reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • %random string%=%SYSDIR%\%random string%



The following registry keys and values are added:

– HKLM\Software\GedzacLABS\Bardiel.d
   • "Parent" = "%SYSDIR%\%random string%"
   • "Sey3" = "%random string%)%random string%"
   • "Sey2" = "%random string%)%random string%"
   • "Sey1" = "%random string%)%random string%"

– HKLM\Software\Microsoft\Active Setup\Installed Components\Bardiel
   • "StubPath" = "%SYSDIR%\%random string%"

– HKLM\SYSTEM\CurrentControlSet\Services\GEDZAC LABS
   • "ImagePath" = "%SYSDIR%\%random string%"
   • "DisplayName" = "GEDZAC Service"
   • "ObjectName" = "LocalSystem"
   • "ErrorControl" = dword:00000001
   • "Start" = dword:00000002
   • "Description" = "GEDZAC Service for W32.Bardiel.D"
   • "Type" = dword:00000010

Disables Regedit and Task Manager:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Shell" = "%user-defined settings%"
   New value:
   • "Shell" = "Explorer.exe %SYSDIR%\%random string%"

Disables Regedit and Task Manager:
– HKCR\regfile\shell\open\command
   Old value:
   • "@" = "%user-defined settings%"
   New value:
   • "@" = "GDC"

– HKLM\Software\Microsoft\Windows Scripting Host\Settings
   Old value:
   • "Timeout" = dword:00000000
   New value:
   • "Timeout" = dword:00000000

– HKLM\Software\Microsoft\Windows Script Host\Settings
   Old value:
   • "Timeout" = dword:00000000
   New value:
   • "Timeout" = dword:00000000

– HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System
   Old value:
   • "DisableTaskMgr" = %user-defined settings%
   • "DisableRegistryTools" = %user-defined settings%
   New value:
   • "DisableTaskMgr" = dword:00000001
   • "DisableRegistryTools" = dword:00000001

– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Old value:
   • "DisableTaskMgr" = %user-defined settings%
   • "DisableRegistryTools" = %user-defined settings%
   New value:
   • "DisableTaskMgr" = dword:00000001
   • "DisableRegistryTools" = dword:00000001

– HKCR\exefile\shell\open\command\
   Old value:
   • "@" = "%user-defined settings%"
   New value:
   • "@" = "%SYSDIR%\%random string%"%1" %*"

– HKCR\batfile\shell\open\command\
   Old value:
   • "@" = "%user-defined settings%"
   New value:
   • "@" = "%SYSDIR%\%random string%"%1" %*"

– HKCR\comfile\shell\open\command\
   Old value:
   • "@" = "%user-defined settings%"
   New value:
   • "@" = "%SYSDIR%\%random string%"%1" %*"

– HKCR\piffile\shell\open\command\
   Old value:
   • "@" = "%user-defined settings%"
   New value:
   • "@" = "%SYSDIR%\%random string%"%1" %*"

– HKCR\scrfile\shell\open\command\
   Old value:
   • "@" = "%user-defined settings%"
   New value:
   • "@" = "%SYSDIR%\%random string%"%1" %*"
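
The registry changes above (file-association handlers that run the worm before the real file, a broken regfile handler, a chained Winlogon Shell, policy values that disable Task Manager and Regedit, and the GedzacLABS marker keys) can be checked offline in an exported hive. The following Python is an added example, not code from the Avira description: it parses a `reg export` text and flags those indicators; the sample export and the file name kjqweu.exe (standing in for %random string%) are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` (.reg) text; kjqweu.exe stands in for %random string%.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\kjqweu.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="GDC"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\kjqweu.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\GedzacLABS\Bardiel.d]
"Parent"="C:\\WINDOWS\\system32\\kjqweu.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GEDZAC LABS]
"DisplayName"="GEDZAC Service"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key path: {value name: value}}; paths and names are lower-cased
    (the registry is case-insensitive) and the default value is stored under '@'."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"').lower()
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                # undo the .reg escaping of \\ and \"
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
            else:
                keys[current][name] = data  # hex(...) and other types are left raw
    return keys

HIJACKABLE = ("exefile", "batfile", "comfile", "piffile", "scrfile")
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY = r"software\microsoft\windows\currentversion\policies\system"

def check_darby_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per registry change from the description that is present."""
    findings: List[str] = []
    for cls in HIJACKABLE:
        cmd = keys.get(r"hkey_classes_root\%s\shell\open\command" % cls, {}).get("@")
        # A clean handler passes the file straight through ("%1" comes first); the worm
        # prepends its own executable so it runs on every EXE/BAT/COM/PIF/SCR launch.
        if isinstance(cmd, str) and not cmd.lstrip().startswith('"%1"'):
            findings.append("%s handler hijacked: %s" % (cls, cmd))
    regcmd = keys.get(r"hkey_classes_root\regfile\shell\open\command", {}).get("@")
    if isinstance(regcmd, str) and "regedit" not in regcmd.lower():
        findings.append("regfile handler broken (Regedit disabled): %s" % regcmd)
    shell = keys.get(WINLOGON, {}).get("shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append("Winlogon Shell chains an extra program: %s" % shell)
    for hive in ("hkey_current_user", "hkey_local_machine"):
        policy = keys.get(hive + "\\" + POLICY, {})
        for name in ("DisableTaskMgr", "DisableRegistryTools"):
            if policy.get(name.lower()) == 1:
                findings.append("%s=1 under %s" % (name, hive.upper()))
    for path in keys:
        if "gedzaclabs" in path or path.endswith(r"\services\gedzac labs"):
            findings.append("Darby/Bardiel marker key present: %s" % path)
    return findings

def scan_reg_text(text: str) -> List[str]:
    return check_darby_indicators(parse_reg_export(text))
```

Run `scan_reg_text` over the output of `reg export HKCR`, `reg export HKLM` and `reg export HKCU` from the suspect machine; the batfile entry in the sample shows that an untouched handler produces no finding.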

Email: It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. Its characteristics are described below:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from the WAB (Windows Address Book)


Email design:

Subject: Mail Delivery Return System
Body:
   • La información no pudo ser enviada a uno o más destinatarios
Attachment:
   • ReturnMsg.zip ReturnMsg

Subject: Hola %username from receiver's email address%
Body:
   • Te envio la info que me pediste, responde que tal esta, bye
Attachment:
   • videoClip.zip
   • Tienes un Mensage %username from receiver's email address%

Subject: Sabes si te mienten?
Body:
   • El lenguage corporal delata sutilmente la mentira, 5 tips para saber si te estan diciendo la verdad.
Attachment:
   • NoMentir.zip
   • NoMentir

Subject: Manual de Seduccion
Body:
   • Quieres mejorar tu exito con el sexo opuesto, pos echale un ojo a este texto. que tiene utiles consejos
Attachment:
   • Seduc.zip
   • Arte de Seducir

Subject: tienes un Regalo Virtual
Body:
   • Te han enviado un Regalo virtual, esta disponible durante 7 dias, descargalo o entra al link :)
Attachment:
   • Virtual0034.zip
   • %username from receiver's email address%

Subject: Gusanito.com
Body:
   • Hay una targeta disponible para ti de parte de un amigo. descargala o entra al link :)
Attachment:
   • E-Card.zip
   • Targeta Virtua

Subject: Fotos en tu email
Body:
   • XXX Todo Vale XXX
Attachment:
   • xImages.zip
   • Mirame ;)

Subject: Que hay detras de un beso
Body:
   • Sabes que significa la forma de besar o que tipos y tecnicas existen, conocelas
Attachment:
   • beso.zip
   • Besos

Subject: Sexo Tantrico
Body:
   • Tantra: antigua disciplina oriental para mejorar el desempeño
Attachment:
   • Sex_Tantra.zip
   • Sexo Tantrico Images

Subject: No Adware
Body:
   • Se te cambia la pagina de inicio?, te salen ventanas de publicidad, problemas con dialers, troyanos u otros adwares, prueba este programa gratis y acabemos con la lacra que es el Adware
Attachment:
   • CwshredderPlus.zip
   • Limpiar Pc

Subject: Hey
Body:
   • mira la imagen 30 segundos y luego mira a otra parte y veras algo sorprendente (buena ilusion optica, casi alucinacion)
Attachment:
   • IlusionI.zip
   • Imagenes

Subject: Mira la foto
Body:
   • Mira mi foto ;)
Attachment:
   • Photo.zip
   • Mi Album

Subject: Que significa tu nombre?
Body:
   • Los nombres y los apellidos como toda palabra tienen un significado, el cual ya en la mayoria de veces o no recordamos, tal vez encuentres el significado del tuyo en nuestra base de datos :)
Attachment:
   • SigNombre.zip
   • Tu Nombre

Subject: Eres inteligente? ;)
Body:
   • El Papa de rosa era un empleado en una compañía de seguros, vivia modestamente, tenia una casa mediana, un auto no muy nuevo y un perro, pero lo que el queria más eran sus 3 hijas: Ana, Ane y ...
     Como se llamaba su otra hija?
Attachment:
   • RptAcertijos.zip
   • Respuesta

Subject: Hack Hotmail
Body:
   • Quisiste hackear una cuenta de hotmail alguna vez, entonces prueba esta tecnica, y lo bueno es que no se nesecita ser un Hacker para usarla.
Attachment:
   • HackHotmail.zip
   • HackHotmail

Subject: Respuesta para
Body:
   • La respuesta a su pedido ha sido aprobada, con lo que se hace acreedor de las ventajas y descuentos de nuestro circulo, para mas detalles vea texto el adjunto.
Attachment:
   • Respuesta para %username from receiver's email address% .zip
   • Admin Page

Subject: Importante para
Body:
   • Hola, no me conoces, pero te envio algo que te interesara, ojala te sea de utilidad, bye
Attachment:
   • _msg.zip
   • Mensage

Subject: Click en el adjunto y pon audifono :)
Body:
   • Escuchate esta cancion, Carta a Santa Claus III ;)
Attachment:
   • FuckSanta.zip
   • Play Song

Subject: quieres saber cuan psicopata eres?
Body:
   • Este es un test usado por el ejercito de estados unidos al reclutar soldados, para en palabras simples medir cuan propensos a la locura son, hacelo y ve cuan zafado estas.
Attachment:
   • TestRayado.zip
   • Test Aqui

Subject: Dibujitos (Esta Buenisimo)
Body:
   • Mirate esto ;)
Attachment:
   • Dibujitos.zip
   • at the picture


Subject: Osama Ben Laden el hombre que le declaro la Guerra a Estados Unidos
Body:
   • Que lo indujo a dejar una posible vida de lujos(es millonario), para embarcarse en una guerra santa contra USA, sabias que las familias de Bush y Osama se conocian, enterate de las verdaderas causas de su guerra aqui.
Attachment:
   • Osama.zip
   • Osama Web

Subject: PornStars Show
Body:
   • Mira este scrensaver de las actrices del cine porno
Attachment:
   • PornStars.zip
   • PorStars All Access

Subject: Solo la pura verdad
Body:
   • Asi es la vida :(
     e picture
     Solo la Pura Verdad
Attachment:
   • ZALIA.zip

Subject: 16 Fotos de las mejores conejitas de Playboy
Body:
   • Las mejores fotos de PlayBoy de este año, pasalas ;)
Attachment:
   • 16Playboy.zip
   • Planeta PlayBoy

Subject: Aviso Importante
Body:
   • Debido a las reformas del servidor, se pide a los usuarios completar el nuevo registro a fin de validar sus cuentas y no sean suspendidas. Atentamente AdminSystem
Attachment:
   • Registro.zip
   • Nuevo Registro

Subject: Diez mandamientos del Amor y Sexo
Body:
   • Mantener una relacion amorosa saludable y exitante exige mucho esfuerzo y muchas ganas, te damos estas 10 claves
Attachment:
   • 10Claves.zip
   • Amor y Sexo

Subject: Como Saber si le Gustas?
Body:
   • Te mueres por esa persona, pero no sabes si decirle algo, porque capaz no te da bola, con este test puedes descubrir detalles que te indiquen que siente por ti :)
Attachment:
   • TestG.zip
   • My Page

Subject: 100% Ideal
Body:
   • Participa en este rompecabezas, si se pudiera crear a la(el) Chica(o) Ideal escogiendo un rostro de aqui y una silueta de alla, como seria tu pareja Ideal?
Attachment:
   • Ideal.zip
   • 100% Ideal

Subject: Vision del Futuro
Body:
   • TodO hA sIdO Dad0
Attachment:
   • TuFuturo.zip
   • Necromancia

Subject: Que Raro
Body:
   • Miralo tu mismo
Attachment:
   • QueRaro.zip
   • Que Raro

Subject: Mail Delivery Return System
Body:
   • The information could not be a correspondent to one or more addressees.
Attachment:
   • ReturnMsg.zip
   • ReturnMsg

Subject: Hello %username from receiver's email address%
Body:
   • I ship You the info that you requested me, responds that such this, bye
Attachment:
   • videoClip.zip
   • you Have a Mensage

Subject: do you Know if they lie you?
Body:
   • The corporal language accuses the lie subtly, 5 tips to know if they are telling you the truth.
Attachment:
   • Lie.zip
   • NotLie

Subject: Manual gives Seduction
Body:
   • you Want to improve your success with the opposite sex, search keeps an eye on this text. that has useful advice.
Attachment:
   • Seduc.zip
   • Art gives to Seduce

Subject: %username from receiver's email address% you have a Virtual Gift
Body:
   • they have sent You a virtual Gift, this available one during 7 days, discharge it or enters to the link:)
Attachment:
   • Virtual0034.zip
   • %username from receiver's email address%

Subject: Gusanito.com
Body:
   • there is an available card for you on behalf of a friend. discharge it or enters to the link:)
Attachment:
   • EL-Card.zip
   • Virtual Card

Subject: Pictures in your email
Body:
   • XXX All Voucher XXX
Attachment:
   • xImages.zip
   • you Look at me ;

Subject: That there is behind a kiss
Body:
   • you Know that it means the form gives to kiss or that types and techniques exist, know them
Attachment:
   • Kiss.zip
   • Kisses

Subject: No Adware
Body:
   • are you changed the it paginates beginning he/she gives?, do they leave you windows publicity he/she gives, problems with dialers, troyanos or other adwares, does it prove this program free and do let us put an end to the insensitive one that the Adware is.
Attachment:
   • CwshredderPlus.zip
   • to Clean Pc

Subject: Sex Tantrico
Body:
   • Tantra: ancient discipline oriental to improve the sexual acting. Know it
Attachment:
   • Sex_Tantra.zip
   • Sex Tantrico Images

Subject: Hey %username from receiver's email address%
Body:
   • %username from receiver's email address% he/she looks at the image 30 second and then he/she looks to another part and truth at something surprising (good optic illusion, almost hallucination)
Attachment:
   • IlusionI.zip
   • Images

Subject: %username from receiver's email address% Looks at the picture
Body:
   • Looks at my picture;)
Attachment:
   • Ph0t0.zip
   • My Album


Subject: That means your name?
Body:
   • The names and the last names like all word have a meaning, the one which already in most he/she gives times or we don't remember, perhaps find the meaning he/she gives yours in our database:)
Attachment:
   • SigName.zip
   • Your Name

Subject: are you intelligent? ;)
Body:
   • The Father gives Sandra was an employee in an insurance company, lived modestly, tapeworm a medium house, a car very new no and a dog, but what the one wanted more they were its 3 daughters: Ana, Ane and... Like their other daughter was called?
Attachment:
   • Riddles
   • Answer

Subject: Hack Hotmail
Body:
   • you Wanted hackear one it counts gives hotmail at some time, then test this technique, and the good thing is that no you need to be a Hacker to use it
Attachment:
   • HackHotmail.zip
   • HackHotmail

Subject: Answer for %username from receiver's email address%
Body:
   • it is This way the life :(
     The answer to its order has been approved, with what becomes accrediting gives the advantages and discounts gives our I circulate, for but you detail sees text the assistant
Attachment:
   • %username from receiver's email address% .zip
   • Admin Page

Subject: Important for %username from receiver's email addre
Body:
   • Hello, you don't know me, but I ship you something that interested you, God willing it is you gives utility, bye
Attachment:
   • _msg.zip
   • Message

Subject: Click in the assistant and put earphone:)
Body:
   • you Listen to yourself this song, Letter to Santa Claus III ;)
Attachment:
   • FuckSanta.zip
   • Play Song

Subject: do you want to know how psychopath you are?
Body:
   • This is a test used for the I exercise gives states together to recruiting soldiers, it stops in simple words to measure how prone to the madness they are, and you go how released these.
Attachment:
   • CrazyTest.zip
   • Test Here

Subject: Drawings (This Very Good)
Body:
   • you Look at yourself this ;)
Attachment:
   • Drawings.zip
   • MORE Drawings

Subject: Osama Ben Laden the man that I declare the War to United States
Body:
   • That induced it to leave a possible life he gives luxuries, to go aboard in a sacred war against it USES, wise that the families give Bush and Osama they knew each other, find out he gives the true causes he gives their war
Attachment:
   • Osama.zip
   • Osama Web

Subject: PornStars Show
Body:
   • Looks at this scrensaver gives the actresses he/she gives the cinema porn
Attachment:
   • PornStars.zip
   • PorStars All Access

Subject: Alone the pure truth
Body:
   • it is This way the life :(
Attachment:
   • e picture
   • Alone the pure truth


Subject: 16 Pictures give the best doe gives Playboy
Body:
   • The best pictures give PlayBoy gives this year, it passes them ;)
Attachment:
   • 16Playboy.zip
   • Planet PlayBoy

Subject: I Warn Important
Body:
   • %username from receiver's email address% due to the reformations he/she gives the servant, it is asked the users to complete the new registration in order to validate their you count and don't be suspended. Sincerely AdminSystem"
Attachment:
   • Registry.zip
   • New Registry

Subject: Ten commandments give the Love and Sex
Body:
   • to Maintain a healthy loving relationship and upper demands a lot of effort and many desires, we give you these 10 keys
Attachment:
   • 10Claves.zip
   • Love and Sex

Subject: As Knowing if he Likes?
Body:
   • you die for that person, but you don't know if to tell him something, because capable doesn't give you ball, with this test you can discover specificses that indicate you that it feels for you :)
Attachment:
   • TestG.zip
   • My Page

Subject: 100% Ideal
Body:
   • %username from receiver's email address% does it Participate in this puzzle, if you could create to the Girl (or Boy) Ideal choosing a face gives here and does a silhouette give there, as serious your Ideal couple?
Attachment:
   • Ideal.zip
   • 100% Ideal

Subject: Vision gives the Future
Body:
   • Everything has Been given
Attachment:
   • YourFuture.zip
   • Necromancy

Subject: YourFuture.zip
Body:
   • you Look at it your same one
Attachment:
   • ThatStrange.zip
   • That Strange


Attachment:

The attachment is a copy of the malware itself.



The email looks like the following:


Mailing: Search addresses:
It searches the following files for email addresses:
   • .htm
   • .txt
   • .php
   • .asp


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • virus; master; persys; perant; abuse; report; panda; symantec; trend;
      avp; kasp; nod; support; admin; foo; iana; messagelab; microsoft; msn;
      anyone; bug; f-secur; free-av; google; help; info; linux; soporte;
      nobody; noone; noreply; rating; root; samples; sopho; spam; unix; upd;
      winrar; winzip


MX server:
It has the ability to contact one of the following MX servers:
   • mdm@latinmail.com
   • mx1.hotmail.com
   • mdm@hotmail.com
   • correo.viabcp.com

P2P: In order to infect other systems in the peer-to-peer network community, the following action is performed: it searches for the following standard shares:
   • appleJuice\incoming
   • eDonkey2000\incoming
   • Gnucleus\Downloads
   • Grokster\My Grokster
   • ICQ\shared files
   • Kazaa\My Shared Folder
   • Kazaa Lite\My Shared Folder
   • LimeWire\Shared
   • morpheus\My Shared Folder
   • Overnet\incoming
   • Shareaza\Downloads
   • Swaptor\Download
   • WinMX\My Shared Folder
   • Tesla\Files
   • XoloX\Downloads
   • Rapigator\Share
   • KMD\My Shared Folder
   • BearShare\Shared
   • Direct Connect\Recieved Files
   • eMule\Incoming
   • Kazaa Lite K++\My Shared Folder
   • My Downloads

   It searches the standard directories of all shares.

   If successful, the following files are created:
   • Quick Time Key Crack.exe; Ana Kournikova Sex Video.exe; AVP Antivirus
      Pro Key Crack.exe; Britney Spears Sex Video.exe; Buffy Vampire Slayer
      Movie.exe; Crack Passwords Mail.exe; Cristina Aguilera Sex Video.exe;
      Game Cube Real Emulator.exe; delphi.exe; Hentai Anime Girls Movie.exe;
      Jenifer Lopez Sex Video.exe; Matrix Movie.exe; Mcafee Antivirus Scan
      Crack.exe; Norton Anvirus Key Crack.exe; Panda Antivirus Titanium
      Crack.exe; PS2 PlayStation Simulator.exe; divx pro.exe; Sakura Card
      Captor Movie.exe; Sex Live Simulator.exe; Sex Passwords.exe; Spiderman
      Movie.exe; Start Wars Trilogy Movies.exe; Thalia Sex Video.exe; Winzip
      KeyGenerator Crack.exe; aol cracker.exe; aol password cracker.exe; GTA
      3 Crack.exe; GTA 3 Serial.exe; play station emulator.exe; virtua girl
      - adriana.exe; virtua girl - bailey short skirt.exe; Virtua Girl
      (Full).exe; warcraft 3 crack.exe; warcraft 3 serials.exe;
      counter-strike.exe; divx_pro.exe; HotGirls.exe; hotmail_hack.exe;
      pamela_anderson.exe; serials2000.exe; subseven.exe; VB6.exe;
      VirtualSex.exe; ACDSee 5.5.exe; Age of Empires 2 crack.exe; Animated
      Screen 7.0b.exe; AOL Instant Messenger.exe; AquaNox2 Crack.exe;
      Audiograbber 2.05.exe; BabeFest 2004 ScreenSaver 1.5.exe; Babylon
      3.50b reg_crack.exe; Battlefield1942_bloodpatch.exe;
      Battlefield1942_keygen.exe; DirectX InfoTool.exe; Business Card
      Designer Plus 7.9.exe; Clone CD 5.0.0.3 (crack).exe; Clone CD
      5.0.0.3.exe; Coffee Cup Free zip 7.0b.exe; Cool Edit Pro v2.55.exe;
      Diablo 2 Crack.exe; DirectDVD 5.0.exe; DirectX Buster (all
      versions).exe; DivX Video Bundle 6.5.exe; Download Accelerator Plus
      6.1.exe; DVD Copy Plus v5.0.exe; DVD Region-Free 2.3.exe; FIFA2004
      crack.exe; Final Fantasy VII XP Patch 1.5.exe; Flash MX crack
      (trial).exe; FlashGet 1.5.exe; FreeRAM XP Pro 1.9.exe; GetRight
      5.0a.exe; Global DiVX Player 3.0.exe; Gothic2 licence.exe; Guitar
      Chords Library 5.5.exe; Hitman_2_no_cd_crack.exe; Hot Babes XXX Screen
      Saver.exe; ICQ Pro 2004a.exe; SmartRipper v2.7.exe; ICQ Pro 2004b (new
      beta).exe; iMesh 3.6.exe; iMesh 3.7b (beta).exe; IrfanView 4.5.exe;
      KaZaA Hack 2.5.0.exe; KaZaA Speedup 3.6.exe; Links 2004 Golf game
      (crack).exe; Living Waterfalls 1.3.exe; Mafia_crack.exe; Matrix
      Screensaver 1.5.exe; MediaPlayer Update.exe; mIRC 6.40.exe; mp3Trim
      PRO 2.5.exe; MSN Messenger 5.2.exe; NBA2004_crack.exe; Need 4 Speed
      crack.exe; Nero Burning ROM crack.exe; Netfast 1.8.exe; SmartFTP
      2.0.0.exe; Network Cable e ADSL Speed 2.0.5.exe; NHL 2004 crack.exe;
      Nimo CodecPack (new) 8.0.exe; PalTalk 5.01b.exe; Popup Defender
      6.5.exe; Pop-Up Stopper 3.5.exe; QuickTime_Pro_Crack.exe; Serials 2004
      v.8.0 Full.exe; Space Invaders 1978.exe; Splinter_Cell_Crack.exe;
      Steinberg_WaveLab_5_crack.exe; Trillian 0.85 (free).exe; TweakAll
      3.8.exe; Unreal2_bloodpatch.exe; Unreal2_crack.exe;
      UT2004_bloodpatch.exe; UT2004_keygen.exe; UT2004_no cd (crack).exe;
      UT2004_patch.exe; WarCraft_3_crack.exe; Winamp 3.8.exe; WindowBlinds
      4.0.exe; WinOnCD 4 PE_crack.exe; WinZip 9.0b.exe; Yahoo Messenger
      6.0.exe; Zelda Classic 2.00.exe; Windows XP complete + serial.exe;
      Screen saver christina aguilera.exe; Screen saver christina aguilera
      naked.exe; Visual basic 6.exe; Starcraft serial.exe; Credit Card
      Numbers generator(incl Visa,MasterCard,...).exe; Edonkey2000-Speed me
      up scotty.exe; Hotmail Hacker 2004-Xss Exploit.exe; Kazaa SDK + Xbit
      speedUp for 2.xx.exe; Microsoft KeyGenerator-Allmost all microsoft
      stuff.exe; Netbios Nuker 2004.exe; Security-2004-Update.exe; Stripping
      MP3 dancer+crack.exe; Visual Basic 6.0 Msdn Plugin.exe; Windows Xp
      Exploit.exe; WinRar 3.xx Password Cracker.exe; WinZipped Visual C++
      Tutorial.exe; XNuker 2004 2.93b.exe; cable modem ultility pack.exe;
      macromedia dreamweaver key generator.exe; winamp plugin pack.exe;
      winzip full version key generator.exe; PerAntivirus 8.9.exe; The
      Hacker Antivirus 5.7.exe

   These files are copies of the malware itself.



The shared directory may look like the following:


Network infection: It uses the following login information in order to gain access to remote machines:

– The following list of user names:
   • Andrea; Pamela; Patricia; Cristina; Adriana; Katherine; July; Vanessa;
      Jennifer; Karina; Janeth; Dulce; Bill; Alejandro; Dark; Bracho;
      Torres; Aguilar; Martinez; Lugo; Costa; Velarde; Varela; Helsim;
      Valencia; Mancilla; Braschi; Wong; Chang; Mora; Arana; Alvites; Start;
      Toledo; Flores; Garcia; Orellana; Hoyos; Perez; Campos; Humala;
      Alvarez; Valenzuela; Luque

– The following list of passwords:
   • "123"; "1234"; "12345"; "123456"; "1234567"; "12345678"; "654321";
      "54321"; "111"; "11111"; "111111"; "11111111"; "000000"; "00000000";
      "pass"; "5201314"; "88888888"; "888888"; "passwd"; "password";
      "database"; "test"; "server"; "computer"; "secret"; "oracle";
      "sybase"; "Internet"; "super"; "user"; "manager"; "public"; "private";
      "default"; "1234qwer"; "123qwe"; "abcd"; "abc123"; "123abc"; "abc";
      "123asd"; "dos"; "asdfgh"; "!@; $"; "!@; $%"; "!@; $%^"; "!@; $%^&";
      "!@; $%^&*"; "!@; $%^&*("; "!@; $%^&*()"; "intel"; "KKKKKKK"; "09876"


IRC propagation:
– The Mirc.ini file is modified.

Process termination: It tries to terminate the following processes and delete the corresponding files:
   • avx; adaware; advxdwin; alevir; arr; auto-protect; Avg; avw; ahnsd;
      apvxdwin; anti-trojan; avsched32; avconsol; ackwin32; autodown; alert;
      amon; avmon; antivir; avsynmgr; avnt; avrep32; ants; atcon; atupdater;
      atwatch; autotrace; aplica32; atro55en; aupdate; autoupdate; avrescue;
      agent; avltmain; backweb; blackice; blackd; bd_professional; bidef;
      bidserver; bipcp; bisp; bootwarn; borg2; bs120; buscareg; clrav;
      claw95ct; cfiaudit; cfiadmin; cmgrdian; ctrl; cfind; cfinet; ccapp;
      claw95; cpd; cleanpc; cmon016; cpf9x206; cpfnt206; csinject; csinsm32;
      css1631; cwnb181; cwntdwmo; ccevtmgr; ccpxysvc; dv95; dvp95; defwatch;
      defalert; doors; deputy; dpf; drwatson; drweb32; drwebupw; efinet32;
      espwatch; esafe; efpeadm; etrustcipe; evpn; ecengine; eli; findviru;
      f-agnt95; frw; f-stopw; filemon; f-prot; fch32; fih32; fp-win; fsgk32;
      fnrb32; fsaa; fameh32; fast; fix-it; flowprotector; fp-win_trial;
      fsav; fsm; fwenc; gbmenu; gbpoll; generics; guard; hacktracer; htlog;
      icssuppnt; icload; iamapp; icsupp95; ibma; iomon98; icmo; iface; iams;
      ifw2000; iparmor; iris; isrv95; jed; jammer; kpf; kavlite; kerio;
      luall; lookout; lockdown; lucomserver; ldpromenu; luspt; ldnetmon;
      ldpro; localnet; lsetup; luau; luinit; mpftray; moolive; msconfig;
      monitor; mcmnhdlr; mctool; mcupdate; mcvsrte; mghtml; minilog;
      mcvsshld; mpfservice; mwatch; mcshield; mfw2en; mfweng3; mgavr; mgui;
      monsys; monwow; mrflux; msinfo32; mssmmc32; mu0311ad; mxtask; nav;
      netd32; nod32; nspclean; nmain; nvc95; nisum; nupgrade; per; nwtool16;
      normist; nisserv; nsched32; neowatchlog; nvsvc32; nwservice;
      ntxconfig; ntvdm; npssvc; npscheck; netutils; ndd32; notstart; nc2000;
      ncinst4; netarmor; netinfo; netmon; pav; netspyhunter; netstat; npf;
      nui; nvarch16; nvlaunch; nwinst4; nvapsvc; outpost; offguard;
      ostronet; procexp; pcfwallicon; programauditor; pop3trap; poproxy;
      pcntmon; padmin; pview95; pcc; pqremove; pfwcon; pfwagent; pfwsvc;
      prebind; panixk; pcdsetup; pcip10117_0; pf2; pfwadmin; platin;
      portdetective; ppinupdt; pptbc; ppvstop; procexplorerv1; proport;
      protect; purge; pccntmon; ping; qconsole; qserver; rav; regmon;
      rescue; rapapp; rtvscn95; rulaunch; regedit; regedt32; realmon;
      rshell; stinger; serv95; safeweb; symproxysvc; symtray; sphinx; smc;
      ss3edit; sbserv; swnetsup; sfc; schedapp; setupvameeval;
      setup_flowprotector_us; sgssfw32; shellspyinstall; shn; sofi; spf;
      srwatch; st2; supftrl; supporter5; sweep; sysdoc32; sysedit;
      sharedaccess; tbscan; tds; taumon; tcm; tfak; taskmon; tauscan; tc;
      tgbob; titanin; tracer; trjs; tmntsrv; undoboot; Update; vshwin32;
      vet; vsecomr; vbcmserv; vbcons; vir -help; vptray; vsmain; vsmon;
      vsstat; vettray; vcontrol; vbust; vbwin; vccmserv; vcsetup; vfsetup;
      vnlan300; vnpc3000; vpc; vpfw30s; vscenu6; vsisetup; vswin; vvstat;
      view; wfindv32; wimmun32; wgfe95; webtrap; watchdog; wradmin; wrctrl;
      w32dsm89; whoswatchingme; winrecon; winroute; winsfcm; wsbgate;
      zonealarm; zapro; zap; zcap; zatutor; zonestub; asdf; zlclient;
      zauinst; zonalm2601; taskmgr

Processes with the following characteristics are terminated:
    •  Title: %random string%     Class name: DirectUIHWND
    •  Title: %random string%     Class name: RICHEDIT20a
    •  Title: %random string%     Class name: RICHEDIT
    •  Title: %random string%     Class name: ate32class

File details: Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to make detection harder and reduce the file size, it was packed with the following runtime packer:
   • UPX

Description inserted by Irina Boldea on Tuesday, 6 December 2005
Description updated by Andrei Gherman on Monday, 30 January 2006
