Author: 煎饼爱你一点   Time: 2004-5-12 12:17
Virus report: "Sasser Killer" (Worm.Cycle.a)
--------------------------------------------------------------------------------
www.rising.com.cn 2004-5-11 14:12:00   Source: Rising (瑞星公司)

Date discovered: May 11
The virus spreads by exploiting Microsoft's LSASS vulnerability. It removes Sasser (震荡波) and Blaster (冲击波), but it likewise causes network congestion and abnormal system reboots, and it may propagate very quickly. In addition, when the system date is May 18 the virus launches a denial-of-service attack against BBC.COM, BBCNEWS.com and IRNA.com (the Islamic Republic News Agency). Judging from the message left in the virus body, its author is probably someone dissatisfied with the Iranian government: the message states dissatisfaction with human rights and freedom in Iran and uses the virus attack as an outlet.

I. Virus assessment

1. Chinese name: 震荡波杀手 (Sasser Killer)
2. English name: Worm.Cycle.a
3. Alias: W32.Cycle (Symantec)
4. Size: 10,240 bytes
5. Type: worm
6. Risk level: ★★★★
7. Propagation: network, file infection
8. Affected systems: Windows NT/2000/XP

II. Technical details

When run, the virus copies itself to the %WINDIR%\system directory under the file name svchost.exe and adds a value named "Generic Host Service" under both HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It also registers itself as a service. By these means it runs every time the system starts.

The virus creates several mutexes used by other viruses, so that an infected system becomes immune to those viruses. The mutexes are: Jobaka3, Jobaka3l, SkynetSasserVersionWithPingFast, JumpallsNlsTillt. When the virus finds any of the following process names running, it kills that process: msblast.exe, avserve.exe, avserve2.exe, skynetave.exe. It then starts several worker threads that carry out its actions.

1. tftp server:
The virus listens on port 69 and implements a tftp server, used to transfer the virus file to the attacked system after a successful exploit, and so to spread.

2. Exploiting the vulnerability against systems connected to the current system

The virus obtains the addresses of all systems that have established TCP connections with the current system and attempts to attack them through the MS04-011 vulnerability.

3. Backdoor:
The virus listens on TCP port 3332 to provide a backdoor service. (This function is unfinished and may be completed in a later version.)

4. Attacking the local network
The virus obtains the current system's IP address, derives further addresses from it as a base, and attempts to attack the resulting IP addresses through MS04-011.

5. DoS attack
When the system date is May 18 or later, the virus launches a DoS attack against www.irna.com or www.bbc.com, www.bbcnews.com.

6. The virus also creates a file named cyclone.txt in the %WINDIR% directory, with the following content:

Hi,My name is Cyclone and I live in Iran,
and I want to speak with you about problems that we have in iran:
A.In Iran we don't have any kind of freedom, because we have islamic republic in iran:
1.we can't speak freely about regime, we can't speak even a little bit against them!!!
2.I have to be a moslem otherwise they don't care about me!
3.we CAN'T even wear the clothes and styles that we wants!
4.women MUST wear a cloth that no one can even see their hair!!!
5.they do not allow our national celebrations to be held, they beat us!!
6.Many more...
B.The human rights is not implemented in Iran and there is no justice,
1.Lynch is very common in Iran. If you are against the regime then you may silently killed, or if there is a tribunal, you can't say anything, everyone works against you there.
2.1985-1990, the Islamic Republic of IRAN has been killed more than 10,000 Iranian youngs. that has been comfirmed by the documentations! This people killed without any tribunal or any proof.
3.there is a punishment that is used so much during this years, in this punishment, the person who must be killed stand in a hole then others attack him with stones, this will continue until he/she dead. there is some pictures and videos that shows this terrible torture!
4.Many more...
C.Misery and poverty grows in Iran, because the islamic republic leaders steal the money, they stolen the money that provided by selling oil, and then the people must die because they don't have enough money to even buy a bread!!!
D.Misery and poverty cause vice to grow, you see many young people in Iran using drugs and I think this is also a trick by the government to not allow us to arise against them!
E.Islamic republic gave Iran a bad name. before islamic republic we can travel
anywhere in the world without any problem but now we have so much problems if we want to travel a foreign country, anyone think that we are terrorist. THE PEOPLE OF IRAN ARE NOT TERRORIST, THE ISLAMIC REPUBLIC OF IRAN IS TERRORIST.
The people of Iran trying to arise, but failed to do. About one year ago, Iranian people try to say to the world that we don't need Islamic republic but the government and police beat the people who try to tell the truth and they killed some people.
You see that they don't even care about their own people, think what happen if they gain access to an ATOMIC BOMB!!! it's very dangerous for the world.
With all of this conditions and injustices, european governments still support islamic republic, they say that they just care about their own country!
and I want to show them our WRATH!
All of the european people are my friends and I never want to harm them, just government and the Politicians!
If you protest against iraq war and say why there must be a war against iraq, and if you do this for humanity, please do anything that you can do for helping iranian people.
at least make your country not to support islamic republic anymore, I'm deadly sure that if european countries do not support islamic republic. it will be destroyed after 3-6 months!
so please help!I don't want to damage, I just want my country to grow, to improve!!! I have no other way to tell this words to world, sorry!!

1. Update
Rising will release an update the same day; the updated software version number is 16.26.10, and Rising Antivirus at that version or above can fully detect and remove this virus. Users of the Rising Antivirus Standard and Network editions can log in to the Rising website (http://www.rising.com.cn/) to download the update package, or use the "Smart Update" feature of Rising Antivirus.

2. Use the online scan or the download edition
Users can also remove the virus with Rising's online scan and download edition products; both offer several payment methods. Go to http://online.rising.com.cn/ to use the online scan, or to http://go.rising.com.cn/ to use the download edition.

3. Call for help
For any other questions about this virus, users can call the Rising antivirus emergency hotline at any time: 010-82678800, to get help from antivirus experts.

4. Manual removal

(1) Open the Registry Editor and delete the following value (if present) under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Generic Host Service"="%WINDIR%\system\svchost.exe"
(2) Open Task Manager, check whether a process named svchost.exe whose file is %WINDIR%\system\svchost.exe exists, and terminate it.

(3) Delete the file svchost.exe from the %WINDIR%\system directory.
Note: %SYSDIR% is the Windows system installation directory; on Windows 9X/ME/XP it defaults to C:\WINDOWS\SYSTEM, and on Win2K to C:\WINNT\SYSTEM32.

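As an added example that is not part of the Rising report, the following PowerShell script performs read-only checks for the artifacts the manual-removal steps name (the Run-key value, the dropped file, a process running from it) plus the listening ports from the technical details. It assumes a modern Windows PowerShell with the NetTCPIP module; it changes nothing, so it can be run before and after the removal steps above.

```powershell
# Added example, not code from the Rising report: read-only triage for the
# Worm.Cycle.a artifacts described above. Nothing here deletes or terminates anything.
$ErrorActionPreference = 'SilentlyContinue'
$valueName = 'Generic Host Service'                      # Run-key value name from the report
$dropPath  = Join-Path $env:WINDIR 'system\svchost.exe'  # drop location from the report
$runKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Autorun entries: the report names the value "Generic Host Service".
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key
    if ($item -and $item.PSObject.Properties[$valueName]) {
        $findings += "Run value '$valueName' in $key -> $($item.$valueName)"
    }
}

# 2. Dropped file: the legitimate svchost.exe lives in %WINDIR%\system32,
#    so a copy in %WINDIR%\system is suspicious on its own.
if (Test-Path -Path $dropPath) {
    $fi = Get-Item -Path $dropPath
    $findings += "File present: $dropPath ($($fi.Length) bytes; report states 10,240)"
}

# 3. Running process loaded from the drop path. Compare the full path, because
#    several legitimate svchost.exe processes are always running from system32.
Get-Process -Name svchost | Where-Object { $_.Path -and ($_.Path -ieq $dropPath) } |
    ForEach-Object { $findings += "Process PID $($_.Id) running from $($_.Path)" }

# 4. Listeners the report attributes to the worm: TCP 3332 (backdoor) and
#    port 69 (tftp, which is UDP). Cross-check the owning PID against step 3.
Get-NetTCPConnection -LocalPort 3332 -State Listen |
    ForEach-Object { $findings += "TCP 3332 listening, owning PID $($_.OwningProcess)" }
Get-NetUDPEndpoint -LocalPort 69 |
    ForEach-Object { $findings += "UDP 69 bound, owning PID $($_.OwningProcess)" }

if ($findings.Count -eq 0) { 'No Worm.Cycle.a indicators found.' } else { $findings }
```

Run it from an elevated prompt so that process paths and the HKLM Run key are readable; a hit in check 3 together with check 4 identifies the process the manual steps tell you to terminate.
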
V. Security recommendations:

1. Build good security habits. For example, do not casually open e-mails or attachments of unknown origin, do not visit websites you know little about, and do not run software downloaded from the Internet without scanning it first. These necessary habits make your computer safer.

2. Disable or remove services the system does not need. By default the operating system installs auxiliary services such as an FTP client, Telnet and a web server. These services are convenient for attackers and of little use to most users; removing them greatly reduces the chance of being attacked and strengthens the computer's security.

3. Apply security patches regularly. Statistically, most network viruses spread through system vulnerabilities, for example Blaster (冲击波), Sobig (大无极), Mydoom (SCO炸弹) and Netsky (网络天空). An unpatched vulnerability means a virus cannot be cleaned up completely, so visit the Microsoft website regularly to download the latest security patches and close the system's holes.

4. Use complex passwords. Many network viruses attack systems by guessing simple passwords, so using complex passwords greatly raises the computer's level of security and reduces the probability of being attacked by a virus.

5. Quickly isolate infected computers. When your computer shows a virus or behaves abnormally, disconnect it from the network immediately to prevent further infection of the computer and to stop it becoming a source of infection for other computers.

6. Learn some virus basics. This lets you notice new viruses promptly and take the appropriate measures, protecting your computer from damage at the critical moment. With some knowledge of the registry, you can periodically check the autostart entries for suspicious values; with some knowledge of memory, you can regularly check whether suspicious programs are loaded in memory.

7. Best of all, install professional antivirus software for comprehensive monitoring. With viruses increasing daily, antivirus software is an increasingly economical choice. After installing it, however, users should update it frequently, enable the main monitors (such as e-mail monitoring), and report problems promptly; only then is the computer truly protected.