1. After running, the virus copies itself to the following location:
%SYSTEM32%\wgareg.exe
2. It drops a DCPROMO.LOG file under %Windir%\Debug.
3. After running for a while, the virus downloads an nrcs.exe file (Trojan-Proxy.Win32.Ranky.fv).
4. It connects to the IRC server bniu.househot.com (58.81.137.157:18067)
port: 18067; channel: #n1, password (channel key): nert4mp1; channel: #p, password: none
This domain is a dynamic DNS name; the IRC IP addresses it has resolved to are listed below:
IRC IP 61.189.243.240:18067
IRC IP 61.163.231.115:18067
IRC IP 58.81.137.157:18067
IRC IP 222.68.249.164:18067
IRC IP 218.61.146.86:18067
IRC IP 211.154.135.30:18067
IRC IP 202.121.199.200:18067
5. It connects to the server media.pixpond.com (38.119.88.27:80, United States)
port: 80
It downloads http://media.pixpond.com/l9rd6g.jpg to the local disk and renames the file to nrcs.exe.
6. Creates a service
Service name: wgareg
Display name: Windows Genuine Advantage Registration Service
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
Image path:
c:\windows\system32\wgareg.exe
7. Modifies several registry keys to disable antivirus software and the firewall and weaken system security:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = dword:00000001
AntiVirusDisableNotify = dword:00000001
FirewallDisableNotify = dword:00000001
AntiVirusOverride = dword:00000001
FirewallOverride = dword:00000001
(suppresses the Security Center warnings about disabled updates, antivirus and firewall)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks = dword:00000000
AutoShareServer = dword:00000000
(disables the administrative shares such as C$ and ADMIN$)
Service registration for wgareg (the keys written when the service is created):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\Type = (binary data)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\Start = (binary data)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\ErrorControl = (binary data)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\ImagePath = C:\WINDOWS\system32\wgareg.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\DisplayName = Windows Genuine Advantage Registration Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\Security\Security = (binary data)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\ObjectName = LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\FailureActions = (binary data)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg\Description = Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM
New value: string "N"
Original value: string "Y"
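As an added example that is not part of the original report, the following Python script parses a constructed .reg-style export containing the values listed in sections 6 and 7 and flags each kind of tampering: the Security Center notification suppression, the disabled administrative shares, EnableDCOM set to "N", and any service whose image path is wgareg.exe or whose display name claims to be Windows Genuine Advantage. The sample export, the minimal .reg parser and the finding labels are assumptions for illustration; the key paths and value names are the ones the report gives.

```python
import re

# Constructed sample: a .reg-style export of the values the report lists. Not a real capture.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg]
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"DisplayName"="Windows Genuine Advantage Registration Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")$')

# Key paths from the report, lower-cased because registry paths are case-insensitive.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
LANMAN_PARAMS = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"
SERVICE_KEY_RE = re.compile(
    r"^hkey_local_machine\\system\\(?:controlset\d+|currentcontrolset)\\services\\([^\\]+)$")
SC_NOTIFY_VALUES = ("updatesdisablenotify", "antivirusdisablenotify", "firewalldisablenotify",
                    "antivirusoverride", "firewalloverride")


def parse_reg_export(text):
    """Parse the subset of .reg syntax used above into {(key, name): value}.

    Keys and value names are lower-cased; dword data becomes an int and
    string data has its \\ and \" escapes removed."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                values[(key, name)] = int(data[len("dword:"):], 16)
            else:
                values[(key, name)] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values


def triage(values):
    """Return sorted finding labels (assumed names) for the tampering the report describes."""
    findings = set()
    suppressed = [n for n in SC_NOTIFY_VALUES if values.get((SECURITY_CENTER, n)) == 1]
    if suppressed:
        findings.add("security-center-suppressed:" + ",".join(suppressed))
    if 0 in (values.get((LANMAN_PARAMS, "autosharewks")),
             values.get((LANMAN_PARAMS, "autoshareserver"))):
        findings.add("admin-shares-disabled")
    if str(values.get((OLE_KEY, "enabledcom"), "")).upper() == "N":
        findings.add("dcom-disabled")
    # Check every service under any control set, not just the one the report names.
    for (key, name), data in values.items():
        m = SERVICE_KEY_RE.match(key)
        if not m:
            continue
        svc = m.group(1)
        if name == "imagepath" and str(data).lower().endswith("wgareg.exe"):
            findings.add("wgareg-image-path:" + svc)
        if name == "displayname" and "windows genuine advantage" in str(data).lower():
            findings.add("wga-display-name:" + svc)
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live system the same checks can be run against the output of `reg export` for the three hives; the parser deliberately matches services under every ControlSetNNN key because the report shows the entries under ControlSet001 rather than CurrentControlSet.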
8. Connects to an IRC server and waits for the attacker to connect and take control. The commands are as follows:
IRC commands such as:
join   create or join a channel
Nick   change nickname
QUIT   disconnect
Operations on the target host:
download files
launch a denial-of-service (DDoS) attack
execute basic IRC commands
perform system scans
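As an added example, not part of the original report, this Python script matches the network indicators from sections 4, 5 and 8 (the IRC server name and IP list, port 18067, the channel names and key, and the media.pixpond.com download URL) against constructed log lines. The one-line log format (timestamp, record kind, source, fields), the 10.0.0.x hosts and the indicator labels are assumptions for illustration; the IRC record models only the standard "JOIN #channel key" command with the keys the report lists, since the report does not describe the bot's own command syntax.

```python
from collections import defaultdict

# Indicators taken from the report above.
IRC_SERVER_IPS = {
    "61.189.243.240", "61.163.231.115", "58.81.137.157", "222.68.249.164",
    "218.61.146.86", "211.154.135.30", "202.121.199.200",
}
IRC_PORT = 18067
C2_DOMAINS = {"bniu.househot.com", "media.pixpond.com"}
PAYLOAD_URL = "http://media.pixpond.com/l9rd6g.jpg"
CHANNEL_KEYS = {"#n1": "nert4mp1", "#p": ""}  # "" means the channel has no key

# Constructed log lines in an assumed "<timestamp> <kind> <source> <fields...>" format.
# Host 10.0.0.5 mimics the infection chain; 10.0.0.9 is benign traffic. Not real captures.
SAMPLE_LOG = """\
2006-08-13T10:00:01 dns 10.0.0.5 bniu.househot.com
2006-08-13T10:00:02 tcp 10.0.0.5:1038 58.81.137.157:18067
2006-08-13T10:00:03 irc 10.0.0.5 JOIN #n1 nert4mp1
2006-08-13T10:00:09 dns 10.0.0.5 media.pixpond.com
2006-08-13T10:00:10 http 10.0.0.5 GET http://media.pixpond.com/l9rd6g.jpg
2006-08-13T10:01:00 dns 10.0.0.9 www.example.com
2006-08-13T10:01:01 tcp 10.0.0.9:1040 192.0.2.10:80
2006-08-13T10:01:02 irc 10.0.0.9 JOIN #linux
"""


def match_line(line):
    """Return [(internal_host, indicator_label)] for one log line; [] when nothing matches."""
    parts = line.split()
    if len(parts) < 4:
        return []
    kind, src = parts[1], parts[2]
    hits = []
    if kind == "dns":
        qname = parts[3].lower().rstrip(".")
        if qname in C2_DOMAINS:
            hits.append((src, "dns:" + qname))
    elif kind == "tcp":
        host, _, _sport = src.rpartition(":")
        dst_ip, _, dport = parts[3].rpartition(":")
        if dst_ip in IRC_SERVER_IPS:
            hits.append((host, "irc-c2-ip:" + dst_ip))
        elif dport == str(IRC_PORT):
            # The IRC name is dynamic DNS, so an unlisted IP on the same port is still worth a look.
            hits.append((host, "irc-c2-port:" + parts[3]))
    elif kind == "http":
        if len(parts) >= 5 and parts[3] == "GET" and parts[4] == PAYLOAD_URL:
            hits.append((src, "payload-download:" + parts[4]))
    elif kind == "irc":
        if parts[3].upper() == "JOIN" and len(parts) >= 5:
            channel = parts[4]
            key = parts[5] if len(parts) > 5 else ""
            if channel in CHANNEL_KEYS and CHANNEL_KEYS[channel] == key:
                hits.append((src, "irc-join:" + channel))
    return hits


def scan_log(text):
    """Group indicator hits by internal host: {host: sorted list of labels}."""
    by_host = defaultdict(set)
    for line in text.splitlines():
        for host, label in match_line(line):
            by_host[host].add(label)
    return {host: sorted(labels) for host, labels in by_host.items()}


if __name__ == "__main__":
    for host, labels in scan_log(SAMPLE_LOG).items():
        print(host, labels)
```

The domain and URL matches are the strongest signals because the IRC IP list changes with the dynamic DNS name; a bare port-18067 hit is kept as a separate, weaker label so it can be weighted differently.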
9. Scans hosts over TCP, switching to another address range after every 31 addresses.
For example:
222.171.159.0
...
222.171.159.31
then scans
222.4.159.0
...
222.4.159.31
then scans
222.171.159.32
...
222.171.159.63
then scans
222.4.159.32
...
222.171.159.254
Connection attempts recorded during the scan (local source port, remote destination port):
local port   remote port
1038         445
1069         445
1070         445
1101         445
1104         445
1135         445
1136         445
1518         445
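As an added example that is not part of the original analysis, the following Python code reproduces the interleaved scan order described in section 9 (two /24 prefixes alternating block by block) and then runs a simple sweep detector over constructed flow records shaped like the port table above: one source with ascending local ports reaching many distinct hosts on port 445. The report says 31 addresses per block while its own example runs from .0 to .31, so the block size is a parameter defaulting to 32 to match the example. The flow tuple format, the detection threshold and the 10.0.0.x hosts are assumptions.

```python
from collections import defaultdict
from itertools import islice

SMB_PORT = 445


def scan_order(prefix_a, prefix_b, block=32, last=254):
    """Yield targets in the interleaved order the report describes: one block of
    prefix_a, the same block of prefix_b, the next block of prefix_a, and so on.

    block=32 follows the report's .0-.31 example; last=254 matches its final entry."""
    start = 0
    while start <= last:
        for prefix in (prefix_a, prefix_b):
            for host in range(start, min(start + block, last + 1)):
                yield f"{prefix}.{host}"
        start += block


def detect_smb_sweeps(flows, threshold=10):
    """flows: iterable of (src_ip, src_port, dst_ip, dst_port).

    Returns {src_ip: (distinct port-445 targets, distinct /24 networks touched)} for
    every source that contacted at least `threshold` distinct hosts on 445. Ordinary
    clients talk to a handful of file servers, so a high count is the signal."""
    targets = defaultdict(set)
    for src, _sport, dst, dport in flows:
        if dport == SMB_PORT:
            targets[src].add(dst)
    sweeps = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            networks = {d.rsplit(".", 1)[0] for d in dsts}
            sweeps[src] = (len(dsts), len(networks))
    return sweeps


def constructed_flows():
    """Constructed sample, not captured traffic: 10.0.0.5 walks the first 48 targets of
    the scan order with ascending local ports (as in the port table above); 10.0.0.9
    makes two ordinary connections to one file server."""
    flows = []
    sport = 1038
    for dst in islice(scan_order("222.171.159", "222.4.159"), 48):
        flows.append(("10.0.0.5", sport, dst, SMB_PORT))
        sport += 1
    flows.append(("10.0.0.9", 1040, "10.0.0.20", SMB_PORT))
    flows.append(("10.0.0.9", 1041, "10.0.0.20", SMB_PORT))
    return flows


if __name__ == "__main__":
    order = list(scan_order("222.171.159", "222.4.159"))
    print(order[:3], order[32:35], order[64:66])
    print(detect_smb_sweeps(constructed_flows()))
```

The second element of each result, the number of /24 networks touched, is what separates this bot's alternating pattern from a scan that walks one subnet sequentially; both exceed the target threshold, but the interleaving shows up as multiple networks hit within a short run of ascending source ports.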