Virus name: W32.Leave.B.Worm
Discovered: 2001/7/9
Size: 76,800 bytes
The worm W32.Leave.B.Worm downloads components from a web site; these components include code that can receive commands over IRC. The only difference from the earlier W32.Leave.Worm is the site from which the components are downloaded. The worm arrives disguised as a security bulletin published by Microsoft.
Email content:
The worm spreads through an email whose body looks like a security bulletin sent by Microsoft. The message reads as follows:
Subject: Microsoft Security Bulletin MS01-037
Message: The following is a Security Bulletin from the Microsoft Product
Security Notification Service.
Please do not reply to this message, as it was sent from an unattended mailbox.
********************************
-----------------------------------------------------------------------
Title: Vulnerability in Windows systems allowing an upload of a serious virus.
Date: 30 June 2001
Software: Windows 2000
Impact: Privilege Elevation
Bulletin: MS01-037
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-037.asp
-----------------------------------------------------------------------
Yesterday the internet has seen one of the first of it's downfalls. A virus (no
name assigned yet) has been released. One with the complexity to destroy data
like none seen before.
Systems affected:
=================
Microsoft Windows 95
Microsoft Windows 95b
Microsoft Windows 98
Microsoft Windows 98/SE
Microsoft Windows NT Enterprise
Microsoft Windows NT Workstation
Microsoft Windows Millenium Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Service packs up to Service Pack 6 for Windows NT 3/4 Systems.
Service pack 1 and 2 for windows 2000.
Issue:
======
Officials say this virus is unique in many ways. It spreads via new forms, such
as using a new vulnerability in Windows 98 allowing already infected computers
to upload (send files) to non-infected computers, this means that you do not
have to download or visit a site to be infected with the virus. The infected
computers are programmed to scan for computers running Windows 9x, and Windows
2000 and uploading the virus.
-What the virus does:
The virus itself is a threat to normal users aswell as businesses. Cooper from
microsoft said "This virus has the ability to wipe out most of the internet
users and the chances are it will, the risk is high, patches must be installed
to affected systems." The virus itself is made for one reason and one
reason only, to reproduce, destroy documents, delete mp3 files, movie files,
infect .exe files, this virus also has a unique feature that destroys the BIOS
(Basic Input Output System), which means ones that are infected would need to
purchase a new motherboard.
Patch Availability:
===================
Visit http://(URL removed) to download the patch named cvr58-ms.exe. Download
and run the file.
Acknowledgment:
===============
- Jon McDonald (http://www.entrigue.net)
- Russ Cooper (http://www.ntbugtraq.com)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
*******************************************************************
You received this bulletin because you registered for the Microsoft Product Security Notification Service, although there is no substance to this claim. To verify the digital signature on this bulletin, download the PGP key from:
http://www.microsoft.com/technet/security/notify.asp
For more information about the Microsoft Security Notification Service, visit:
http://www.microsoft.com/technet/security/notify.asp
To learn more about the security of Microsoft products, visit:
http://www.microsoft.com/security
About the worm:
The worm consists of several components:
Bin.dll
Registry.dll
Regsv.exe
Rg32.dll
Aci32.dll
When Regsv.exe is run, it copies itself to the \Windows folder as Regsv.exe and then executes that copy.
Depending on the operating system, it creates a different registry value:
Windows NT/2000:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value: regsv C:\WINDOWS\regsv.exe
Windows 9x/Me:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Value: regsv C:\WINDOWS\regsv.exe
On all operating systems it adds:
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
Value: icqrun C:\WINDOWS\regsv.exe
It creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\Classes\Scandisk\i386\i
HKEY_LOCAL_MACHINE\Software\Classes\Scandisk\i386\s
The \i key holds informational values such as the original file name and some passwords.
The \s key holds an encrypted list of web sites from which files are downloaded, along with some time services.
Next, the worm deletes the original Regsv.exe file and creates Aci32.dll, which contains the encrypted URLs from which files are downloaded.
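The autorun values and marker keys listed above are the artefacts a responder would look for in an offline registry export. The following Python script is an added example (not from the original write-up or any vendor tool): it parses a small constructed .reg export and flags the regsv.exe autorun entries and the Scandisk\i386 marker keys exactly as the write-up describes them.

```python
import re

# Persistence locations named in the write-up (casing as the page gives it).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps",
)
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Classes\Scandisk\i386\i",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Scandisk\i386\s",
)

# Constructed sample of a .reg export from an infected Windows 9x host (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"regsv"="C:\\WINDOWS\\regsv.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"icqrun"="C:\\WINDOWS\\regsv.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\Scandisk\i386\i]
"Name"="Regsv.exe"
'''

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside string data; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_leave_indicators(reg):
    """Return findings for the Leave.B autorun values and marker keys (case-insensitive)."""
    by_lower = {k.lower(): k for k in reg}
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(by_lower.get(key.lower(), ""), {}).items():
            if re.search(r"\\regsv\.exe$", data, re.IGNORECASE):
                findings.append(f"autorun value {name!r} -> {data} under {key}")
    for key in MARKER_KEYS:
        if key.lower() in by_lower:
            findings.append(f"marker key present: {key}")
    return findings
```

On a live host the same checks can be run against an export produced with `reg export`; the listener on port 113 mentioned later in the write-up is a separate network-side indicator.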
On Windows 9x/Me systems, the worm causes itself to run whenever any of the following files is executed:
C:\Program Files\Outlook Express\Wab.Exe
C:\Program Files\Outlook Express\Setup50.Exe
C:\Program Files\Outlook Express\Wabmig.Exe
C:\Program Files\Outlook Express\Msimn.Exe
C:\Program Files\Mediaring Talk 99\Talk99.Exe
C:\Program Files\Napster\Napster.Exe
C:\Program Files\Messenger\Msmsgs.Exe
%Windows%\System\Restore\Rstrui.Exe
C:\Program Files\Internet Explorer\Connection Wizard\Icwconn1.Exe
%Windows%\Defrag.Exe,Bot
%Windows%\Sndvol32.Exe
%Windows%\Calc.Exe
%Windows%\Kodakimg.Exe
%Windows%\Cleanmgr.Exe
%Windows%\Scandskw.Exe
C:\Program Files\Accessories\Mspaint.Exe
%Windows%\Ipconfig.Exe.Exe
%Windows%\Wupdmgr.Exe.Exe
%Windows%\Regedit.Exe
%Windows%\Rundll.Exe
%Windows%\Sysmon.Exe
%Windows%\Taskmon.Exe
%Windows%\Notepad.Exe
%Windows%\Control.Exe
C:\Program Files\Accessories\Wordpad.Exe
The worm also has Trojan characteristics: it listens on port 113.