病毒基础知识.ppt

* 例子，WORM_MYTOB /vinfo/virusencyclo/default5.asp?VName=WORM_MYTOB.A * 例子， WORM_SDBOT.ANF 病毒 /vinfo/virusencyclo/default5.asp?VName=WORM%5FSDBOT%2EANFVSect=T Network Propagation and Exploit This worm spreads by dropping copies of itself in the following network shares: ADMIN$ IPC$ E$ D$ C$ * /vinfo/virusencyclo/default5.asp?VName=WORM_PEERCOPY.A WORM_PEERCOPY.A Description:? This worm propagates via peer-to-peer (P2P) applications, such as Kazaa, WinMX, Morpheus, Edonkey2000, Bearshare, and KMD. It may also propagates via the instant messaging appilications ICQ and mIRC. Upon execution, it drops the following copies of itself in the indicated hardcoded location: C:\Program Files\XP Keychanger.exe C:\Program Files\kazaa\my shared folder\Win XP Key Generator.exe C:\Program Files\mIRC\download\XP Keychanger.exe C:\mIRC\XP Keychanger.exe C:\Program Files\icq\shared files\XP Keychanger.exe C:\Program Files\WinMX\my shared folder\XP Keychanger.exe C:\Program Files\morpheus\my shared folder\XP Keychanger.exe C:\Program Files\Edonkey2000\incoming\XP Keychanger.exe C:\Program Files\Bearshare\XP Keychanger.exe C:\Program Files\KMD\my shared folder\XP Keychanger.exe If the immediate parent folder of any the said paths is non-existent, it skips the corresponding path. * WORM_MYTOB It propagates via networks by taking advantage of the Windows LSASS vulnerability, Microsoft Security Bulletin MS04-011 WORM_SDBOT It also takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. Microsoft Security Bulletin MS05-039 * * Chapter 1: Introduction to Computer Viruses and Malware * Chapter 1: Introduction to Computer Viruses and Malware * DOWNAD又称Conficker 至截稿时，已经发现32只WORM_DOWNAD家族的变种。 至2009年4月1日，WORM_DOWNAD.A、WORM_DOWNAD.AD、WORM_DOWNAD.KK三只变种是最受关注的。每只后来出现的变种与前一只变种都具有相同的行为，但每只后来出现的变种都得到了改进，以使自身更加难以检测和清除。 这个幻灯片总结了DOWNAD/Conficker的特性。 这只蠕虫利用了一个已知的微软操作系统的名为“Server”服务的漏洞(MS08-067)，该漏洞可以允许执行远程代码。关于这个漏洞的更多细节，可以参考