Worm.Cissi.c
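2008-02-23 09:27:41 Source: Internet
This virus is a worm that spreads through e-mail and IPC weak-password guessing. It is written in Delphi and packed with UPX.
Once run, the virus copies itself to the following location: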
%SYSDIR%\Cissi.exe
The virus may also copy itself to the following directories:
\Documents and Settings\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\WINNT\Profiles\All Users\Start Menu\Programs\Startup
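If the operating system is Windows 95/98/Me, the virus modifies the file System.ini so that it starts automatically.
If the operating system is Windows NT/2000/XP/2003, the virus still modifies System.ini, but it does not start automatically.
Backdoor:
The virus is an IRC bot. It connects to the IRC server irc.undernet.org and logs in to an IRC channel under some nickname:
#TCow cow
Once connected, the virus waits for commands from the server.
Network propagation:
The virus performs IPC weak-password guessing. The possible user name and password combinations are: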
User names:
"Guest"
"Administrator"
"Owner"
"Root"
Passwords:
"1234"
"passWord"
"6969"
"harley"
"123456"
"golf"
"pussy"
"mustang"
"1111"
"shadow"
"1313"
"fish"
"5150"
"7777"
"qwerty"
"baseball"
"2112"
"letmein"
"12345678"
"12345"
"ccc"
"admin"
"Admin"
"Password"
"1"
"12"
"123"
"1234567"
"123456789"
"654321"
"54321"
"111"
"000000"
"abc"
"pw"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"abc123"
"pass"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"0"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"alpha"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"a"
"aaa"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"Foobar"
"secret"
"abc"
"test"
"test123"
"temp"
"temp123"
"win"
"pc"
"asdf"
"Oracle'pwd"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"pw123"
"love"
"mypc"
"mypc123"
"admin123"
"mypass"
"mypass123"
"901100"
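Once a guess succeeds, the virus automatically copies itself to that system and uses a scheduled task to start the copy remotely.
The virus also copies its body to mapped network drives on which it has write permission.
The virus also spreads through e-mail:
The e-mails it sends have the following characteristics: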
From: Cissi
Subject <one of the following>:
"Heres a poem for you"
"Ive written a poem for you"
"Love poems for you :)"
"Look what i wrote for you"
"Poems for you"
"Roses are red,
You are mine,
I love you until im dead,
It will all be fine."
"I do miss you
I do love you
what you want me to do?
I never want to go."
"Where did you run?
Where did you hide?
I stand here undone
I stand here inside"
"How could u do that
Why did you say that
How do you feel inside
I wish i just could hide"
Attachment name <one of the following>:
"LovePoem.pif"
"Poem_collection.pif"
"Zipped_poems.exe"
"My Poems.txt.exe"
"Poems.pif"
"Sad Stories and Poems.pif"
"My Story.pif"
"The Poems.pif"
"Poems for you.pif"
"Only Poems.txt.pif"
The e-mail addresses the virus sends to are harvested from files on the infected system with the following extensions:
".htt"
".rtf"
".doc"
".xls"
".ini"
".mdb"
".txt"
".htm"
".Html"
".wab"
".pst"
".fdb"
".cfg"
".ldb"
".eml"
".abc"
".ldif"
".nab"
".adp"
".mdw"
".mda"
".mde"
".ade"
".sln"
".dsw"
".dsp"
".vap"
".PHP"
".ASP"
".shtml"
The virus saves the harvested e-mail addresses in the file:
%SYSDIR%\CISSI.DLL
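The mail traits listed above (sender name, subject lines, attachment names) can be turned into a gateway-side check. The following is an added example, not code from the original page; it also goes slightly beyond the listed names by flagging any other attachment ending in .pif or .exe, and the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description above, lower-cased for matching.
SUBJECTS = {
    "heres a poem for you", "ive written a poem for you",
    "love poems for you :)", "look what i wrote for you", "poems for you",
}
ATTACHMENTS = {
    "lovepoem.pif", "poem_collection.pif", "zipped_poems.exe",
    "my poems.txt.exe", "poems.pif", "sad stories and poems.pif",
    "my story.pif", "the poems.pif", "poems for you.pif",
    "only poems.txt.pif",
}
EXECUTABLE_EXT = (".pif", ".exe")  # extensions used by the listed attachment names


def cissi_traits(raw: bytes) -> list:
    """Return which Worm.Cissi.c mail traits appear in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # "From: Cissi" may parse as a display name or as a bare token.
    name, addr = parseaddr(str(msg["From"] or ""))
    if "cissi" in (name.strip().lower(), addr.strip().lower()):
        hits.append("from")
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").strip().lower()
        if fname in ATTACHMENTS:
            hits.append("attachment-name")
        elif fname.endswith(EXECUTABLE_EXT):
            hits.append("executable-attachment")  # generic rule, not a listed name
    return hits


def build_sample(sender: str, subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that matches several traits at once is a much stronger signal than a subject match alone, since the subject lines are ordinary phrases.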