Original text:
http://bbs.kill.com.cn/viewthrea...extra=page%3D1
Virus characteristics:
Win32/Stration is a family of mass-mailing worms that download and run other programs.
Method of infection:
Win32/Stration arrives as an .EXE and drops several other programs, many of them DLL files. These DLLs may be installed by adding their file names to the following registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Any DLL referenced in this registry value is loaded automatically into the programs that run on the system.
Stration's DLLs and its main EXE file may also be installed through the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Later variants also copy themselves to the Windows directory and set a value under the following registry key so that the copy runs at every system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example, Win32/Stration.E drops the following files:
%System%\acac.dll
%System%\apphavif.dll
%System%\crswrich.dll
%System%\msobxpob.dll
%System%\mswemste.exe
It installs two of the DLLs by adding their names to the AppInit_DLLs registry value, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "apphavif.dll msobxpob.dll"
The worm's main EXE file and the third DLL are installed by setting the following registry values:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\DllName = "%System%\acac.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Image = ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Shutdown = "WlxShutdownEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Startup = "WlxStartupEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Impersonate = 0x0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Asynchronous = 0x0
Win32/Stration.CA copies itself to %Windows%\t2serve.exe and sets the following value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\t2serv = "%Windows%\t2serve.exe s"
It also drops these files:
%System%\e1.dll
%System%\fsusvcde.exe
%System%\mstle100.dll
%System%\p2psmsih.dll
%Windows%\t2serv.dll
Stration.CA adds "p2psmsih.dll" to the AppInit_DLLs registry value, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "p2psmsih.dll"
Some Stration variants use the following value to have their original EXE file deleted after a reboot:
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Some variants display a message box containing "Update successfully installed" when run for the first time.
Note: '%System%' is a variable path. The virus determines the location of the current system folder by querying the operating system. The default system install path is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on 95, 98 and ME, and C:\Windows\System32 on XP.
Method of distribution:
Via e-mail
To obtain e-mail addresses to send the virus mail to, Win32/Stration searches files on the local system. It uses spoofed sender addresses taken from a list in its internal code. The e-mails the worm generates vary in content. Some examples:
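The four autostart locations described above (AppInit_DLLs, Winlogon\Notify, the Run key and PendingFileRenameOperations) can be reviewed on a suspect machine with the read-only script below. It is an added example, not part of the original write-up; the function name Get-StrationAutostartEntries is my own, and it assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example (not from the original write-up): read-only enumeration of the
# autostart locations the text attributes to Win32/Stration, so a responder can
# see which DLLs/EXEs are wired in and whether they still exist on disk.
function Get-StrationAutostartEntries {
    $winNT  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $sysDir = [Environment]::SystemDirectory          # what the text calls %System%
    $meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Resolve a bare file name the way the loader would: relative to the system directory.
    function Resolve-Dll([string]$name) {
        $n = [Environment]::ExpandEnvironmentVariables($name.Trim())
        if ([IO.Path]::IsPathRooted($n)) { $n } else { Join-Path $sysDir $n }
    }

    # 1. AppInit_DLLs: space/comma separated list, loaded into every process that uses user32.dll.
    $appInit = (Get-ItemProperty "$winNT\Windows" -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ("$appInit" -split '[\s,]+' | Where-Object { $_ })) {
        $p = Resolve-Dll $dll
        [pscustomobject]@{ Location = 'AppInit_DLLs'; Name = $dll; Path = $p; Exists = (Test-Path $p) }
    }

    # 2. Winlogon\Notify: each subkey's DllName is loaded by winlogon.exe at startup/logon.
    Get-ChildItem "$winNT\Winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if ($dll) {
            $p = Resolve-Dll $dll
            [pscustomobject]@{ Location = 'Winlogon\Notify'; Name = $_.PSChildName; Path = $p; Exists = (Test-Path $p) }
        }
    }

    # 3. Run key: every value is a command line executed at each system start.
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notin $meta } | ForEach-Object {
            [pscustomobject]@{ Location = 'Run'; Name = $_.Name; Path = $_.Value; Exists = $null }
        }
    }

    # 4. PendingFileRenameOperations: source/target pairs; an empty target means
    #    "delete at reboot", which is how the text says some variants drop their original EXE.
    $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pfro = @((Get-ItemProperty $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    for ($i = 0; ($i + 1) -lt $pfro.Count; $i += 2) {
        $target = if ($pfro[$i + 1]) { $pfro[$i + 1] } else { '<delete at reboot>' }
        [pscustomobject]@{ Location = 'PendingFileRenameOperations'; Name = $pfro[$i]; Path = $target; Exists = $null }
    }
}

Get-StrationAutostartEntries | Format-Table -AutoSize
```

An AppInit_DLLs or Winlogon\Notify entry whose Path reports Exists = False is worth a second look, since Stration variants that schedule their own deletion can leave dangling references behind.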
Possible Subjects:
Error
Good day
hello
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status
Possible Message Bodies:
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
--------------------
The message contains Unicode characters and has been sent
as a binary attachment.
--------------------
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
--------------------
Mail transaction failed. Partial message is available.
--------------------
Possible Attachment names:
body.elm.pif
body.log.exe
body.txt.bat
body.zip
data.msg.bat
test.dat.scr
test.log.scr
text.elm.exe
Update-KB1289-x86.exe
Update-KB5230-x86.zip
While harvesting e-mail addresses, the worm may create a harmless file, for example "t2serv.wax".
Payload:
Downloads and runs arbitrary files
Win32/Stration variants generally download one or two files over HTTP and run them. Recent variants download from the following URLs:
http://www4.vertionk...im.com/*******/lt.exe
http://www6.vertionk...im.com/*******/nt.exe
Stration may also visit other web pages in order to notify someone about the infected machine.