Several friends' machines all started showing an unexplained problem yesterday, experts please come in~

feelsky 2003-08-24 09:24:15
Yesterday two friends' computers developed keyboard input problems at the same time. Mouse selection behaves strangely, files in the Recycle Bin cannot be deleted, and as soon as you try to delete one a prompt appears asking whether you want to delete Windows. The antivirus software no longer works. Help! I'm slow and really don't know how to fix this; would the experts please give a pointer or two ~~~~~~~~~~~
10 replies
jacket1127 2003-08-24
Poster above, could you describe it a bit more clearly?
yishao 2003-08-24
If the antivirus software no longer works, that proves the system has already collapsed.

1 Boot to DOS and scan for viruses
2 Take the hard disk out, put it in someone else's machine, and scan it with an updated Norton
3 If 1 and 2 both fail, the only option left is FORMAT and reinstall the system
zhllwarez 2003-08-24
It may be a variant of the "Recycle Bin" virus.
alexdyong 2003-08-24
Is there a new virus again? But I haven't seen any report of a similar new virus on the various security sites yet. Waiting!!
Make a bootable antivirus disk on another machine and scan under DOS.

----------------------------------------
Unmoved by favor or disgrace, I sit and watch the flowers bloom and fall before the hall;
Indifferent to going or staying, I idly follow the clouds as they gather and scatter in the sky;
----------------------------------------
smallrascal 2003-08-24
The name of the attached file is chosen from the table below + ".scr":
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
f*cker

The name can even have a double extension, with the base name being:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love
First extension:
doc mp3 xls wav txt jpg gif dat bmp htm mpg mdb zip
Second extension:
pif bat scr
The worm can spread over a local network. One of its threads scans the network looking for open shared directories with any of the following names: WINXP WINME WIN WINNT WIN95 WIN98 WINDOWS
In these directories the worm looks for the file win.ini. If the file is found, the worm copies itself into that directory as MSTASKMON.EXE and modifies win.ini so that the worm is run automatically after the next reboot. The win.ini file is only used on Windows 9x systems and is ignored on Windows NT-class machines.
The worm scans the processes running in memory and terminates any process in the following list:
PCCIOMON
PCCMAIN
POP3TRAP
WEBTRAP
AVCONSOL
AVSYNMGR
VSHWIN32
VSSTAT
NAVAPW32
NAVW32
NMAIN
LUALL
LUCOMSERVER
IAMAPP
ATRACK
NISSERV
RESCUE32
SYMPROXYSVC
NISUM
NAVAPSVC
NAVLU32
NAVRUNR
NAVWNT
PVIEW95

F-STOPW
F-PROT95
PCCWIN98
IOMON98
FP-WIN
NVC95
NORTON
MCAFEE
ANTIVIR
WEBSCANX
SAFEWEB
ICMON
CFINET
CFINET32
AVP.EXE
LOCKDOWN2000
AVP32
ZONEALARM
WINK
SIRC32
SCAM32

It also contains separate memory-scanning routines for different operating systems. The memory-checking routine runs continuously, which lets the worm keep the processes in the list above from running. It also terminates the Windows Task Manager and prevents it from running.

Symptoms

The worm creates a file in the Windows directory with a random file name + .txt and writes the following text into it:
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK sh*tes
bY
sNAkeeYes,c0Bra
If it is executed, and the file carrying the virus has the extension ".scr"
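The two attachment-naming schemes described in this reply are exact enough to turn into a mail-gateway filter. The following is an added example (written for this thread, not code from the reply or from any antivirus vendor): it flags a name that matches scheme 1 (base name + .scr) or scheme 2 (base name, decoy extension, executable extension). A third verdict generalises scheme 2 to any base name that hides an executable behind a document extension, which goes beyond what the reply lists. The name tables are copied from the reply; the sample attachment names at the bottom are constructed.

```python
"""Attachment-name filter for the Yaha/Lentin naming schemes.

Added example. The base-name and extension tables below are the ones given in
the reply above; SAMPLE_ATTACHMENTS is constructed for the demonstration.
"""
import re
from typing import List, Optional, Tuple

# Scheme 1: one of these base names followed by ".scr"
SCR_BASENAMES = {
    "screensaver", "screensaver4u", "screensaverforu", "freescreensaver",
    "love", "lovers", "lovescr", "loverscreensaver", "loversgang", "loveshore",
    "love4u", "enjoylove", "sharelove", "shareit", "checkfriends", "urfriend",
    "friendscircle", "friendship", "friends", "friendscr", "friends4u",
    "friendship4u", "friendshipbird", "friendshipforu", "friendsworld",
    "werfriends", "passion", "bullshitscr", "shakeit", "shakescr",
    "shakinglove", "shakingfriendship", "passionup", "rishtha", "greetings",
    "lovegreetings", "friendsgreetings", "friendsearch", "lovefinder",
    "truefriends", "truelovers", "f*cker",
}

# Scheme 2: base name + decoy first extension + executable second extension
DOUBLE_BASENAMES = {
    "loveletter", "resume", "biodata", "dailyreport", "mountan", "goldfish",
    "weeklyreport", "report", "love",
}
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat", "bmp",
              "htm", "mpg", "mdb", "zip"}
EXEC_EXTS = {"pif", "bat", "scr"}

# base.first.second, where neither base nor extensions contain a dot
_DOUBLE_RE = re.compile(r"^(?P<base>[^.]+)\.(?P<first>[a-z0-9]+)\.(?P<second>[a-z0-9]+)$")


def classify_attachment(name: str) -> Optional[str]:
    """Return a verdict label for one attachment file name, or None if clean.

    "yaha-scr"         scheme 1: listed base name + .scr
    "yaha-double-ext"  scheme 2: listed base name . decoy ext . exec ext
    "double-ext-exec"  generalisation (not in the reply): any base name with a
                       decoy document extension in front of an executable one
    """
    n = name.strip().lower()          # the worm varies case, so compare lowered
    base, dot, ext = n.rpartition(".")
    if dot and ext == "scr" and base in SCR_BASENAMES:
        return "yaha-scr"
    m = _DOUBLE_RE.match(n)
    if m and m["second"] in EXEC_EXTS and m["first"] in DECOY_EXTS:
        if m["base"] in DOUBLE_BASENAMES:
            return "yaha-double-ext"
        return "double-ext-exec"
    return None


def scan_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, verdict) for every attachment name that gets a verdict."""
    hits = []
    for name in names:
        verdict = classify_attachment(name)
        if verdict is not None:
            hits.append((name, verdict))
    return hits


# Constructed sample: a mix of worm-style names and ordinary attachments.
SAMPLE_ATTACHMENTS = [
    "friendship4u.scr",       # scheme 1
    "Resume.DOC.pif",         # scheme 2, mixed case
    "quarterly.xls.scr",      # same trick, base name not on the list
    "holiday.jpg",            # harmless
    "report.zip",             # harmless: single extension, not executable
    "WeeklyReport.mp3.bat",   # scheme 2
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:24s} -> {verdict}")
```

Matching lowers the name first because the worm mixes case in its file names, and the double-extension check looks only at the last two extensions so that names such as `report.zip` (a real single extension) are not flagged.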
smallrascal 2003-08-24
According to analysis, this worm contains a large number of encrypted text strings and copies itself under a random name into the directory C:\Recycler or C:\Recycled, hence the name "trash can" or "Recycle Bin" virus. It changes HKCU\exefile\shell\open\command in the registry so that the worm runs automatically whenever any executable file is run. If it was started from MSTASKMON.EXE, it changes the autorun entry in win.ini. Below is a screenshot of it in action:
The virus has two versions, described separately below:
Technical characteristics of I-Worm.Lentin, aka Yaha:
A worm that spreads through the attachments of infected e-mails. It is a Windows PE EXE executable of about 21K (packed with UPX; the unpacked size is about 72K), written in Microsoft Visual C++. Infected e-mails carry the attachment "valentin.scr" (the worm file); the subject and message body are chosen from two schemes:
Subject 1:
Melt the Heart of your Valentine with this beautiful Screen saver
Body 1:
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message. *********************************************************** Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:

The second scheme looks like a forward of the first one
Subject 1:
Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Body 1:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver"
To:
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
%EmailAddress% is the e-mail address
The worm only activates when the user runs the infected file themselves. It then installs itself in the system and begins its spreading process.

Installation
During installation, the worm copies itself to C:\RECYCLED under the names SMDM.EXE and MSSCRA.EXE, and registers the first file in the system registry under HKCR\exefile\shell\open\command as c:\recycled\msmdm.exe %1 %*. It then displays a few lines of "Ur My Valentine.." and randomly changes the size of the desktop window.



In some cases the worm also displays an error message:
Config
No Configuration is availabile Now
Enjoy !!!

Spreading via e-mail
The worm reads addresses from WAB, MSN and .NET Messenger, and also searches for *.HT files, scanning them and picking out the lines that are e-mail addresses. All addresses are saved in "screendback.dll" and "www.dll", two files the worm creates in the Windows directory. When sending infected e-mails it uses a direct connection to an SMTP server.

Other versions
Technical characteristics of Lentin.g, aka Yaha.e
About 27K (UPX-packed). Because it contains random data at its end, the file length varies. The worm contains a large number of encrypted text strings.

Installation

The worm copies itself under a random name into the directory C:\Recycler or C:\Recycled. It then changes
HKCU\exefile\shell\open\command in the registry so that the worm starts whenever any executable file is run. If the worm was started from MSTASKMON.EXE, it changes the autorun entry in win.ini.

Spreading via e-mail
The subject of the sent e-mail contains one of the lines below, or several of them combined, with or without a "Fw:" prefix:
searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say ‘I Like You‘ To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let‘s Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let‘s Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
U realy Want this
Romantic
humour
NewWonderfool
excite
Cool
charming
Idiot
Nice
Bullsh*t
One
Funny Great
LoveGangs
Shaking
powful
Joke
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share

:-)
!
!!
The body may contain:
Check the attachment
See the attachement
Enjoy the attachement
More details attached
Hi Check the Attachement .. See u
Hi Check the Attachement ..
Attached one Gift for u..
wOW CHECK THIS
Then there can follow a fake undeliverable message report or a fake screensaver subscription message. In case the worm sends a fake bounced message, it looks like that:
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: %EmailAddress%
For further assistance, please contact %EmailAddress% If you do so, please include this problem report. You can delete your own text from the message returned below.
Copy of your message, including all the headers is attached
Then there goes an EML file attachment with random name that contains the worm‘s sample and usually IFrame exploit to make the attachment run automatically on unpatched e-mail clients. In case the worm spreads itself with a fake screensaver subscription message, it looks like that:
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from <generated URL> to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you‘ll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: <generated URL> * Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address %EmailAddress% X-PMG-Recipient: %EmailAddress%
%EmailAddress% is the e-mail address
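Both versions described in this reply persist through the same two hooks: the exefile\shell\open\command registry value, which is wrapped so that the worm runs before every .exe, and the run= line of win.ini when the worm was started as MSTASKMON.EXE. The following added example (mine, not the reply's or any vendor's) audits both offline from a .reg export and a win.ini text. It accepts the key path under any hive, because the reply names HKCU in one place and HKCR in another; the only value it treats as clean is the Windows default "%1" %*. The .reg and win.ini samples are constructed and reuse the file names the reply gives.

```python
"""Offline audit of the two Yaha/Lentin persistence hooks.

Added example. SAMPLE_REG and SAMPLE_INI are constructed inputs; the file
names in them (msmdm.exe under C:\\recycled, MSTASKMON.EXE) are the ones the
reply above describes. The clean command value is the Windows default.
"""
import re
from typing import List, Tuple

DEFAULT_EXEFILE_CMD = '"%1" %*'
SUSPECT_DIRS = ("\\recycled\\", "\\recycler\\")
WORM_INI_NAME = "mstaskmon.exe"


def check_exefile_command(value: str) -> Tuple[bool, str]:
    """Judge one exefile\\shell\\open\\command value; return (clean, reason).

    Anything with a program in front of "%1" is a wrapper that runs every
    time any executable is launched, which is exactly the hook both worm
    versions install.
    """
    v = value.strip()
    if v == DEFAULT_EXEFILE_CMD:
        return True, "default"
    head = v.split("%1", 1)[0].strip().strip('"')
    if not head:
        return False, "non-default form: " + v
    if any(d in head.lower() for d in SUSPECT_DIRS):
        return False, "wrapper in recycle-bin directory: " + head
    return False, "unexpected wrapper: " + head


def exefile_commands_from_reg(reg_text: str) -> List[Tuple[str, str]]:
    """Pull every exefile\\shell\\open\\command default value out of a .reg export."""
    found, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif (current and line.startswith("@=")
              and current.lower().endswith("exefile\\shell\\open\\command")):
            raw = line[2:].strip()
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1]
            # .reg files escape " as \" and \ as \\
            value = raw.replace('\\"', '"').replace("\\\\", "\\")
            found.append((current, value))
    return found


def win_ini_autoruns(ini_text: str) -> List[str]:
    """List programs named on run= / load= lines of the [windows] section."""
    progs, in_windows = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
        elif in_windows and "=" in s:
            key, _, val = s.partition("=")
            if key.strip().lower() in ("run", "load"):
                progs.extend(p for p in re.split(r"[,\s]+", val.strip()) if p)
    return progs


def audit(reg_text: str, ini_text: str) -> List[str]:
    """Return one finding per suspicious hook; empty list means nothing found."""
    findings = []
    for key, value in exefile_commands_from_reg(reg_text):
        clean, reason = check_exefile_command(value)
        if not clean:
            findings.append(f"{key}: {reason}")
    for prog in win_ini_autoruns(ini_text):
        tag = "matches worm file name" if prog.lower().endswith(WORM_INI_NAME) else "review"
        findings.append(f"win.ini autorun ({tag}): {prog}")
    return findings


# Constructed sample: a .reg export with the wrapped exefile command.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\recycled\\msmdm.exe %1 %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Constructed sample: a Windows 9x win.ini with the worm's run= entry.
SAMPLE_INI = r'''[windows]
load=
run=C:\WINDOWS\MSTASKMON.EXE
[Desktop]
Wallpaper=(None)
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_INI):
        print(finding)
```

Only the exefile key is inspected, so the NOTEPAD.EXE handler for txtfile in the sample is ignored; every run= or load= entry is reported because on a clean Windows 9x machine those lines are normally empty, and the one whose file name matches the worm's is marked separately.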
infofox 2003-08-24
Reinstall the antivirus software.
glgeneral 2003-08-24
Try scanning in Safe Mode.
zhllwarez 2003-08-24
I'm only guessing here.
Your symptoms are somewhat similar to the outbreak of the "Recycle Bin" virus that went around earlier, but they don't match completely. Since the source code of the "Recycle Bin" virus is fully public, the possibility that someone modified it into a variant can't be ruled out.