Rising Kaka Security Forum

Urgent help: how to remove the virus (W32.toxbot)
秋水长天 - 2005-7-7 9:56:00
Today I went to run an antivirus scan on the server and found this virus, named W32.toxbot. It can't be removed, and the virus file can't be accessed either. Could an expert please advise?
秋水长天 - 2005-7-7 10:17:00
Help, please.
秋水长天 - 2005-7-7 10:22:00
Help, please.
海上孤鹰-逸枫 - 2005-7-7 10:30:00
W32.Toxbot
March 12, 2005
W32.Toxbot is a worm that opens an IRC back door on the compromised computer and spreads by exploiting vulnerabilities.

When W32.Toxbot is executed, it performs the following actions:

Creates a copy of itself as %System%\[random file name].exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Where [random file name] is usually 8 characters long. Possible examples of [random file name] include:
TrkWksrv.exe
dxdllsvc.exe
ciclient.exe

Adds the value:
"(Default)" = "Service"
to the registry subkeys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\[random file name]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\[random file name]
so that it is executed every time Windows starts.

Adds the registry subkeys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[random file name]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[random file name]

Installs a back door allowing a remote attacker to have unauthorized access to the compromised computer via IRC channels. The back door allows the remote attacker to perform the following actions:
Log keystrokes
End processes
Steal cached passwords
Steal system information
Download remote files

Spreads by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (as described in Microsoft Security Bulletin MS02-061).

Checks for the presence of the virtual infrastructure software VMware by searching for the registry subkey HKEY_LOCAL_MACHINE\Software\VMware. The worm will not run on computers running this software.


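As an added defender-side example (not from this thread and not Symantec's code): a read-only PowerShell triage script that audits the SafeBoot\Minimal and SafeBoot\Network entries the writeup describes, cross-checks every "Service" entry against its Services key, and flags entries whose binary is missing or not validly signed. It assumes a current Windows host with PowerShell, an elevated session, and that the hypothetical flag names below are good enough for a first look; the signature test is a heuristic, not a verdict.

```powershell
# Added triage script: audit Safe Mode persistence entries of the kind
# W32.Toxbot creates. Read-only; it reports, it does not delete anything.
$ccs = 'HKLM:\SYSTEM\CurrentControlSet'

function Get-SafeBootServiceEntries {
    foreach ($scope in 'Minimal', 'Network') {
        $base = "$ccs\Control\SafeBoot\$scope"
        foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            # Toxbot writes exactly "(Default)" = "Service"; skip Driver/Driver Group entries
            $default = (Get-ItemProperty -Path $key.PSPath).'(default)'
            if ($default -ne 'Service') { continue }
            $name = $key.PSChildName
            $svc = Get-ItemProperty -Path "$ccs\Services\$name" -ErrorAction SilentlyContinue
            $image = $null; $exe = $null
            if ($svc -and $svc.ImagePath) {
                $image = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
                # Heuristic: strip quotes and arguments to isolate the binary path
                $exe = ($image -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
                $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
                if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
            }
            $flags = @()
            if (-not $svc) { $flags += 'no matching Services key' }
            elseif (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'binary missing' }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature not valid ($($sig.Status))" }
            }
            [pscustomobject]@{ Scope = $scope; Name = $name; ImagePath = $image; Flags = ($flags -join '; ') }
        }
    }
}

# Show only entries that raised a flag; review each one by hand before acting on it
Get-SafeBootServiceEntries | Where-Object { $_.Flags } | Format-Table -AutoSize
```

A legitimate Windows service can appear here too (for instance if its binary is unsigned), so treat a flag as a lead to confirm against the file's hash and origin, not as proof of infection.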
秋水长天 - 2005-7-7 10:44:00
Thanks for the pointers, but I can't make out what all that "pinyin" means.

Can you tell me how to remove it?
酷十 - 2005-7-7 10:51:00
I can't really read the English.
秋水长天 - 2005-7-7 10:55:00
Help from an expert, please!
秋水长天 - 2005-7-7 11:00:00
Which antivirus software can remove it?
酷十 - 2005-7-7 11:14:00
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (as described in Microsoft Security Bulletin MS02-061).
It's telling you to go to those places, update, and apply the patches.
秋水长天 - 2005-7-7 11:16:00
All the patches are already applied.
秋水长天 - 2005-7-7 17:25:00
Waiting online for an expert's help.
秋水长天 - 2005-7-7 17:34:00
Bros and sisters, help me out, will you?
baohe - 2005-7-7 17:42:00
Quote:
[秋水长天's post] Bros and sisters, help me out, will you?

Using the path and file name your antivirus reports for the virus, find that virus file (the .exe), pack it into an archive and upload it. I'll work out a way for you.
草莓娃娃0926 - 2005-7-7 17:44:00
Rising should have a dedicated removal tool; go download it.
秋水长天 - 2005-7-7 18:19:00
Here is the screenshot I took; please advise.

Attachment: 396005200577181913.jpg
baohe - 2005-7-7 18:22:00
[Reply to 秋水长天's post] You know how to upload a picture as an attachment but not an archive?
蓝色的枫叶 - 2005-7-7 18:38:00
Upload the virus.
秋水长天 - 2005-7-7 19:02:00
This is the file the virus created.

Attachment: 396005200577190222.rar
baohe - 2005-7-7 20:27:00
Quote:
[秋水长天's post] This is the file the virus created.

Why did you upload a 0-byte file?
秋水长天 - 2005-7-8 7:44:00
This was the only one that would download; the other two wouldn't download at all.
命运里の金色 - 2005-7-8 7:46:00
A Windows trojan/worm program.

Disconnect from the network, reboot into Safe Mode, and in Safe Mode use Rising antivirus to scan the whole disk and remove the virus; that will fix it. Be sure to use Windows Update to apply every patch your system needs: http://community.rising.com.cn/UploadImages/200403/Img200431822936.gif http://community.rising.com.cn/UploadImages/200403/Img20043182292139.gif http://community.rising.com.cn/UploadImages/200403/Img20043182293811.gif http://community.rising.com.cn/UploadImages/200403/Img20043182210143.gif http://community.rising.com.cn/UploadImages/200403/Img200431822101822.gif. Set the IE security level a bit higher, and turn on real-time antivirus monitoring when you go online.
秋水长天 - 2005-7-8 7:51:00
Thanks.
秋水长天 - 2005-7-8 7:51:00
Patches are applied; I'll run a scan and see.
秋水长天 - 2005-7-8 7:59:00
Is there a dedicated removal tool?
命运里の金色 - 2005-7-8 8:02:00
Sorry, it seems there isn't one.
秋水长天 - 2005-7-8 8:15:00
Oh, so the latest Rising will do?
命运里の金色 - 2005-7-8 8:19:00
It should.
秋水长天 - 2005-7-8 8:32:00
All right, one more thing from me: China Netcom's server hosting is the worst I have ever seen (at least in the Jinan area), and its service is the worst. Their technicians are the most clueless and can't do anything (they only know the basic PING command, then tell you whether the network is up or down; when it comes to how to fix it, they start shirking responsibility). And the number of viruses inside Netcom's internal network is something I never saw at China Telecom or China Unicom.
秋水长天 - 2005-7-8 8:58:00
This virus got in right after the server was put into the Netcom data center and connected, before the firewall and virus monitoring were up. I've decided to go to Netcom tomorrow for a refund (what a joke: their network is bad, you can't connect at all, and they keep passing the buck, as if I were begging them).
Hero-Mick - 2005-7-8 9:53:00
Telecom is still better!
Those Netcom people even sell the company's splitters on the side,
and at a price higher than the company's own selling price! A bunch of idiots!