
Beware of a cunning virus that updates itself too


台灣醒報 (Taiwan Awakening News) | Updated 2010/04/12 14:50 | 林永富



[Reported by 台灣醒報 correspondent 林永富] Antivirus vendors have to update their virus definitions; now the viruses themselves update too. Antivirus company Symantec recently found a new Trojan that downloads updates to itself from a remote server and is very hard to eradicate once it has infected a machine. The company urges computer users to strengthen their defences, for example by running a two-way (inbound and outbound) firewall, to avoid lasting trouble.



According to the company, this "cunning virus" is named Backdoor.Dawcun. It is a backdoor Trojan that steals confidential information from the computer, and it loads itself automatically both on a normal system start and even when the system is booted into Safe Mode.



Besides collecting system information, the virus encrypts what it collects and plants an auto-running file that sends the data to a remote server. It connects to a designated server and tests the connection; if it is not blocked by antivirus software it can then download updates to itself, making it a virus that updates its own code automatically and is therefore harder for antivirus software to detect.



Antivirus experts point out that unless this kind of virus is intercepted at the outset it is very hard to remove completely, so users should keep their virus definitions up to date and use stronger protection software.



Experts also recommend software with a two-way firewall: even if the infection cannot be blocked at the outset, an outbound filter can stop an unknown program from stealing user information and prevent the stolen data from being sent out.



In addition, there are now global cloud-based analysis technologies that use a security intelligence network to counter the latest threats in real time, pulling fresh virus definitions and product updates every 5 to 15 minutes, which can effectively protect computers against virus attacks.


Also, the threat data on this virus from Symantec's website:


Discovered: April 1, 2010

Updated: April 1, 2010 7:21:46 PM

Type: Trojan

Infection Length: 52,736 bytes

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


Once executed, the Trojan creates a new service in the Boot Bus Extender load-order group with the following characteristics:
Service name: [TROJAN FILE NAME]
Display name: [TROJAN FILE NAME]
Startup Type: Automatic

It creates the service by adding entries to the following registry subkey so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[TROJAN FILE NAME]

It also creates the following registry subkeys so it restarts in safe mode:



  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[TROJAN FILE NAME]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[TROJAN FILE NAME]
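The two SafeBoot keys above are what let the Trojan survive a Safe Mode boot, which is why the article says it is hard to remove once installed. The script below is an added example, not Symantec's or the original post's code: it parses a `reg export` of HKLM\SYSTEM\CurrentControlSet offline and flags any auto-start service in the Boot Bus Extender load-order group that is mirrored under SafeBoot\Minimal or SafeBoot\Network, or whose ImagePath lies outside system32. The service name `xkt9a`, the sample export and the list of trusted directories are assumptions made for the example; the writeup only gives `[TROJAN FILE NAME]`.

```python
"""Offline check for the persistence pattern described above: an auto-start
service in the "Boot Bus Extender" load-order group that is also registered
under SafeBoot\\Minimal and SafeBoot\\Network so it loads in Safe Mode.
Input is a .reg export of HKLM\\SYSTEM\\CurrentControlSet (from `reg export`).
Only string and dword values are parsed; that is all this check needs.
"""
import re

SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
SAFEBOOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
# Where drivers/services in boot load-order groups legitimately live (assumption).
TRUSTED_PREFIXES = ("system32\\", "\\systemroot\\system32\\",
                    "%systemroot%\\system32\\", "c:\\windows\\system32\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^(?:"([^"]+)"|@)="(.*)"$')   # @ is the key's default value


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is None or not line:
            continue
        elif (m := _DWORD_RE.match(line)):
            current[m.group(1)] = int(m.group(2), 16)
        elif (m := _STR_RE.match(line)):
            # .reg files escape backslashes and quotes inside string values
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            current[m.group(1) or "@"] = value
    return keys


def safeboot_entries(keys):
    """Map lower-cased SafeBoot entry name -> sorted list of modes it appears in."""
    modes = {}
    for key in keys:
        for mode in ("Minimal", "Network"):
            prefix = f"{SAFEBOOT}\\{mode}\\".lower()
            if key.lower().startswith(prefix):
                modes.setdefault(key[len(prefix):].lower(), set()).add(mode)
    return {name: sorted(m) for name, m in modes.items()}


def image_is_trusted(image_path):
    path = image_path.strip('"').lower()
    if path.startswith("\\??\\"):          # NT object-manager path prefix
        path = path[4:]
    return path.startswith(TRUSTED_PREFIXES)


def find_suspicious_services(reg_text):
    """Return [{service, image, reasons}] for services matching the pattern."""
    keys = parse_reg(reg_text)
    safeboot = safeboot_entries(keys)
    prefix = SERVICES.lower() + "\\"
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix) or "\\" in key[len(prefix):]:
            continue                        # not a service, or a Parameters\ subkey
        name = key[len(prefix):]
        # Start=2 is SERVICE_AUTO_START; genuine Boot Bus Extender members are
        # boot-start (Start=0) drivers, so auto-start in this group is itself odd.
        if str(values.get("Group", "")).lower() != "boot bus extender" or values.get("Start") != 2:
            continue
        reasons = []
        if name.lower() in safeboot:
            reasons.append("also registered in SafeBoot " + "+".join(safeboot[name.lower()]))
        image = str(values.get("ImagePath", ""))
        if image and not image_is_trusted(image):
            reasons.append("ImagePath outside system32: " + image)
        if reasons:
            hits.append({"service": name, "image": image, "reasons": reasons})
    return hits


# Constructed export for this example: "pci" is a genuine boot-start member of
# the group; "xkt9a" is a hypothetical name standing in for [TROJAN FILE NAME].
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci]
"Group"="Boot Bus Extender"
"Start"=dword:00000000
"ImagePath"="system32\\DRIVERS\\pci.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkt9a]
"Group"="Boot Bus Extender"
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\Documents and Settings\\All Users\\Application Data\\xkt9a.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xkt9a]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xkt9a]
@="Driver"
"""

if __name__ == "__main__":
    for hit in find_suspicious_services(SAMPLE_EXPORT):
        print(f"{hit['service']}: {hit['image']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

On a live host the same keys can be read with `reg query` or PowerShell's registry provider, but because the Trojan hooks registry access to protect its own keys (see below), an export taken from the offline SYSTEM hive of a machine booted from clean media is the more reliable input.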



The Trojan hooks registry access so that registry values related to it cannot be modified or deleted.

It also blocks access to its own file, so that security-related processes become unresponsive and it cannot be terminated. The Trojan may also prevent write access to certain folders.

The Trojan searches for the services.exe process and, if it finds it, decrypts and injects two DLLs into that process. It then starts three remote threads in services.exe.

The Trojan uses the injected threads to gather and encrypt confidential system information, saving the confidential information to the following hidden file:
C:\Documents and Settings\All Users\Application Data\mul.bin

The Trojan opens a back door by connecting to the following remote server on TCP ports 2266 and 3390 to send the confidential information and to download, decrypt and then start the updated rootkit driver:
204.12.216.50

It then connects to the following SMTP server on TCP port 25 to test the connection:
smtp.mail.ru
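The server, ports and SMTP connectivity test just listed are the network indicators a responder would sweep for, and they are also what the article's two-way firewall advice is about: an outbound filter stops both the connectivity test and the upload of mul.bin. The script below is an added example, not Symantec's or the original post's code. It assumes the Windows Firewall pfirewall.log field order (date, time, action, protocol, source IP, destination IP, source port, destination port), an internal 10.0.0.0/8 range whose mail relay is 10.0.0.25, and a constructed log; the external addresses in the sample are documentation-range placeholders, since the log carries no hostnames and `smtp.mail.ru` is never resolved here.

```python
"""Sweep an egress firewall log for the Backdoor.Dawcun network indicators
listed above: C2 at 204.12.216.50 on TCP 2266/3390 and a connectivity test
to an SMTP server on TCP 25. Log lines follow the pfirewall.log field order;
the sample at the bottom is constructed for this example.
"""
from collections import namedtuple

C2_HOSTS = {"204.12.216.50"}
C2_PORTS = {2266, 3390}
# Assumptions for the heuristic: everything in 10.0.0.0/8 is internal and the
# only host allowed to talk SMTP outward is the mail relay. A workstation
# opening port 25 to an external host is worth a look even if the C2 IP changes.
INTERNAL_PREFIX = "10."
MAIL_RELAY = "10.0.0.25"

Conn = namedtuple("Conn", "ts action proto src dst sport dport")


def parse_line(line):
    """Parse one pfirewall.log-style line; return None for comments/garbage."""
    parts = line.split()
    if len(parts) < 8 or parts[0].startswith("#"):
        return None
    date, time, action, proto, src, dst, sport, dport = parts[:8]
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return Conn(f"{date} {time}", action, proto, src, dst, int(sport), int(dport))


def classify(conn):
    """Return the list of reasons this connection matches; empty if benign."""
    reasons = []
    if conn.dst in C2_HOSTS:
        reasons.append("destination is the known C2 host")
    if conn.dport in C2_PORTS and not conn.dst.startswith(INTERNAL_PREFIX):
        reasons.append(f"outbound to C2 port {conn.dport}")
    if (conn.proto == "TCP" and conn.dport == 25
            and conn.src.startswith(INTERNAL_PREFIX) and conn.dst != MAIL_RELAY):
        reasons.append("direct SMTP from an internal host, bypassing the mail relay")
    return reasons


def sweep(log_text):
    """Return [(Conn, reasons)] for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn and (reasons := classify(conn)):
            hits.append((conn, reasons))
    return hits


def hosts_to_isolate(log_text):
    """Internal hosts that contacted the C2 server, whether allowed or dropped:
    a DROP still means the host is infected, the egress filter just worked."""
    return sorted({conn.src for conn, _ in sweep(log_text) if conn.dst in C2_HOSTS})


# Constructed sample: 10.1.4.17 is clean; 10.1.4.22 beacons and runs the SMTP
# test; 10.1.4.31 is infected but its C2 attempt was blocked by the firewall.
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port
2010-04-02 09:12:01 ALLOW TCP 10.1.4.17 10.0.0.25 49152 25
2010-04-02 09:12:09 ALLOW TCP 10.1.4.17 198.51.100.10 49153 443
2010-04-02 09:13:44 ALLOW TCP 10.1.4.22 204.12.216.50 1045 2266
2010-04-02 09:13:45 ALLOW TCP 10.1.4.22 204.12.216.50 1046 3390
2010-04-02 09:13:50 ALLOW TCP 10.1.4.22 198.51.100.25 1047 25
2010-04-02 09:14:02 DROP TCP 10.1.4.31 204.12.216.50 1100 2266
"""

if __name__ == "__main__":
    for conn, reasons in sweep(SAMPLE_LOG):
        print(f"{conn.ts} {conn.action} {conn.src} -> {conn.dst}:{conn.dport}: {'; '.join(reasons)}")
    print("isolate:", ", ".join(hosts_to_isolate(SAMPLE_LOG)))
```

The port-only match is deliberately kept separate from the IP match so that a changed C2 address still surfaces as a weaker hit; tune `C2_PORTS` against your own baseline, since 3390 in particular may have legitimate users on some networks.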


Posted by 奕宏資訊社 on 痞客邦 (PIXNET)