[Not news] Computer Virus Forecast --- Backdoor.Rocra
Posted: 2013-1-31 13:19
Backdoor.Rocra
Alert level: ★★★
Affected platforms: Win9X/ME/NT/2000/XP/Server2003
Backdoor.Rocra is a Trojan that opens a back door on the compromised computer. The Trojan is also known as Red October.
The Trojan exploits the following vulnerabilities to carry out targeted attacks:
Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (CVE-2009-3129)
Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333)
Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158)
Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544)
The Trojan may be executed via the following files:
Bloodhound.Exploit.306
Bloodhound.Exploit.366
Bloodhound.Exploit.457
Trojan.Maljava
Trojan.Maljava!gen27
The Trojan then creates the following files:
%ProgramFiles%\WINDOWSNT\msc.bat
%ProgramFiles%\WINDOWSNT\[RANDOMCHARACTERSFILENAME].lt
%ProgramFiles%\WINDOWSNT\Svchost.exe
The Trojan then gathers information from the compromised computer and sends it to the following remote locations:
Prevention and removal:
Do not visit unknown websites or open unknown e-mail attachments; update your antivirus signature database regularly, preferably with the antivirus product's automatic signature update enabled. Disable file sharing on the computer and disable the option that allows remote connections to it. Install the latest system patches.
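As an added example that is not part of the original post, the following Python scan checks a %ProgramFiles% directory (or the same directory on a mounted disk image) for the dropped-file indicators listed above under WINDOWSNT; the sample tree it builds for itself is constructed test data, and the function names are my own.

```python
import tempfile
from pathlib import Path

# Dropped-file indicators from the advisory, relative to %ProgramFiles%.
# The legitimate svchost.exe lives in %SystemRoot%\System32; a copy under
# %ProgramFiles%\WINDOWSNT is itself suspicious.
ROCRA_DIR = "WINDOWSNT"
ROCRA_FIXED_NAMES = {"msc.bat", "svchost.exe"}
ROCRA_SUFFIX = ".lt"   # [RANDOMCHARACTERSFILENAME].lt


def scan_for_rocra_artifacts(program_files):
    """Return sorted full paths of indicator files found under program_files\\WINDOWSNT.

    program_files is the expanded %ProgramFiles% directory, or the equivalent
    path on a mounted image. Matching is case-insensitive, as on NTFS.
    """
    root = Path(program_files) / ROCRA_DIR
    if not root.is_dir():
        return []
    hits = []
    for entry in root.iterdir():
        low = entry.name.lower()
        if entry.is_file() and (low in ROCRA_FIXED_NAMES or low.endswith(ROCRA_SUFFIX)):
            hits.append(str(entry))
    return sorted(hits)


def build_constructed_sample(base):
    """Populate base with a constructed tree mimicking an infected %ProgramFiles%."""
    d = Path(base) / ROCRA_DIR
    d.mkdir(parents=True, exist_ok=True)
    for name in ("msc.bat", "Svchost.exe", "k3q9zx.lt", "readme.txt"):
        (d / name).write_bytes(b"constructed sample, not malware")


def demo():
    """Scan a constructed sample tree and return the matched file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return [Path(p).name for p in scan_for_rocra_artifacts(tmp)]


if __name__ == "__main__":
    # On a live Windows host, pass the expanded %ProgramFiles% path instead.
    print("matched:", demo())
```

A hit on Svchost.exe or a random-named .lt file in that directory is a strong indicator on its own; readme.txt in the sample is deliberately ignored to show the scan matches only the advisory's names.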