I-Worm.Magistr: Introduction

Anti-virus product naming (AVP): I-Worm.Magistr
Detailed virus description (English text, with the translator's notes from the Chinese edition kept in brackets)

This is a very dangerous memory-resident Win32 worm combined with virus infection routines. It spreads over the Internet through infected emails, infects Windows executable files on the affected (local) machine, and is able to spread itself over a local network. The virus contains an extremely dangerous payload: depending on different conditions it erases hard drive data, CMOS memory and Flash memory in the same way as the Win95.CIH virus.

[Translator's note: "Flash memory" here presumably refers to a BIOS that is updated by software.]

The virus contains the following "copyright" text in its body:

    ARF! ARF! I GOT YOU!
    v1rus: Judges Disemboweler.
    by: The Judges Disemboweler.
    written in Malmo (Sweden)

[Translator's note: it is unclear whether "v1rus" is meant to be "virus"; without access to a sample this cannot be determined. "Judges Disemboweler" may be a religious allusion, but that is the translator's guess.]

The virus itself is about 30Kb in length and written in Assembler. That is a very large file size for a virus written in pure Assembler. The size is caused by the virus' Win32 EXE file infection algorithm, its email and network spreading routines, its two polymorphic engines, its payload routines, and the many anti-debugging and other tricks the virus uses to make detection and disinfection more difficult. It is therefore one of the most complex viruses known at the moment. The virus was found in-the-wild in the middle of March 2001.
Running an infected file

When the virus is run (for example from an infected message, when a user clicks on the infected attachment) it installs itself memory resident in Windows memory, then runs in the background, sleeps for a few minutes and only then runs its routines: local and network Win32 EXE file infection, email spreading, etc.

To install itself memory resident the virus gets access to the EXPLORER.EXE process memory (the EXPLORER.EXE program image that is actually running and active in Win32 memory) and patches it with a short 110-byte "loader" routine that then runs the main virus code inside EXPLORER's memory. So the virus installs itself memory resident as a component of the EXPLORER.EXE process and then operates in the background, running as an EXPLORER thread. Before running its routines the virus sleeps for 3 minutes.

The virus then gets a file (usually the first file) in the Windows directory, infects it and registers that file in the Windows auto-run Registry key

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and in the "run=" instruction of the [windows] section of the WIN.INI file, so the virus code is activated on every Windows restart. That file is infected in such a way that the host program is not activated after the virus runs (control is not returned to the host program, and the affected application simply exits).
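Both persistence locations named above can be audited from offline copies. The Python script below is an added example, not code from the original description or from any anti-virus product: it parses a constructed WIN.INI and a constructed .reg export of the HKLM Run key, lists every autorun entry, and flags the ones that launch a file sitting directly in the Windows directory, which is where the description says the virus places its registered host. The file name FIRSTFILE.EXE, the value name StartupHelper and the allowlist are constructed placeholders, and the "directly in the Windows directory" rule is this example's own heuristic, not a published signature.

```python
"""Audit the two autorun locations named in the description (the HKLM ...\\Run
Registry key and the run= line of WIN.INI's [windows] section) from offline
copies.  Added example; all input data below is constructed."""
import re

# Directory names the description says the virus infects first; used here only
# to recognise a path that sits directly inside one of them (not in a subfolder)
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\", "c:\\win95\\", "c:\\win98\\")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed WIN.INI: the run= entry stands in for the file the virus registers
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\FIRSTFILE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed .reg export of the Run key (backslashes are doubled in .reg files);
# "StartupHelper" is a placeholder value name, the other two are ordinary Win98 entries
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"StartupHelper"="C:\\WINDOWS\\FIRSTFILE.EXE"
"""


def parse_win_ini_run(text):
    """Programs listed on run= in the [windows] section of a WIN.INI text.
    run= holds a comma- or space-separated list (simplification: paths that
    contain spaces are not handled)."""
    section, programs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                programs += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return programs


def parse_reg_run(text):
    """Name -> command mapping of the string values under the Run key in a .reg export."""
    in_key, entries = False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")   # undo .reg escaping
    return entries


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def in_windows_dir_root(path):
    """True when the path is a file directly inside one of WINDOWS_DIRS."""
    p = path.lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in WINDOWS_DIRS)


def suspicious_autoruns(win_ini_text, reg_export_text, allowlist=()):
    """(source, command) pairs for autorun entries that launch a file sitting
    directly in the Windows directory and whose file name is not allowlisted."""
    allowed = {a.lower() for a in allowlist}
    candidates = [("WIN.INI run=", p) for p in parse_win_ini_run(win_ini_text)]
    candidates += [(f"HKLM Run\\{name}", cmd)
                   for name, cmd in parse_reg_run(reg_export_text).items()]
    flagged = []
    for source, cmd in candidates:
        exe = executable_of(cmd)
        if in_windows_dir_root(exe) and exe.lower().rsplit("\\", 1)[-1] not in allowed:
            flagged.append((source, cmd))
    return flagged


if __name__ == "__main__":
    for source, cmd in suspicious_autoruns(WIN_INI, REG_EXPORT, allowlist=("scanregw.exe",)):
        print(f"review: {source} -> {cmd}")
```

Legitimate Win9x entries such as scanregw.exe also live directly in the Windows directory, which is why the function takes an allowlist of names the administrator already knows; the output is a list for review, not a verdict, and a flagged file is confirmed by comparing it against a known-good copy.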
Thus the virus activates itself from the system Registry or from the WIN.INI file without any visible side effect (it behaves like an unrequested application run at Windows startup).

The virus then runs its infection routines, which scan directories and available drives for Win32 PE .EXE and .SCR files and infect them. First of all the virus tries the WINNT, WINDOWS, WIN95 and WIN98 directories and infects the files in there; that routine is activated randomly, in 3 cases of 4. Next the virus scans all local drives and infects the files on them.

Then the virus enumerates network resources that are shared for full access, looks for WINNT, WINDOWS, WIN95 and WIN98 directories there, and infects the files in those directories. The virus also registers itself there by writing a "run=" instruction to the remote WIN.INI file, so remote Win9x systems get infected on their next Windows startup.

While processing the drives the virus creates a special .DAT file for its own use. The file name and location depend on the network name of the current machine, for example:

    Machine name    File name
    WIN98        -> CQL98.DAT
    PUPKIN       -> JEJOQL.DAT
    CS-GOAT      -> WG-SKYF.DAT

That file is created in the Windows directory, in the Program Files directory, in the root directory of the C: drive, or in the root directory of the system drive.

Infecting Files

The virus infects PE EXE files (Win32 executables) in a complex and difficult-to-disinfect way. The virus encrypts its main code with its polymorphic engine and writes that code to the end of the file.
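Because the encrypted main code is appended past the end of the last section, the gap between where the section table says the file ends and its real size (the "overlay") is the first thing a triage or disinfection tool measures. The Python script below is an added example, not code from the original description or from any product: it builds a tiny synthetic PE32 image (constructed test data, not a real program), parses the COFF header and section table with struct, and reports how many bytes lie beyond the last section. It also resolves the entry point to its section, which for this virus still lands in the code section because the entry code is patched in place rather than redirected. The section names, sizes and the 3000 appended bytes are constructed values.

```python
"""Measure appended data ("overlay") past the last PE section and resolve the
entry point to its section.  Added example using a constructed PE image."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def build_minimal_pe(sections, entry_rva=0x1000):
    """Build a tiny synthetic PE32 file (constructed test data, not a real
    program): DOS header, PE signature, COFF header, 224-byte optional header,
    section table and 512-byte-aligned section bodies."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF      # first body on a 512-byte boundary
    table, bodies, raw_ptr, rva = b"", b"", first_raw, 0x1000
    for name, body, characteristics in sections:
        raw_size = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_FMT, name, len(body), rva, raw_size, raw_ptr,
                             0, 0, 0, 0, characteristics)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += 0x1000
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    # Magic, linker version, SizeOfCode/InitializedData/UninitializedData, AddressOfEntryPoint
    optional = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    headers = (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0")
    return headers + bodies


def pe_layout(data):
    """Parse the headers: entry-point RVA, section list and the file offset
    where the last section's raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]   # AddressOfEntryPoint
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, rva, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "raw_ptr": rptr,
                         "raw_size": rsize, "chars": chars})
    image_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {"entry_rva": entry_rva, "sections": sections, "image_end": image_end}


def overlay_size(data):
    """Bytes after the last section's raw data, i.e. content the section table
    does not account for (where this virus stores its encrypted body)."""
    return max(0, len(data) - pe_layout(data)["image_end"])


def entry_section(data):
    """Name of the section containing the entry point, or None when it points
    outside every section."""
    layout = pe_layout(data)
    ep = layout["entry_rva"]
    for s in layout["sections"]:
        if s["rva"] <= ep < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


# Constructed sample: a clean two-section image, and the same image with 3000
# bytes appended to stand in for the encrypted virus body
CLEAN = build_minimal_pe([(b".text", b"\xC3" * 16, 0x60000020),
                          (b".data", b"\0" * 8, 0xC0000040)])
WITH_OVERLAY = CLEAN + b"\x90" * 3000

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("with overlay", WITH_OVERLAY)):
        print(f"{label}: {len(image)} bytes, entry in {entry_section(image)}, "
              f"overlay {overlay_size(image)} bytes")
```

An overlay is not proof of infection: installers, self-extracting archives and Authenticode-signed files carry legitimate appended data. The number is a triage signal to compare against a known-good copy of the same program, and a file whose overlay grew by roughly the virus' size is the one to hand to a disinfection tool.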
To get control when an infected file starts, the virus patches the victim program's entry code with one more polymorphic routine that passes control to the main encrypted virus code at the end of the file:

    Before infection:

      File header
      Program Code section
        program entry routine      <------- control flow
      Data section and others

    After infection:

      File header
      Program Code section
        program entry routine
        virus polymorphic code #1  <------|  <------- control flow
      Data section and others            |
      virus polymorphic code #2   <------+
      main virus code (encrypted)

Spreading by Email

To send infected emails the virus reads the settings of the following installed email clients from the system Registry:

    Outlook Express
    Netscape Messenger
    Internet Mail and News

The virus then scans the email database files, fetches email addresses from there and sends copies of itself to those addresses. The Subject is randomly constructed from words and sentences found in .DOC and .TXT files on the system (the virus also scans local drives for these files and takes texts from them).
The virus also randomly uses words and sentences from the following list (the entries are reproduced as they appear in the original description):

    sentences you                   ayant délibéré
    sentences him to                le présent arrêt
    sentence you to                 vu l',27h,'arrêt
    ordered to prison               conformément à la loi
    convict                         exécution provisoire
    , judge                         rdonn
    circuit judge                   audience publique
    trial judge                     a fait constater
    found guilty                    cadre de la procédure
    find him guilty                 magistrad
    affirmed                        apelante
    judgment of conviction          recurso de apelaci
    verdict                         pena de arresto
    guilty plea                     y condeno
    trial court                     mando y firmo
    trial chamber                   calidad de denunciante
    sufficiency of proof            costas procesales
    sufficiency of the evidence     diligencias previas
    proceedings                     antecedentes de hecho
    against the accused             hechos probados
    habeas corpus                   sentencia
    jugement                        comparecer
    condamn                         juzgando
    trouvons coupable               dictando la presente
    à rembourse                     los autos
    sous astreinte                  en autos
    aux entiers dépens              denuncia presentada
    aux dépens

The messages may have no body (no text in the message) or contain randomly constructed text like the message Subject (see above).

The attached file's name is variable. The virus searches the system for a PE .EXE or .SCR file of up to 132K in length, infects it and attaches it to the message.

In one case of five the virus also attaches a .DOC or .TXT file that it found on the system while scanning files for Subject and message-body texts. So a randomly selected .DOC or .TXT file may leave the system, which may cause disclosure of confidential information.

When sending infected messages the virus connects to one of three email servers using the SMTP protocol and sends the messages through it.
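The traits described in this section (Subject and body text assembled from the phrase list, a message that may have no body at all, an .EXE or .SCR attachment of at most 132K, and in one case of five an extra .DOC or .TXT file) translate directly into a mail-gateway rule. The Python script below is an added example, not code from the original description or from any mail filter: it runs such a rule over three constructed messages. The phrase list is a subset of the one above, the message dicts and addresses are constructed, and the threshold "small executable attachment plus at least one other trait" is this example's own choice.

```python
"""Flag messages that carry the traits the description attributes to
I-Worm.Magistr's outgoing mail.  Added example over constructed messages."""

# Phrases taken from the word list in the description (a subset is enough here)
MAGISTR_PHRASES = [
    "sentences you", "sentences him to", "sentence you to", "ordered to prison",
    "circuit judge", "trial judge", "found guilty", "find him guilty",
    "judgment of conviction", "guilty plea", "trial court", "trial chamber",
    "sufficiency of proof", "sufficiency of the evidence", "against the accused",
    "habeas corpus", "ayant délibéré", "le présent arrêt", "conformément à la loi",
    "exécution provisoire", "audience publique", "trouvons coupable",
    "aux entiers dépens", "pena de arresto", "hechos probados", "costas procesales",
    "diligencias previas", "antecedentes de hecho", "denuncia presentada",
]
EXEC_EXT = (".exe", ".scr")
DOC_EXT = (".doc", ".txt")
MAX_ATTACH = 132 * 1024      # the description's upper bound for the infected attachment


def indicators(msg):
    """List the Magistr-like traits found in one message.  A message is a dict
    with 'subject', 'body' and 'attachments' (list of (file name, size))."""
    found = []
    text = (msg.get("subject", "") + "\n" + msg.get("body", "")).lower()
    hits = [p for p in MAGISTR_PHRASES if p in text]
    if hits:
        found.append("legal-phrase:" + hits[0])
    if not msg.get("body", "").strip():
        found.append("empty-body")
    for name, size in msg.get("attachments", []):
        ext = name.lower()[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXT and size <= MAX_ATTACH:
            found.append("small-executable:" + name)
        elif ext in DOC_EXT:
            found.append("document-attachment:" + name)
    return found


def is_suspect(msg):
    """Hold rule: a small executable attachment plus the phrase list or an empty
    body.  The document attachment alone is informational, since it is only
    added in one case of five."""
    found = indicators(msg)
    has_exe = any(f.startswith("small-executable:") for f in found)
    other = any(f.startswith(("legal-phrase:", "empty-body")) for f in found)
    return has_exe and other


def screen(messages):
    """Indices of the messages the rule would hold for review."""
    return [i for i, m in enumerate(messages) if is_suspect(m)]


# Constructed sample messages (addresses and file names are placeholders)
SAMPLES = [
    {"from": "alice@example.com", "subject": "Trial court found guilty", "body": "",
     "attachments": [("report.exe", 60 * 1024)]},
    {"from": "bob@example.com", "subject": "Minutes of the meeting",
     "body": "Attached as discussed.", "attachments": [("minutes.doc", 30 * 1024)]},
    {"from": "carol@example.com", "subject": "Installer",
     "body": "Here is the setup program you asked for.",
     "attachments": [("setup.exe", 4 * 1024 * 1024)]},
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLES):
        verdict = "HOLD" if is_suspect(msg) else "pass"
        print(f"{verdict}  {msg['from']:<20} {indicators(msg)}")
```

The phrase list is ordinary court vocabulary, so a phrase hit on its own is weak evidence and the rule only fires together with the small executable attachment. The corrupted second letter of the sender name mentioned in the description is not used because it can only be recognised against a reference spelling of the sender.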
The virus also randomly corrupts the second letter of the sender name, in 4 cases of 5.

The virus stores ten email addresses of already infected users in its body (a history of spreading: the 10 latest email addresses the virus spread from). While spreading, the virus compares the victim's email address with that list and does not send messages to addresses that have already been used.

Payload

Depending on its internal counters the virus manifests itself in the following way: it gets access to the Windows desktop and does not allow the icons on the desktop to be reached with the mouse. When the mouse cursor is moved onto an icon, the virus moves the icon away from the cursor, so the desktop icons appear to "escape" from the mouse cursor.

One month after infecting the computer the virus runs its payload routine, which overwrites all disk files on all local and network drives with the text "YOUARESHIT". Under Win9x the virus also erases CMOS, Flash and hard drive data.

The virus then displays the message:

    Another haughty bloodsucker.......
    YOU THINK YOU ARE GOD , BUT YOU ARE ONLY A CHUNK OF SHIT
Copyright by 「黑白网络工作室」 2002. All rights reserved.