The latest variant of the "天堂殺手" (Lineage Killer) Trojan, Trojan/PSW.Lineage.aw (1/31: no AV detects it, NOD heuristics flag it; 2/1: detection now added)





baba_yu
2005-02-01, 02:17 PM
NOD heuristics flag it

This variant spreads mainly through virus websites, exploiting the MHT vulnerability and the CODEBASE vulnerability in the IE browser.
The virus records the user's keystrokes to steal Lineage game account credentials and sends the stolen information to the virus author by e-mail through its own built-in SMTP engine. It also updates itself automatically and deletes various media files from the user's hard disk, causing data damage.
After it runs, the virus creates three files, user.txt, svchost.exe and ie.txt: user.txt is the account/password log file, while svchost.exe and ie.txt are the virus body and its version-information file. The virus also modifies the registry startup entries so that it starts together with Windows.
The virus deletes all media files with the extensions rmi, mid and wav from the Microsoft Media folder, which breaks the Windows sound scheme; it installs a Windows hook to monitor the current window, and when the window title is a string such as "Lineage Windows Client" it records the user's keystrokes and periodically sends the stolen information to the virus author by e-mail via the SMTP engine. The virus also updates its own version by visiting the virus website.

As of 1/31 it still isn't detected. I tested it myself; this is the virus's behaviour. Take a look, and be careful if your protection isn't good enough.
1. Added under the WINDOWS directory
http://img1.imagevenue.com/loc184/b47_e1.png
2. Connects out to 橘子 (Gamania)
http://www.imagevenue.com/loc108/43d_e2.png
3. Added to the startup items
http://www.imagevenue.com/loc291/3d2_e3.png
Virus sample:
http://rapidshare.de/files-en/488840/svchost.rar.html

PS: vir

(2/1: detection added)
http://img2.imagevenue.com/loc142/a1b_d26.png


KAV's reply
Greetings.
Trojan-PSW.Win32.Lineage.aw was found in the attached file.
Its detection will be included in the next antivirus bases.

Thank you for your help.

-----------------
Regards, Alexey Malanov
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: [email protected]
http://www.kaspersky.com http://www.viruslist.com



McAfee (咖啡) replied too, and sent an extra signature file along with it

A.V.E.R.T. Sample Analysis
Virus Research Analyst: Patricia Ammirabile
Identified: PWS-Lineage Trojan

AVERT(tm) Labs, Sao Paulo, SP

Thank you for submitting your suspicious file.

Synopsis -

Attached is a file for extra detection, which will be included in a future
DAT set.

In order to get the fastest possible response, you may wish to submit future
virus-samples to <http://www.webimmune.net>. In most cases it can respond
almost instantly with a solution.

For other virus-related information, please see the AVERT homepage at:
<http://vil.mcafeesecurity.com/vil/default.asp>

Solution -

To ensure that you have the maximum available capability of detecting and
cleaning this malware on your system, please make sure you have the latest
engine.

Engine and DAT updates are available at:
<http://www.mcafeesecurity.com/us/downloads/updates>

EXTRA.DAT
This should be used with any of the McAfee AV Scanners.
The file should be copied into the directory where the other DAT files
reside.

Using the find/search utility on your computer search for the following
file:
SCAN.DAT

Then copy the Extra.dat we have sent you to the same folder where one of the
above is located.

Once you have copied the file, reboot the system for the driver to be
loaded.

Further information about Extra.DATs can be found at
http://vil.mcafeesecurity.com/vil/systemhelpdocs/extradat.htm.

Support -

Virus Research accepts file-samples for analysis and possible inclusion into
AV signature DAT sets. We are also prepared to answer general virus
questions.

All product-related questions and comments can be addressed through
technical support and customer service, including:

* Product installation and update questions
* Product usage questions
* Specific operating system/version questions
* Assistance with detection and cleaning or removal of viruses or trojans

Please use the following links to reach our technical support group for
McAfee products.

Corporate Customers:
<https://mysupport.mcafeesecurity.com/>

Single User/Retail Customers:
<http://www.mcafeehelp.com>

Regards,

Patricia Ammirabile
Virus Research Analyst
McAfee AVERT (TM)
A division of McAfee, Inc.
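The behaviour described at the top of the post (three dropped files under the Windows directory, a registry autostart entry, and the rmi/mid/wav files wiped from the Media folder) is enough to write a small host triage check for the days before the vendors ship signatures. The following script is an added example and not code from the post or from any vendor; it assumes the dropped files land directly in %WINDIR% (as the poster's first screenshot suggests), that the autostart entry is in one of the standard HKCU/HKLM Run keys (the post does not name the key), and that a normal Windows install ships .wav files in %WINDIR%\Media so an empty Media folder is itself a sign. The check logic takes directory listings and Run values as plain data so it can be exercised on constructed input anywhere; only the live collection at the bottom needs Windows.

```python
"""Triage check for the Lineage.aw indicators described in the post (added example)."""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names the post says the trojan creates (user.txt holds the captured
# credentials; svchost.exe and ie.txt are the trojan body and its version info).
DROPPED_FILES = {"user.txt", "svchost.exe", "ie.txt"}
# Media extensions the post says the trojan deletes from the Windows Media folder.
MEDIA_EXTENSIONS = {".rmi", ".mid", ".wav"}
# Standard autostart keys; assumption: the post does not say which key the trojan used.
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


@dataclass(frozen=True)
class Finding:
    kind: str    # dropped_file | autostart | media_wiped
    detail: str


def _executable_of(command: str) -> PureWindowsPath:
    """Strip quoting and arguments from a Run value and return the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        command = command[1:end] if end > 0 else command[1:]
    else:
        command = command.split(" ", 1)[0]
    return PureWindowsPath(command)


def check_dropped_files(windir: str, windir_listing) -> list[Finding]:
    """Flag any of the three dropped file names sitting directly in the Windows directory."""
    return [Finding("dropped_file", str(PureWindowsPath(windir, name)))
            for name in windir_listing if name.lower() in DROPPED_FILES]


def check_run_entries(run_entries) -> list[Finding]:
    """run_entries: iterable of (hive, value_name, command).

    The real svchost.exe is started by the service control manager, never from a
    Run key, so a Run value launching any of the dropped names is suspicious."""
    findings = []
    for hive, value_name, command in run_entries:
        exe = _executable_of(command)
        if exe.name.lower() in DROPPED_FILES:
            findings.append(Finding("autostart", f"{hive}\\...\\Run\\{value_name} = {command}"))
    return findings


def check_media_folder(media_listing) -> list[Finding]:
    """A stock install has sound files here; none left matches the deletion the post describes."""
    remaining = [n for n in media_listing if PureWindowsPath(n).suffix.lower() in MEDIA_EXTENSIONS]
    if remaining:
        return []
    return [Finding("media_wiped", "no .rmi/.mid/.wav files remain in the Media folder")]


def triage(windir: str, windir_listing, run_entries, media_listing) -> list[Finding]:
    """Combine the three checks into one list of findings (empty list means nothing seen)."""
    return (check_dropped_files(windir, windir_listing)
            + check_run_entries(run_entries)
            + check_media_folder(media_listing))


def read_run_entries():
    """Live collection of the Run keys; Windows only (winreg is not available elsewhere)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries.append((hive_name, name, str(data)))
                    index += 1
        except OSError:  # key missing or not readable
            continue
    return entries


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Live collection only works on Windows; the check functions run anywhere.")
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    media = os.path.join(windir, "Media")
    media_listing = os.listdir(media) if os.path.isdir(media) else []
    for finding in triage(windir, os.listdir(windir), read_run_entries(), media_listing):
        print(f"[{finding.kind}] {finding.detail}")
```

Run it from an elevated prompt on the suspect machine; an empty result means none of the post's three indicators is present, while a hit on `dropped_file` or `autostart` is reason to pull the files for submission the way the poster did. The name-based checks are deliberately narrow to what the post describes, so a later variant that renames its files would need the lists updated.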