关注恶意软件：

• 名称：“暴风”蠕虫（Worm.VBS.Autorun.hi）
• 文件类型：VB Script 脚本
• 长度：19246字节
• 影响的平台：WIN9X/ME/NT/2000/XP/2003/Vista/Win7

具体表现：

被“暴风”蠕虫感染后，蠕虫会释放以下文件到计算机：

每个分区根目录下生成 3627480.vbs AutoRun.inf 并对每个文件夹都生成相应的快捷方式。

创建注册表：

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell\exploreHKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell\explore\commandHKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell\explore\command@hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,45 ,4d,43,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell\openHKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell\open\commandHKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell\open\command@hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,4f ,4d,43,20,00,

修改注册表：

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\c ommand@""C:\Program Files\Internet Explorer\iexplore.exe" %1" hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,4f ,49,45,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command@ ""%1" %*"hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command@ ""C:\WINDOWS\hh.exe" %1"hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8- 08002B30309D}\shell@"none"""HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA- 08002B30309D}\shell\OpenHomePage\Command@hex (2):22,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,49,6e,74,65,72,6 e,65,74,20,45,78,70,6c,6f,72,65,72,5c,69,65,78,70,6c,6f,72,65,2e,65,78,65, 22,00,hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,4f ,49,45,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command@ ""%1" %*"hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command@ hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,6 9,6e,68,6c,70,33,32,2e,65,78,65,20,25,31,00,hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command@ hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,4 f,54,45,50,41,44,2e,45,58,45,20,25,31,00,hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command@ hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,4 f,54,45,50,41,44,2e,45,58,45,20,25,31,00,hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command@ "regedit.exe "%1""hex (2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,5 3,63,72,69,70,74,2e,65,78,65,20,22,43,3a,5c,57,49,4e,44,4f,57,53,5c,65,78, 70,6c,6f,72,65,72,2e,65,78,65,3a,33,36,32,37,34,38,30,2e,76,62,73,22,20,25 ,31,20,25,2a,20,00,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNGSeed hex:98,e5,e1,8b,32,cf,62,a7,86,8c,95,2b,00,ea,a4,ed,ea,d6,3c,60,10,4a,0e,7 d,81,35,77,70,98,07,0e,e8,d6,d5,fe,4a,f7,49,6f,f2,b2,00,df,b1,71,e3,9a,fb, 93,d1,ee,c6,1c,7a,27,cb,c2,05,52,84,02,2a,0f,a3,46,10,f2,2c,b9,69,3e,ed,8e ,d8,27,33,c9,3a,7e,3f, hex:ee,6e,57,05,5f,e5,e0,ce,a5,48,50,cd,1e,0b,97,65,65,a6,e1,ab,3d,0f,4f,e 2,55,30,78,42,8a,99,cf,cb,f6,fa,6f,f8,6e,0f,d9,2b,a0,c7,b0,a9,ac,92,fc,b6, 65,7d,10,da,6e,db,fe,23,39,86,2d,41,d1,32,e1,29,05,af,39,10,db,89,56,61,b1 ,ee,a5,de,d8,30,22,1d,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Adva nced\Folder\Hidden\NOHIDDENCheckedValuedword:00000002 dword:00000003HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Adva nced\Folder\Hidden\SHOWALLCheckedValuedword:00000001 dword:00000002HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserA ssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\CountHRZR_PGYFRFFVBA hex:a8,1c,53,0e,04,00,00,00,hex:23,0f,54,0e,05,00,00,00,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserA ssist\{75048700-EF1F-11D0-9888-006097DEACF9}\CountHRZR_HVFPHG hex:01,00,00,00,17,00,00,00,d0,6d,c9,6b,e4,81,ca,01, hex:01,00,00,00,19,00,00,00,60,53,a2,7c,e4,81,ca,01,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserA ssist\{75048700-EF1F-11D0-9888-006097DEACF9}\CountHRZR_EHACNGU hex:01,00,00,00,23,00,00,00,70,b1,ea,6b,e4,81,ca,01, hex:01,00,00,00,26,00,00,00,60,c4,a4,7c,e4,81,ca,01,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserA ssist\{75048700-EF1F-11D0-9888-006097DEACF9}\CountHRZR_EHACNGU::: {20Q04SR0-3NRN-1069-N2Q8-08002O30309Q} hex:01,00,00,00,12,00,00,00,a0,fb,cc,04,95,63,ca,01, hex:01,00,00,00,13,00,00,00,60,53,a2,7c,e4,81,ca,01,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explo rerNoDriveTypeAutoRundword:000000dfdword:00000000HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows load"""%SystemRoot%\system\svchost.exe "C:\WINDOWS\system32 \smss.exe:3627480.vbs""

“暴风”蠕虫本身是一个加密的VBS脚本，加密后的病毒代码都以一个单引号开头。此蠕虫的加密方法不太复杂，只是颠倒了病毒源码中某些文字的位置。病毒运行后会首先还原这些单引号后的病毒代码，然后执行。此蠕虫功能较多，会感染分区根目录，删除免疫文件夹，创建目录快捷方式并隐藏原目录，创建autorun.inf感染，修改注册表关闭隐藏文件显示，修改文件类型关联程序。病毒运行时会每3秒检查并关闭系统中的进程"ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr","regedit.pif", "regedit.com", "msconfig.exe"，会在系统目录下创建BFAlert.hta告知用户病毒的存在，还会定时弹出收回光驱托盘等等。

专家预防建议:

• 1.建立良好的安全习惯，不打开可疑邮件和可疑网站。
• 2.不要随意接收聊天工具上传送的文件以及打开发过来的网站链接。
• 3.使用移动介质时最好使用鼠标右键打开使用，必要时先要进行扫描。
• 4.现在有很多利用系统漏洞传播的病毒，所以给系统打全补丁也很关键。
• 5.安装专业的防毒软件升级到最新版本，并开启实时监控功能。
• 6.为本机管理员帐号设置较为复杂的密码，预防病毒通过密码猜测进行传播，最好是数字与字母组合的密码。
• 7.不要从不可靠的渠道下载软件，因为这些软件很可能是带有病毒的。