svchost.exe应用程序错误。谁来帮帮我 - 一起来浆糊 - 浆糊论坛-RO小站

返回列表发帖

Eric..英雄

论坛元老

UID: 208480
帖子: 2783
精华: 0
威望: 30
阅读权限: 101
来自: The Ultimate
注册时间: 2004-8-6

论坛元老

16^# 跳转到 »

发表于 2006-8-15 01:41 | 只看该作者

原帖由 眼眼12 于 2006-8-15 01:37 发表

他说产品超过许可的升级次数．．无法升级
请等待新版本升级注意１套产品仅授权在１台机器上使用

你是自己买的瑞星还是人家给你共用的序列号?

Destiny Break
Life is like a roller coaster

TOP

NAGGAROK

浆糊会员

Rank: 1

UID: 273082
帖子: 1250
精华: 0
威望: 0
阅读权限: 100
来自: Naval Base Alpha
注册时间: 2005-3-11

15^#

发表于 2006-8-15 01:40 | 只看该作者

原帖由 眼眼12 于 2006-8-15 01:37 发表

他说产品超过许可的升级次数．．无法升级
请等待新版本升级注意１套产品仅授权在１台机器上使用

-_,-用我的这个吧。。虽说是国外的免费软件。。但是发现这个病毒升级病毒库比瑞星还要快一天。。

TOP

眼眼12

浆糊会员

Rank: 1

UID: 206833
帖子: 2352
精华: 1
威望: 0
阅读权限: 100
注册时间: 2004-7-12

14^#

发表于 2006-8-15 01:37 | 只看该作者

原帖由 Eric..英雄 于 2006-8-15 01:35 发表
怎么会升级不了?

他说产品超过许可的升级次数．．无法升级
请等待新版本升级注意１套产品仅授权在１台机器上使用

TOP

NAGGAROK

浆糊会员

Rank: 1

UID: 273082
帖子: 1250
精华: 0
威望: 0
阅读权限: 100
来自: Naval Base Alpha
注册时间: 2005-3-11

13^#

发表于 2006-8-15 01:35 | 只看该作者

Virus: Worm/IRCBot.9609
CME number: 482
Date discovered: 13/08/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 9.609 Bytes
MD5 checksum: 9928A1E6601CF00D0B7826D13FB556F0
VDF version: 6.35.01.85
IVDF version: 6.35.01.85

General Methods of propagation:
• Local network
• Messenger

Aliases:
•  Symantec: Backdoor.IRC.Bot
•  Mcafee: IRC-Mocbot!MS06-040
•  Kaspersky: Backdoor.Win32.IRCBot.st
•  TrendMicro: WORM_IRCBOT.JK
•  F-Secure: Backdoor.Win32.IRCBot.st

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disable security applications
• Lowers security settings
• Registry modification
• Makes use of software vulnerability
• Third party control

Files It copies itself to the following location:
• %SYSDIR%\wgareg.exe

It deletes the initially executed copy of itself.

Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg]
• Type = 110
• Start = 2
• ErrorControl = 0
• ImagePath = %SYSDIR%\wgareg.exe
• DisplayName = Windows Genuine Advantage Registration Service
• ObjectName = LocalSystem
• FailureActions = %hex values%
• Description = Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.

– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Security]
• Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Enum]
• 0 = Root\LEGACY_WGAREG\0000
• Count = 1
• NextInstance = 1

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• EnableDCOM = %user defined settings%
New value:
• EnableDCOM = n

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• restrictanonymous = %user defined settings%
• restrictanonymoussam = %user defined settings%
New value:
• restrictanonymous = 1
• restrictanonymoussam = 1

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
New value:
• autoshareserver = 0
• autosharewks = 0

– [HKLM\SOFTWARE\Microsoft\security center]
Old value:
• antivirusdisablenotify = %user defined settings%
• antivirusoverride = %user defined settings%
• firewalldisablenotify = %user defined settings%
• firewalldisableoverride = %user defined settings%
New value:
• antivirusdisablenotify = 1
• antivirusoverride = 1
• firewalldisablenotify = 1
• firewalldisableoverride = 1

Deactivate Windows XP Firewall:
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0

– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• Start = %user defined settings%
New value:
• Start = 4

Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

Exploit:
It makes use of the following Exploit:
–MS06-040 (Vulnerability in Server Service)

IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: bniu.house**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1

Server: ypgw.wall**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1

– Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Download file
• Execute file
• Start spreading routine

Miscellaneous Mutex:
It creates the following Mutex:
• wgareg

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Inserted by Philipp Wolf on Sun, 13 Aug 2006 15:49 (GMT+1)
Updated by Andrei Gherman on Mon, 14 Aug 2006 13:00 (GMT+1)

楼主说的应该是这个吧。。可耻的瑞星。。比人家老外的晚了一天。。难怪只好意思说是国内率先。。。

TOP

Eric..英雄