W32.Jacksuf.A is a worm that spreads through network shares. It copies itself to the root of every drive partition and infects .exe files found on the local computer. It attempts to contact the Internet in order to download additional files.
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Virus Definitions (LiveUpdate™ Plus): February 13, 2007
Virus Definitions (LiveUpdate™ Daily): February 13, 2007
Virus Definitions (LiveUpdate™ Weekly): February 14, 2007
Virus Definitions (Intelligent Updater): February 13, 2007
Wild
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Threat Metrics
Wild: Low
Damage: Medium
Distribution: Medium
Damage
Payload Trigger: n/a
Payload: Downloads potentially malicious code on to the compromised computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Infects .exe files
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Network shares.
When W32.Jacksuf.A is executed, it performs the following actions:
Copies itself as the following files:
[DRIVE LETTER]\setup.exe
%Windir%\system\internat.exe
Creates the following file to execute [DRIVE LETTER]\setup.exe:
[DRIVE LETTER]\autorun.inf
Attempts to download a file from the following remote location:
[http://]mm.21380.com/tx[REMOVED]
Saves the downloaded file as the following file:
%Windir%\system\SYSTEM32.VXD
Note: This encrypted file may contain URLs to download additional malicious software onto the local machine.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Creates the temporary file below, in which it saves a listing of the executables on the local computer:
%Windir%\win.log
Scans the compromised computer and infects any .exe files it finds.
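The file artifacts listed above can be turned into a simple host check. The following Python script is an added example, not Symantec's tool or code from the writeup: it parses an autorun.inf, reports a setup.exe dropper at a drive root whose autorun.inf launches it, and reports the three %Windir% artifacts. The autorun.inf layout (`[autorun]` / `open=setup.exe`) and the sample directory tree it builds are assumptions for demonstration; the writeup only says the file executes setup.exe.

```python
import tempfile
from pathlib import Path
ROOT_DROPPER = "setup.exe"
WINDIR_ARTIFACTS = ("system/internat.exe", "system/SYSTEM32.VXD", "win.log")

def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into a dict of lower-cased keys."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def autorun_launches(keys, exe):
    """True if open= or shellexecute= names the executable (any arguments are ignored)."""
    return any(Path(keys[k].split()[0]).name.lower() == exe.lower()
               for k in ("open", "shellexecute") if keys.get(k))

def scan_drive_root(root):
    """Findings for one drive root: the dropper and an autorun.inf that would run it."""
    root, findings = Path(root), []
    if (root / ROOT_DROPPER).is_file():
        findings.append(f"dropper present: {root / ROOT_DROPPER}")
    inf = root / "autorun.inf"
    if inf.is_file():
        keys = parse_autorun(inf.read_text(errors="replace"))
        if autorun_launches(keys, ROOT_DROPPER):
            findings.append(f"autorun.inf launches {ROOT_DROPPER}: {inf}")
    return findings

def scan_windir(windir):
    """Return those of the writeup's %Windir% artifacts that exist on this machine."""
    return [str(Path(windir, rel)) for rel in WINDIR_ARTIFACTS if Path(windir, rel).is_file()]

def build_sample():
    """Constructed sample tree standing in for an infected host; no real malware involved."""
    base = Path(tempfile.mkdtemp())
    drive, windir = base / "drive", base / "windows"
    drive.mkdir(); (windir / "system").mkdir(parents=True)
    (drive / ROOT_DROPPER).write_bytes(b"MZ")  # placeholder bytes, not a real PE file
    # Assumed autorun.inf layout: the writeup says only that the file launches setup.exe.
    (drive / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (windir / "system" / "SYSTEM32.VXD").write_bytes(b"\x00")
    return drive, windir
```

On a live host, call scan_drive_root for each drive root and scan_windir with the value of %Windir%; a hit on the autorun.inf check alone is worth investigating even when setup.exe has already been cleaned.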
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows Me System Restore
How to turn off or turn on Windows XP System Restore
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).
2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions:
If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.
If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).
The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.
3. To run a full system scan
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, follow the instructions displayed by your antivirus program.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document: How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode.