电信公司防病毒通知
<FONT size=4>亲爱的上海电信用户:</FONT><P><FONT size=4> 12月28日,接信息产业部互联网应急处理协调办公室的通报, 12月15日截获一个可利用微软视窗操作系统最新高危漏洞——微软MS05-051传播的名为“黛蛇”(Dasher.B)的蠕虫。该蠕虫主要针对Windows 2000操作系统、部分Windows XP操作系统和部分WindowsServer2003操作系统,通过攻击TCP/1025端口获得远程执行命令的权限;此外,该蠕虫还可以针对微软MS04-045、MS04-039漏洞或利用SQL溢出工具进行攻击。Dasher.B蠕虫运行后,会扫描并试图利用漏洞攻击目标主机,目标主机的地址 </FONT><TABLE cellSpacing=0 cellPadding=0 align=left border=0><TBODY><TR><TD><SCRIPT language=JavaScript1.1 src="http://ads.online.sh.cn/js.ng/site=online.sh&size=360x300&cat=Newsinside&PagePos=9000"> </SCRIPT><!-- Sniffer Code for Flash version=50 --><SCRIPT language=VBScript> on error resume next ShockMode = ( IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5")))if ( ShockMode <= 0 ) then ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.6")))</SCRIPT><FONT size=4><OBJECT id=flashad codeBase=http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0 height=300 width=360 classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000><PARAM NAME="_cx" VALUE="9525"><PARAM NAME="_cy" VALUE="7938"><PARAM NAME="FlashVars" VALUE=""><PARAM NAME="Movie" VALUE="http://adsp.online.sh.cn/05122808.swf?clickTag=http%3A//ads.online.sh.cn/event.ng/Type%3Dclick%26FlightID%3D5514%26AdID%3D6227%26TargetID%3D657%26Segments%3D1%2C89%2C442%2C691%2C980%26Targets%3D126%2C418%2C657%2C943%26Values%3D31%2C43%2C51%2C60%2C72%2C93%2C100%2C110%2C150%2C193%2C355%2C397%2C610%2C645%26RawValues%3D%26Redirect%3Dhttp%3A//adclient.dentsu.com.cn/html.ng/adspec%3DFlash%26adtype%3Dbutton%26affiliate%3Dshanghairexian%26campaignid%3D274%26channel%3DF1%26log%3D0%uFF1Fms.styles%3Dclickcmd%3F"><PARAM NAME="Src" VALUE="http://adsp.online.sh.cn/05122808.swf?clickTag=http%3A//ads.online.sh.cn/event.ng/Type%3Dclick%26FlightID%3D5514%26AdID%3D6227%26TargetID%3D657%26Segments%3D1%2C89%2C442%2C691%2C980%26Targets%3D126%2C418%2C657%2C943%26Values%3D31%2C43%2C51%2C60%2C72%2C93%2C100%2C110%2C150%2C193%2C355%2C397%2C610%2C645%26RawValues%3D%26Redirect%3Dhttp%3A//adclient.dentsu.com.cn/html.ng/adspec%3DFlash%26adtype%3Dbutton%26affiliate%3Dshanghairexian%26campaignid%3D274%26channel%3DF1%26log%3D0%uFF1Fms.styles%3Dclickcmd%3F"><PARAM NAME="WMode" VALUE="Window"><PARAM NAME="Play" VALUE="-1"><PARAM NAME="Loop" VALUE="-1"><PARAM NAME="Quality" VALUE="High"><PARAM NAME="SAlign" VALUE=""><PARAM NAME="Menu" VALUE="-1"><PARAM NAME="Base" VALUE=""><PARAM NAME="AllowScriptAccess" VALUE=""><PARAM NAME="Scale" VALUE="ShowAll"><PARAM NAME="DeviceFont" VALUE="0"><PARAM NAME="EmbedMovie" VALUE="0"><PARAM NAME="BGColor" VALUE=""><PARAM NAME="SWRemote" VALUE=""><PARAM NAME="MovieData" VALUE=""><PARAM NAME="SeamlessTabbing" VALUE="1"><PARAM NAME="Profile" VALUE="0"><PARAM NAME="ProfileAddress" VALUE=""><PARAM NAME="ProfilePort" VALUE="0"> <EMBED SRC="http://adsp.online.sh.cn/05122808.swf?clickTag=http%3A//ads.online.sh.cn/event.ng/Type%3Dclick%26FlightID%3D5514%26AdID%3D6227%26TargetID%3D657%26Segments%3D1%2C89%2C442%2C691%2C980%26Targets%3D126%2C418%2C657%2C943%26Values%3D31%2C43%2C51%2C60%2C72%2C93%2C100%2C110%2C150%2C193%2C355%2C397%2C610%2C645%26RawValues%3D%26Redirect%3Dhttp%3A//adclient.dentsu.com.cn/html.ng/adspec%3DFlash%26adtype%3Dbutton%26affiliate%3Dshanghairexian%26campaignid%3D274%26channel%3DF1%26log%3D0%uFF1Fms.styles%3Dclickcmd%3F" QUALITY=autohigh NAME=flashad swLiveConnect=TRUE WIDTH=360 HEIGHT=300 TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></EMBED></OBJECT><NOEMBED><A HREF="http://ads.online.sh.cn/event.ng/Type=click&FlightID=5514&AdID=6227&TargetID=657&Segments=1,89,442,691,980&Targets=126,418,657,943&Values=31,43,51,60,72,93,100,110,150,193,355,397,610,645&RawValues=&Redirect=http://adclient.dentsu.com.cn/html.ng/adspec=Flash&adtype=button&affiliate=shanghairexian&campaignid=274&channel=F1&log=0?ms.styles=clickcmd?" target="_blank"><IMG SRC="http://adsp.online.sh.cn/05122806.swf" WIDTH=360 HEIGHT=300 BORDER=0></A></NOEMBED><NOSCRIPT><A HREF="http://ads.online.sh.cn/event.ng/Type=click&FlightID=5514&AdID=6227&TargetID=657&Segments=1,89,442,691,980&Targets=126,418,657,943&Values=31,43,51,60,72,93,100,110,150,193,355,397,610,645&RawValues=&Redirect=http://adclient.dentsu.com.cn/html.ng/adspec=Flash&adtype=button&affiliate=shanghairexian&campaignid=274&channel=F1&log=0?ms.styles=clickcmd?" target="_blank"><IMG SRC="http://adsp.online.sh.cn/05122806.swf" WIDTH=360 HEIGHT=300 BORDER=0></A></NOSCRIPT></FONT></TD></TR></TBODY></TABLE><FONT size=4>是根据该蠕虫自身携带的地址列表随机生成的,多数为中国用户。该蠕虫攻击目标主机成功后,会操纵目标主机自动连接到某控制服务器请求黑客指令,然后根据该黑客指令从某个ftp服务器下载并运行一个键盘记录软件和Dasher蠕虫文件包,从而完成传染过程。 </FONT></P><P><FONT size=4> 众多迹象表明,该蠕虫事件是一次有计划的,专门针对中国互联网用户的攻击,经过对蠕虫的整个传染过程分析,如果该蠕虫大规模感染扩散成功将造成以下几种危害:一、用户数据有被窃取的可能,如果被感染的是重要信息系统用户,还会存在信息失泄密的危险;二、伴随大量的扫描,会影响网络性能;三、键盘记录程序还会自动连接一个网站下载SDBOT僵尸程序,形成一个巨大的僵尸网络。 </FONT></P><P><FONT size=4> Dasher.B蠕虫运行后,会扫描并试图利用漏洞攻击目标主机,目标主机的地址是根据该蠕虫自身携带的地址列表随机生成的,多数为中国用户。</FONT></P><P><FONT size=4> 该蠕虫攻击目标主机成功后,会操纵目标主机自动连接到某控制服务器的53号端口请求黑客指令,然后根据该黑客指令从某个ftp服务器下载并运行一个键盘记录软件和Dasher蠕虫文件包,从而完成传染过程。其中存放恶意代码的ftp服务器的地址是由控制服务器动态指定的。</FONT></P><P><FONT size=4> 蠕虫从ftp服务器上下载的0.exe文件是可解压缩运行的键盘记录软件,该键盘记录软件会记录用户按键操作,并自动连接某网站下载执行sdbot僵尸程序,以加强对目标主机的控制。下载的1.exe文件经解压缩执行后,在系统目录(C:\windows\system32或C:\winnt\system32)下的wins目录释放出6个可执行文件,分别为Sqltob.exe,Sqlscan.exe,Sqlexp.exe, Sqlexp1.exe,Sqlexp2.exe, Sqlexp3.exe。其中:<BR> Sqlexp.exe攻击 MS04-045 wins服务漏洞,协议和端口为TCP/42<BR> Sqlexp1.exe攻击 MS05-039 upnp漏洞,协议和端口为TCP/445<BR> Sqlexp2.exe 攻击 MS05-051 msdtc漏洞,协议和端口为TCP/1025<BR> Sqlexp3.exe利用sql hello exploit工具攻击MS SQLServer漏洞,协议和端口为TCP/1433。<BR> 攻击日志保存在系统目录下的wins目录的result.txt。</FONT></P><P><FONT size=4> 解决方案:</FONT></P><P><FONT size=4> 1)手工检查:</FONT></P><P><FONT size=4> 查看系统上是否存在Sqltob.exe,Sqlscan.exe,Sqlexp.exe, Sqlexp1.exe, Sqlexp2.exe, Sqlexp3.exe文件,如果存在,将进程停止并删除相应文件。</FONT></P><P><FONT size=4> 2)升级补丁:<BR> 用户应立刻升级MS05-051、MS04-045、MS04-039补丁程序。补丁下载位置: </FONT></P><P><FONT size=4> </FONT><A href="http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx"><FONT size=4>http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx</FONT></A></P><P><FONT size=4> </FONT><A href="http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx"><FONT size=4>http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx</FONT></A></P><P><FONT size=4> </FONT><A href="http://www.microsoft.com/technet/security/bulletin/MS05-045.mspx"><FONT size=4>http://www.microsoft.com/technet/security/bulletin/MS05-045.mspx</FONT></A></P><P><FONT size=4> 漏洞详细信息请参考CNCERT/CC漏洞公告CN-VA05-063,地址:</FONT></P><P><FONT size=4> </FONT><A href="http://www.cert.org.cn/articles/vulnerability/common/2005101222484.shtml"><FONT size=4>http://www.cert.org.cn/articles/vulnerability/common/2005101222484.shtml</FONT></A><FONT size=4> </FONT></P><P><FONT size=4> 3)工具查杀:<BR>建议用户安装防病毒软件,并更新到最新版本,然后对系统进行彻底查杀</FONT></P>页:
[1]