[Notice] Moderate security advisory: Win32/Zotob.A worm

Author: shunze (Janitor Uncle) · Registered: 2002-04 · From: Where the tides end · Posts: 2380

[Notice] Moderate security advisory: Win32/Zotob.A worm

Regarding the Win32/Zotob.A worm: Microsoft is aware that it is circulating on the Internet.

The Zotob.A worm exploits the security issue resolved by Microsoft Security Bulletin MS05-039 to attack Windows 2000 and later systems.

This worm installs malicious software and then attempts to infect other computers.

Important: if you have already installed the update released with Microsoft Security Bulletin MS05-039, you are already immune to Zotob.A.

If the supported version of Windows you are using is not Windows 2000 or later, you are not threatened by Zotob.A.

The worm is currently spreading across the Internet; it exploits the Windows Plug and Play vulnerability resolved in Microsoft Security Bulletin MS05-039 (released August 9, 2005) to carry out its attacks.
Preliminary investigation shows that this worm remotely attacks Windows 2000 and later systems.


The affected software listed in Security Bulletin MS05-039 is as follows:

• Microsoft Windows 2000 Service Pack 4 – Download update (English) / Download update (Chinese)

• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download update (English) / Download update (Chinese)

• Microsoft Windows XP Professional x64 Edition – Download update (English)

• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download update (English) / Download update (Chinese)

• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download update (English)

• Microsoft Windows Server 2003 x64 Edition – Download update (English)


Reposted from Microsoft TechNet Security


Security Bulletin MS05-039 will prompt you to download security update KB899588.
If you see the KB899588 installation item under "Add/Remove Programs" in the "Control Panel",
then you are already out of reach of this worm ∼



♥ Please check out Shunze's wife's online shop ∼

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!




2005-08-17, 23:36 — shunze

[Notice] How to check whether you are infected

Reposted from "Understanding Zotob"

When Zotob.A infects a computer, it tries to deliver a malicious file named botzor.exe.
If your computer is infected, this file will be present on it, and your registry will also show changes.
Use either of the following methods to check whether the computer is infected.
(If you find this file, there is no need to check the registry: you've been hit ∼
If the registry shows this file, there is no need to search the computer for it, because you've been hit too ∼)



Search your computer for the botzor.exe file

1. Click [Start], point to [Search], and then click [All files and folders].

2. Click [Use advanced search options]. Under [Search by any or all of the criteria below], enter the following:

 A. Under [All or part of the file name]: type botzor.exe.

 B. Under [Look in]: click [Local Hard Drives].

 C. Under [More advanced options], select [Search system folders] and [Search hidden files and folders].

3. Click [Search].


Look for newly added keys in the registry

• Under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
 a WINDOWS SYSTEM value has been added with the data botzor.exe.

• Under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices,
 a WINDOWS SYSTEM value has been added with the data botzor.exe.


If you find the above....
Congratulations, you've been hit ∼







2005-08-17, 23:45 — shunze

[Notice] How to remove Zotob.A


Manual Recovery

To manually recover from infection by Worm:Win32/Zotob.A, follow these steps:
1.Install security update MS05-039.
2.Disconnect from the Internet.
3.End the worm process.
4.Delete the worm files from your computer.
5.Delete the worm registry entries.
6.Clean the system host file.
7.Restart your computer.
8.Take steps to prevent re-infection.


Install security update MS05-039

To install MS05-039 using Windows Update
1.Go to the Windows Update Web site at windowsupdate.microsoft.com.
2.On the Windows Update site, click Scan for Updates. Windows Update scans your computer and returns a list of critical updates, including service packs.
3.In the Pick updates to install list, click Critical Updates and Service Packs. Windows Update creates a list of the updates appropriate for your computer, including MS05-039 if it is not installed. Critical updates are selected for download automatically.
4.Click Review and install updates, and then click Install Now. You may need to restart your computer after installing the updates.


Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.


End the worm process

Ending the worm process will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.

To end the worm process
1.Press CTRL+ALT+DEL once and click Task Manager.
2.Click Processes and click Image Name to sort the running processes by name.
3.Select the process botzor.exe, and click End Process.


Delete the worm files from your computer

To delete the worm files from your computer
1.Click Start, and click Run.
2.In the Open field, type the name of the system folder, for example, C:\Winnt\system32\
3.Click OK.
4.Click Name to sort files by name.
5.If botzor.exe is in the list, delete it.
6.On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
7.Click Yes.

If deleting the files fails, follow these steps to verify that botzor.exe is not running:
1.Press CTRL+ALT+DEL once and click Task Manager.
2.Click Processes and click Image Name to sort the running processes by name.
3.Confirm that botzor.exe is not in the list.


Delete the worm registry entries

Worm:Win32/Zotob.A creates entries in the Windows registry that attempt to run the worm every time your computer restarts. These entries should be deleted.

To delete the worm registry entries
1.On the Start menu, click Run.
2.Type regedit and click OK.
3.In the left pane, navigate to the key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 In the right pane, right-click the following value, if it exists: WINDOWS SYSTEM
4.Click Delete and click Yes to delete the values.
5.Repeat steps 3-4 for HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.
6.Close Registry Editor.


Clean the system host file

The worm makes changes to the system host file to prevent access to certain Web sites.

To clean the system host file.
1.On the Start menu, click Run.
2.Type notepad.exe and click OK.
3.On the File menu, click Open…
4.In the File name text box, type the name of the Windows directory folder and \system32\drivers\etc\hosts, for example, C:\winnt\system32\drivers\etc\hosts.
5.Search for text that begins with "Botzor2005 Made By…"
6.Select this text and all text that follows. Delete the selected text and save the file.
7.Close Notepad.


Restart your computer

To restart your computer
1.On the Start menu, click Shut Down.
2.Select Restart from the drop-down list and click OK.


Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.


Too lazy to translate... if you need it, read it yourself ∼







2005-08-17, 23:58 — shunze
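The second post's registry check and the third post's hosts-file cleanup are both mechanical enough to script. The following Python is an added example written for this thread; it is not code from the forum posts, from Microsoft, or from the "Understanding Zotob" article. It works offline on text you export yourself (a regedit export of the Run and RunServices keys, and a copy of the hosts file), so it can be run on an isolated machine after the "disconnect from the Internet" step. The indicators it looks for (the botzor.exe file name, the WINDOWS SYSTEM autorun value, and the "Botzor2005 Made By" hosts marker) are exactly the ones the posts quote; the sample registry export and hosts file below are constructed for the demonstration, and the function names are this example's own.

```python
"""Offline triage helpers for the Zotob.A indicators described in this thread.

Added example, not code from the posts or from Microsoft. Works on text the
operator exports (a .reg export and a hosts file) plus a constructed sample.
"""
import os
import re
from typing import Dict, List, Tuple

# Indicators quoted in the thread (file name, autorun value name, hosts marker).
WORM_FILE = "botzor.exe"
AUTORUN_VALUE = "WINDOWS SYSTEM"
# The posts abbreviate the hive as HKLM; regedit exports the full name.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
HOSTS_MARKER = "Botzor2005 Made By"


def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg export format regedit produces for string
    values: [key] headers followed by "name"="data" lines. Other value types
    (@= defaults, dword:, hex:) are ignored since the indicators are strings."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:
                name = m.group(1).replace('\\"', '"')
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def find_autorun_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key, data) pairs where the WINDOWS SYSTEM value under Run or
    RunServices points at botzor.exe. Key names are compared case-insensitively
    because regedit exports them in its own casing (e.g. SOFTWARE)."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if name.upper() == AUTORUN_VALUE and WORM_FILE in data.lower():
                hits.append((key, data))
    return hits


def clean_hosts(hosts_text: str) -> Tuple[str, bool]:
    """Apply the removal post's hosts step: from the first line whose text
    begins with 'Botzor2005 Made By' (a leading '#' is tolerated), drop that
    line and everything after it. Returns (cleaned_text, changed)."""
    lines = hosts_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.lstrip(" \t#").startswith(HOSTS_MARKER):
            return "".join(lines[:i]), True
    return hosts_text, False


def worm_file_present(system_dir: str) -> bool:
    """Check for botzor.exe in the system folder (e.g. C:\\Winnt\\system32)."""
    return os.path.exists(os.path.join(system_dir, WORM_FILE))


def triage(reg_text: str, hosts_text: str, file_present: bool) -> Dict[str, object]:
    """Combine the three checks from the thread into one verdict."""
    autorun = find_autorun_entries(reg_text)
    cleaned, hosts_modified = clean_hosts(hosts_text)
    return {
        "file_present": file_present,
        "autorun_entries": autorun,
        "hosts_modified": hosts_modified,
        "infected": file_present or bool(autorun) or hosts_modified,
        "cleaned_hosts": cleaned,
    }


# Constructed sample data (not real artefacts): an export of both autorun
# keys as an infected machine would show them, and a hosts file with the
# appended block that the removal post tells you to delete.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="botzor.exe"
"""

SAMPLE_HOSTS = (
    "127.0.0.1       localhost\n"
    "Botzor2005 Made By (constructed sample)\n"
    "127.0.0.1 example.invalid\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_HOSTS, file_present=False)
    for key, value in result.items():
        if key != "cleaned_hosts":
            print(f"{key}: {value}")
```

Run it against a real export by passing the text of `regedit`'s exported .reg file and the contents of `%SystemRoot%\system32\drivers\etc\hosts`; `triage` reports each indicator separately so a hit on one (say, the autorun value) is still visible even when the file has already been deleted, and `clean_hosts` returns the repaired text rather than writing it, so you can review it before saving over the original.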
Powered by: Burning Board 1.1.1 2001 WoltLab GbR