| 本月文章推荐 |
Worm.Netsky.i发表日期:2007-12-23
|
|
病毒名称:
Worm.Netsky.i
类别: 蠕虫
病毒资料:
破坏方法:
蠕虫病毒,VC++编写,采用PE-PACK加壳,病毒长度为22016字节。文件标图像Html文件的图标。从C到Z驱动器中所有.eml、.txt等21种扩展名的文件中搜取email地址,并创建大量线程发送病毒邮件。病毒体内有如下字符串: "Skynet AntiVirus - MyDoom and Bagle are spammer" 一旦执行,病毒将执行以下操作: 1.本地首先将创建一个名为:"KO[SkyNet.cz]SystemsMutex"的互斥量来保证只运行病毒的一个副本; 2.复制自己到windows目录下: %WINDIR%\fooding.exe 3.添加如下键值: "Tiny AV" = "%WINDIR%\fooding.exe -antivirus service" 到注册表键: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 下,这是病毒自启动的伎俩; 4.病毒将删除下列注册表键值<大都是其它病毒建立的键值>: 删除键: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 下的如下键值: "Taskmon" "EXPlorer" "system." "msgsvr32" "DELETE ME" "service" "Sentry" "Windows Services Host" 删除键: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices 下的如下键值: "system." 删除键: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 下的如下键值: "Taskmon" "Explorer" "d3dupdate.exe" "au.exe" "OLE" "Windows Services Host" "gouday.exe" "rate.exe" "sysmon.exe" "srate.exe" "ssate.exe" 删除键: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch 删除子键: HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 注: 这是病毒"SCO炸弹"建立的键值 5.病毒从带有下列扩展名的文件中搜索Email地址: ".eml" ".txt" ".PHP" ".pl" ".htm" ".html" ".vbs" ".rtf" ".uin" ".ASP" ".wab" ".doc" ".adb" ".tbb" ".dbx" ".sht" ".oft" ".msg" ".shtm" ".cgi" ".dhtm" 6.病毒使用自带的SMTP引擎向上面搜到的Email地址发送带毒邮件: 邮件带有如下特征: 标题为下列之一: "Re: Your briefing" "Re: Your picture" "Re: Your loveletter" "Re: Your TAN" "Re: Your PIN" "Re: Your bill" "Re: Your details" "Re: My details" "Re: Zipped folder" "Re: Secound Part" "Re: Part 3" "Re: Part 2" "Re: Your application" "Re: Your data" "Re: Index" "Re: Appending" "Re: Hello" "Re: Hi" "Re: Your encrypted file" "Re: Your folder" "Re: Your file" "Re: Yours" "Re: Here the file" "Re: Approved" "Re: Document" "Re: Samples" 消息正文为下列之一: "Your document is attached." "Here is the file." "See the attached file for details." "Please have a look at the attached file." "Please read the attached file." "Your file is attached." 附件名为下列之一: "your_document.scr" "document.scr" "message_part2.scr" "your_document.scr" "document_full.scr" "your_picture.pif" "message_details.scr" "your_file.scr" "your_picture.scr" "document_4351.scr" "yours.scr" "mp3music.scr" "application.scr" "all_document.scr" "my_details.scr" "document_Excel.scr" "document_Word.scr" "my_details.scr" "your_details.scr" "your_bill.scr" "your_pin_88.scr" "your_tan_33.scr" "your_letter.scr" "your_pic.scr" "your_briefing.scr" 该病毒不会向包含下列字符的地址发送邮件: "icrosoft" "antivi" "ymantec" "spam" "avp" "f-secur" "itdefender" "orman" "cafee" "aspersky" "f-pro" "orton" "fbi" "abuse" "messagelabs" "skynet" "andasoftwa" "freeav" "sophos" "antivir" "iruslis" 病毒的清除法: 使用光华反病毒软件,彻底删除。 病毒演示: 病毒FAQ: Windows下的PE病毒。 发现日期: 2004-3-9 |
| 上一篇:Harm.Win32.KillFiles.cr
人气:656 下一篇:Worm.Sober.d 人气:490 |
| 浏览全部病毒数据库的内容
Dreamweaver插件下载 网页广告代码 祝你圣诞节快乐 2009年新年快乐 |
