病毒别名:
处理时间:
威胁级别:★★★
中文名称:恶鹰av
病毒类型:蠕虫
影响系统:Win9x / WinNT
病毒行为:
该病毒通过邮件进行传播,用户运行邮件附件后,会尝试关闭计算机内的反病毒软件,并从网上下载一个后门。该蠕虫,还会在受感染的机器的文件中搜索电子邮件,并向搜索到的地址发送邮件。诱惑用户打开运行病毒程序。该病毒会向外发送大量的带毒邮件,严重的堵塞用户网络。并且该病毒会感染可执行文件,建议用户开启防火墙来乐垢貌《镜那秩搿?
1.创建以下几个互斥量来防止NetSky病毒运行:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
2.在被感染的机器上创建以下文件:
%System%sysinit.exe
%System%sysinit.exeopen
%System%sysinit.exeopenopen
3.在注册表HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun中
增加"Syskey"="%System%sysinit.exe"
来确保自身能随计算机启动
4.从HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
删除包含以下字符串的键值:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
5.尝试结束以下进程:
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sys_xp.exe
sysxp.exe
UPDATE.EXE
winxp.exe
kavsvc.exe
6.在包含"shar"字符串的目录下创建文件,文件名可能为下列字符:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
7.搜索以下列字符串为扩展名的文件来获得Email地址,并用自带的SMTP引擎发送带毒邮件
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
8.病毒发送的带毒邮件具有如下特征:
发件人:伪造的
主题:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
正文:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
如果附件有密码,则会显示在正文中显示密码
附件:
文件名可能为:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
扩展名可能为:
.exe
.scr
.com
.zip
.vbs
.hta
.cpl
9.该病毒不会向包含以下字符串的邮件地址发送邮件
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
10.尝试从下列网站下载文件
http://s**h.cc/
11.开启TCP2002端口做为后门
12、尝试感染可执行文件
13、2005年1月25日病毒自动停止运行