I-Worm/Diff是一个群发邮件的VBS脚本,传播途径为Email、映射驱动器和mIRC软件。此蠕虫使用了一个简单的编码,当它被执行时,首先自行解码,而后做如下动作:
1.创建下列文件:
C:Message.vbs
%Windir%Tasksys.vbs
%Windir%Message.vbs
%System%Message.vbs
%System%Helpdesk.vbs
%System%Asl.vbs
%System%Welcome.vbs
%System%Fwtwih.vbs
%Temp%Message.vbs
%System%Flps.vbs
注: %System% 一般为 C:WindowsSystem (Windows 95/98/Me),
C:WinntSystem32 (Windows NT/2000), or
C:WindowsSystem32 (Windows XP).
%Temp%
一般为 C:WindowsTEMP (Windows 95/98/Me), or
C:WINNTTemp (Windows NT/2000),
or C:Document and Settings<UserName>Local SettingsTemp (Windows XP).
%Windir% 一般为 C:Windows or C:Winnt)
2.在注册表 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun 下添加 "flps"="%system%flps.vbs" "tasksys"="%system%asksys.vbs" 键值
3.试图在局域网里传播,将自身以 Message.vbs 文件拷贝到映射驱动器下的所有文件夹里。
4.修改mIRC 的 Script.ini 文件,使蠕虫能自动发送病毒副本到每一个用户。
5.如果有机会,病毒会每隔20分钟复制自身一次,并保存到硬盘。
6.病毒会从windows 地址簿里首先选择100个尝试发送,邮件内容一般为系统退信如下:
主题: Mail delivery failed: returning message to sender
正文:This message was create automatically by mail delivery software.
A message that you sent could not be delivered to one or
more of its recipients [see above from address].
This is a permanent error. A copy of the message,
include all the headers, is attached.
附件: Message.vbs