病毒名称:
I-Worm.Skybag.a
类别: 蠕虫病毒
病毒资料:
破坏方法:
通过邮件传播自己的蠕虫病毒
病毒采用VC编写。
病毒运行后有以下行为:
一、创建名为"~~~Bloodred~~~owns~~~you~~~xoxo~~~2004"的互斥量,以确定只有一个病毒文件在运行。
二、将自己复制分别复制到%WINDIR%、%SYSDIR%目录下,文件名分别为"bloodred.exe"、"WINDOWS_KERNEL32.EXE"。
三、修改注册表以下键值以达到其自启动的目的:
1.
HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\Currentversion\Run
增加数据项:"Microsoft Kernel"
数据值为:"%SYSDIR%\WINDOWS_KERNEL32.EXE"
四、创建一个线程用于查看当前系统是否有以下进程在运行,如果有则将它们结束:
CCAPP.exe
ZONEALARM.EXE
ZONALM2601.EXE
ZAUINST.EXE
ZATUTOR.EXE
WRCTRL.EXE
WRADMIN.EXE
WNT.EXE
WINRECON.EXE
W9X.EXE
W32DSM89.EXE
TCA.EXE
TC.EXE
TAUSCAN.EXE
TAUMON.EXE
TASKMON.EXE
FSAV95.EXE
FSAV530WTBYB.EXE
FSAV530STBYB.EXE
ATGUARD.EXE
ATCON.EXE
APVXDWIN.EXE
APLICA32.EXE
APIMONITOR.EXE
ANTS.EXE
ANTIVIRUS.EXE
ANTI-TROJAN.EXE
AGENTSVR.EXE
……
五、创建一个线程用于关闭"Windows Task Manager"窗体。
六、创建以下互斥量,导致使用以下互斥量的进程无法运行:
SkyNet-Sasser
AdmSkynetJKIS003
[SkyNet.cz]SystemsMutex
LK[SkyNet.cz]SystemsMutex
Netsky AV Guard
MI[SkyNet.cz]SystemsMutex
KO[SkyNet.cz]SystemsMutex
……
七、感染C盘下所有扩展名为"EXE"的文件,感染的方式是将病毒数据插入到被感染的文件起始位置。
八、将自己复制到P2P软件的共享目录下,文件名有以下可能:
"Visual Studio.NET.zip.exe"
"DVD Xcopy XPress.exe"
"Britney spears naked.jpeg.exe"
"Teen Porn.mpeg.exe"
"Windows crack.zip.exe"
"Kazaa Lite.zip.exe"
"NETSKY SOURCE CODE.zip.exe"
"Battlefield 1942.exe"
"Norton AntiVirus 2004.exe"
"Brianna banks and jenna jameson.mpeg.exe"
"Snood new version.exe"
"Opera Registered version.exe"
"jenna jameson screensaver.scr"
"WINDOWS SOURCE CODE.zip.exe"
"Windows Longhorn Beta.exe"
"WinRAR.exe"
"WinAMP 6.exe"
"Cisco source code.zip .exe"
"Adobe Photoshop Full Version.exe"
"ACDSEE10.exe"
九、搜索C盘以下扩展名的文件:
"dbx"、
"adb"、
"ASP"、
"jsp"、
"rtf"、
"doc"、
"XML"、
"txt"、
"htm"、
"Html"
并从中提取包含以下字符串的邮件地址:
"@hotmail"、
"@fsecure"、
"@virusli"、
"@noreply"、
"@norton"、
"@norman"、
"@sopho"、
"@MSN"、
"@microsoft"、
"@avp"、
"@panda"、
"@symantec"
对所提取的邮件地址发送携带病毒的邮件:
邮件标题有以下可能:
"Email Account Information"
"User Information"
"Detailed Information"
"URGENT PLEASE READ!"
"User Info"
"Server Error"
"Urgent Update!"
邮件正文有以下可能:
"Our server is experiencing some latency in our email service. The attachment
contains details on how your account will be affected."
"Due to recent internet attacks, your Email account security is being upgraded.
The attachment contains more details"
"Our Email system has received reports of your account flooding email servers.
There is more information on this matter in the attachment"
"We regret to inform you that your account has been hijacked and used for
illegal purposes. The attachment has more information about what has happened."
"Your Email account information has been removed from the sys
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2005-1-10