I-Worm.Win32.Rusty.b

Wangchao system · Author unknown  2008-05-31

Virus name:

I-Worm.Win32.Rusty.b

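Category: Worm

Virus information:

Destructive behavior:

A worm written in VB.

Once a system is infected, the virus performs the following actions:

1. Copies itself to the system directory (as multiple files):

%SYSDIR%\filename

For example: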

C:\WINNT\SP00LSV.EXE

C:\WINNT\System32\NOTEPAD.EXE

C:\WINNT\System32\rusty.exe

C:\WINNT\System32\E-zU_W99k).EXE

2. Modifies the system registry so that it starts automatically with the system:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"5Oe9gLtr)$n(cKG?P$" = "C:\WINNT\SP00LSV.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

"1cZ)wPL6dTT" = "C:\WINNT\SP00LSV.EXE"

The value name is random.

3. Terminates security software processes:

It terminates processes whose names contain any of the following strings:

ZONEALARM.EXE

WFINDV32.EXE

WEBSCANX.EXE

VSSTAT.EXE

VSHWIN32.EXE

VSECOMR.EXE

VSCAN40.EXE

VETTRAY.EXE

VET95.EXE

TDS2-NT.EXE

TDS2-98.EXE

TCA.EXE

TBSCAN.EXE

SWEEP95.EXE

SPHINX.EXE

SMC.EXE

SERV95.EXE

SCRSCAN.EXE

SCANPM.EXE

SCAN95.EXE

SCAN32.EXE

SAFEWEB.EXE

RESCUE.EXE

RAV7WIN.EXE

RAV7.EXE

PERSFW.EXE

PCFWALLICON.EXE

PCCWIN98.EXE

PAVW.EXE

PAVSCHED.EXE

PAVCL.EXE

PADMIN.EXE

OUTPOST.EXE

NVC95.EXE

NUPGRADE.EXE

NORMIST.EXE

NMAIN.EXE

NAVWNT.EXE

NAVW32.EXE

NAVNT.EXE

NAVLU32.EXE

NAVAPW32.EXE

N32SCANW.EXE

MPFTRAY.EXE

MOOLIVE.EXE

AVPCC.EXE

AVP32.EXE

AVP.EXE

....

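4. The virus traverses the files on the system, tries to extract email addresses from them, and sends infected email to those addresses.

Possible email subjects: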

Merry Christmas

Merry X-Mas

Happy Christmas

Happy Holidays

Happy New Year

Ho Ho Ho

Merry Christmas Honey

Merry Christmas Sweetie

Season's Greetings

....

Email body:

Hope your holiday season is fun and festive.

Wishing you every happiness this holiday season and throughout the coming year.

Warmest thoughts and best wishes for a wonderful holiday and a very happy new year.

Season's greetings with all good wishes for the new year.

Warmest wishes for a happy holiday season and a wonderful new year.

May the Christmas season fill your home with joy your heart with love and your life with laughter.

Wishing you a Merry Christmas and a Happy New Year.

Best wishes for the holidays and for health and happiness throughout the coming year.

.....

Email attachment names:

E-Card.pif

Christmas Surprise.bat

The Greet Santa Game.exe

Christmas CardMaker.cmd

....

Users who receive email of this kind should not be taken in and should not run the attachment.
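
A triage check for the autostart entries described in step 2, as an added example that is not part of the original write-up: it flags Run-key entries whose file name imitates a genuine Windows binary through digit substitution (as SP00LSV.EXE does for SPOOLSV.EXE) or whose value name contains unusual punctuation. The allow-list, the character map and the sample text in `reg query` layout are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: a small allow-list of genuine Windows binary names to compare against.
KNOWN_BINARIES = {"SPOOLSV.EXE", "SVCHOST.EXE", "LSASS.EXE", "EXPLORER.EXE"}
# Digits that stand in for similar-looking letters (SP00LSV.EXE uses 0 for O).
LOOKALIKES = str.maketrans({"0": "O", "1": "L", "5": "S"})
# One value line of `reg query` output: name, type and data separated by four spaces.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")
# Constructed sample; only the second entry is taken from the description above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    5Oe9gLtr)$n(cKG?P$    REG_SZ    C:\WINNT\SP00LSV.EXE
    PrintSpooler    REG_SZ    C:\WINNT\System32\SPOOLSV.EXE
"""

def lookalike_of(path):
    """Return the genuine binary name that the file in `path` imitates, or None."""
    base = ntpath.basename(path.strip('"')).upper()
    if base in KNOWN_BINARIES:
        return None  # exact name: not a look-alike
    normalized = base.translate(LOOKALIKES)
    return normalized if normalized in KNOWN_BINARIES else None

def odd_value_name(name):
    """True when a value name has punctuation that installers rarely use."""
    return re.search(r"[^A-Za-z0-9 _.\-]", name) is not None

def triage(reg_text):
    """Return (value name, data, reasons) for each suspicious autostart entry."""
    findings = []
    for line in reg_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key headers and blank lines
        reasons = []
        imitated = lookalike_of(m["data"])
        if imitated:
            reasons.append(f"file name imitates {imitated}")
        if odd_value_name(m["name"]):
            reasons.append("value name contains unusual punctuation")
        if reasons:
            findings.append((m["name"], m["data"], reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE):
        print(f"{name!r} -> {data}: {'; '.join(reasons)}")
```

Because the value name is random, the look-alike file name is the more stable of the two signals; the punctuation check only raises priority.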

Removal:

Use Guanghua anti-virus software to remove it completely.

Virus demonstration:

Virus FAQ:

A PE virus for Windows.

Date discovered:

2005-1-20

 
 
 