Virus name:
Worm.NetSky.b
Category: worm
Virus details:
Damage method:
This virus is a worm that spreads by e-mail. It searches local drives and mapped network drives for e-mail addresses and sends infected mail to those addresses in order to propagate.
Once executed, the virus performs the following actions:
1. It first creates a mutex named "AdmSkynetJklS003" to ensure that only one copy of the virus runs;
2. Displays a fake message box reading:
"The file could not be opened!";
3. Copies itself into the Windows directory as:
%WINDIR%\services.exe;
4. Adds the value:
"service" = "%WINDIR%\services.exe -serv"
under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which is how the virus starts itself automatically;
The virus also deletes the following registry values:
Under the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
it deletes the values:
"Taskmon"
"EXPlorer"
Under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it deletes the values:
"KASPerskyAV"
"System."
It deletes the subkey:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
5. The virus searches for e-mail addresses in files with the following extensions:
".eml"
".txt"
".PHP"
".pl"
".htm"
".Html"
".vbs"
".rtf"
".uin"
".asp"
".wab"
".doc"
".adb"
".tbb"
".dbx"
".sht"
".oft"
".msg"
6. The virus searches drives C:\ through Z:\ for folders whose names contain the following words:
"sharing"
"share"
As long as the drive holding the folder is not a CD-ROM, the virus copies itself into that folder and all of its subdirectories
under one of the following file names:
"winxp_crack.exe"
"dolly_buster.jpg.pif"
"strippoker.exe"
"Photoshop 9 crack.exe"
"matrix.scr"
"porno.scr"
"angels.pif"
"hardcore porn.jpg.exe"
"Office_crack.exe"
"serial.txt.exe"
"cool screensaver.scr"
"eminem - lick my pussy.mp3.pif"
"Nero.7.exe"
"virii.scr"
"e-book.archive.doc.exe"
"max payne 2.crack.exe"
"how to hack.doc.exe"
"programming basics.doc.exe"
"e.book.doc.exe"
"win longhorn.doc.exe"
"dictionary.doc.exe"
"rfc compilation.doc.exe"
"sex sex sex sex.doc.exe"
"doom2.doc.pif"
7. The virus uses its own SMTP engine to send infected mail to the e-mail addresses collected above:
The mail has the following characteristics:
From: (Spoofed)
Subject is one of:
"hello"
"read it immediately"
"something for you"
"warning"
"information"
"stolen"
"fake"
"unknown"
Message body is one of:
"anything ok?"
"what does it mean?"
"ok"
"i'm waiting"
"read the details."
"here is the document."
"read it immediately!"
"my hero"
"here"
"is that true?"
"is that your name?"
"is that your account?"
"i wait for a reply!"
"is that from you?"
"you are a bad writer"
"I have your passWord!"
"something about you!"
"kill the writer of this document!"
"i hope it is not true!"
"your name is wrong"
"i found this document about you"
"yes, really?"
"that is bad"
"here it is"
"see you"
"greetings"
"stuff about you?"
"something is going wrong!"
"information about you"
"about me"
"from the chatter"
"here, the serials"
"here, the introdUCtion"
"here, the cheats"
"that's funny"
"do you?"
"reply"
"take it easy"
"why?"
"thats wrong"
"misc"
"you earn money"
"you feel the same"
"you try to steal"
"you are bad"
"something is going wrong"
"something is fool"
Attachment name is one of:
"msg"
"doc"
"talk"
"message"
"creditcard"
"details"
"attachment"
"me"
"stuff"
"posting"
"textfile"
"concert"
"information"
"note"
"bill"
"swimmingpool"
"product"
"topseller"
"ps"
"shower"
"aboutyou"
"nomoney"
"fou
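The indicators listed above (the mutex name, the Run-key value, the drop file names under "share" folders, and the subject and attachment names) can be turned into an offline triage script for a host snapshot or a mail gateway log. The following Python is an added example written for this page, not code from the vendor; the registry export, file listing and message used as input are constructed, and comparing only the part of the attachment name before the first dot is an assumption, since the page does not give the attachment extensions and its attachment list is cut off.

```python
"""Offline triage against the NetSky.B indicators given in the description above."""
import re
from pathlib import PureWindowsPath

# Indicators copied from the description above.
MUTEX_NAME = "AdmSkynetJklS003"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# The worm registers value "service" = "%WINDIR%\services.exe -serv" under RUN_KEY;
# the data is matched on its tail so both the raw %WINDIR% form and an expanded path hit.
RUN_VALUE_RE = re.compile(r"(?i)\\services\.exe\s+-serv\s*$")

SHARE_FOLDER_WORDS = ("sharing", "share")
DROP_NAMES = {n.lower() for n in (
    "winxp_crack.exe", "dolly_buster.jpg.pif", "strippoker.exe",
    "Photoshop 9 crack.exe", "matrix.scr", "porno.scr", "angels.pif",
    "hardcore porn.jpg.exe", "Office_crack.exe", "serial.txt.exe",
    "cool screensaver.scr", "eminem - lick my pussy.mp3.pif", "Nero.7.exe",
    "virii.scr", "e-book.archive.doc.exe", "max payne 2.crack.exe",
    "how to hack.doc.exe", "programming basics.doc.exe", "e.book.doc.exe",
    "win longhorn.doc.exe", "dictionary.doc.exe", "rfc compilation.doc.exe",
    "sex sex sex sex.doc.exe", "doom2.doc.pif",
)}
SUBJECTS = {"hello", "read it immediately", "something for you", "warning",
            "information", "stolen", "fake", "unknown"}
# Attachment base names as far as the page lists them (the list is cut off after "fou").
ATTACH_STEMS = {"msg", "doc", "talk", "message", "creditcard", "details",
                "attachment", "me", "stuff", "posting", "textfile", "concert",
                "information", "note", "bill", "swimmingpool", "product",
                "topseller", "ps", "shower", "aboutyou", "nomoney"}


def find_persistence(run_values):
    """Return (name, data) pairs from a Run-key export that match the worm's autostart entry.

    run_values maps value name -> data. Names compare case-insensitively,
    as the Windows registry does.
    """
    return [(name, data) for name, data in run_values.items()
            if name.lower() == "service" and RUN_VALUE_RE.search(data)]


def find_share_copies(paths):
    """Return paths whose parent folders contain 'share'/'sharing' and whose name is a known drop name."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parents = [part.lower() for part in wp.parts[:-1]]
        in_share = any(w in part for part in parents for w in SHARE_FOLDER_WORDS)
        if in_share and wp.name.lower() in DROP_NAMES:
            hits.append(p)
    return hits


def triage_host(run_values, paths, mutexes=()):
    """Combine the host-side checks (mutex, persistence, share-folder copies) into one report."""
    return {
        "mutex": MUTEX_NAME in mutexes,
        "persistence": find_persistence(run_values),
        "share_copies": find_share_copies(paths),
    }


def score_mail(subject, attachment):
    """Score a message: +1 for a listed subject, +1 for a listed attachment stem (0..2).

    Only the part of the attachment name before the first dot is compared,
    because the page does not give the attachment extensions (assumption).
    """
    score = 0
    if subject.strip().lower() in SUBJECTS:
        score += 1
    stem = attachment.split(".", 1)[0].lower()
    if stem in ATTACH_STEMS:
        score += 1
    return score


if __name__ == "__main__":
    # Constructed sample input, not taken from a real machine or mailbox.
    run_export = {"ctfmon": "ctfmon.exe",
                  "service": r"C:\WINDOWS\services.exe -serv"}
    files = [r"C:\share\winxp_crack.exe", r"C:\share\readme.txt",
             r"D:\Users\Bob\Shared Files\Photos\angels.pif"]
    print("Run key checked:", RUN_KEY)
    print(triage_host(run_export, files, mutexes=[MUTEX_NAME]))
    print("mail score:", score_mail("hello", "message.pif"))
```

On a live Windows host the Run-key export would come from `reg export` or `winreg`, and the file listing from a directory walk over the mapped drives; the functions above only need the resulting name/data pairs and path strings, so they can also be run against a forensic image or a central log store.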
Virus removal:
Use Guanghua (光华) anti-virus software to remove it completely.
Virus demo:
Virus FAQ:
A PE virus on Windows.
Discovery date:
2004-2-19