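Virus name:
VBS/Dracv.a@MM
Category: VBScript worm
Virus information:
Virus characteristics:
This e-mail virus arrives as the attachment vcards.vbs. Once a machine is infected, it sends an infected message to every recipient in the address book. The infected message has the following format: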
Subject: You have received a special VCard!
Body: Hi! Click the "vcards.vbs" to view your card! One of your friends is giving you a voyeuristic glimpse of their personal images. The images were randomly chosen and are totally uncensored! There is no telling what you will see! Click the "vcards.vbs" file that is attached to this email to see the uncensored images, and send your own images out to the people in your address book!
+ + + + + + + + + + + + + + + + + + + + + + + +
Message from your friend:
+ + + + + + + + + + + + + + + + + + + + + + + +
If you are not interested? Just delete this email. VCards "Lets get with hot communications"
Attachments: vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd
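A mail-gateway check for the message format described above, as an added example that is not part of the original write-up. The function names, the verdict labels and the constructed sample message are assumptions made for illustration; only the subject and attachment names come from this page.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT = "you have received a special vcard!"
SCRIPT_NAME = "vcards.vbs"
DATA_NAMES = {"vcrd01.vcrd", "vcrd02.vcrd", "vcrd03.vcrd"}


def attachment_names(msg):
    """Return the lower-cased file names of every MIME part that has one."""
    return [part.get_filename().strip().lower()
            for part in msg.walk() if part.get_filename()]


def classify(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names = set(attachment_names(msg))
    reasons = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        reasons.append("subject")
    if SCRIPT_NAME in names:
        reasons.append("script-attachment")
    if DATA_NAMES & names:
        reasons.append("vcrd-attachment")
    # The script attachment alone is enough to quarantine; the subject or
    # the .vcrd files on their own only flag the message for review.
    if "script-attachment" in reasons:
        return "quarantine", reasons
    return ("review" if reasons else "pass"), reasons


def build_sample(subject, filenames):
    """Constructed test message; attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    for name in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Matching on the attachment name is case-insensitive, so a message with a changed subject but the same script attachment is still quarantined.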
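When the attachment is executed, a dialog box pops up:
If the user clicks "No", the virus does not continue running. If the user clicks "OK", another dialog box pops up:
Information can be entered in that box. If the attachments are not saved in the same directory, a further message box pops up:
The virus creates the directory C:\vcache and saves the files vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd in it. It then searches the hard disk for three .jpg files and creates the file imgDisplay.Html to display the images it found.
In addition, the virus checks the registry value "HKEY_CURRENT_USER\software\vcards\mailed" = "1" (that is, whether the value is 1). If it is not, the virus does not send infected mail; instead it edits the value and sets it to 1.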
Signs of infection:
After infection the following files appear:
1. vcards.vbs, vcrd01.vcrd, vcrd02.vcrd and vcrd03.vcrd
2. C:\vcache
3. imgDisplay.html
and the registry value HKEY_CURRENT_USER\software\vcards\mailed, 1
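Method of infection:
The virus begins infecting once the vcards.vbs file is run.
Removal:
Use Guanghua anti-virus software to remove it completely.
Virus demonstration:
Virus FAQ:
Date discovered:
2002-4-23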