病毒名称:
W32.Mytob.CF@mm
类别: 邮件病毒
病毒资料:
该病毒长度 56,832 字节,感染windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP系统。它是一个复合型邮件病毒,使用一个自带的SMTP引擎传播,在计算机里设置后门,利用Windows DCOM RPC缓冲区溢出漏洞(参见Microsoft Security Bulletin MS03-026 http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx)和Windows 本地安全认证缓冲区溢出漏洞(参见Microsoft Security Bulletin MS04-011 http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)在局域网中传播,重写Hosts文件,屏蔽一些安全网站访问,当收到、打开此病毒时,有以下危害:
A 复制自身到以下文件
·系统目录的mprmsg32.exe
·C:\my_photo2005.scr
·C:\see_this!!.scr
·C:\funny_pic.scr
B 创建以下文件
·C:\hellMSN.exe
C 每次执行时,病毒创建注册表项"MPR MSG" = "mprmsg32.exe"到
·HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
·HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
·HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
使得每次开机病毒自动执行取得控制权。
病毒监视以上注册表,如果被删除马上自动重建。
D 从以下文件中搜索邮件地址传播
adb* .ASP* .dbx* .htm* .PHP* .sht* .tbb* .wab
病毒回避包含以下字符串的邮件地址
anyone bugs ca contact feste gold-certs help info me no nobody noone not nothing page postmaster privacy rating root samples service site soft somebody
someone submit the.bat webmaster you your
病毒回避包含以下字符串的主机名的邮件地址
.gov .mil acketst arin. berkeley borlan bsd example fido foo. fsf. gnu Google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel Linux math
mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. rusli secur sendmail sopho syma tanford.e unix usenet utgers.ed
病毒添加以下字符串到主机名的前缀查找SMTP服务器
gate mail mail1 mx mx1 mxs ns relay smtp
E 病毒向上述发现的邮件地址中发送以下特征(之一)的邮件来传播自身
发信人(以下之一):
adam alex alice andrew anna bill bob bob brenda brent brian claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose
julie kevin leo linda maria mark matt michael mike peter ray robert sam serg smith stan steve ted tom
病毒也会使用邮件中发现的地址作为发信人
主题(以下之一):[空白] / Good day / hello / Mail Delivery System / Mail Transaction Failed / Server Report / Status / Error / [随机内容]
内容(以下之一):
·Mail transaction failed. Partial message is available.
·The message contains Unicode characters and has been sent as a binary attachment.
·The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
·The original message was included as an attachment.
·Here are your banks documents
附件名(以下之一):document readme doc text file data test message body [随机内容]
附件扩展名(以下之一):.pif .scr .exe .cmd .bat .zip
F 利用Windows DCOM RPC缓冲区溢出漏洞(参见Microsoft Security Bulletin MS03-026 http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx)和Windows 本地安全认证缓冲区溢出漏洞(参见Microsoft Security Bulletin MS04-011 http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)在局域网中传播
G 在主机irc.secsnet.org 上打开一个后门连接到 IRC 频道 #hb,等待远程攻击命令,执行如下命令:
·下载并执行文件
·查询病毒版本
·删除终止更新病毒
H 启动FTP服务在一个随机的端口
I 重写Hosts文件,屏蔽以下网站访问
www.symantec.com securityresponse.symantec.com symantec.com www.virustotal.com virustotal.com www.oxyd.fr oxyd.fr www.sophos.com sophos.com www.McAfee.com
mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com www.avp.com
www.kaspersky.com avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com www.my-etrust.com
download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com www.grisoft.com www.microsoft.com
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2005-5-16
