Worm.Netsky.i.enc

Wangchao C# · Author: anonymous  2008-05-31

Virus name: Worm.Netsky.i.enc
Category: worm
Virus details and damage method:

A worm written in VC++ and packed with PE-PACK; the virus is 22016 bytes long. Its file icon imitates the icon of an HTML file. It harvests email addresses from files with 21 extensions (.eml, .txt and others) on drives C through Z and creates a large number of threads to send virus emails. The virus body contains the following string:

"Skynet AntiVirus - MyDoom and Bagle are spammer"

Once executed, the virus performs the following actions:

1. It first creates a mutex named "KO[SkyNet.cz]SystemsMutex" on the local machine to ensure that only one copy of the virus runs;

2. It copies itself into the Windows directory:

%WINDIR%\fooding.exe

3. It adds the following value:

"Tiny AV" = "%WINDIR%\fooding.exe -antivirus service"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This is the trick the virus uses to start automatically;

4. The virus deletes the following registry values (most of them were created by other viruses):

Deletes from the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

the following values:

"Taskmon"

"EXPlorer"

"system."

"msgsvr32"

"DELETE ME"

"service"

"Sentry"

"Windows Services Host"

Deletes from the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

the following value:

"system."

Deletes from the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

the following values:

"Taskmon"

"Explorer"

"d3dupdate.exe"

"au.exe"

"OLE"

"Windows Services Host"

"gouday.exe"

"rate.exe"

"sysmon.exe"

"srate.exe"

"ssate.exe"

Deletes the keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

Deletes the subkey:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Note:

These are values created by the "SCO bomb" virus.
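Steps 1 through 4 give a defender three host indicators: the mutex name, the dropped file %WINDIR%\fooding.exe, and the "Tiny AV" autostart value. The script below is an added example, not part of the original write-up: it parses a Windows registry export in .reg text form and reports any autostart value that matches the persistence described above. The export text, the key paths checked and the helper names are assumptions made for this demo; the indicator strings themselves come from the write-up.

```python
"""Detect the Worm.Netsky.i autostart value in a .reg export (added example)."""
import re

# Indicators taken from the write-up above.
NETSKY_VALUE_NAME = "Tiny AV"
NETSKY_IMAGE = "fooding.exe"
NETSKY_MUTEX = "KO[SkyNet.cz]SystemsMutex"  # live-host indicator, not visible in a .reg file

# Autostart keys the write-up mentions (assumed list for this demo).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg text export.

    Only string values ("name"="data") are decoded; other value kinds
    (dword:, hex:) are kept as their raw text, which is enough for matching.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            tree.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            data = value_match.group("data").strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg escapes backslashes and quotes; undo that for matching.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            tree[current][value_match.group("name")] = data
    return tree


def find_netsky_persistence(reg_text):
    """Return [(key, value_name, data)] for entries matching the Netsky.i indicators."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            if name == NETSKY_VALUE_NAME or NETSKY_IMAGE in data.lower():
                findings.append((key, name, data))
    return findings


# Constructed sample export for the demo (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tiny AV"="C:\\WINDOWS\\fooding.exe -antivirus service"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_netsky_persistence(SAMPLE_REG):
        print(f"[Netsky.i persistence] {key} -> {name} = {data}")
    print(f"On a live host, also check for the mutex: {NETSKY_MUTEX}")
```

Two caveats when using this: the value name alone is a weak indicator (the worm poses as an anti-virus service precisely so the name looks benign), so matching on the image name as well is what makes the finding credible; and because step 4 deletes the autostart values of other worms, the absence of those values on a host says nothing about whether it is clean.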

5. The virus searches for email addresses in files with the following extensions:

".eml"

".txt"

".PHP"

".pl"

".htm"

".html"

".vbs"

".rtf"

".uin"

".ASP"

".wab"

".doc"

".adb"

".tbb"

".dbx"

".sht"

".oft"

".msg"

".shtm"

".cgi"

".dhtm"

6. The virus uses its own SMTP engine to send infected emails to the addresses found above.

The emails have the following characteristics:

The subject is one of:

"Re: Your briefing"

"Re: Your picture"

"Re: Your loveletter"

"Re: Your TAN"

"Re: Your PIN"

"Re: Your bill"

"Re: Your details"

"Re: My details"

"Re: Zipped folder"

"Re: Secound Part"

"Re: Part 3"

"Re: Part 2"

"Re: Your application"

"Re: Your data"

"Re: Index"

"Re: Appending"

"Re: Hello"

"Re: Hi"

"Re: Your encrypted file"

"Re: Your folder"

"Re: Your file"

"Re: Yours"

"Re: Here the file"

"Re: Approved"

"Re: Document"

"Re: Samples"

The message body is one of:

"Your document is attached."

"Here is the file."

"See the attached file for details."

"Please have a look at the attached file."

"Please read the attached file."

"Your file is attached."

The attachment name is one of:

"your_document.scr"

"document.scr"

"message_part2.scr"

"your_document.scr"

"document_full.scr"

"your_picture.pif"

"message_details.scr"

"your_file.scr"

"your_picture.scr"

"document_4351.scr"

"yours.scr"

"mp3music.scr"

"application.scr"

"all_document.scr"

"my_details.scr"

"document_Excel.scr"

"document_Word.scr"

"my_details.scr"

"your_details.scr"

"your_bill.scr"

"your_pin_88.scr"

"your_tan_33.scr"

"your_letter.scr"

"your_pic.scr"

"your_briefing.scr"

The virus does not send mail to addresses containing any of the following strings:

"icrosoft"

"antivi"

"ymantec"

"spam"

"avp"

"f-secur"

"itdefender"

"orman"

"cafee"

"aspersky"

"f-pro"

"orton"

"fbi"

"abuse"

"messagelabs"

"skynet"

"andasoftwa"

"freeav"

"sophos"

"antivir"

"iruslis"

Removal: use Guanghua anti-virus software to remove it completely.
Virus demo: (none)
Virus FAQ: a PE virus under Windows.

Discovery date: 2004-3-9
