Virus name (Chinese):
Virus aliases:
I-Worm.Tanatos.e [AVP], WORM_BUGBEAR.D [Trend], Wor
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
43
Affected systems:
Win9x, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
Written with: VC6.0, packed with UPX
Infection vector: spreads rapidly by sending e-mail over the network
Trigger condition:
System modifications:
A. Drops the following files into the system directory:
%System%\OYCACV.EXE
%System%\gomamjo.dll
%System%\mcyays.dll
%System%\kguaupg.dll
B. Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
adds the following value:
"oycacv"="%System%\oycacv.exe"
Symptoms:
A. When run, the virus pops up the following deceptive dialog box:
B. After infecting the system, the virus terminates the following processes:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
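The termination list above is itself a detection opportunity: a host that loses several firewall and anti-virus processes within a few seconds is behaving the way this worm behaves. The following Python script, added here as an example and not taken from the original entry, runs a sliding window over process-stop events and raises an alert when three or more of the listed processes stop within 30 seconds. The log lines, their format (timestamp, event, image name) and the protected-process subset are constructed assumptions.

```python
"""Detect the burst of security-tool process terminations described above.

Added example, not code from the original entry. SAMPLE_LOG is constructed;
its space-separated format (ISO timestamp, event, image name) is an
assumption, and PROTECTED is a subset of the page's process list.
"""
from collections import deque
from datetime import datetime, timedelta

# Subset of the processes the entry says the worm terminates (upper-case).
PROTECTED = {"ZONEALARM.EXE", "AVP32.EXE", "NAVW32.EXE", "BLACKICE.EXE",
             "OUTPOST.EXE", "FPROT.EXE", "_AVPM.EXE", "AVPCC.EXE"}

# Constructed sample: one benign stop, then a burst of security-tool stops,
# then a lone stop well outside the window.
SAMPLE_LOG = """\
2003-06-05T10:00:01 process_start NOTEPAD.EXE
2003-06-05T10:00:02 process_stop NOTEPAD.EXE
2003-06-05T10:00:05 process_stop ZONEALARM.EXE
2003-06-05T10:00:05 process_stop AVP32.EXE
2003-06-05T10:00:06 process_stop NAVW32.EXE
2003-06-05T10:00:06 process_stop BLACKICE.EXE
2003-06-05T10:05:00 process_stop OUTPOST.EXE
"""


def parse_line(line: str):
    """Split one assumed-format log line into (datetime, event, IMAGE)."""
    ts, event, image = line.split(" ", 2)
    return datetime.fromisoformat(ts), event, image.strip().upper()


def find_bursts(log_text: str, window=timedelta(seconds=30), threshold=3):
    """Return [(first_stop_time, [images])] for every run of at least
    `threshold` protected-process stops inside `window` seconds.

    Only process_stop events for PROTECTED images enter the window; the
    window is cleared after an alert so one burst yields one alert."""
    recent = deque()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, image = parse_line(line)
        if event != "process_stop" or image not in PROTECTED:
            continue
        recent.append((ts, image))
        # Drop stops that fell out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0][0], [img for _, img in recent]))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for start, images in find_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()} burst of {len(images)} security-tool "
              f"stops: {', '.join(images)}")
```

The threshold and window are tuning knobs: a legitimate product upgrade can stop one or two of its own processes, but three different vendors' tools stopping in the same second is the worm's signature, not an update.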
Additional notes:
A. After infecting the system, the virus scans files on the local drives with the following extensions for e-mail addresses:
.SHT
.ASP
.ODS
.MMF
.MBX
.TBB
.TXT
.HTM
.NCH
.EML
.DBX
B. After infecting the system, the virus uses its own SMTP engine to send mail to the harvested e-mail addresses. The mail has the following characteristics:
Sender: (chosen from one of the following strings)
george
georg
garry
gabriele
funds
frederic
franz
frank
franco
francisco
finance
fernand
felix
ernst
erika
erick
erich
erica
emmanuel
ellen
elizabeth
eduardo
ecommerce
earth
e-gold
dsmith
douglas
donna
dominik
debby
david
daniela
daniel
customerservice
contact
company
collins
colin
claudia
claude
cindy
christopher
christoph
christine
chris
check
center
catherine
caroline
carol
carlos
carina
cards
calvin
bruno
bruce
brother
bridge
brian
brent
brenda
brave
brandon
brain
boris
bonny
judge
jsmith
johannes
johann
johan
jimmy
bernhard
bernard
becky
beauty
beatrice
beach
balance
archives
antonio
anton
anthony
answer
another
anita
anger
angelo
angela
alive
alison
alicia
kontakt
kimberly
kevin
alice
alfred
alexander
albert
agree
agency
adrian
accounts
marcus
marco
manuel
lucia
lawrence
gerhard
gerard
gerald
laurence
laura
larry
kristine
kristin
krista
tobias
allen
henry
henrik
helpdesk
helmut
helga
helene
helen
thomas
terry
terri
sylvia
susan
support
steven
steve
stephen
andrew
andres
andreas
stephane
stefano
stefan
sophie
smith
simon
silvia
silver
sharon
service
serge
scott
sandra
sabine
sabina
russell
rudolf
rubber
rsmith
ronald
roland
gordon
glenn
gerry
roger
roberto
robert
robbie
andrea
andre
ricardo
randy
ralph
rachel
questions
peter
pedro
paulo
patrick
patricia
patrice
paolo
pamela
oliver
norbert
nicole
nicolas
nicola
netbank
nancy
nadine
monica
molly
miguel
michel
michaela
michael
metal
member
melanie
melania
mauro
maurizio
maureen
matti
wolfgang
william
werner
wendy
walter
wagner
voice
vladimir
vincent
vanessa
tomas
matthew
mathias
martin
markus
marketing
market
dominic
doctor
diane
diana
dennis
denise
denis
marion
mario
marina
marie
linda
leopold
leonardo
mariano
marianna
maria
margit
marge
margaretha
margareta
kerry
kenneth
kendra
kelly
katrin
katri
kathy
kathryn
kathleen
karin
karen
justin
julio
julien
julie
julia
juhani
juergen
juerg
jerry
jerome
jennifer
jason
joseph
josef
jorgen
jorge
jonathan
janne
janna
janice
janet
james
isaac
irina
irene
ingrid
howard
hernan
hermann
herman
herbert
heinz
harrison
harbor
harald
gregory
gregor
with the domain part chosen from one of the following strings:
yahoo.com
msn.com
worldnet.att.net
excite.com
ntlworld.com
hotmail.com
microsoft.com
usa.com
freesurf.ch
earthlink.net
btopenworld.com
btinternet.com
bluewin.ch
bigpond.com
bellsouth.net
aol.com
Subject: (chosen from one of the following strings)
Hello!
trojan
virus
lyris
noreply
recipients
undisclosed
remove
please, read the attach file.
See the attached file
see attachment
Pease open an attachment to see the message.
Please see Attachment
See the attached file for more info
Take a look to the attachment
update
hmm..
Payment notices
Just a reminder
history screen
Announcement
various
Introduction
Interesting...
I need photo!!!
Stats
Please Help...
Report
Greetings!
[Fwd: look] ;-)
Today Only
New Contests
Lost & Found
bad news
fantastic
Menude
Old photos
empty account
photos
Is that your password?
I love you!
new reading
Friendly
photo
Warning!
You are fat!
I cannot forget you!
Sex pictures
Your Gift
good news!
!!!WARNING!!!
Greets!
Attachment name: (chosen from one of the following strings)
000032.jpg.scr
song.wav.scr
music.mp3.scr
video.avi.scr
photo.jpg.scr
girls.jpg.scr
pic.jpg.scr
message.txt.scr
image.jpg.scr
news.doc.scr
myphoto.jpg.scr
you.jpg.scr
love.jpg.scr
readme.txt.scr
The attached file may carry a double extension; the second extension may be one of the following strings:
.EXE
.PIF
.SCR
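The mail characteristics above (a spoofed sender assembled from the listed names and domains, a listed subject, and a decoy double-extension attachment ending in .EXE/.PIF/.SCR) are exactly what a mail gateway can score on. The following Python script is an added defender-side example, not code from the original entry: it parses a raw message with the standard library's `email` package, extracts the declared attachment names, and combines the three signals into a quarantine decision. The two messages, the indicator subsets and the scoring weights are constructed assumptions; the double-extension check is written generally (any decoy extension before an executable one) rather than only for the six attachment names listed.

```python
"""Mail-gateway heuristic for the mass-mailing pattern described above.

Added example, not code from the original entry. SAMPLE_MALICIOUS and
SAMPLE_BENIGN are constructed messages; the indicator sets are a subset of
the sender names, domains and subjects listed on the page; the point
weights are an assumption.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subset of the page's spoofed sender local parts and domains (lower-case).
SPOOFED_LOCAL_PARTS = {"support", "helpdesk", "customerservice", "service",
                       "marketing", "accounts", "netbank", "jsmith", "dsmith"}
SPOOFED_DOMAINS = {"yahoo.com", "msn.com", "hotmail.com", "microsoft.com",
                   "aol.com", "earthlink.net", "usa.com", "bigpond.com"}
# Subset of the page's subject lines, compared case-insensitively.
KNOWN_SUBJECTS = {s.lower() for s in (
    "Hello!", "Payment notices", "Just a reminder", "Is that your password?",
    "I love you!", "Your Gift", "!!!WARNING!!!", "Greets!", "bad news",
    "empty account", "See the attached file for more info")}
# Final extensions the entry says the attachment ends with.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr"}


def is_double_extension_executable(filename: str) -> bool:
    """True for names like photo.jpg.scr: a decoy extension followed by an
    executable one. A plain setup.exe is not a *double* extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    _base, decoy, final = parts
    return final in EXECUTABLE_EXTENSIONS and decoy.isalnum()


def attachment_names(msg: EmailMessage) -> list:
    """Collect the declared filename of every MIME part that has one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def assess(raw_message: str) -> dict:
    """Score one raw RFC 5322 message against the worm's mail indicators.

    The decoy double extension is the delivery mechanism, so it carries the
    most weight (3 points); a spoofed sender local part, a spoofed domain
    and a listed subject add one point each. Three or more points
    quarantines the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    score, reasons = 0, []

    for name in attachment_names(msg):
        if is_double_extension_executable(name):
            score += 3
            reasons.append(f"executable attachment with decoy extension: {name}")

    _display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    if local in SPOOFED_LOCAL_PARTS:
        score += 1
        reasons.append(f"sender local part from worm list: {local}")
    if domain in SPOOFED_DOMAINS:
        score += 1
        reasons.append(f"sender domain from worm list: {domain}")

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        score += 1
        reasons.append(f"subject from worm list: {subject!r}")

    verdict = "quarantine" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed message shaped like the worm's mail; the attachment body is a
# placeholder, not malware.
SAMPLE_MALICIOUS = """\
From: support@hotmail.com
To: someone@example.org
Subject: Payment notices
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

see attachment
--sample-boundary
Content-Type: application/octet-stream; name="photo.jpg.scr"
Content-Disposition: attachment; filename="photo.jpg.scr"
Content-Transfer-Encoding: base64

AAAAAAAA
--sample-boundary--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: alice@example.org
To: bob@example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Notes attached.
--sample-boundary
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

AAAAAAAA
--sample-boundary--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(assess(raw))
```

The attachment check alone is what most gateways of the period lacked: a `.jpg.scr` name is an executable however it is presented, so it is worth more than the sender and subject matches, which a later variant can change without touching the delivery mechanism.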