Virus name (Chinese):
Aliases:
W32.Netsky.Q@mm [Symantec], W32/Netsky.p@MM [McAfee]
Threat level:
★★★☆☆
Virus type:
Worm
Virus length:
29
Affected systems:
Win9x, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
Packer: FSG
Propagation: mass-mailing over the network
Trigger: exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability so that the attachment runs automatically
System modifications:
A. Creates a mutex named "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" so that only one instance of the worm runs;
B. Copies itself into the Windows installation directory:
%Windir%\FVProtect.exe
C. Drops and creates the following files in the Windows installation directory:
%Windir%\userconfig9x.dll
%Windir%\base64.tmp (40,520 bytes): MIME-encoded version of the executable
%Windir%\zip1.tmp (40,882 bytes): MIME-encoded version of the worm in a .zip archive
%Windir%\zip2.tmp (40,894 bytes): MIME-encoded version of the worm in a .zip archive
%Windir%\zip3.tmp (40,886 bytes): MIME-encoded version of the worm in a .zip archive
%Windir%\zipped.tmp (29,834 bytes): the worm in a .zip archive
D. Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
adds the following value:
"Norton Antivirus AV" = "%Windir%\FVProtect.exe"
Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
deletes the following values:
Explorer
system.
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry
Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
deletes the following values:
system
Video
Under the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
deletes the following values:
Explorer
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe
Deletes the following subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
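The persistence artefacts above (the Run value, the dropped files with their sizes, and the competitor autorun values the worm removes) can be checked offline from a `reg export` dump and a directory listing. The following is an added example written for this page, not code from the original write-up or from any vendor; the REG text, the %Windir% listing and the sizes of FVProtect.exe and userconfig9x.dll are constructed sample data (the write-up gives no sizes for those two files).

```python
"""Check a `reg export` dump and a %Windir% listing for Netsky.P/Q artefacts.
Added example; the sample data below is constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `reg export` style text (Windows REG format). The second value
# under HKLM\...\Run is the worm's autorun entry from the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Norton Antivirus AV"="C:\\WINDOWS\\FVProtect.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="C:\\WINDOWS\\system32\\taskmon.exe"
'''

# Constructed %Windir% listing as (name, size in bytes). The sizes of
# FVProtect.exe and userconfig9x.dll are made up; the .tmp sizes match the write-up.
SAMPLE_WINDIR: List[Tuple[str, int]] = [
    ("explorer.exe", 1032192),
    ("FVProtect.exe", 29568),
    ("userconfig9x.dll", 26624),
    ("base64.tmp", 40520),
    ("zipped.tmp", 29834),
]

RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NETSKY_RUN_VALUE = "Norton Antivirus AV"
NETSKY_BINARY = "fvprotect.exe"
# Files dropped in %Windir% with the sizes quoted in the write-up (None = not given)
DROPPED_FILES: Dict[str, Optional[int]] = {
    "fvprotect.exe": None, "userconfig9x.dll": None, "base64.tmp": 40520,
    "zip1.tmp": 40882, "zip2.tmp": 40894, "zip3.tmp": 40886, "zipped.tmp": 29834,
}
# Autorun values the worm deletes (left behind by other mass-mailers)
REMOVED_VALUES = {
    RUN_HKLM: {"explorer", "system.", "msgsvr32", "winupd.exe", "direct.exe",
               "jijbl", "service", "sentry"},
    RUN_HKCU: {"explorer", "au.exe", "direct.exe", "d3dupdate.exe", "ole", "gouday.exe",
               "rate.exe", "taskmon", "windows services host", "sysmon.exe",
               "srate.exe", "ssate.exe", "winupd.exe"},
}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # REG format escapes backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG-format text into {key path: {value name: string data}}.
    Non-string values (dword:, hex:) are ignored, which is enough for this check."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_netsky_indicators(reg_keys: Dict[str, Dict[str, str]],
                           windir_listing: List[Tuple[str, int]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    data = reg_keys.get(RUN_HKLM, {}).get(NETSKY_RUN_VALUE)
    if data is not None and data.lower().endswith(NETSKY_BINARY):
        findings.append(f"autorun: HKLM\\...\\Run\\{NETSKY_RUN_VALUE} = {data}")
    sizes = {name.lower(): size for name, size in windir_listing}
    for fname, expected in DROPPED_FILES.items():
        if fname in sizes:
            note = "" if expected is None else (
                " (size matches write-up)" if sizes[fname] == expected
                else f" (size {sizes[fname]} differs from {expected})")
            findings.append(f"dropped file: %Windir%\\{fname}{note}")
    for key, names in REMOVED_VALUES.items():
        for present in reg_keys.get(key, {}):
            if present.lower() in names:
                findings.append(f"autorun value the worm normally deletes is still present: {key}\\{present}")
    return findings


if __name__ == "__main__":
    for line in find_netsky_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_WINDIR):
        print(line)
```

A value from the "deleted" lists that is still present is not a Netsky indicator by itself; it points at a different mass-mailer (or a host the worm has not yet run on) and deserves its own look. Matching the .tmp sizes is a cheap confirmation because the MIME-encoded copies are produced deterministically from the worm body.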
E. Searches the infected system's hard disks for folders whose names contain any of the following strings:
bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
mysharedfolder
shar
sharedfiles
upload
and then copies itself into every folder found, under the following names:
"1001 Sex and more.rtf.exe"
"3D Studio Max 6 3dsmax.exe"
"ACDSee 10.exe"
"Adobe Photoshop 10 crack.exe"
"Adobe Photoshop 10 full.exe"
"Adobe Premiere 10.exe"
"Ahead Nero 8.exe"
"Altkins Diet.doc.exe"
"American Idol.doc.exe"
"Arnold Schwarzenegger.jpg.exe"
"Best Matrix Screensaver new.scr"
"Britney sex xxx.jpg.exe"
"Britney Spears and Eminem porn.jpg.exe"
"Britney Spears blowjob.jpg.exe"
"Britney Spears cumshot.jpg.exe"
"Britney Spears fuck.jpg.exe"
"Britney Spears full album.mp3.exe"
"Britney Spears porn.jpg.exe"
"Britney Spears Sexy archive.doc.exe"
"Britney Spears Songtext archive.doc.ex"...
"Britney Spears.jpg.exe"
"Britney Spears.mp3.exe"
"Clone DVD 6.exe"
"Cloning.doc.exe"
"Cracks & Warez Archiv.exe"
"Dark Angels new.pif"
"Dictionary English 2004 - France.doc.ex"...
"DivX 8.0 final.exe"
"Doom 3 release 2.exe"
"E-Book Archive2.rtf.exe"
"Eminem blowjob.jpg.exe"
"Eminem full album.mp3.exe"
"Eminem Poster.jpg.exe"
"Eminem sex xxx.jpg.exe"
"Eminem Sexy archive.doc.exe"
"Eminem Songtext archive.doc.exe"
"Eminem Spears porn.jpg.exe"
"Eminem.mp3.exe"
"Full album all.mp3.pif"
"Gimp 1.8 Full with Key.exe"
"Harry Potter 1-6 book.txt.exe"
"Harry Potter 5.mpg.exe"
"Harry Potter all e.book.doc.exe"
"Harry Potter e book.doc.exe"
"Harry Potter game.exe"
"Harry Potter.doc.exe"
"How to hack new.doc.exe"
"Internet Explorer 9 setup.exe"
"Kazaa Lite 4.0 new.exe"
"Kazaa new.exe"
"Keygen 4 all new.exe"
"Learn Programming 2004.doc.exe"
"Lightwave 9 Update.exe"
"Magix Video Deluxe 5 beta.exe"
"Matrix.mpg.exe"
"Microsoft Office 2003 Crack best.exe"
"Microsoft WinXP Crack full.exe"
"MS Service Pack 6.exe"
"netsky source code.scr"
"Norton Antivirus 2005 beta.exe"
"Opera 11.exe"
"Partitionsmagic 10 beta.exe"
"Porno Screensaver britney.scr"
"RFC compilation.doc.exe"
"Ringtones.doc.exe"
"Ringtones.mp3.exe"
"Saddam Hussein.jpg.exe"
"Screensaver2.scr"
"Serials edition.txt.exe"
"Smashing the stack full.rtf.exe"
"Star Office 9.exe"
"Teen Porn jpg.pif"
"The Sims 4 beta.exe"
"Ulead Keygen 2004.exe"
"Visual Studio Net Crack all.exe"
"Win Longhorn re.exe"
"WinAmp 13 full.exe"
"Windows 2000 Sourcecode.doc.exe"
"Windows 2003 crack.exe"
"Windows XP crack.exe"
"WinXP eBook newest.doc.exe"
"XXX hardcore pics.jpg.exe"
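The folder-name strings and the lure file names in section E give a defender a simple sweep: find share-like folders and flag files there whose names use the worm's double-extension pattern (a document or media extension followed by an executable one) or a bare .pif/.scr. The example below is added for this page and is not the write-up's or any vendor's code; it generalises the list above into a name pattern rather than matching the 82 names verbatim, and it builds its own demo tree of empty files under a temporary directory.

```python
"""Sweep share-like folders for Netsky.P/Q-style lure file names.
Added example; the demo tree is constructed from empty files."""
import os
import re
import tempfile
from typing import List, Tuple

# Folder-name substrings from the write-up
SHARE_HINTS = ["bear", "donkey", "download", "ftp", "htdocs", "http", "icq", "kazaa",
               "lime", "morpheus", "mule", "mysharedfolder", "shar", "sharedfiles", "upload"]

# Generalised from the lure list: <data extension>.<executable extension>, or a bare .pif/.scr
LURE_RE = re.compile(r"(\.(rtf|doc|jpg|mp3|mpg|txt)\.(exe|pif|scr)|\.(pif|scr))$", re.IGNORECASE)


def is_share_folder(path: str) -> bool:
    """True when the folder's own name contains one of the share-related strings."""
    base = os.path.basename(path).lower()
    return any(hint in base for hint in SHARE_HINTS)


def find_lure_files(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (folder, filename) pairs for lure-pattern names
    found inside share-like folders. Other folders are left alone, mirroring
    the worm's own targeting."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        if not is_share_folder(dirpath):
            continue
        for name in files:
            if LURE_RE.search(name):
                hits.append((dirpath, name))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed directory layout with empty placeholder files."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    layout = {
        os.path.join("Kazaa", "My Shared Folder"): [
            "Harry Potter.doc.exe", "Screensaver2.scr", "holiday.jpg", "setup.exe"],
        "downloads": ["Dark Angels new.pif", "readme.txt"],
        "Documents": ["report.doc.exe"],   # not a share-like name, so not scanned
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            open(os.path.join(folder, name), "wb").close()
    return root


if __name__ == "__main__":
    for folder, name in find_lure_files(build_demo_tree()):
        print(f"{folder}: {name}")
```

Plain single-extension lures such as "ACDSee 10.exe" or "Opera 11.exe" are not caught by the name pattern; for those, match the exact names from the list or, better, the file hash, since every copy is the same executable.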
Symptoms:
Special notes:
A. Searches files with the following extensions on drives C: through Z: for e-mail addresses:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml
B. Uses its own SMTP engine to send mail to the harvested addresses; the messages have the following characteristics:
From: <a random, deceptive sender name>
Subject: <one of the following strings>:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Mail Delivery (failure)
Body: <one of the following strings>:
Please see the attached file for details
Please read the attached file!
Your document is attached.
Please read the document.
Your file is attached.
Your document is attached.
Please confirm the document.
Please read the important document.
See the file.
Requested file.
Authentication required.
Your document is attached to this mail.
I have attached your document.
I have received your document. The corrected document is attached.
Your document.
Your details.
The worm also appends the following text after the message body:
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de
Attachment name: <one of the following strings>:
document05
websites03
game_xxo
your_document
followed by one of the following strings:
.txt<long run of whitespace>
.doc<long run of whitespace>
and ending with one of the following extensions:
.exe
.pif
.scr
.zip
If the attachment is a .zip, it contains one of the following files:
document.txt.exe
data.rtf.scr
details.txt.pif
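The subject list, the body lure, the fake scanner footer and the padded double-extension attachment name above are all visible in the raw message, so a mail gateway or a triage script can score them without executing anything. The following is an added example for this page, not code from the write-up or from any vendor: it parses a raw RFC 822 message with Python's standard `email` module, checks each trait, and for a .zip attachment looks at the member names. The sample messages are constructed here; the attachment payloads are an inert byte string or an empty zip member, never executable content.

```python
"""Score a raw e-mail for the Netsky.P/Q message traits described above.
Added example; sample messages are constructed with inert attachments."""
import base64
import email
import io
import re
import zipfile
from typing import Dict, Optional

SUBJECTS = {
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify", "Re: SMTP Server",
    "Re: Mail Server", "Re: Delivery Server", "Re: Bad Request", "Re: Failure",
    "Re: Thank you for delivery", "Re: Test", "Re: Administration", "Re: Message Error",
    "Re: Error", "Re: Extended Mail System", "Re: Secure SMTP Message",
    "Re: Protected Mail Request", "Re: Protected Mail System", "Re: Protected Mail Delivery",
    "Re: Secure delivery", "Re: Delivery Protection", "Re: Mail Authentification",
    "Mail Delivery (failure)",
}
BODIES = {
    "Please see the attached file for details", "Please read the attached file!",
    "Your document is attached.", "Please read the document.", "Your file is attached.",
    "Please confirm the document.", "Please read the important document.", "See the file.",
    "Requested file.", "Authentication required.", "Your document is attached to this mail.",
    "I have attached your document.",
    "I have received your document. The corrected document is attached.",
    "Your document.", "Your details.",
}
# Fake scanner lines: "+++ Attachment: No Virus found" / "+++ <vendor> AntiVirus - www.<site>"
FOOTER_RE = re.compile(r"^\+{3,4} (Attachment: No Virus found|.+ AntiVirus - www\.[\w.-]+)$")
# <base>.<txt|doc><run of whitespace>.<exe|pif|scr|zip>
ATTACH_RE = re.compile(
    r"^(document05|websites03|game_xxo|your_document)\.(txt|doc)\s{3,}\.(exe|pif|scr|zip)$",
    re.IGNORECASE)
ZIP_MEMBERS = {"document.txt.exe", "data.rtf.scr", "details.txt.pif"}

# Constructed attachment names with a 40-space pad, as the worm pads them
SAMPLE_EXE_NAME = "document05.txt" + " " * 40 + ".exe"
SAMPLE_ZIP_NAME = "your_document.doc" + " " * 40 + ".zip"


def build_sample(attachment_name: str, zip_member: Optional[str] = None) -> bytes:
    """Construct a raw message in the worm's layout (constructed sample, not a capture)."""
    if zip_member is None:
        payload = b"inert placeholder bytes"
    else:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, b"")      # empty member, only the name matters
        payload = buf.getvalue()
    b64 = base64.b64encode(payload).decode("ascii")
    raw = (
        'From: "Mail Delivery System" <postmaster@example.invalid>\r\n'
        "To: someone@example.invalid\r\n"
        "Subject: Re: Protected Mail Delivery\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b0"\r\n'
        "\r\n--b0\r\nContent-Type: text/plain\r\n\r\n"
        "Please read the attached file!\r\n\r\n"
        "+++ Attachment: No Virus found\r\n"
        "+++ Kaspersky AntiVirus - www.kaspersky.com\r\n"
        "--b0\r\nContent-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
        f"\r\n{b64}\r\n--b0--\r\n"
    )
    return raw.encode("ascii")


def analyse_message(raw: bytes) -> Dict[str, object]:
    """Return per-trait findings plus a combined 'netsky_like' verdict."""
    msg = email.message_from_bytes(raw)
    result: Dict[str, object] = {
        "subject_match": msg.get("Subject", "").strip() in SUBJECTS,
        "body_lure": False, "footer_lines": 0, "attachment": None, "zip_member": None,
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()          # keeps the inner whitespace run
        payload = part.get_payload(decode=True) or b""
        if filename is None and part.get_content_type() == "text/plain":
            lines = [l.strip() for l in payload.decode("utf-8", "replace").splitlines() if l.strip()]
            result["body_lure"] = bool(lines) and lines[0] in BODIES
            result["footer_lines"] = sum(1 for l in lines if FOOTER_RE.match(l))
        elif filename is not None and ATTACH_RE.match(filename):
            result["attachment"] = filename
            if filename.lower().endswith(".zip"):
                try:
                    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                        inner = [n for n in zf.namelist() if n.lower() in ZIP_MEMBERS]
                    result["zip_member"] = inner[0] if inner else None
                except zipfile.BadZipFile:
                    pass
    result["netsky_like"] = bool(result["subject_match"]) and result["attachment"] is not None
    return result


if __name__ == "__main__":
    print(analyse_message(build_sample(SAMPLE_ZIP_NAME, "details.txt.pif")))
```

The whitespace pad is the trait worth keeping in a generic rule long after the subject list is stale: a mail client shows "document05.txt" and pushes the real ".exe" out of view, so any attachment name with a long run of spaces between two extensions deserves quarantine regardless of the base name.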
C. The worm does not send mail to addresses containing any of the following strings:
@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@