Worm.NetSky.P

病毒名称(中文):

病毒别名:

W32.Netsky.Q@mm[Symantec]W32/Netsky.p@MM[McAfee

威胁级别:

★★★☆☆

病毒类型:

蠕虫病毒

病毒长度:

29

影响系统:

Win9xWinNTWin2000WinXPWin2003

病毒行为:

编写工具:FSG压缩

传染条件:通过网络大量发送邮件传播

发作条件:利用系统漏洞IncorrectMIMEHeaderCanCauseIEtoExecuteE-mailAttachment来获得自动运行

系统修改:

A、创建一个名为"_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"的互斥体，来确定只运行它的一个进程；

B、拷贝其本身至系统安装目录：

%Windir%FVProtect.exe

C、在系统安装目录释放和创建如下文件：

%Windir%userconfig9x.dll

%Windir%ase64.tmp(40,520bytes):MIME-encodedversionoftheexecutable

%Windir%zip1.tmp(40,882bytes):MIME-encodedversionofwormina.ziparchive

%Windir%zip2.tmp(40,894bytes):MIME-encodedversionofwormina.ziparchive

%Windir%zip3.tmp(40,886bytes):MIME-encodedversionofwormina.ziparchive

%Windir%zipped.tmp(29,834bytes):Wormina.ziparchive

D、在注册表主键：

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

下添加如下键值：

"NortonAntivirusAV"="%Windir%FVProtect.exe"

在注册表主键：

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

下删除如下键值：

Explorer

system.

msgsvr32

winupd.exe

direct.exe

jijbl

service

Sentry

在注册表主键：

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices

下删除如下键值：

system

Video

在注册表主键：

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun

下删除以下键值：

Explorer

au.exe

direct.exe

d3dupdate.exe

OLE

gouday.exe

rate.exe

Taskmon

WindowsServicesHost

sysmon.exe

srate.exe

ssate.exe

winupd.exe

删除以下子键：

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExplorerPINF

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWksPatch

HKEY_CLASSES_ROOTCLSIDCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32

E、扫描被感染系统硬盘上的包含以下字符串的文件夹：

bear

donkey

download

ftp

htdocs

http

icq

kazaa

lime

morpheus

mule

mysharedfolder

shar

sharedfiles

upload

然后将其本身用以下名字拷贝至搜索出的文件夹中：

"1001Sexandmore.rtf.exe"

"3DStudioMax63dsmax.exe"

"ACDSee10.exe"

"AdobePhotoshop10crack.exe"

"AdobePhotoshop10full.exe"

"AdobePremiere10.exe"

"AheadNero8.exe"

"AltkinsDiet.doc.exe"

"AmericanIdol.doc.exe"

"ArnoldSchwarzenegger.jpg.exe"

"BestMatrixScreensavernew.scr"

"Britneysexxxx.jpg.exe"

"BritneySpearsandEminemporn.jpg.exe"

"BritneySpearsblowjob.jpg.exe"

"BritneySpearscumshot.jpg.exe"

"BritneySpearsfuck.jpg.exe"

"BritneySpearsfullalbum.mp3.exe"

"BritneySpearsporn.jpg.exe"

"BritneySpearsSexyarchive.doc.exe"

"BritneySpearsSongtextarchive.doc.ex"...

"BritneySpears.jpg.exe"

"BritneySpears.mp3.exe"

"CloneDVD6.exe"

"Cloning.doc.exe"

"Cracks&WarezArchiv.exe"

"DarkAngelsnew.pif"

"DictionaryEnglish2004-France.doc.ex"...

"DivX8.0final.exe"

"Doom3release2.exe"

"E-BookArchive2.rtf.exe"

"Eminemblowjob.jpg.exe"

"Eminemfullalbum.mp3.exe"

"EminemPoster.jpg.exe"

"Eminemsexxxx.jpg.exe"

"EminemSexyarchive.doc.exe"

"EminemSongtextarchive.doc.exe"

"EminemSpearsporn.jpg.exe"

"Eminem.mp3.exe"

"Fullalbumall.mp3.pif"

"Gimp1.8FullwithKey.exe"

"HarryPotter1-6book.txt.exe"

"HarryPotter5.mpg.exe"

"HarryPotteralle.book.doc.exe"

"HarryPotterebook.doc.exe"

"HarryPottergame.exe"

"HarryPotter.doc.exe"

"Howtohacknew.doc.exe"

"InternetExplorer9setup.exe"

"KazaaLite4.0new.exe"

"Kazaanew.exe"

"Keygen4allnew.exe"

"LearnProgramming2004.doc.exe"

"Lightwave9Update.exe"

"MagixVideoDeluxe5beta.exe"

"Matrix.mpg.exe"

"MicrosoftOffice2003Crackbest.exe"

"MicrosoftWinXPCrackfull.exe"

"MSServicePack6.exe"

"netskysourcecode.scr"

"NortonAntivirus2005beta.exe"

"Opera11.exe"

"Partitionsmagic10beta.exe"

"PornoScreensaverbritney.scr"

"RFCcompilation.doc.exe"

"Ringtones.doc.exe"

"Ringtones.mp3.exe"

"SaddamHussein.jpg.exe"

"Screensaver2.scr"

"Serialsedition.txt.exe"

"Smashingthestackfull.rtf.exe"

"StarOffice9.exe"

"TeenPornjpg.pif"

"TheSims4beta.exe"

"UleadKeygen2004.exe"

"VisualStudioNetCrackall.exe"

"WinLonghornre.exe"

"WinAmp13full.exe"

"Windows2000Sourcecode.doc.exe"

"Windows2003crack.exe"

"WindowsXPcrack.exe"

"WinXPeBooknewest.doc.exe"

"XXXhardcorepics.jpg.exe"

发作现象:

非凡说明:

A、在系统C-Z盘具有以下后缀的文件中查找Email地址：

.adb

.asp

.cgi

.dbx

.dhtm

.doc

.eml

.htm

.html

.jsp

.msg

.oft

.php

.pl

.rtf

.sht

.shtm

.tbb

.txt

.uin

.vbs

.wab

.wsh

.xml

B、用其自带的SMT引擎向查到的Email地址中发信，具有以下特征：

发件人：<随机的具有诱惑性的名字>

主题：<以下字符串中任选一个>：

Re:EncryptedMail

Re:ExtendedMail

Re:Status

Re:Notify

Re:SMTPServer

Re:MailServer

Re:DeliveryServer

Re:BadRequest

Re:Failure

Re:Thankyoufordelivery

Re:Test

Re:Administration

Re:MessageError

Re:Error

Re:ExtendedMailSystem

Re:SecureSMTPMessage

Re:ProtectedMailRequest

Re:ProtectedMailSystem

Re:ProtectedMailDelivery

Re:Securedelivery

Re:DeliveryProtection

Re:MailAuthentification

MailDelivery(failure)

正文：<以下字符串中任选一个>：

Pleaseseetheattachedfilefordetails

Pleasereadtheattachedfile!

Yourdocumentisattached.

Pleasereadthedocument.

Yourfileisattached.

Yourdocumentisattached.

Pleaseconfirmthedocument.

Pleasereadtheimportantdocument.

Seethefile.

Requestedfile.

Authenticationrequired.

Yourdocumentisattachedtothismail.

Ihaveattachedyourdocument.

Ihavereceivedyourdocument.Thecorrecteddocumentisattached.

Yourdocument.

Yourdetails.

该病毒还会将以下文件放入文件正文后：

+++Attachment:NoVirusfound

+++MessageLabsAntiVirus-www.messagelabs.com

+++Attachment:NoVirusfound

+++BitdefenderAntiVirus-www.bitdefender.com

+++Attachment:NoVirusfound

+++MC-AfeeAntiVirus-www.mcafee.com

+++Attachment:NoVirusfound

+++KasperskyAntiVirus-www.kaspersky.com

+++Attachment:NoVirusfound

+++PandaAntiVirus-www.pandasoftware.com

++++Attachment:NoVirusfound

++++NormanAntiVirus-www.norman.com

++++Attachment:NoVirusfound

++++F-SecureAntiVirus-www.f-secure.com

++++Attachment:NoVirusfound

++++NortonAntiVirus-www.symantec.de

附件名:<为以下字符串中的一个>:

document05

websites03

game_xxo

your_document

后跟以下字符串中的一个：

.txt<很长的空白空间>

.doc<很长的空白空间>

最后的后缀名为以下字符串中的一个：

.exe

.pif

.scr

.zip

假如文件后缀为.zip，那么里面为以下文件中的一个：

document.txt.exe

data.rtf.scr

details.txt.pif

C、该病毒将不会给包含以下字符串的Email地址发送邮件：

@antivi

@avp

@bitdefender

@fbi

@f-pro

@freeav

@f-secur

@kaspersky

@mcafee

@messagel

@microsof

@norman

@norton

@pandasof

@skynet

@sophos

@spam

@symantec

@viruslis

abuse@

noreply@

ntivir

reports@

spam@

• ·Hack.Win32.AgoBot.hn
• ·PE.Voodoo.1537
• ·Win32.Troj.Mir2SoS
• ·Worm.Beagle.o
• ·Worm.Raleka.a
• ·Worm.Opasoft.q
• ·Win32.Hack.Tonerok
• ·COM.Dead.327
• ·Worm.Beagle.u
• ·DOS.OCTT1.0