Virus name (Chinese):
Virus aliases:
I-Worm.Mydoom.q [AVP]
Threat level:
★★★☆☆
Virus type:
Worm
Virus length:
27136 bytes
Affected systems:
Win9x, WinNT, Win2000, WinXP, Win2003
Virus behavior:
Worm
Packer: UPX
Infection vector: spreads over the network.
Trigger conditions:
System modifications:
a. Copies itself to:
%Windows%\asor32a.dll
%System%\winpsd.exe
b. Under the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
adds the following value:
"winpsd"="%System%\winpsd.exe"
c. Under the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
adds the following value:
"InstaledFlashhMX"="1"
If this value already exists, the worm treats the computer as already infected and does not run again.
d. Creates the mutex: 43jfds93872
e. Downloads the backdoor winvpn32.exe (Win32.Hack.Surila.g) from one of the following URLs and runs it:
http://www.ricolour.com/ispy.1.jpg
http://www.ricolour.com/coco3.jpg
http://www.ricolour.com/guestbook/temp/temp587.gif
http://zenandjce.com/guestbook/temp/temp728.gif
Symptoms:
Obtains the SMTP address from the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
"SMTP Email Address"
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
"SMTP Email Address"
Searches for email addresses in files with the following extensions:
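The file, registry and mutex changes listed under system modifications are the host-side indicators a responder would look for. The following Python is an added example, not part of the original description or of any vendor tool: it evaluates an already-collected snapshot of host state (registry values, file paths, mutex names, environment paths) against the indicators above and reports which ones match. The snapshot structure and the constructed sample data are assumptions of this example; on a live Windows host the same data would be gathered with winreg, os.path and a handle enumeration tool, which is not shown here.

```python
"""Match a collected host snapshot against the Mydoom.q indicators above.

Added example (not from the original description). Works on a snapshot so it
runs offline on any platform; collection from a live host is out of scope.
"""
from dataclasses import dataclass, field

# Indicators exactly as given in the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "winpsd"
RUN_VALUE_DATA = r"%System%\winpsd.exe"
IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
MARKER_NAME = "InstaledFlashhMX"   # the worm's own "already infected" flag
MUTEX_NAME = "43jfds93872"
DROPPED_FILES = (r"%Windows%\asor32a.dll", r"%System%\winpsd.exe")


@dataclass
class HostSnapshot:
    """Host state as collected by some other tool (assumed layout)."""
    registry: dict = field(default_factory=dict)  # {key_path: {value_name: data}}
    files: set = field(default_factory=set)       # concrete paths present on disk
    mutexes: set = field(default_factory=set)     # named mutexes currently held
    env: dict = field(default_factory=dict)       # {"Windows": r"C:\Windows", "System": ...}


def expand(path, env):
    """Replace %Windows% / %System% style placeholders and lower-case the result,
    because Windows paths compare case-insensitively."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path.lower()


def _values(snap, key_path):
    """Case-insensitive lookup of one registry key's values as {name_lower: data}."""
    for key, values in snap.registry.items():
        if key.lower() == key_path.lower():
            return {name.lower(): data for name, data in values.items()}
    return {}


def check_mydoom_q(snap):
    """Return the indicators found, in a fixed order; an empty list means none."""
    hits = []

    # Persistence: the Run value must point at the dropped executable, not merely exist.
    run_values = _values(snap, RUN_KEY)
    data = str(run_values.get(RUN_VALUE_NAME.lower(), ""))
    if data.strip('"').lower() == expand(RUN_VALUE_DATA, snap.env):
        hits.append("run-key:" + RUN_VALUE_NAME)

    # Infection marker: presence alone is enough; the worm only tests existence.
    if MARKER_NAME.lower() in _values(snap, IE_KEY):
        hits.append("marker:" + MARKER_NAME)

    # Dropped files, compared after expanding the %Windows% / %System% placeholders.
    present = {p.lower() for p in snap.files}
    for dropped in DROPPED_FILES:
        if expand(dropped, snap.env) in present:
            hits.append("file:" + dropped.rsplit("\\", 1)[-1])

    # Runtime indicator: the mutex is held only while the worm process is alive.
    if MUTEX_NAME in snap.mutexes:
        hits.append("mutex:" + MUTEX_NAME)

    return hits


if __name__ == "__main__":
    # Constructed sample snapshot of an infected host (not real telemetry).
    env = {"Windows": r"C:\Windows", "System": r"C:\Windows\System32"}
    sample = HostSnapshot(
        registry={RUN_KEY: {"winpsd": r"C:\Windows\System32\winpsd.exe"},
                  IE_KEY: {"InstaledFlashhMX": "1"}},
        files={r"C:\Windows\asor32a.dll", r"C:\Windows\System32\winpsd.exe"},
        mutexes={"43jfds93872"},
        env=env,
    )
    for hit in check_mydoom_q(sample):
        print(hit)
```

The marker value deserves a separate reading from the other hits: because the worm refuses to run when it is present, a host showing only the marker may have been inoculated rather than infected, whereas the Run value, the dropped files or the mutex indicate the worm itself was placed or is running.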
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.wab
.pl
If a harvested address contains any of the following strings:
"syma"
"icrosof"
"msn."
"hotmail"
"panda"
"sopho"
"borlan"
"inpris"
"example"
"mydomai"
"nodomai"
"ruslis"
".gov"
"gov."
".mil"
"foo."
"unix"
"math"
"bsd"
"mit.e"
"gnu"
"fsf."
"ibm.com"
"google"
"kernel"
"linux"
"fido"
"usenet"
"iana"
"ietf"
"rfc-ed"
"sendmail"
"arin."
"ripe."
"isi.e"
"isc.o"
"secur"
"acketst"
"pgp"
"tanford.e"
"utgers.ed"
"mozilla"
"icrosoft"
"support"
"ntivi"
"unix"
"bsd"
"linux"
"listserv"
"certific"
"google"
"accoun"
"abuse"
"upport"
"www"
the worm does not send to that address.
The sender name is one of the following:
"alex"
"michael"
"james"
"mike"
"kevin"
"david"
"george"
"sam"
"andrew"
"jose"
"leo"
"maria"
"jim"
"brian"
"serg"
"mary"
"ray"
"tom"
"peter"
"robert"
"bob"
"jane"
"joe"
"dan"
"dave"
"matt"
"steve"
"smith"
"stan"
"bill"
"bob"
"jack"
"fred"
"ted"
"adam"
"brent"
"alice"
"anna"
"brenda"
"claudia"
"debby"
"helen"
"jerry"
"jimmy"
"julie"
"linda"
"sandra"
The sender domain is one of the following:
t-online.de
mail.com
yahoo.com
hotmail.com
or the domain read from HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
Email subject: photos
Email body: LOL!;))))
Attachment name: photos_arc.exe
Stops running automatically after 21:00 on August 20, 2004.
Special notes: