Virus name (Chinese):
Aliases:
I-Worm.Mydoom.m [AVP]
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
28832 bytes
Affected systems:
Win9x, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
Mydoom variant
Compiler / build tool:
Propagation: spreads via e-mail
Trigger: the user runs the virus
System modifications:
A. Copies itself to:
%SystemRoot%\java.exe
%SystemRoot%\services.exe
B. Under the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
adds the following values:
"Services"="%SystemRoot%\services.exe"
"JavaVM"="%SystemRoot%\java.exe"
C. Creates the following two log files:
%Temp%\zincite.log
%Temp%\%Rand%.log
Symptoms:
After the virus runs,
it searches files with the following extensions for e-mail addresses:
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab
If it finds e-mail addresses in these files, the virus uses the following search engines to look for more e-mail addresses:
search.lycos.com
www.altavista.com
search.yahoo.com
www.google.com
The subject of the virus e-mail is one of the following:
say helo to my litl friend
click me baby, one more time
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The body of the virus e-mail may be one of the following ({a|b} lists alternatives, <...> is a placeholder filled in at send time):
Dear user {<recipient e-mail address>|of <recipient domain>},{{{M|m}ail {system|server} administrator|administration} of <recipient domain> would like to {inform you {that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail|} account {has been|was} used to send a {large|huge} amount of {{unsolicited {commercial|}|junk} e{-|}mail|spam} {messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected {by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our|the|} instruction{s|} {in the {attachment|attached {text|} file}|} in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{<recipient domain> {user|technical|} support team.|The <recipient domain> {support|} team.}
{The|This|Your} message was {undeliverable|not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was
{not|un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within <random number> days:
{{{Mail s|S}erver}|Host} is not responding.
The following recipients {did|could} not receive this message:
<<recipient e-mail address>>
Please reply to postmaster@{<sender domain>|<recipient domain>}
if you feel this message to be in error.
The original message was received at [current time]{
|} from {<sender domain>]|{]|]}}
----- The following addresses had permanent fatal errors -----
{<<recipient e-mail address>>|<recipient e-mail address>}
{----- Transcript of {the||} session follows -----
... while talking to {host|{mail|} server||||} {<recipient domain>.|]}:
{>>> MAIL F{rom|ROM}:[From address of mail]
<<< 50$d {[From address of mail]... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <<recipient e-mail address>>... {Mail quota exceeded|Message is too large}
554 <<recipient e-mail address>>... Service unavailable|550 5.1.2 <<recipient e-mail address>>... Host unknown (Name server: host not found)|554 {5.0.0|}Service unavailable; ] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
Session aborted{, reason: lost connection|}|>>> RCPT To:<<recipient e-mail address>>
<<< 550 {MAILBOX NOT FOUND|5.1.1 <<recipient e-mail address>>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
{<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}<<< 400}|}
The original message was included as attachment
{{The|Your} m|M}essage could not be delivered
The attachment name is one of the following:
readme
instruction
transcript
letter
file
text
attachment
document
message
<domain name>
The attachment extension is one of the following:
cmd
bat
com
exe
pif
scr
zip
Sometimes the attachment carries two extensions; the inserted (decoy) extension may be:
doc
htm
html
txt
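A mail-gateway check for the lure pattern this description gives (a listed subject combined with an executable or double-extension attachment), written here as an added example and not part of the original vendor record; the sample message is constructed, not a real capture.

```python
import email
from email import policy

# Subjects the description lists, normalised to lowercase, single spaces.
MYDOOM_SUBJECTS = {
    "say helo to my litl friend", "click me baby, one more time", "hello",
    "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details", "returned mail: data format error",
}
EXEC_EXT = {"cmd", "bat", "com", "exe", "pif", "scr", "zip"}  # real extension
DECOY_EXT = {"doc", "htm", "html", "txt"}                     # inserted decoy

def attachment_risk(filename):
    """Return 'executable', 'double-extension' or None for an attachment name."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double-extension"
    return "executable"

def score_message(raw):
    """Parse one raw message and report which lure traits it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join((msg.get("Subject") or "").lower().split())
    hits = ["subject"] if subject in MYDOOM_SUBJECTS else []
    for part in msg.iter_attachments():
        risk = attachment_risk(part.get_filename() or "")
        if risk:
            hits.append("attachment:" + risk)
    # Quarantine only when listed subject and risky attachment coincide:
    # subjects such as "hello" or "test" are far too common on their own.
    quarantine = "subject" in hits and any(h.startswith("attachment") for h in hits)
    return {"subject": subject, "hits": hits, "quarantine": quarantine}

# Constructed sample (not a real capture) in the worm's fake-bounce style.
SAMPLE = b"""From: postmaster@example.invalid
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="transcript.doc.scr"

TVqQAAMA
--b1--
"""
```

Running `score_message(SAMPLE)` flags both the subject and the double-extension attachment and sets quarantine, while a lone "hello" subject without a risky attachment is left alone.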
The virus does not send mail to addresses that contain any of the following strings:
arin.
avp
bar.
domain
example
foo.com
gmail
gnu.
hotmail
microsoft
msdn.
msn.
panda
rarsoft
ripe.
sarc.
seclist
secur
sf.net
sophos
sourceforge
spersk
syma
trend
update
uslis
winrar
winzip
yahoo
anyone
ca
feste
foo
gold-certs
help
info
me
no
nobody
noone
not
nothing
page
rating
root
site
soft
someone
the.bat
you
your
admin
support
ntivi
submit
listserv
bugs
secur
privacycertific
accoun
sample
master
abuse
spam
mailer-d
The virus opens TCP port 1034 as a backdoor.
Special notes: