Virus name (Chinese):
灾飞
Aliases:
W32.Erkez.B@mm [NAV], I-Worm.Zafi.b [AVP], PE_ZAFI.B
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
12800
Affected systems:
Win9x, WinNT
Behaviour:
This is an FSG-packed worm that spreads by e-mail and also through shared network drives. It also overwrites the executable files of anti-virus software so that they can no longer run.
1. The worm creates the mutex "_Hazafibb" so that only one instance of itself runs.
2. It copies itself into the %System% directory under a file name of eight random letters with the extension .exe or .dll.
3. It creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
and under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
adds the value:
"_Hazafibb"="%system%\<random characters>.exe"
so that the worm runs every time Windows starts.
4. The worm searches for shared network-mapped drives and copies itself into the shared folders under the name:
winamp7.0full_install.exe or TotalCommander7.0full_install.exe
5. It opens a random web page whose address is taken from the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
6. The worm checks whether the machine is online by connecting to one of the following two sites:
www.google.com
www.microsoft.com
7. The worm sends large numbers of HTTP GET requests to the following sites, a denial-of-service (DoS) attack:
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
www.2f.hu
8. The worm prevents the user from running programs whose name contains any of the following strings:
regedit
msconfig
task
As a direct result, the Registry Editor, System Configuration Utility and Task Manager on the infected computer cannot be used.
9. The worm searches the directories of several well-known anti-virus products and overwrites the .exe files there with itself.
10. The worm searches files with the following extensions for e-mail addresses and stores them in %system%\<8 random characters>.dll:
.htm, .wab, .txt, .dbx, .tbb, .asp, .php, .sht, .adb, .mbx, .eml, .pmr
However, it skips addresses containing any of the following strings, so as to avoid mailing itself to administrators, large sites and anti-virus companies and to stay hidden:
admi, cafee, google, help, hotm, info, kasper, micro, msn, panda, sopho, suppor, syma, trend,
use, vir, webm, win, yaho
11. The worm then uses its own SMTP engine to send mail to the harvested addresses. The message is written in English, but when the recipient's host name ends in one of the following, the message is written in the local language:
.hu, .sp, .ru, .dk, .ro, .se, .no, .fi, .lt, .pl, .pt, .de, .nl, .cz, .fr, .it, .mx, .at
12. The infected mail has the following characteristics:
Sender: spoofed with a deceptive sender address
Subject: empty
Attachment: a file name made of random characters with the extension .com, .exe or .pif.
Body: varies with the domain of the recipient address.
That is, the message content changes with the domain mentioned in the point above, and is one of the following:
For Anita
Subject: Ingyen SMS!
Attachment: "regiszt.php?3124freesms.index777.pif"
Message:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Néhány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
For Claudia
Subject: Importante!
Attachment: "link.informacion.phpV23.text.message.pif"
Message:
Informacion importante que debes conocer, -
For Katya
Subject: oKatya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"
For Eva
Subject: E-Kort!
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Message: Mit hjerte banker for dig!
For Marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
Message:
De cand te-am cunoscut inima mea are un nou ritm!
For Anna
Subject: E-vykort!
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Message: Till min Alskade...
For Erica
Subject: E-Postkort!
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Message: Vakre roser jeg sammenligner med deg...
For Katarina
Subject: E-postikorti!
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Message: Iloista kesaa!
For Magdolina
Subject: Atviruka!
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Message: Linksmo gimtadieno! ha
For Beate
Subject: E-Kartki!
Attachment: "link.kartki.showcard.index.phpVg42.pif"
Message: W Dniu imienin...
For Eva
Subject: Cartoe Virtuais!
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Message: Content: Te amo...,
For Alice
Subject: Flashcard fuer Dich!
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Message:
Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
For Eva
Subject: Er staat een eCard voor u klaar!
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Message:
Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...
For Hanka
Subject: Elektronicka pohlednice!
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Message:
Ahoj!
Elektronick pohlednice ze serveru http://www.seznam.cz -
For Claudine
Subject: E-carte!
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
Message:
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l"adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...
For Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Message:
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
For Jennifer
Subject: You`ve got 1 Voice Message!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Message:
Dear Customer!
You`ve got 1 Voice Message from voicemessage.com website!
Sender:
You can listen your Virtual Voice Message at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send Voice Message! Try our new virtual Voice Message Empire!
Best regards: SNAF.Team (R).
For Anita
Subject: Tessek mosolyogni!!!
Attachment: "meztelencsajokfociznak.flash.jpg.pif"
Message:
Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:
For Anita
Subject: Soxor Csok!
Attachment: "anita.image043.jpg.pif"
Message:
Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
For Jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Message:
Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye-Bye:
For David
Subject: Check this out kid!!!
Attachment: "jenniferthewildgirlxxx07.jpg.pif"
Message:
Send me back bro, when you`ll be done... (if you know what i mean...)
See ya
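As an added example (not part of the original description), the following Python helper turns the indicators listed above into a small triage routine for host and mail telemetry: the Run value and its %system%\<8 letters>.exe data, the share drop file names, the DoS target hosts, and the shape of the lure attachment names. The attachment heuristic and the request threshold are my own assumptions derived from the samples, not rules stated on the page.

```python
"""Added example, not from the original description: a triage helper built
from the Zafi.B (灾飞) indicators listed above."""
import re

# Indicators taken directly from the description.
RUN_VALUE_NAME = "_Hazafibb"
# The dropped file is eight random letters, so the Run data is a pattern.
RUN_DATA_RE = re.compile(r"^%system%\\[a-z]{8}\.exe$", re.IGNORECASE)
SHARE_DROP_NAMES = {"winamp7.0full_install.exe", "totalcommander7.0full_install.exe"}
DOS_TARGETS = {"www.parlament.hu", "www.virusbuster.hu", "www.virushirado.hu", "www.2f.hu"}
# Assumed heuristic derived from the sample mails: a .pif/.com/.exe attachment
# whose name embeds a fake ".php" URL fragment or a fake ".jpg" inner extension.
LURE_ATTACH_RE = re.compile(r"^(?=.*(?:\.php|\.jpg)).+\.(pif|com|exe)$", re.IGNORECASE)

def check_run_entries(entries):
    """entries: {value name: data} read from the CurrentVersion\\Run key.
    Returns the value names that match the worm's persistence entry."""
    return sorted(name for name, data in entries.items()
                  if name == RUN_VALUE_NAME or RUN_DATA_RE.match(data))

def check_share_files(filenames):
    """Returns the file names the worm drops into shared folders (case-insensitive)."""
    return sorted(f for f in filenames if f.lower() in SHARE_DROP_NAMES)

def check_http_hosts(hosts, threshold=50):
    """hosts: destination host names from proxy/firewall logs.
    Returns DoS targets contacted more than `threshold` times (assumed cut-off)."""
    counts = {}
    for h in hosts:
        counts[h.lower()] = counts.get(h.lower(), 0) + 1
    return sorted(h for h, n in counts.items() if h in DOS_TARGETS and n > threshold)

def is_lure_attachment(filename):
    """True when the attachment name matches the lure shape seen in the samples."""
    return LURE_ATTACH_RE.match(filename) is not None

def triage(run_entries, share_files, http_hosts, attachments):
    """Combine the four checks into one verdict dictionary."""
    return {
        "run_values": check_run_entries(run_entries),
        "share_drops": check_share_files(share_files),
        "dos_hosts": check_http_hosts(http_hosts),
        "lure_attachments": [a for a in attachments if is_lure_attachment(a)],
    }

if __name__ == "__main__":
    # Constructed sample telemetry for a quick run.
    print(triage({"_Hazafibb": r"%system%\kqzwmrtx.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
                 ["Winamp7.0full_install.exe", "readme.txt"],
                 ["www.parlament.hu"] * 60 + ["www.google.com"] * 2,
                 ["link.ekort.index.phpV7ab4.kort.pif", "report.pdf"]))
```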