Virus name (Chinese):
Bagz variant B
Aliases:
I-Worm.Bagz.b[AVP], I-Worm/Bagz.b[KV]
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
36861
Affected systems:
Win9x, WinNT
Behaviour:
This is a worm that spreads via e-mail. It disables the Windows firewall, downloads and executes files from the network, harvests e-mail addresses from .txt, .htm, .dbx, .tbi and .tbb files into a temporary file, and then mails itself as an attachment to the harvested addresses. The messages it sends are highly deceptive, so a user may be tricked into opening the attachment and infecting the system with the worm.
1) Copies itself to %System%\tutorial.doc<space>.exe
2) Creates the files %System%\dl.exe and %System%\syslogin.exe
3) Adds a startup entry to the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"syslogin.exe"="syslogin.exe"
4) Disables the Windows firewall
5) Downloads files from the network and executes them
6) Stores the harvested e-mail addresses, the local machine's IP address and the mail gateway in the following three temporary files:
%System%\jobdb.dll
%System%\ipdb.dll
%System%\wdate.dll
7) Harvests e-mail addresses from files with the following extensions:
.txt
.htm
.dbx
.tbi
.tbb
8) E-mail:
From: [spoofed sender]
Subject: [subject]
Message: [body]
Attachment: [attachment name]
Subject list:
Re: User ID Update
Fwd: Your Funds are Eligible for Withdrawal
find a solution with this customer
No Subject
Re: Help Desk Registration
failure notice
Fwd: Password
when should i call you?
RE: Re: A question
Knowledge Base Article
Open Invoices
Returned mail: see transcript for details
building maintenance
[Fwd: Broken link]
WinXP
troubles are back again
Questions
Order Approval
units available
progress news
big announcements
Need help pls
You have recieved an eCard!
What is this????
Deactivation Notice
Message recieved, please confirm
My funny stories
Cost Inquiry
Re: payment
referrences
Webmail Invite
RE: quote request
Body list:
Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User

Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks,
User

Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User

Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User

Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User

Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User

Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User

*** YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM ***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
*** YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM ***

*** ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED! ***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
*** ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED! ***

*** URGENT: SERVICE SHUTDOWN NOTICE ***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your account.
Regards,
Net Operator
*** URGENT: SERVICE SHUTDOWN NOTICE ***

last request before refunding
Attachment name list:
Ctutorial.doc<space>.exe
doc.doc<space>.exe
documents.doc<space>.exe
atach.doc<space>.exe
file.doc<space>.exe
read.doc<space>.exe
readme.doc<space>.exe
contact.doc<space>.exe
mail.doc<space>.exe
att.doc<space>.exe
warning.doc<space>.exe
db.doc<space>.exe
msg.doc<space>.exe
message.doc<space>.exe
messages.doc<space>.exe
archive.doc<space>.exe
arch.doc<space>.exe
support.doc<space>.exe
account.doc<space>.exe
doc.zip
documents.zip
atach.zip
file.zip
read.zip
readme.zip
contact.zip
mail.zip
att.zip
warning.zip
db.zip
msg.zip
message.zip
messages.zip
archive.zip
arch.zip
support.zip
account.zip
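As an added, defender-side example that is not part of the original entry: a small Python triage helper that flags a message when it matches the indicators listed above, namely a subject from the worm's subject list, or an attachment name that pads a .doc extension with spaces so the trailing .exe is pushed out of view. The regular expression deliberately generalises beyond the page to other document/executable extension pairs and to the no-space variant; that widening, the function names and the sample messages are my own, not vendor data.

```python
import re

# Attachment naming trick described on the page: "<name>.doc<spaces>.exe".
# The page lists only .doc followed by .exe; the extra document and executable
# extensions below are my own generalisation of the same trick, and zero spaces
# are allowed so a plain double extension is caught too.
DISGUISED_EXE_RE = re.compile(
    r"""^[^\\/:*?"<>|\s]+          # base name: no path separators or whitespace
        \.(?:doc|txt|pdf|rtf)      # the "document" extension the user is meant to see
        [ ]*                       # spaces that push the real extension out of view
        \.(?:exe|scr|pif|com|bat)$ # the extension Windows actually honours
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Subjects from the page's subject list, spelled as the worm spells them
# (including its own typos, so they match real traffic).
KNOWN_SUBJECTS = [
    "Re: User ID Update",
    "Fwd: Your Funds are Eligible for Withdrawal",
    "find a solution with this customer",
    "No Subject",
    "Re: Help Desk Registration",
    "failure notice",
    "Fwd: Password",
    "when should i call you?",
    "RE: Re: A question",
    "Knowledge Base Article",
    "Open Invoices",
    "Returned mail: see transcript for details",
    "building maintenance",
    "[Fwd: Broken link]",
    "WinXP",
    "troubles are back again",
    "Questions",
    "Order Approval",
    "units available",
    "progress news",
    "big announcements",
    "Need help pls",
    "You have recieved an eCard!",
    "What is this????",
    "Deactivation Notice",
    "Message recieved, please confirm",
    "My funny stories",
    "Cost Inquiry",
    "Re: payment",
    "referrences",
    "Webmail Invite",
    "RE: quote request",
]


def _normalise(text):
    """Compare subjects ignoring case and whitespace, since mail clients fold
    headers differently and vendor listings often collapse the spacing."""
    return re.sub(r"\s+", "", text).lower()


_KNOWN_NORMALISED = {_normalise(s) for s in KNOWN_SUBJECTS}


def is_disguised_executable(filename):
    """True when the attachment name hides an executable extension behind a
    document-looking one, with or without the space padding."""
    return DISGUISED_EXE_RE.match(filename) is not None


def triage_message(subject, attachments):
    """Return the list of Bagz.b indicators a message matches; an empty list
    means nothing on the page's list was seen (it is not proof the mail is clean)."""
    reasons = []
    if _normalise(subject) in _KNOWN_NORMALISED:
        reasons.append("subject matches a known Bagz.b subject: %r" % subject)
    for name in attachments:
        if is_disguised_executable(name):
            reasons.append("attachment hides an executable behind a document extension: %r" % name)
    return reasons


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        ("Re: Help Desk Registration", ["tutorial.doc                .exe"]),
        ("Quarterly report", ["report.docx", "notes.txt"]),
        ("What is this????", ["archive.zip"]),
    ]
    for subj, atts in samples:
        print(subj, "->", triage_message(subj, atts) or "no indicator matched")
```

The subject match on its own is a weak signal (several entries such as "Questions" or "WinXP" will appear in legitimate mail), so a mail gateway rule would normally require the attachment indicator, or combine the subject hit with the generic double-extension rule, before quarantining.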