Worm.Mytob.az

王朝other·作者佚名  2008-08-14
窄屏简体版  字體: |||超大  

病毒名称(中文):

邮件伪装者

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

蠕虫病毒

病毒长度:

49278

影响系统:

Win9xWinNT

病毒行为:

这是一个通过邮件传播的病毒,他会开启系统的后门,修改用户计算机的安全设置,并且会通过IRC远程控制机器,对其他的计算机进行攻击.对用户带来很多麻烦.

1.生成文件:

%system%\nec.exe

2.增加注册表项,使病毒开机运行.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WINDOWSSYSTEM

nec.exe

3.注册为服务项目:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

WINDOWSSYSTEM

nec.exe

4.设置连接共享服务,为其他病毒的传播埋下伏笔.

5.修改防火墙规则,使病毒不被防火墙阻拦.

6.修改host,延长病毒生命周期.

127.0.0.1www.trendmicro.com

127.0.0.1www.microsoft.com

127.0.0.1trendmicro.com

127.0.0.1rads.mcafee.com

127.0.0.1customer.symantec.com

127.0.0.1liveupdate.symantec.com

127.0.0.1us.mcafee.com

127.0.0.1updates.symantec.com

127.0.0.1update.symantec.com

127.0.0.1www.nai.com

127.0.0.1nai.com

127.0.0.1secure.nai.com

127.0.0.1dispatch.mcafee.com

127.0.0.1download.mcafee.com

127.0.0.1www.my-etrust.com

127.0.0.1my-etrust.com

127.0.0.1mast.mcafee.com

127.0.0.1ca.com

27.0.0.1www.ca.com

127.0.0.1networkassociates.com

127.0.0.1www.networkassociates.com

127.0.0.1avp.com

127.0.0.1www.kaspersky.com

127.0.0.1www.avp.com

127.0.0.1kaspersky.com

127.0.0.1www.f-secure.com

127.0.0.1f-secure.com

127.0.0.1viruslist.com

127.0.0.1www.viruslist.com

127.0.0.1liveupdate.symantecliveupdate.com

127.0.0.1mcafee.com

127.0.0.1www.mcafee.com

127.0.0.1sophos.com

127.0.0.1www.sophos.com

127.0.0.1symantec.com

27.0.0.1securityresponse.symantec.com

127.0.0.1www.symantec.com

7.结束上千种程序,包括以下的:

ACKWIN32.EXE

ADAWARE.EXE

ADVXDWIN.EXE

AGENTSVR.EXE

AGENTW.EXE

ALERTSVC.EXE

ALEVIR.EXE

ALOGSERV.EXE

AMON9X.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ARR.EXEATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATUPDATER.EXE

ATWATCH.EXE

AU.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVE32.EXE

AVGCC32.EXE

AVGCTRL.EXE

AVGNT.EXE

AVGSERV.EXE

AVGSERV9.EXE

AVGUARD.EXE

AVGW.EXE

AVKPOP.EXE

AVKSERV.EXE

AVKSERVICE.EXE

AVKWCTl9.EXE

AVLTMAIN.EXE

AVNT.EXE

AVP.EXE

AVP32.EXE

AVPDOS32.EXE

AVPM.EXE

AVPTC32.EXE

AVPUPD.EXE

AVPUPD.EXE

AVSCHED32.EXE

AVSYNMGR.EXE

AVWINNT.EXE

AVWUPD.EXE

AVWUPD32.EXE

AVWUPSRV.EXE

AVXMONITOR9X.EXE

AVXMONITORNT.EXE

AVXQUAR.EXE

AVXQUAR.EXE

BACKWEB.EXE

BARGAINS.EXE

WNAD.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXEWUPDATER.EXE

WUPDT.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZONALM2601.EXE

ZONEALARM.EXE

_AVP32.EXE

_AVPCC.EXE

_AVPM.EXE

CMD.EXE

ASKMGR.EX

8.链接到irc.blackcarder.net的#skyline2,接收远程控制的命令.

9.在用户计算机上建立一个到137.118.240.20119091的ftp,使用户机器成为病毒中转站.

10.搜索下列文件中的邮箱地址:

.txt

.htmb

.shtl

.cgil

.jspl

.xmls

.phpq

.aspd

.dbxn

.tbbg

.adbh

.wab

.pl

并且会避免含有向以下字符的地址发送邮件:

avp

syma

microsof

msn.

hotmail

panda

sopho

borlan

.gov

.mil

berkeley

unix

math

bsd

mit.e

gnu

fsf.

ibm.com

google

kernel

linux

fido

11.下载HellBot::v3beta2并且启动.

12.SYN攻击.

13.发邮件:

发件人为以下随机的名字和搜索到的域名的组合:

root

info

samples

postmaster

webmaster

noone

nobody

nothing

anyone

someone

your

you

me

bugs

rating

privacy

service

help

admin

内容为以下五条随机一条:

Onceyouhavecompletedtheformintheattachedfile,youraccountrecordswillnotbeinterruptedandwillcontinueasnormal.

Theoriginalmessagehasbeenincludedasanattachment.

Weregrettoinformyouthatyouraccounthasbeensuspendedduetotheviolationofoursitepolicy,moreinfoisattached.

Weattachedsomeimportantinformationregardingyouraccount.

Pleasereadtheattacheddocumentandfollowit"sinstructions.

附件为以下格式:

.exe

.scr

.pif

.zip

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航