Virus name (Chinese):
Virus alias:
Threat level: ★★☆☆☆
Virus type: Worm
Virus length: 36864
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a worm that spreads by e-mail.
It drops virus files; modifies registry entries so that it starts automatically; terminates a large number of programs, including security software; searches the user's machine for e-mail addresses and mails itself out as an attachment using its own built-in SMTP engine; and lets the attacker control the user's machine over IRC to perform malicious actions such as downloading further virus files.
1. Creates the mutex
H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H
to ensure that only one instance of the program runs.
2. Drops the following file:
C:\WINNT\System32\nvhost.exe
3. Adds or modifies the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MessengerService"="nvhost.exe"
so that it starts automatically with Windows;
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"MessengerService"="nvhost.exe"
so that it is registered as a system service;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start"="04,00,00,00"
which disables the Windows XP firewall.
4. Terminates the following processes:
AVXMONITORNT.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CFGWIZ.EXE
CFIADMIN.EXE
DLLREG.EXE
DOORS.EXE
DRWATSON.EXE
ESCANHNT.EXE
ESCANV95.EXE
ETHEREAL.EXE
FIREWALL.EXE
FAST.EXE
FSAA.EXE
HXIUL.EXE
KAVPF.EXE
KAZZA.EXE
KERNEL32.EXE
LNETINFO.EXE
MAPISVC32.EXE
MSDM.EXE
REGEDIT.EXE
SCRSCAN.EXE
and others.
5. Searches for e-mail addresses in files whose names end with the following extensions:
htmb
shtl
jspl
cgil
xmls
phpq
aspd
dbxn
tbbg
adbh
pl
html
wab
6. Sends the virus file out as an attachment using its own SMTP engine.
7. The message body is one of the following:
Dear user %s
You have successfully updated the password of your %s account.
If you did not authorize this change or if you need assistance with your account,
please contact %s customer service at: %s
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s

Dear user %s,
It has come to our attention that your %s User Profile (x) records are out of date.
For further details see the attached document.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s

Dear %s Member,
We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your %s account.
Sincerely, The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s

Dear %s Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours, The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
8. Modifies the hosts file, mapping specific web sites (mostly antivirus vendors' sites, plus some payment and shopping sites) to 127.0.0.1 so that the user can no longer reach them.
9. The attacker can also control the user's machine over IRC to download further virus files, update the virus, and perform other operations.
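An offline triage check for two of the artifacts described above (the nvhost.exe autorun value and disabled SharedAccess service from item 3, and the hosts-file redirection from item 8), added here as an example and not the vendor's own tool. It parses a .reg export and a hosts file collected from a suspect machine; the sample inputs are constructed, and Start=4 is read as SERVICE_DISABLED, the standard meaning of that service start value.

```python
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
FIREWALL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
# A few of the vendor domains the worm redirects to loopback; extend as needed.
VENDOR_DOMAINS = {"symantec.com", "sophos.com", "mcafee.com", "kaspersky.com"}

def parse_reg(text):
    """Return {key: {value_name: raw_value}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def registry_findings(reg_text):
    """Flag the nvhost.exe autorun value and a disabled SharedAccess service."""
    reg, findings = parse_reg(reg_text), []
    for key in AUTORUN_KEYS:
        if reg.get(key, {}).get("MessengerService", "").lower().endswith("nvhost.exe"):
            findings.append(f"autorun: {key}\\MessengerService")
    start = reg.get(FIREWALL_KEY, {}).get("Start", "").lower().replace("hex:", "")
    if start in ("dword:00000004", "04,00,00,00"):  # 4 = SERVICE_DISABLED
        findings.append("firewall: SharedAccess service disabled (Start=4)")
    return findings

def hosts_findings(hosts_text):
    """Flag hosts lines that send a vendor domain (or a subdomain of it) to loopback."""
    findings = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, split fields
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "::1"):
            continue
        for host in parts[1:]:
            if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                findings.append(f"hosts: {host} -> {parts[0]}")
    return findings

# Constructed samples resembling an infected machine's registry export and hosts file.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerService"="nvhost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.symantec.com\n127.0.0.1 liveupdate.symantec.com\n"
```

Run `registry_findings(SAMPLE_REG)` and `hosts_findings(SAMPLE_HOSTS)` against a real export and hosts file to get the list of matching artifacts; an empty list means none of these indicators were found.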