Virus name (Chinese):
Alias:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
131104
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This virus is a new variant of the well-known Sober worm. When it is run, it pops up a fake "no viruses found" window to mislead the user: the window title is "AntiVirus" and the text reads "No Viruses, Trojans or Spyware found! status: OK". The virus drops Worm.Sober.x.125600 and adds a startup entry for it; Worm.Sober.x.125600 is a worm that spreads via e-mail.
1. Files created
%windows%\hhbveeed.exe
%windows%\ConnectionStatus\Microsoft\services.exe
2. Startup entries added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinCheck"="%windows%\ConnectionStatus\Microsoft\services.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"_WinCheck"="%windows%\ConnectionStatus\Microsoft\services.exe"
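The dropped files and Run-key values above are the host-side artifacts a defender can check for. The following PowerShell script is an added example, not part of the original write-up; it assumes %windows% corresponds to $env:SystemRoot and reports any of the listed artifacts it finds on the local machine.

```powershell
# Added example: look for the persistence artifacts described in sections 1 and 2.
# Assumption: %windows% in the write-up is the directory in $env:SystemRoot.
$sysRoot = $env:SystemRoot

# Dropped files from section 1. Note that the genuine services.exe lives in
# %windows%\System32, so a copy under ConnectionStatus\Microsoft is suspicious.
$files = @(
    (Join-Path $sysRoot 'hhbveeed.exe'),
    (Join-Path $sysRoot 'ConnectionStatus\Microsoft\services.exe')
)

# Run-key values from section 2 (machine-wide and per-user).
$runEntries = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'WinCheck' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = '_WinCheck' }
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Kind   = 'File'
            Where  = $f
            Detail = "size=$($item.Length) bytes, modified=$($item.LastWriteTime)"
        }
    }
}

foreach ($e in $runEntries) {
    # Missing keys are not an error here; the value simply does not exist.
    $props = Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$e.Name]) {
        $findings += [pscustomobject]@{
            Kind   = 'RunKey'
            Where  = "$($e.Path)\$($e.Name)"
            Detail = $props.$($e.Name)
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sober persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key and the %windows% directory are readable; a hit on either Run value pointing at the ConnectionStatus path is the strongest single indicator in this list.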
3. Searches files with the following extensions for e-mail addresses:
pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, cms, nws, vcf, ctl,
dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx,
mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls,
ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods,
nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml, dbx
4. Filters out e-mail addresses containing the following strings:
Domain fragments with "@":
@genion, @worldonline, @planet-interkom.de, @ameritech, @omantel., @debitel.n,
@salzburg-online, @restena.l, @cityweb.d, @compuserve.d, @ainet.a, @tele2.,
@ozemail.com., @pb.ozemail, @bigpond., @imail., @eplus-online, @comcast.n,
@fastwebnet., @tutopia.c, @bluewin, @verizon, @earthlink, @mindspring,
@tiscali.de, @tiscali.ch, @gmx., @web., @yaho, @arcor, @aol., @optusnet
Domain fragments without "@":
genion, worldonline, interkom.de, ameritech, omantel, debitel.net,
salzburg-online, restena., cityweb.d, compuserve.d, ainet., tele2., pb.ozemail,
bigpond, eplus-online, imail., comcast., fastwebnet., fastweb, tutopia.,
bluewin, verizon, earthlink, mindspring, tiscali.de, tiscali.ch, web.de, yaho,
arcor, aol., optusnet
Given names:
Michael, Jordan, Tina, Melanie, Christina, Pablo, David, Bobby, Angelica,
Nicole, Bea, Anna, Susan, Kim, Peggy, John, Manfred, Regina, Thomas, Dirk,
Marcel, Peter, Paul, Paula, Maria, Pam, Sue, Angel, Joey, Brian, Rachel, Rita,
Simon, Carol, Clare, Nancy, Barbara, Stephen
5. Visible behavior of the virus
Pops up a window with the title "AntiVirus" and the text "No Viruses, Trojans or Spyware found! status: OK".