Virus name (Chinese):
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
94208
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a worm that spreads via IRC and e-mail.
Once it is running, an attacker can control the infected machine over IRC and carry out destructive actions such as downloading malware files or rebooting the machine. It can also use its built-in SMTP engine to send itself as an attachment to specified mailboxes, and it blocks access to a large number of security websites.
1. Modifies the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start"="04,00,00,00"
to disable the Windows XP firewall.
2. Connects automatically to the following IRC server:
irc.unixirc.net
and accepts attacker commands for destructive actions, such as downloading malware files and copying them to the system directory.
3. Modifies the hosts file to block the following security websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.my-etrust.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 liveupdate.symantec.com
etc.
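Items 1 and 3 above give a defender two cheap host-based checks: whether the hosts file redirects any of the listed security-vendor names to the loopback address, and whether the SharedAccess (Windows Firewall/ICS) service has its Start value set to 4, which is SERVICE_DISABLED (the write-up shows that DWORD as the little-endian bytes 04,00,00,00). The following Python is an added example written for this page, not code from the vendor or from the worm; the sample hosts file and the function names are constructed for illustration.

```python
from typing import Dict, List

# Security-vendor hosts the write-up lists as redirected to 127.0.0.1.
WORM_BLOCKED_HOSTS = [
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "www.mcafee.com", "www.viruslist.com",
    "www.f-secure.com", "www.avp.com", "www.networkassociates.com",
    "www.my-etrust.com", "dispatch.mcafee.com", "www.nai.com",
    "liveupdate.symantec.com",
]

# Addresses that amount to "go nowhere": IPv4/IPv6 loopback and the null route.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in a hosts file to the address it resolves to.

    Comments (# ...) and blank lines are skipped; one line may list several
    names after the address. Names are lower-cased for case-insensitive lookup.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # address with no hostname: ignore
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def find_hosts_hijacks(text: str, watched: List[str] = WORM_BLOCKED_HOSTS) -> List[str]:
    """Return the watched hostnames that the hosts file sinkholes, sorted."""
    mapping = parse_hosts(text)
    return sorted(n for n in watched if mapping.get(n.lower()) in SINKHOLE_ADDRS)


def decode_reg_hex(value: str) -> bytes:
    """Turn the comma-separated hex form used in the write-up ('04,00,00,00')
    into raw bytes, as a REG_DWORD is stored on disk."""
    return bytes(int(b, 16) for b in value.split(","))


def service_start_disabled(start_value: bytes) -> bool:
    """True when a service's Start DWORD is 4 (SERVICE_DISABLED)."""
    return int.from_bytes(start_value[:4], "little") == 4


# Constructed sample hosts file (not taken from the page): one benign localhost
# line, a commented-out line that must not count, two worm-style loopback
# redirects on one line, one null-route redirect, and one legitimate entry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com liveupdate.symantec.com
0.0.0.0 www.mcafee.com
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    print("sinkholed vendor hosts:", find_hosts_hijacks(SAMPLE_HOSTS))
    print("SharedAccess disabled:", service_start_disabled(decode_reg_hex("04,00,00,00")))
```

On a live Windows host you would feed `parse_hosts` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `service_start_disabled` the Start value read from the SharedAccess key; a non-empty hijack list or a disabled firewall service is a strong indicator that this worm, or something behaving like it, has run.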
4. Searches for e-mail addresses in files whose names end with the following suffixes:
htmb
shtl
jspl
xmls
cgil
phpq
aspd
tbbg
dbxn
adbh
pl
html
wab
5. The message body is one of the following:
Dear user
You have successfully updated the password of your count.
If you did not authorize this change or if you need assistance with your account, please contact %s customer service at:
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
Dear user
It has come to our attention that your %s User Profile (x) records are out of date. For further details see the attached document.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
Dear %s Member,
We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial signup process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
6. The virus sends itself out as an attachment using its built-in SMTP engine.
7. It avoids sending to mailboxes whose address contains any of the following strings:
ibm.com
linux
berkeley
foo
ruslis
nodomai
mydomai
example
hotmail
panda
sopho
someone
your
bugs
rating
service
privacy
help
etc.