Virus name (Chinese):
玩偶之怒
Alias:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
49152
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behavior:
This is a mass-mailing worm. It searches the infected machine for email addresses and mails a copy of itself to them, and it attempts to download other trojans associated with the worm.
1. Creates a mutex:
"PeyotCodedByHALT"
2. Adds a registry entry:
HKLC\Software\Microsoft\Windows\CurrentVersion\Run
mfcapi32u
mfcapi32u.exe
3. Creates files:
%WINNT%\System32\mfcapi32u.exe
%TEMP%\hack.txt
4. When the virus runs, it launches notpad.exe displaying the text "this is the joke".
5. Adds itself to the firewall's authorized applications list:
SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
6. Modifies the registry key:
Software\MailPeyot
7. Downloads the file:
http://traffall.biz/adv/***/win32.exe
to "c:\autoexeck.exe"
8. Sends email:
Subject (one of):
Thank you for your purchase in Bolero!
Thank you for your registration!
Pay for your credits!
It"s important!!! You still have not paid a fine!
Tank you for your charity
Body (one of the following, reproduced as sent):
Hello! Thank you for your purchase in our Internet-shop. We always appreciate to meet you there and would like to inform you that money was successfully transferred from your credit card to our account. Further information you can find enclosed. Sincerely yours, Bolero Inetshop Administration
Hello! Thank you for your rewrite in our mail server. The confirmation of you new login and password you can find enclosed. Sincerely yours, Mail Administration Service / Mail Support Service
Hello! We have to remain you that your credit payment period will be expiring next week. If you will not make your payment till that time we will have to withdraw your savings from your bank account. All details you can find enclosed. USA Credit Group.
Hello! We remain you that you still have not paid a parking violation fine. You should to pay it till the next week or we will have to reach trial the deal. We are sending you herewith all necessary documents. Sincerely yours, Regional Police Department Management / Administration
Hello! The St. Patrick Home thanks you for your donation. We are very obliged for your assistance with our St. Patrick"s Found and acknowledge the receipt of your transfer for its account. Further to our letter we are sending you full estimate of that transfer.
Sender name (one of):
Michel Madsen, Nick Convers, Jane Hoocks, Fred Dowland, Emely Hard, John Heckman, Piet Roslen, Oliver Simpson, Patrick Roberts, Lorence Newman
Sender address: the local part is a combination of two of the following fragments:
night, bsd, sys, mr, big, bob, white, dark, black, oliver, yanli, brain, chan, katamoro, tsungli, killer, bug, bug, sun, tr0n, lion, bandit, andi, alert, 02, 03, 2003, 2001, 2004, 2002, 2000, 2006, m4n, man, chubakka, obivan, presli, songking, yantchi, smitt, westford, goldgong, manager, bengamin, cristofer, albert, antony, martin, enigma, aleph, elvis, john, robin, ghost
Email domain (one of):
mail.com, msn.com, hotmail.com, gmail.com
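As an added illustration (not part of the vendor's description), the following Python triage check applies the lure subjects, sender-address fragments and domains from step 8 above to mail headers. The rule that any ordered pair of fragments forms the local part, and the sample headers, are assumptions.

```python
import re
# Lure subjects listed in the description above (spaces restored).
LURE_SUBJECTS = [
    "Thank you for your purchase in Bolero!",
    "Thank you for your registration!",
    "Pay for your credits!",
    'It"s important!!! You still have not paid a fine!',
    "Tank you for your charity",
]
# Name fragments the worm pairs up to build the sender's local part, and the
# domains it appends; both lists come from the description (duplicate "bug" dropped).
FRAGMENTS = ("night bsd sys mr big bob white dark black oliver yanli brain chan "
             "katamoro tsungli killer bug sun tr0n lion bandit andi alert 02 03 "
             "2003 2001 2004 2002 2000 2006 m4n man chubakka obivan presli songking "
             "yantchi smitt westford goldgong manager bengamin cristofer albert "
             "antony martin enigma aleph elvis john robin ghost").split()
DOMAINS = {"mail.com", "msn.com", "hotmail.com", "gmail.com"}
# Assumption: the worm joins any ordered pair of fragments (the page only says "two parts").
LOCAL_PARTS = {a + b for a in FRAGMENTS for b in FRAGMENTS}

def norm(text):
    # Lower-case and collapse punctuation so 'It"s'/"It's" and spacing differences still match.
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

NORM_SUBJECTS = {norm(s) for s in LURE_SUBJECTS}

def sender_matches_pattern(addr):
    """True if addr has the shape fragment+fragment@<one of the worm's domains>."""
    m = re.fullmatch(r"([a-z0-9]+)@([a-z0-9.-]+)", addr.strip().lower())
    return bool(m) and m.group(2) in DOMAINS and m.group(1) in LOCAL_PARTS

def triage(messages):
    """Return [(index, reasons)] for messages whose From/Subject match the worm's lures."""
    hits = []
    for i, msg in enumerate(messages):
        reasons = []
        if norm(msg["subject"]) in NORM_SUBJECTS:
            reasons.append("lure subject")
        if sender_matches_pattern(msg["from"]):
            reasons.append("generated sender address")
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample headers for a stand-alone run; not real captured mail.
SAMPLE = [
    {"from": "darkkiller@hotmail.com", "subject": "Pay for your credits!"},
    {"from": "alice@example.org", "subject": "Lunch on Friday?"},
    {"from": "elvis2004@mail.com", "subject": "Quarterly report"},
]
```

Running `triage(SAMPLE)` flags message 0 on both subject and sender and message 2 on sender only; a sender-only hit is a weaker signal and worth confirming against the attachment.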