Worm.Netsky.m
Virus aliases: W32.Netsky.M@mm [Symantec] I-Worm.Netsky.m [Kaspersky] WORM_NETSKY.M [Trend]
Processed on: 2004-03-11
Threat level: ★★
Chinese name: 网络天空变种M (Netsky variant M)
Virus type: worm
Affected systems: Win9x/WinNT/Win2000/WinXP/Windows Server 2003
Virus behaviour:
Member of the "Netsky" virus family
Compiler and packer:
Written in VC, packed with UPX
Infection conditions:
The worm spreads rapidly by e-mail using its own SMTP engine.
Trigger conditions:
System modifications:
A. Creates the mutex "Rabbo_Mutex" so that only one instance of the worm runs on the system;
B. Copies itself to %WinDir%\AVprotect9x.exe
C. Adds the value
"9xHtProtect"="%Windir%\AVprotect9x.exe"
to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the virus starts automatically with the system;
D. Searches files with the following extensions on drives C: through Z: and harvests e-mail addresses from them:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml
E. Sends virus e-mails with its own mail engine; the messages have the following characteristics:
From: <chosen from the harvested addresses or generated at random>
Possible subjects:
Re: <%s> Requested file
Re: <%s> My file
Re: <%s> My document
Re: <%s> My information
Re: <%s> My details
Re: <%s> Information
Re: <%s> Improved
Re: <%s> Requested document
Re: <%s> Document
Re: <%s> Details
Re: <%s> Your document
Re: <%s> Your details
Re: <%s> Approved
Possible bodies:
Details for %s.
Document %s.
I have received your document. The improved document %s is attached.
I have attached your document %s.
Your document %s is attached to this mail.
Authentification for %s required.
Requested file %s.
See the file %s.
Please read the important message msg_%s.
Please confirm the document %s.
%s is attached.
Your file %s is attached.
Please read the document %s.
Your document %s is attached.
Please read the attached file %s.
Please see the attached file %s for details..
Possible attachment names:
improved_%s.pif
message_%s.pif
detailed_%s.pif
your_document_%s.pif
word_doc_%s.pif
doc_%s.pif
articel_%s.pif
picture_%s.pif
file_%s.pif
your_file_%s.pif
details_%s.pif
document_%s.pif
%s.pif
Note: %s is the domain part of the recipient's address, i.e. the part after "@".
Symptoms:
Special notes:
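The indicators in A–E above can be turned into a small detection script. The following Python is an added example written for this page, not the vendor's own tooling: it scores an e-mail against the subject, body and attachment templates (keyed on the recipient's domain, as the note explains), and checks a host for the Run value and dropped file. The demo message, the domain example.com and the registry snapshot in the test are constructed, not real captures.

```python
"""Detection helpers for the Netsky.M indicators listed in this advisory.

Added example, not the advisory's own tooling. The templates are the ones
quoted above; the demo message at the bottom is constructed.
"""
import re
import sys

# Subject keywords: the worm sends "Re: <domain> <keyword>".
SUBJECT_KEYWORDS = [
    "Requested file", "My file", "My document", "My information", "My details",
    "Information", "Improved", "Requested document", "Document", "Details",
    "Your document", "Your details", "Approved",
]
# Body templates; %s is the recipient's domain.
BODY_TEMPLATES = [
    "Details for %s.", "Document %s.",
    "I have received your document. The improved document %s is attached.",
    "I have attached your document %s.", "Your document %s is attached to this mail.",
    "Authentification for %s required.", "Requested file %s.", "See the file %s.",
    "Please read the important message msg_%s.", "Please confirm the document %s.",
    "%s is attached.", "Your file %s is attached.", "Please read the document %s.",
    "Your document %s is attached.", "Please read the attached file %s.",
    "Please see the attached file %s for details..",
]
# Attachment prefixes; the bare "%s.pif" form is covered by an optional prefix.
ATTACHMENT_PREFIXES = [
    "improved_", "message_", "detailed_", "your_document_", "word_doc_", "doc_",
    "articel_", "picture_", "file_", "your_file_", "details_", "document_",
]
RUN_VALUE_NAME = "9xHtProtect"   # value written under HKLM\...\CurrentVersion\Run
DROPPED_FILE = "AVprotect9x.exe"  # copy of the worm in %WinDir%
MUTEX_NAME = "Rabbo_Mutex"


def recipient_domain(address):
    """%s in the templates is the part of the recipient address after '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def match_mail(recipient, subject, body, attachment):
    """Score one message against the templates; returns which parts matched."""
    domain = recipient_domain(recipient)
    escaped = re.escape(domain)
    subject_re = re.compile(
        r"^Re: <%s> (?:%s)$" % (escaped, "|".join(map(re.escape, SUBJECT_KEYWORDS))), re.I)
    attachment_re = re.compile(
        r"^(?:%s)?%s\.pif$" % ("|".join(map(re.escape, ATTACHMENT_PREFIXES)), escaped), re.I)
    body_lc = body.lower()
    hits = {
        "subject": bool(subject_re.match(subject.strip())),
        "body": any(t.replace("%s", domain).lower() in body_lc for t in BODY_TEMPLATES),
        "attachment": bool(attachment_re.match(attachment.strip())),
    }
    # A .pif named after the recipient's own domain, plus a templated subject or
    # body, is specific enough to quarantine.
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def evaluate_host(run_values, existing_files):
    """Pure check over a snapshot: run_values is {value name: data} from the
    HKLM Run key, existing_files is a set of paths present on disk."""
    findings = []
    if run_values.get(RUN_VALUE_NAME, "").lower().endswith(DROPPED_FILE.lower()):
        findings.append("run key")
    if any(p.lower().endswith("\\" + DROPPED_FILE.lower()) for p in existing_files):
        findings.append("dropped file")
    return findings


def collect_host_state():
    """Windows-only collection feeding evaluate_host(); empty data elsewhere."""
    run_values, files = {}, set()
    if sys.platform != "win32":
        return run_values, files
    import os, winreg, ctypes
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            index += 1
    candidate = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), DROPPED_FILE)
    if os.path.exists(candidate):
        files.add(candidate)
    # OpenMutexW returns a handle if the worm's mutex already exists.
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(0x00100000, False, MUTEX_NAME)  # SYNCHRONIZE
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        print("mutex %s present" % MUTEX_NAME)
    return run_values, files


if __name__ == "__main__":
    # Constructed demo message that follows the advisory's templates.
    print(match_mail("user@example.com", "Re: <example.com> Requested file",
                     "Please read the attached file example.com.", "file_example.com.pif"))
    print(evaluate_host(*collect_host_state()))
```

match_mail() can be dropped into a gateway filter that already parses the recipient and attachment name; evaluate_host() is kept free of Windows calls so the same logic can be run against exported registry and file listings from other hosts.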