I-Worm/Netsky.p
Virus length: 16,384 bytes
Virus type: network worm (mass mailer)
Threat level: **
Affected platforms: Win9X/2000/XP/NT/Me/2003
I-Worm/Netsky.p is a UPX-packed mass-mailing worm. It uses its own SMTP engine to send copies of itself to email addresses harvested from the local hard disk and from mapped network drives. The sender address is spoofed, and both the subject line and the message body vary from message to message.
Propagation and behaviour:
1. Copies itself to: %Windir%\AVBgle.exe
2. Creates the file: %Windir%\base64.bmp -- 22,456 bytes
3. Modifies the registry:
/Adds the value "MSInfo"="%Windir%\AVBgle.exe" to the startup key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/Deletes the following values from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Explorer
system.
msgsvr32
au.exe
service
DELETE ME
d3dupdate.exe
Sentry
Taskmon
Windows Services Host
/Deletes the value "system" from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
/Deletes the following values from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Explorer
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
/Deletes the value "InProcServer32" from HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}
/Deletes the subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
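The host-side indicators in steps 1 to 3 (the dropped files and the "MSInfo" Run value pointing at AVBgle.exe) can be checked offline against a registry export and a directory listing. The following script is an added example written for this write-up; it is not code from the original page or from any AV vendor. It parses the `.reg` export format that regedit produces, flags Run values that reference the worm's file name, and compares a listing of %Windir% against the dropped-file sizes stated above. The export text and the directory listing embedded below are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
WORM_VALUE_NAME = "MSInfo"
WORM_FILENAME = "avbgle.exe"
# Dropped files and their sizes in bytes, as stated in the description.
DROPPED_FILES = {"avbgle.exe": 16384, "base64.bmp": 22456}

# Constructed sample: what "reg export" of the two Run keys might look like
# on a host where the worm's persistence value is present.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSInfo"="C:\\WINDOWS\\AVBgle.exe"
"SoundTray"="C:\\Program Files\\Audio\\tray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\u\\AppData\\Local\\Updater\\updater.exe"
'''

# Constructed sample: file name -> size for a %Windir% listing.
SAMPLE_WINDIR_LISTING = {
    "explorer.exe": 1033728,
    "AVBgle.exe": 16384,
    "base64.bmp": 22456,
    "win.ini": 92,
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers
    followed by "name"="data" lines.  Returns key -> {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(?P<name>[^"]*)"=(?P<data>.*)$', line)
        if m and current is not None:
            data = m.group("data")
            # REG_SZ data is quoted and backslash-escaped in the export.
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def find_netsky_p_persistence(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, data, confidence) for suspicious Run values.
    A data path ending in AVBgle.exe is the strong signal; the value name
    "MSInfo" on its own is weaker, since a legitimate program could use it."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if data.lower().endswith(WORM_FILENAME):
                hits.append((key, name, data, "high"))
            elif name.lower() == WORM_VALUE_NAME.lower():
                hits.append((key, name, data, "low"))
    return hits


def find_dropped_files(listing: Dict[str, int]) -> List[Tuple[str, int, bool]]:
    """Return (name, size, size_matches) for known dropped file names found in
    a %Windir% listing.  A size mismatch still deserves a look (repacked variant)."""
    found = []
    for name, size in listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is not None:
            found.append((name, size, size == expected))
    return found


if __name__ == "__main__":
    for hit in find_netsky_p_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("persistence:", hit)
    for item in find_dropped_files(SAMPLE_WINDIR_LISTING):
        print("dropped file:", item)
```

On a live Windows host the same functions can be fed the output of `reg export` and a listing of the Windows directory; the registry value is the more reliable indicator, because the worm's file may have been renamed by a later variant while the startup entry must still point at it.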
4. Scans files with the following extensions on drives C: through Z: to harvest valid email addresses:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html
.jsp .msg .oft .php .pl .rtf .sht .shtm .tbb
.txt .uin .vbs .wab .wsh .xml
It then uses its own SMTP engine to send itself to every address found:
Message characteristics:
From: spoofed
Subject: one of the following
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Attachment: one of the following
readme.pif
document.pif
data.pif
details.pif
msg.pif
message.pif
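Because the From address is spoofed, a mail gateway cannot filter this worm by sender; the usable signals in the description are the fixed subject lines and the small set of .pif attachment names. The script below is an added example written for this page, not code from the original write-up or from any mail product. It builds constructed sample messages with the standard `email` library, then classifies each message from its Subject header and attachment file names. The verdict levels ("block", "quarantine", "review", "pass") are an assumed policy for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from typing import Dict, List

# Subject lines and attachment names taken from the description above.
NETSKY_P_SUBJECTS = {
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify",
    "Re: SMTP Server", "Re: Mail Server", "Re: Delivery Server",
    "Re: Bad Request", "Re: Failure", "Re: Thank you for delivery",
    "Re: Test", "Re: Administration", "Re: Message Error", "Re: Error",
    "Re: Extended Mail System", "Re: Secure SMTP Message",
    "Re: Protected Mail Request", "Re: Protected Mail System",
    "Re: Protected Mail Delivery", "Re: Secure delivery",
    "Re: Delivery Protection", "Re: Mail Authentification",
}
NETSKY_P_ATTACHMENTS = {
    "readme.pif", "document.pif", "data.pif",
    "details.pif", "msg.pif", "message.pif",
}


def build_sample(subject: str, filename: str = None,
                 sender: str = "spoofed.user@example.com",
                 to: str = "victim@example.org") -> str:
    """Construct a raw RFC 822 message for testing.  The attachment body is a
    harmless placeholder, not worm code; only the file name matters here."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("Please read the attached document.")
    if filename:
        msg.add_attachment(b"placeholder attachment body",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_string()


def classify(raw: str) -> Dict[str, object]:
    """Classify one raw message.  Subject and attachment name together give
    a confident match; a .pif attachment alone is still an executable and
    gets quarantined; a matching subject alone only warrants review."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip()
    attachments: List[str] = [p.get_filename() for p in msg.walk() if p.get_filename()]

    subject_hit = subject in NETSKY_P_SUBJECTS
    name_hits = [a for a in attachments if a.lower() in NETSKY_P_ATTACHMENTS]
    pif_attachments = [a for a in attachments if a.lower().endswith(".pif")]

    if subject_hit and name_hits:
        verdict = "block"
    elif name_hits or pif_attachments:
        verdict = "quarantine"
    elif subject_hit:
        verdict = "review"
    else:
        verdict = "pass"

    return {
        "subject": subject,
        "attachments": attachments,
        "subject_hit": subject_hit,
        "attachment_hits": name_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    samples = [
        build_sample("Re: Protected Mail Request", "document.pif"),
        build_sample("Re: Status"),
        build_sample("Quarterly figures", "report.pdf"),
    ]
    for raw in samples:
        print(classify(raw))
```

The classifier deliberately treats any .pif attachment as quarantine-worthy even when the name is not in the worm's list, since the worm's list is tiny and later variants changed it; the subject-only "review" tier exists because the subjects are generic enough that legitimate bounce replies can collide with them.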