Worm.NetSky.b.enc
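2008-02-23 09:25:09 Source: Internet
This is a worm that spreads by e-mail. It searches local drives and mapped network drives for e-mail addresses and sends infected messages to those addresses in order to propagate.
Once executed, the virus performs the following actions:
1. It first creates a local mutex named "AdmSkynetJklS003" to ensure that only one copy of the virus is running;
2. It displays a fake message box:
The message is: "The file could not be opened!";
3. It copies itself to the Windows directory: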
%WINDIR%\services.exe;
4. It adds the following value:
"service" = "%WINDIR%\services.exe -serv"
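to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which is how the virus starts itself automatically;
The virus deletes the following registry values <these are the values of the "SCO Bomb" virus, which this virus tries to remove>:
Under the keys: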
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
it deletes the following values:
"Taskmon"
"EXPlorer"
Under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it deletes the following values:
"KASPerskyAV"
"System."
It deletes the subkey:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
5. The virus searches files with the following extensions for e-mail addresses:
".eml"
".txt"
".PHP"
".pl"
".htm"
".Html"
".vbs"
".rtf"
".uin"
".asp"
".wab"
".doc"
".adb"
".tbb"
".dbx"
".sht"
".oft"
".msg"
6. The virus searches drives C:\ through Z:\ for folders whose names contain the following strings:
"sharing"
"share"
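As long as the drive containing the folder is not a CD-ROM, the virus copies itself into that folder and all of its subdirectories.
The file name may be one of the following: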
"winxp_crack.exe"
"dolly_buster.jpg.pif"
"strippoker.exe"
"Photoshop 9 crack.exe"
"matrix.scr"
"porno.scr"
"angels.pif"
"hardcore porn.jpg.exe"
"Office_crack.exe"
"serial.txt.exe"
"cool screensaver.scr"
"eminem - lick my pussy.mp3.pif"
"Nero.7.exe"
"virii.scr"
"e-book.archive.doc.exe"
"max payne 2.crack.exe"
"how to hack.doc.exe"
"programming basics.doc.exe"
"e.book.doc.exe"
"win longhorn.doc.exe"
"dictionary.doc.exe"
"rfc compilation.doc.exe"
"sex sex sex sex.doc.exe"
"doom2.doc.pif"
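7. The virus uses its own SMTP engine to send infected messages to the e-mail addresses found above:
The messages have the following characteristics: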
From: (Spoofed)
The subject is one of the following:
"hello"
"read it immediately"
"something for you"
"warning"
"information"
"stolen"
"fake"
"unknown"
The message body is one of the following:
"anything ok?"
"what does it mean?"
"ok"
"i'm waiting"
"read the details."
"here is the document."
"read it immediately!"
"my hero"
"here"
"is that true?"
"is that your name?"
"is that your account?"
"i wait for a reply!"
"is that from you?"
"you are a bad writer"
"I have your password!"
"something about you!"
"kill the writer of this document!"
"i hope it is not true!"
"your name is wrong"
"i found this document about you"
"yes, really?"
"that is bad"
"here it is"
"see you"
"greetings"
"stuff about you?"
"something is going wrong!"
"information about you"
"about me"
"from the chatter"
"here, the serials"
"here, the introduction"
"here, the cheats"
"that's funny"
"do you?"
"reply"
"take it easy"
"why?"
"thats wrong"
"misc"
"you earn money"
"you feel the same"
"you try to steal"
"you are bad"
"something is going wrong"
"something is fool"
The attachment name is one of the following:
"msg"
"doc"
"talk"
"message"
"creditcard"
"details"
"attachment"
"me"
"stuff"
"posting"
"textfile"
"concert"
"information"
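The host artifacts from steps 3, 4 and 6 can be checked with a short triage script. The following is an added example, not part of the original write-up: the function names, the default C:\WINDOWS path and the sample registry and file data are constructed assumptions, and KNOWN_NAMES holds only a subset of the file names listed in step 6.

```python
import ntpath
import re

# Indicators from the write-up above; KNOWN_NAMES is a subset of its list.
SHARE_WORDS = ("sharing", "share")
EXEC_EXTS = {".exe", ".pif", ".scr"}
DECOY_EXTS = {".jpg", ".mp3", ".txt", ".doc"}
KNOWN_NAMES = {"winxp_crack.exe", "matrix.scr", "virii.scr", "nero.7.exe"}

def run_value_suspicious(name, data, windir=r"C:\WINDOWS"):
    """True if a Run value named 'service' starts services.exe from %WINDIR% itself.

    The genuine services.exe lives in the System32 subdirectory, so a copy
    directly in %WINDIR% launched from a Run key matches steps 3 and 4.
    """
    cmd = data.lower().replace("%windir%", windir.lower())
    m = re.match(r'\s*"?(.+?\.exe)"?(?:\s|$)', cmd)
    if not m or name.lower() != "service":
        return False
    exe = m.group(1)
    return ntpath.dirname(exe) == windir.lower() and ntpath.basename(exe) == "services.exe"

def drop_reason(path):
    """Return why a file under a share-named folder matches step 6, else None."""
    parts = path.lower().split("\\")
    folders, fname = parts[1:-1], parts[-1]
    if not any(w in f for f in folders for w in SHARE_WORDS):
        return None
    stem, ext = ntpath.splitext(fname)
    if ext not in EXEC_EXTS:
        return None
    if fname in KNOWN_NAMES:
        return "known-name"
    if ntpath.splitext(stem)[1] in DECOY_EXTS:
        return "double-extension"
    return None

def triage(run_values, files):
    """Collect (reason, item) pairs for every matching Run value and file."""
    hits = [("run", n) for n, d in run_values.items() if run_value_suspicious(n, d)]
    hits += [(drop_reason(p), p) for p in files if drop_reason(p)]
    return hits

# Constructed sample data: a Run-key snapshot and a file listing.
SAMPLE_RUN = {"service": r"%WINDIR%\services.exe -serv",
              "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe"}
SAMPLE_FILES = [r"D:\My Shared Folder\music\serial.txt.exe", r"D:\sharing\matrix.scr",
                r"D:\sharing\readme.txt", r"C:\tools\setup.exe"]

if __name__ == "__main__":
    for reason, item in triage(SAMPLE_RUN, SAMPLE_FILES):
        print(reason, item)
```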