Worm.NetSky.g

2008-02-23 09:26:27来源：互联网阅读 ()

病毒名称: Worm.NetSky.g 类别：蠕虫病毒资料：破坏方法：

蠕虫病毒,采用tEelock加壳,VC 编写

一旦执行,病毒将执行以下操作:

1.本地首先将创建一个名为:"Netsky AV Guard"的互斥量来保证只运行病毒的一个副本;

2.病毒体内有如下字符串:

"Netsky AntiVirus - Give up, bagle & mydoom, dude! You are fUCking your mother!
I want to meet you in the U,S.A, Road-App time enc:[fg.od.jgij], and the you will
know what pain is!"

3.复制自己到windows目录下:

％WINDIR％\avguard.exe;

4.添加如下键值:

"Special Firewall Service" = "％WINDIR％\avguard.exe -av service"

到注册表键:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 下,这是病毒自启动的伎俩;

病毒将删除下列注册表键值<大都是其它病毒建立的键值>:

删除键:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

下的如下键值:

"Taskmon"
"EXPlorer"
"system."
"msgsvr32"
"DELETE ME"
"d3dupdate.exe"
"au.exe"
"OLE"
"Windows Services Host"
"gouday.exe"
"rate.exe"
"sysmon.exe"
"srate.exe"
"ssate.exe"
"sate.exe"

删除键:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

下的如下键值:

"system."

删除键:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

下的如下键值:
"Taskmon"
"Explorer"
"system."
"msgsvr32"
"DELETE ME"
"service"
"Sentry"
"Windows Services Host"

删除键:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

删除子键:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

注:
这是病毒"SCO炸弹"建立的键值

5.病毒从带有下列扩展名的文件中搜索Email地址:

".eml"
".txt"
".PHP"
".pl"
".htm"
".Html"
".vbs"
".rtf"
".uin"
".ASP"
".wab"
".doc"
".adb"
".tbb"
".dbx"
".sht"
".oft"
".msg"
".shtm"
".cgi"
".dhtm"
"0123456789"

6.病毒使用自带的SMTP引擎向上面搜到的Email地址发送带毒邮件:

邮件带有如下特征:

标题为下列之一:

"Re: Re: Document"
"Re: Re: Thanks!"
"Re: Thanks!"
"Re: Your document"

"Re: Here is the document"
"Re: Your picture"
"Re: Re: Message"
"Re: Hi"
"Re: Hello"
"Re: Re: Re: Your document"
"Re: Here"
"Re: Your music"
"Re: Your software"
"Re: Approved"
"Re: Details"
"Re: Excel file"
"Re: Word file"
"Re: My details"
"Re: Your details"
"Re: Your bill"
"Re: Your text"
"Re: Your archive"
"Re: Your letter"
"Re: Your product"
"Re: Your website"

消息正文为下列之一:

"Your document is attached."
"Here is the file."
"See the attached file for details."
"Please have a look at the attached file"
"Please read the attached file."
"Your file is attached."

附件名为下列之一:

"your_document.pif"
"document.pif"
"message_part2.pif"
"your_document.pif"
"document_full.pif"
"your_picture.pif"
"message_details.pif"
"your_file.pif"
"your_picture.pif"
"document_4351.pif"
"yours.pif"
"mp3music.pif"
"application.pif"
"all_document.pif"
"my_details.pif"
"document_excel.pif"
"document_word.pif"
"my_details.pif"
"your_details.pif"
"your_bill.pif"
"your_text.pif"
"your_archive.pif"
"your_letter.pif"
"your_product.pif"
"your_website.pif"

该病毒不会向包含下列字眼的地址发送邮件:
"icrosoft"
"antivi"
"ymantec"
"spam"
"avp"
"f-secur"
"itdefender"

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有