W32.Mytob.IK@mm

2008-02-23 09:37:15 Source: Internet


Virus name: W32.Mytob.IK@mm
Category: mail virus
Virus details: The virus is 36,352 bytes long and infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It opens a backdoor and lowers the computer's security settings. When the virus is received and opened, it does the following:
A Copies itself to the system directory as MSNl.exe
B Adds the registry value "WINDOWS SYSTEM" = "msnl.exe"
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the virus runs automatically every time the computer starts.
C Sets the registry value "Start" = "4"
under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
which lowers the computer's security settings (SharedAccess is the Windows Firewall / Internet Connection Sharing service; a Start value of 4 marks a service as Disabled).
D Creates the mutex H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H
so that only one copy of the virus runs on an infected computer.
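The registry changes in items B and C are the easiest host-side indicators to check for. Below is an added example (not code from the original write-up) that parses a registry export produced with `reg export` and reports the "WINDOWS SYSTEM" autorun value and the disabled SharedAccess service. The .reg text at the bottom is a constructed sample, not an export from an infected machine.

```python
"""Scan a Windows registry export (.reg text) for the two registry changes
described in items B and C above: the "WINDOWS SYSTEM" = "msnl.exe" autorun
value and the SharedAccess service set to Start = 4.

Added example for this page, not code from the original write-up. The .reg
text below is a constructed sample, not an export from an infected machine."""
import re

# Autorun keys the write-up names (item B)
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
# Windows Firewall / Internet Connection Sharing service key (item C)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4          # Start = 4 means the service is disabled
DROPPED_FILE = "msnl.exe"     # file name from item A, compared case-insensitively

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.
    Only string ("a"="b") and dword ("a"=dword:00000004) values are handled,
    which is enough for the indicators in this write-up."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, s_val, d_val = m.groups()
            if s_val is not None:
                keys[current][name] = s_val.replace("\\\\", "\\")  # undo .reg escaping
            else:
                keys[current][name] = int(d_val, 16)
    return keys


def find_indicators(keys):
    """Return a list of (indicator, key, value_name, data) tuples."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            # the worm registers the value "WINDOWS SYSTEM" pointing at msnl.exe
            if isinstance(data, str) and DROPPED_FILE in data.lower():
                findings.append(("autorun_msnl", key, name, data))
    start = keys.get(SHAREDACCESS_KEY, {}).get("Start")
    if start == SERVICE_DISABLED:
        findings.append(("sharedaccess_disabled", SHAREDACCESS_KEY, "Start", start))
    return findings


def scan_reg_file(path):
    """Scan a file produced by 'reg export' (which writes UTF-16 LE text)."""
    with open(path, encoding="utf-16") as fh:
        return find_indicators(parse_reg(fh.read()))


# Constructed sample: one benign Run entry plus the three changes from the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WINDOWS SYSTEM"="msnl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="msnl.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live system, export the three keys with `reg export` and pass the file to `scan_reg_file`; the SharedAccess check is worth keeping even after cleanup, because removing the autorun value does not re-enable the firewall service.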
E Collects e-mail addresses from the address book and from the following locations:
Temporary Internet Files under the Windows directory
Local Settings\Temporary Internet Files under the user's profile directory
the system directory
F Collects e-mail addresses from files on drives C: through Z: with the following extensions:
.txt
.htm
.sht
.jsp
.cgi
.XML
.PHP
.ASP
.dbx
.tbb
.adb
.pl
.Html
.wab
G Prepends the following prefixes to the mail server names it finds:
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
gate.
H Uses its own SMTP engine to send virus e-mails to the addresses found above.
The sender address is one of the addresses found or one of the following:
adam
alex
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
frank
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
josh
julie
kevin
leo
linda
maria
mary
matt
michael
mike
paul
peter
ray
robert
sales
sam
sandra
serg
smith
stan
steve
ted
tom
I The subject is one of the following:
Your passWord has been updated
Your password has been sUCcessfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

J The body is one of the following:
Dear user [user name],
You have successfully [removed]

[host name] Antivirus - www.[host name]

Dear user [user name],
It has come to [removed]
[host name] Antivirus - www.[host name]

Dear [host name] Member,
We have temporarily [removed]
[host name] Antivirus - www.[host name]

Dear [host name] Member,
Your e-mail account [removed]
[host name] Antivirus - www.[host name]

K The attachment name is one of the following:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

L The attachment extension is one of the following:
.bat
.cmd
.exe
.pif
.scr

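Items H to L together describe a fixed message pattern: a subject from a short list, a body signed "[host name] Antivirus - www.[host name]" with the recipient's own domain repeated, and an attachment whose name is one of the listed base names combined with one of the listed executable extensions. The following added example (not code from the original write-up) turns that pattern into a mail-gateway check over constructed sample messages; the body text in the samples is invented for the demonstration and is not the worm's real text, and the two-signal threshold for blocking is an assumption.

```python
"""Mail-gateway check for the message pattern described in items H to L above:
a subject from the worm's list, a body signed "<host> Antivirus - www.<host>",
and an attachment built from one of the listed base names plus one of the
listed executable extensions.

Added example for this page, not code from the original write-up. The sample
messages are constructed; the body text is invented for the demonstration and
is not the worm's real text."""
import os
import re

SUBJECTS = {s.lower() for s in [
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
]}
ATTACHMENT_NAMES = {
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details", "account-info",
    "document", "readme", "account-report",
}
ATTACHMENT_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
# The body signature repeats the recipient's domain: "<host> Antivirus - www.<host>"
BODY_SIGNATURE = re.compile(r"(\S+) antivirus - www\.\1(?:\s|$)")


def classify(subject, body, attachments):
    """Return (verdict, reasons). Two or more independent signals -> "block",
    one -> "review", none -> "pass" (threshold is an assumption)."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject")
    for filename in attachments:
        stem, ext = os.path.splitext(os.path.basename(filename).lower())
        # the worm's attachment is always <listed name><listed extension>
        if stem in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS:
            reasons.append("attachment:" + filename)
            break
    if BODY_SIGNATURE.search(body.lower()):
        reasons.append("body-signature")
    if len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "pass", reasons


# Constructed sample messages
SAMPLES = [
    {"subject": "Your Account is Suspended",
     "body": "Dear example.com Member,\nWe have temporarily limited your mailbox.\n"
             "example.com Antivirus - www.example.com",
     "attachments": ["account-details.scr"]},
    {"subject": "Email Account Suspension",
     "body": "Hi, the quarterly report is attached.",
     "attachments": ["report.pdf"]},
    {"subject": "Lunch on Friday?",
     "body": "Same place as last time?",
     "attachments": []},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg["subject"], msg["body"], msg["attachments"]))
```

The subject list alone is a weak signal (a legitimate "Important Notification" is common), which is why the check only blocks when the subject is combined with the attachment naming scheme or the repeated-domain signature; the attachment rule by itself is also a good candidate for a plain gateway filter, since the listed extensions are executable formats with no business reason to arrive as "password.pif".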
M The virus skips e-mail addresses whose user name contains one of the following strings:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
spm
spam
www
secur
abuse
N The virus skips e-mail addresses whose host name contains one of the following strings:
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
Google
kernel
Linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
O Connects to novi.bukers.org on TCP port 8881 and waits for the attacker to issue the following commands:
Execute an arbitrary file
Download files
Execute IRC commands
Restart the computer
Send information about the computer
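From the network, the two behaviours in items H and O are visible without any host access: an infected machine opens an outbound TCP connection to port 8881, and, because the worm carries its own SMTP engine, it talks directly to many mail servers on TCP/25 instead of going through the organisation's relay. The following added example (not code from the original write-up) runs both checks over firewall log lines; the log format, every line in SAMPLE_LOG, the 203.0.113.5 address standing in for whatever novi.bukers.org resolved to, and the fan-out threshold are all constructed or assumed.

```python
"""Spot the two network behaviours from items H and O above in a firewall log:
an outbound connection to TCP port 8881 (the backdoor port named in the write-up)
and a workstation talking directly to many mail servers on TCP/25, which is
what a self-contained SMTP engine looks like from the network.

Added example for this page, not code from the original write-up. The log
format and every line in SAMPLE_LOG are constructed; the fan-out threshold is
an assumption to tune for your environment."""
from collections import defaultdict

BACKDOOR_PORT = 8881       # from item O
SMTP_PORT = 25
SMTP_FANOUT_THRESHOLD = 5  # distinct mail servers per source before alerting (assumed)


def parse_line(line):
    """Fields (constructed format): date time action proto src dst sport dport direction."""
    date, time, action, proto, src, dst, sport, dport, direction = line.split()
    return {"time": f"{date} {time}", "action": action, "proto": proto,
            "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
            "direction": direction}


def analyse(lines):
    """Return {source_ip: [alert, ...]} for sources showing either behaviour."""
    alerts = defaultdict(list)
    smtp_targets = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["direction"] != "OUT":
            continue
        if rec["dport"] == BACKDOOR_PORT:
            alerts[rec["src"]].append(
                f"{rec['time']} outbound TCP/{BACKDOOR_PORT} to {rec['dst']} (Mytob backdoor port)")
        if rec["dport"] == SMTP_PORT:
            smtp_targets[rec["src"]].add(rec["dst"])
    # a workstation should only ever reach the internal relay on port 25
    for src, targets in smtp_targets.items():
        if len(targets) >= SMTP_FANOUT_THRESHOLD:
            alerts[src].append(
                f"direct SMTP to {len(targets)} distinct servers (mass-mailer engine suspected)")
    return dict(alerts)


# Constructed log: 10.0.0.12 behaves like an infected host, 10.0.0.20 like a normal one
SAMPLE_LOG = """\
# date time action proto src dst sport dport direction
2008-02-23 09:37:15 ALLOW TCP 10.0.0.12 198.51.100.10 1040 25 OUT
2008-02-23 09:37:16 ALLOW TCP 10.0.0.12 198.51.100.11 1041 25 OUT
2008-02-23 09:37:16 ALLOW TCP 10.0.0.12 198.51.100.12 1042 25 OUT
2008-02-23 09:37:17 ALLOW TCP 10.0.0.12 198.51.100.13 1043 25 OUT
2008-02-23 09:37:17 ALLOW TCP 10.0.0.12 198.51.100.14 1044 25 OUT
2008-02-23 09:37:18 ALLOW TCP 10.0.0.12 198.51.100.15 1045 25 OUT
2008-02-23 09:37:20 ALLOW TCP 10.0.0.12 203.0.113.5 1046 8881 OUT
2008-02-23 09:38:01 ALLOW TCP 10.0.0.20 10.0.0.2 2001 25 OUT
2008-02-23 09:38:02 ALLOW TCP 10.0.0.20 198.51.100.50 2002 443 OUT
2008-02-23 09:38:03 ALLOW UDP 10.0.0.20 10.0.0.1 2003 53 OUT
"""

if __name__ == "__main__":
    for src, msgs in analyse(SAMPLE_LOG.splitlines()).items():
        for msg in msgs:
            print(src, msg)
```

The SMTP fan-out check is the more durable of the two: the backdoor host name and port are specific to this variant, whereas a workstation opening port 25 to a dozen different external servers is a property of every mass mailer with its own SMTP engine, and blocking outbound TCP/25 from workstations at the perimeter stops it regardless of variant.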
