Worm.Mytob.cn

Worm.Mytob.cn is a worm that spreads through IRC and e-mail.

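Once the virus runs, an attacker can control the user's machine over IRC and carry out destructive operations, such as downloading virus files or restarting the machine. It can also use its built-in SMTP engine to send the virus as an attachment to specified mailboxes, and it blocks a large number of security websites.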

Basic information

  • Foreign name: Worm.Mytob.cn
  • Date processed: 2005-09-02
  • Threat level: ★★
  • Virus type: Worm

Affected systems

Win 9x/ME,Win 2000/NT,Win XP,Win 2003

Virus behavior

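This is a worm that spreads through IRC and e-mail.
Once the virus runs, an attacker can control the user's machine over IRC and carry out destructive operations, such as downloading virus files or restarting the machine. It can also use its built-in SMTP engine to send the virus as an attachment to specified mailboxes, and it blocks a large number of security websites.
1. Modifies the registry entry: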
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start"  =  "04, 00, 00, 00"
in order to turn off the Windows XP firewall.
2. Automatically connects to the following IRC server:
irc.unixirc.net
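It accepts the attacker's commands and carries out destructive operations, such as downloading virus files and copying them to the system directory.
3. Modifies the hosts file to block the following security websites:
4. Searches for e-mail addresses in files ending with the following extensions: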
htmb
shtl
jspl
xmls
cgil
phpq
aspd
tbbg
dbxn
adbh
pl
html
wab
5. The e-mail body will be one of the following:
Dear user
You have successfully updated the password of your count.
If you did not authorize this change or if you need assistance with your account, please contact %s customer service at:
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
Dear user
It has come to our attention that your %s User Profile ( x ) records are out of date. For further details see the attached document.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
Dear %s Member,
We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
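6. The virus is sent out as an attachment using its built-in SMTP engine.
7. Avoids sending to mailboxes whose addresses contain the following strings: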
ibm.com
google
linux
berkeley
foo
ruslis
nodomai
mydomai
example
hotmail
panda
sopho
someone
your
bugs
rating
service
privacy
help
and so on.
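A triage sketch for items 3 and 5 above, added here as an example and not taken from the original entry or any vendor tool: it scores a message body against the fixed strings in the lure templates and lists host names that a hosts file points at a loopback or null address. The function names, the sample mail and the sample hosts entries are constructed, and the assumption that blocking is done by loopback mapping is not stated on the page.

```python
import re

# Indicators taken from the behaviour description above.
IRC_HOST = "irc.unixirc.net"
FOOTER = "+++ attachment: no virus (clean)"
SIGNATURE = re.compile(r"^The .{1,64} Support Team\s*$", re.MULTILINE)
# Assumption: sites are blocked by mapping them to one of these addresses.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
BENIGN_NAMES = {"localhost", "localhost.localdomain"}


def score_mail_body(body):
    """Return the names of the lure indicators present in a message body."""
    lowered = body.lower()
    hits = []
    if FOOTER in lowered:
        hits.append("clean-attachment-footer")
    if IRC_HOST in lowered:
        hits.append("irc-server-reference")
    if SIGNATURE.search(body):
        hits.append("support-team-signature")
    return hits


def blocked_hosts(hosts_text):
    """List host names that a hosts file maps to a loopback/null address."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip trailing comments
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            names = [name.lower() for name in fields[1:]]
            blocked += [n for n in names if n not in BENIGN_NAMES]
    return blocked


# Constructed samples (not captured mail or a real hosts file).
SAMPLE_MAIL = """Dear user
It has come to our attention that your Example User Profile ( x ) records are out of date.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
The Example Support Team
+++ Attachment: No Virus (Clean)"""
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 av-vendor.example   # constructed entry
0.0.0.0 updates.av-vendor.example
10.0.0.5 fileserver"""

if __name__ == "__main__":
    print(score_mail_body(SAMPLE_MAIL))
    print(blocked_hosts(SAMPLE_HOSTS))
```

Any non-empty result from `blocked_hosts` on a workstation deserves a look, since legitimate hosts files rarely null-route names other than `localhost`.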
