Worm.NetSky.P

Overview


Basic information

Date handled:
Affected systems: Win9x/WinMe/WinNT/Win2000/WinXP/Win2003

Behaviour

Build tool: packed with FSG
Propagation: mass-mails itself over the network
Trigger: exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability so that the attachment runs automatically
System changes:
A. Creates a mutex named "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" so that only one instance of the worm runs;
B. Copies itself into the Windows installation directory as
%Windir%\FVProtect.exe
C. Drops and creates the following files in the Windows installation directory:
%Windir%\userconfig9x.dll
%Windir%\base64.tmp (40,520 bytes): MIME-encoded version of the executable
%Windir%\zip1.tmp (40,882 bytes): MIME-encoded version of worm in a .zip archive
%Windir%\zip2.tmp (40,894 bytes): MIME-encoded version of worm in a .zip archive
%Windir%\zip3.tmp (40,886 bytes): MIME-encoded version of worm in a .zip archive
%Windir%\zipped.tmp (29,834 bytes): Worm in a .zip archive
D. Under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
adds the following value (the name impersonates an anti-virus product):
"Norton Antivirus AV"="%Windir%\FVProtect.exe"
Under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
deletes the following values:
Explorer
system.
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry
Under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
deletes the following values:
system
Video
Under the registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
deletes the following values:
Explorer
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe
Deletes the following subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
HKEY_CLASSES_ROOT\CLSID\<CLSID>\InProcServer32
E. Scans the hard drives of the infected system for folders whose names contain any of the following strings:
bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload
and then copies itself into every folder found, under the following names:
"1001 Sex and more.rtf.exe"
"3D Studio Max 6 3dsmax.exe"
"ACDSee 10.exe"
"Adobe Photoshop 10 crack.exe"
"Adobe Photoshop 10 full.exe"
"Adobe Premiere 10.exe"
"Ahead Nero 8.exe"
"Altkins Diet.doc.exe"
"American Idol.doc.exe"
"Arnold Schwarzenegger.jpg.exe"
"Best Matrix Screensaver new.scr"
"Britney sex xxx.jpg.exe"
"Britney Spears and Eminem porn.jpg.exe"
"Britney Spears blowjob.jpg.exe"
"Britney Spears cumshot.jpg.exe"
"Britney Spears fuck.jpg.exe"
"Britney Spears full album.mp3.exe"
"Britney Spears porn.jpg.exe"
"Britney Spears Sexy archive.doc.exe"
"Britney Spears Song text archive.doc.ex"...
"Britney Spears.jpg.exe"
"Britney Spears.mp3.exe"
"Clone DVD 6.exe"
"Cloning.doc.exe"
"Cracks & Warez Archiv.exe"
"Dark Angels new.pif"
"Dictionary English 2004 - France.doc.ex"...
"DivX 8.0 final.exe"
"Doom 3 release 2.exe"
"E-Book Archive2.rtf.exe"
"Eminem blowjob.jpg.exe"
"Eminem full album.mp3.exe"
"Eminem Poster.jpg.exe"
"Eminem sex xxx.jpg.exe"
"Eminem Sexy archive.doc.exe"
"Eminem Song text archive.doc.exe"
"Eminem Spears porn.jpg.exe"
"Eminem.mp3.exe"
"Full album all.mp3.pif"
"Gimp 1.8 Full with Key.exe"
"Harry Potter 1-6 book.txt.exe"
"Harry Potter 5.mpg.exe"
"Harry Potter all e.book.doc.exe"
"Harry Potter e book.doc.exe"
"Harry Potter game.exe"
"Harry Potter.doc.exe"
"How to hack new.doc.exe"
"Internet Explorer 9 setup.exe"
"Kazaa Lite 4.0 new.exe"
"Kazaa new.exe"
"Keygen 4 all new.exe"
"Learn Programming 2004.doc.exe"
"Lightwave 9 Update.exe"
"Magix Video Deluxe 5 beta.exe"
"Matrix.mpg.exe"
"Microsoft Office 2003 Crack best.exe"
"Microsoft WinXP Crack full.exe"
"MS Service Pack 6.exe"
"netsky source code.scr"
"Norton Antivirus 2005 beta.exe"
"Opera 11.exe"
"Partitionsmagic 10 beta.exe"
"Porno Screensaver britney.scr"
"RFC compilation.doc.exe"
"Ringtones.doc.exe"
"Ringtones.mp3.exe"
"Saddam Hussein.jpg.exe"
"Screensaver2.scr"
"Serials edition.txt.exe"
"Smashing the stack full.rtf.exe"
"Star Office 9.exe"
"Teen Porn jpg.pif"
"The Sims 4 beta.exe"
"Ulead Keygen 2004.exe"
"Visual Studio Net Crack all.exe"
"Win Longhorn re.exe"
"WinAmp 13 full.exe"
"Windows 2000 Sourcecode.doc.exe"
"Windows 2003 crack.exe"
"Windows XP crack.exe"
"WinXP eBook newest.doc.exe"
"XXX hardcore pics.jpg.exe"
Symptoms:
Additional notes:
A. Searches files with the following extensions on drives C: through Z: for e-mail addresses:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml
B. Uses its own SMTP engine to send mail to the harvested addresses; the messages have the following characteristics:
Sender: <a random, plausible-looking name>
Subject: <one of the following strings>:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Mail Delivery (failure )
Body: <one of the following strings>:
Please see the attached file for details
Please read the attached file!
Your document is attached.
Please read the document.
Your file is attached.
Your document is attached.
Please confirm the document.
Please read the important document.
See the file.
Requested file.
Authentication required.
Your document is attached to this mail.
I have attached your document.
I have received your document. The corrected document is attached.
Your document.
Your details.
The worm also appends one of the following forged "no virus found" scanner notices after the body text:
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de
Attachment name: <one of the following strings>:
document05
websites03
game_xxo
your_document
followed by one of the following (the long run of spaces pushes the real extension out of view):
.txt <long run of spaces>
.doc <long run of spaces>
and ending with one of the following extensions:
.exe
.pif
.scr
.zip
If the attachment is a .zip archive, it contains one of the following files:
document.txt .exe
data.rtf .scr
details.txt .pif
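The three message traits listed in section B (a subject from the fixed list, the forged "No Virus found" footer, and an attachment name padded with spaces before the real extension) can be checked mechanically on a saved message. The following detector is an added example written for this entry, not code from the original write-up; the sample message is constructed, not a real capture.

```python
import email
import re

# Subject lines the worm chooses from (section B of the write-up).
NETSKY_P_SUBJECTS = {
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify", "Re: SMTP Server",
    "Re: Mail Server", "Re: Delivery Server", "Re: Bad Request", "Re: Failure",
    "Re: Thank you for delivery", "Re: Test", "Re: Administration", "Re: Message Error",
    "Re: Error", "Re: Extended Mail System", "Re: Secure SMTP Message",
    "Re: Protected Mail Request", "Re: Protected Mail System", "Re: Protected Mail Delivery",
    "Re: Secure delivery", "Re: Delivery Protection", "Re: Mail Authentification",
    "Mail Delivery (failure )",
}
# The forged "scanned, no virus found" notice appended to the body ("+++" or "++++").
FAKE_SCANNER_FOOTER = re.compile(r"^\+{3,4} Attachment: No Virus found", re.MULTILINE)
# Attachment name: <stem>.txt|.doc, a run of spaces hiding the real extension, then .exe/.pif/.scr/.zip
PADDED_DOUBLE_EXT = re.compile(
    r"^(document05|websites03|game_xxo|your_document)\.(txt|doc) +\.(exe|pif|scr|zip)$")

def netsky_p_indicators(raw_message: bytes) -> list[str]:
    # Returns the NetSky.P traits found in one RFC 822 message, in the order seen.
    msg = email.message_from_bytes(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip() in NETSKY_P_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None and part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1", "replace")
            if FAKE_SCANNER_FOOTER.search(text):
                hits.append("fake-scanner-footer")
        elif filename is not None and PADDED_DOUBLE_EXT.match(filename):
            hits.append("padded-double-extension")
    return hits

# Constructed sample message (not a real capture) showing all three traits.
SAMPLE_EML = b"""Subject: Re: Protected Mail Delivery
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached file!
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document05.txt                    .exe"

--b1--
"""
```

Any one hit is worth quarantining on; all three together on a single message are a strong match for this variant.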
C. The worm does not send mail to addresses containing any of the following strings (mostly anti-virus vendors and abuse mailboxes):
@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@
