基本介紹
- 中文名:無
- 外文名:Worm.Netsky.Q
- 類型:病毒
- 作用:構造病毒郵件
簡介,系統修改,在Windows目錄下生成如下檔案:,註冊表修改:,· 發作現象:,現象一,現象二,解決方案:,
簡介
可使用戶在沒有打補丁的系統上預覽郵件時即可感染病毒。
系統修改
在Windows目錄下生成如下檔案:
%SystemRoot%\\FIREWALLLOGGER.TXT
%SystemRoot%\\SYSMONXP.EXE
%SystemRoot%\\ZIPO0.TXT
%SystemRoot%\\ZIPO1.TXT
%SystemRoot%\\ZIPO2.TXT
%SystemRoot%\\ZIPO3.TXT
註冊表修改:
在註冊表主鍵: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
下添加鍵值:
SysMonXP = "%System%\\SysMonXP.exe"
· 發作現象:
現象一
主題:<從以下字元串中選擇一個>
Deliver Mail <接受方郵件地址>
Delivered Message <接受方郵件地址>
Delivery <接受方郵件地址>
Delivery Bot <接受方郵件地址>
Delivery Error <接受方郵件地址>
Delivery Failed <接受方郵件地址>
Delivery Failure <接受方郵件地址>
Error <接受方郵件地址>
Failed <接受方郵件地址>
Failure <接受方郵件地址>
Mail Delivery failure <接受方郵件地址>
Mail Delivery System <接受方郵件地址>
Mail System <接受方郵件地址>
Server Error <接受方郵件地址>
Status <接受方郵件地址>
Unknown Exception <接受方郵件地址>
正文: <從以下字元串中選擇一個>
Message has been sent as a binary attachment.
Modified message has been sent as a binary attachment.
Note: Received message has been sent as a binary file.
Partial message is available and has been sent as a binary attachment.
Received message has been attached.
Received message has been sent as an encoded attachment.
The message has been sent as a binary attachment.
Translated message has been attached.
以上選擇的字元串後將跟隨以下的字元串:
------------- failed message -------------
<隨機字元> 其後將跟隨以下字元串:
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn\'t be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn\'t be represented
Mail Delivery Failure - This mail couldn\'t be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn\'t be converted
附屬檔案:<從以下字元串中選擇一個>
data <隨機數字>
data <隨機數字>
mail <隨機數字>
message
message <隨機數字>
msg <隨機數字>
附屬檔案後綴名:<從以下字元串中選擇一個>
PIF
SCR
ZIP
該郵件不會向包含以下字元串的Email地址傳送郵件:
@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@
現象二
該病毒會使以“信封”的圖示欺騙用戶:
在該病毒內部,還有經過加密的如下文字:
We are the only SkyNet, we don\'t have any criminal inspirations.
Due to many reports, we do not have any backdoors included for spam relaying.
and we aren\'t children. Due to this, many reports are wrong.
We don\'t use any virus creation toolkits, only the higher language
Microsoft Visual C++ 6.0. We want to prevent hacker,
cracking, sharing with illegal stuff and similar illegal content.
Hey, big firms only want to make a lot of money.
That is what we don\'t prefer. We want to solve and avoid it.
Note: Users do not need a new av-update, they need
a better education! We will envolope...
- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -
解決方案:
· 金山毒霸已經於3月29日對該病毒進行了應急處理,請升級最新版可完全查該病毒;
· 請一定留意收到的郵件,如果有附屬檔案,請不要打開附屬檔案,更不要執行附屬檔案中的可執行程式,注
意病毒程式偽裝的圖示,不要輕信圖示為“電子表格、文本檔案、資料夾”的附屬檔案。如果有必
要打開附屬檔案,請使用反病毒軟體檢測以後再打開;
· 強烈推薦各位網路用戶將瀏覽器“Internet Explorer”升級到6.0,並打上IE最新補丁,可防止
病毒的自動感染。
