基本介紹
病毒行為:,傳染條件,發作條件,防毒,
病毒行為:
“網路天空”系例
編寫工具:
彙編,PE-Pack壓縮
傳染條件
:
利用郵件高速傳播
發作條件
:
系統修改:
A、自我複製到 %System%svchost.exe
B、創建以下檔案:
%system%winsys.exeopen
該檔案是一個加過密的ZIP檔案包,密碼隨機生成,內容是病毒代碼;
C、添加以下鍵值
"Zone Labs Client Ex"="%windir%svchost.exe -antivirus service"
到
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
防毒
以便病毒可隨機自啟動;
刪除以下鍵值:
Explorer
KasperskyAV
system.
d3dupdate.exe
au.exe
OLE
Windows Service Host
gouday.exe
rate.exe
sysmon.exe
D、刪除以下註冊表鍵值:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerPINF
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWksPatch
E、查找後綴名為以下後綴的檔案,並從中提取電子郵件地址:
.dhtm
.cgi
.shtm
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
F、病毒使用自己發信引擎發信,其郵件特徵為:
主題: (可能是以下字元串中的任意):
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document
內容:(可能是以下字元串中的任意組合):
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
附屬檔案名: <可能是以下字元串中的任意>.zip:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
病毒會避免傳送病毒郵件到含有以下字元串的郵件地址
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
G、如果系統時間是在2004年3月2日上午6點至9點,則系統揚聲器將會循環地發出聲音,每次循環的時間隨機。
發作現象:
特別說明:
