Worm.Netsky.Q

Worm.Netsky.Q,病毒,利用微軟的瀏覽器已知的漏洞來構造病毒郵件。

名稱

Worm.Netsky.Q

相關資料

  利用微軟瀏覽器“Internet Explorer”已知的漏洞
  (該漏洞官房描述http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx)
  來構造病毒郵件,可使用戶在沒有打補丁的系統上預覽郵件時即可感染病毒。
  · 系統修改:
  A、在Windows目錄下生成如下檔案:
    %SystemRoot%\\FIREWALLLOGGER.TXT
    %SystemRoot%\\SYSMONXP.EXE
    %SystemRoot%\\ZIPO0.TXT
    %SystemRoot%\\ZIPO1.TXT
    %SystemRoot%\\ZIPO2.TXT
    %SystemRoot%\\ZIPO3.TXT
  B、在註冊表主鍵:
    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    下添加鍵值:
    SysMonXP = "%System%\\SysMonXP.exe"
· 發作現象:
A、該病毒感染系統後,會在本地磁碟上搜尋Email地址,並用其自帶的SMTP引擎傳送郵件給這些Email,傳送的郵件具有以下特徵:
主題:<從以下字元串中選擇一個>
Deliver Mail <接受方郵件地址>
Delivered Message <接受方郵件地址>
Delivery <接受方郵件地址>
Delivery Bot <接受方郵件地址>
Delivery Error <接受方郵件地址>
Delivery Failed <接受方郵件地址>
Delivery Failure <接受方郵件地址>
Error <接受方郵件地址>
Failed <接受方郵件地址>
Failure <接受方郵件地址>
Mail Delivery failure <接受方郵件地址>
Mail Delivery System <接受方郵件地址>
Mail System <接受方郵件地址>
Server Error <接受方郵件地址>
Status <接受方郵件地址>
Unknown Exception <接受方郵件地址>
正文: <從以下字元串中選擇一個>
Message has been sent as a binary attachment.
Modified message has been sent as a binary attachment.
Note: Received message has been sent as a binary file.
Partial message is available and has been sent as a binary attachment.
Received message has been attached.
Received message has been sent as an encoded attachment.
The message has been sent as a binary attachment.
Translated message has been attached.
以上選擇的字元串後將跟隨以下的字元串:
------------- failed message -------------
<隨機字元>
其後將跟隨以下字元串:
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn\'t be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn\'t be represented
Mail Delivery Failure - This mail couldn\'t be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn\'t be converted
附屬檔案:<從以下字元串中選擇一個>
data <隨機數字>
data <隨機數字>
mail <隨機數字>
message
message <隨機數字>
msg <隨機數字>
附屬檔案後綴名:<從以下字元串中選擇一個>
PIF
SCR
ZIP
該郵件不會向包含以下字元串的Email地址傳送郵件:
@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@
B、該病毒會使以“信封”的圖示欺騙用戶:
C、在該病毒內部,還有經過加密的如下文字:
We are the only SkyNet, we don\'t have any criminal inspirations.
Due to many reports, we do not have any backdoors included for spam relaying.
and we aren\'t children. Due to this, many reports are wrong.
We don\'t use any virus creation toolkits, only the higher language
Microsoft Visual C++ 6.0. We want to prevent hacker,
cracking, sharing with illegal stuff and similar illegal content.
Hey, big firms only want to make a lot of money.
That is what we don\'t prefer. We want to solve and avoid it.
Note: Users do not need a new av-update, they need
a better education! We will envolope...
- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -
解決方案:
· 金山毒霸已經於3月29日對該病毒進行了應急處理,請升級最新版可完全查該病毒;
· 請一定留意收到的郵件,如果有附屬檔案,請不要打開附屬檔案,更不要執行附屬檔案中的可執行程式,注
  意病毒程式偽裝的圖示,不要輕信圖示為“電子表格、文本檔案、資料夾”的附屬檔案。如果有必
  要打開附屬檔案,請使用反病毒軟體檢測以後再打開;
· 強烈推薦各位網路用戶將瀏覽器“Internet Explorer”升級到6.0,並打上最新補丁,可防止
  病毒的自動感染。以下是IE的最新補丁地址:
  http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx
· 該病毒不易手工清除,會造成清楚不乾淨的現象,請升級毒霸到2004年3月29日的病毒庫可處理
  該病毒。如沒有安裝金山毒霸,可以登錄http://online.kingsoft.net使用金山毒霸的線上查
  毒或是金山毒霸下載版來防止該病毒的入侵;或可以選擇登錄到
  http://www.duba.net/download/3/107.shtml下載“網路天空”專殺工具,以防止該病毒的肆虐。

相關詞條

相關搜尋

熱門詞條

聯絡我們