Overview
Aliases: W32.Netsky.M@mm [Symantec], I-Worm.Netsky.m [Kaspersky], WORM_NETSKY.M [Trend]
Processed: 2004-03-11
Threat level: ★★
Chinese name: 網路天空變種M (Netsky variant M)
Type: Worm
Affected systems: Win9x/WinNT/Win2000/WinXP/Windows Server 2003
Behaviour:
Member of the "Netsky" worm family
Tooling:
Written in VC, packed with UPX
Propagation:
The worm spreads rapidly by e-mail using its own SMTP engine
Trigger conditions:
System modifications:
A. Creates the mutex "Rabbo_Mutex" so that only one instance of the worm runs on the system;
B. Copies itself to %WinDir%\AVprotect9x.exe
C. Adds the value
"9xHtProtect"="%Windir%\AVprotect9x.exe"
under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm starts automatically with the system;
D. Searches drives C: through Z: for files with the following extensions and harvests e-mail addresses from them:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml
E. Sends worm e-mails with its own SMTP engine; the messages have the following characteristics:
From: <picked from the harvested addresses or generated at random>
Possible subjects:
Re: <%s> Requested file
Re: <%s> My file
Re: <%s> My document
Re: <%s> My information
Re: <%s> My details
Re: <%s> Information
Re: <%s> Improved
Re: <%s> Requested document
Re: <%s> Document
Re: <%s> Details
Re: <%s> Your document
Re: <%s> Your details
Re: <%s> Approved
Possible bodies:
Details for %s.
Document %s.
I have received your document. The improved document %s is attached.
I have attached your document %s.
Your document %s is attached to this mail.
Authentification for %s required.
Requested file %s.
See the file %s.
Please read the important message msg_%s.
Please confirm the document %s.
%s is attached.
Your file %s is attached.
Please read the document %s.
Your document %s is attached.
Please read the attached file %s.
Please see the attached file %s for details..
Possible attachment names:
improved_%s.pif
message_%s.pif
detailed_%s.pif
your_document_%s.pif
word_doc_%s.pif
doc_%s.pif
articel_%s.pif
picture_%s.pif
file_%s.pif
your_file_%s.pif
details_%s.pif
document_%s.pif
%s.pif
Note: %s is the domain part of the recipient's address, i.e. the text after the @.
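The subject, body and attachment templates above, together with the note that every %s is the recipient's domain, are enough to write a mail-gateway detection for this variant. The following Python is an added example written for this page; it is not code from the advisory or from any vendor product. It turns the listed templates into anchored regular expressions, checks that the %s slots in subject, body and attachment name all agree with the recipient domain, and returns a verdict. The two sample messages (the worm-style one and the benign one) are constructed for the example, and the verdict threshold (two of three indicators) is an assumption of the example, not a figure from the advisory.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator strings transcribed from the advisory above.
SUBJECT_TAILS = [
    "Requested file", "My file", "My document", "My information", "My details",
    "Information", "Improved", "Requested document", "Document", "Details",
    "Your document", "Your details", "Approved",
]
ATTACH_PREFIXES = [
    "improved_", "message_", "detailed_", "your_document_", "word_doc_", "doc_",
    "articel_", "picture_", "file_", "your_file_", "details_", "document_",
]
BODY_TEMPLATES = [
    "Details for %s.", "Document %s.",
    "I have received your document. The improved document %s is attached.",
    "I have attached your document %s.", "Your document %s is attached to this mail.",
    "Authentification for %s required.", "Requested file %s.", "See the file %s.",
    "Please read the important message msg_%s.", "Please confirm the document %s.",
    "%s is attached.", "Your file %s is attached.", "Please read the document %s.",
    "Your document %s is attached.", "Please read the attached file %s.",
    "Please see the attached file %s for details..",
]


def _alt(items):
    """Regex alternation of literal strings."""
    return "|".join(re.escape(i) for i in items)


# "Re: <tag> keyword": the tag is the %s slot (recipient domain according to the note)
SUBJECT_RE = re.compile(r"^Re: <(?P<tag>[^>]+)> (?P<tail>%s)$" % _alt(SUBJECT_TAILS))
# "prefix_tag.pif" with the prefix optional, because a bare "%s.pif" is also listed
ATTACH_RE = re.compile(r"^(?:%s)?(?P<tag>[A-Za-z0-9._-]+)\.pif$" % _alt(ATTACH_PREFIXES), re.I)
# Each body template becomes an anchored regex with %s replaced by a non-space wildcard
BODY_RES = [
    re.compile("^" + r"(?P<tag>\S+)".join(re.escape(p) for p in t.split("%s")) + "$")
    for t in BODY_TEMPLATES
]


def classify_message(raw):
    """Return the Netsky.M indicators found in one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    recipient_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    found = {"subject": None, "body": None, "attachment": None}
    tags = set()  # every %s value seen, to cross-check against the recipient domain

    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if m:
        found["subject"] = m.group("tail")
        tags.add(m.group("tag"))

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            a = ATTACH_RE.match(filename)
            if a:
                found["attachment"] = filename
                tags.add(a.group("tag"))
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace").strip()
            for rx in BODY_RES:
                b = rx.match(text)
                if b:
                    found["body"] = text
                    tags.add(b.group("tag"))
                    break

    score = sum(1 for v in found.values() if v)
    found["tags"] = sorted(tags)
    # Per the note, every %s is the recipient's domain; agreement raises confidence
    found["tag_matches_recipient"] = bool(tags) and all(
        t.lower() == recipient_domain for t in tags
    )
    # Threshold is an assumption of this example: two of the three template hits
    found["verdict"] = "suspect-netsky.m" if score >= 2 else "clean"
    return found


# Constructed sample messages (not real captures).
SAMPLE_WORM_MAIL = """\
From: someone@example.org
To: alice@example.com
Subject: Re: <example.com> Requested document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Your document example.com is attached.
--BOUND
Content-Type: application/octet-stream; name="your_document_example.com.pif"
Content-Disposition: attachment; filename="your_document_example.com.pif"
Content-Transfer-Encoding: base64

TVo=
--BOUND--
"""

SAMPLE_BENIGN_MAIL = """\
From: bob@example.org
To: alice@example.com
Subject: Re: lunch

See you at noon.
"""

if __name__ == "__main__":
    print(classify_message(SAMPLE_WORM_MAIL))
    print(classify_message(SAMPLE_BENIGN_MAIL))
```

The cross-check on the %s value is what keeps this rule tight: a legitimate "Re: <something> Document" subject will not normally carry the recipient's own domain in the angle brackets and in a .pif attachment name at the same time, so requiring agreement between the slots cuts false positives without widening the patterns beyond what the advisory lists.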