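Overview
Virus alias:
Processing time:
Threat level: ★★★
Chinese name: 惡郵差變種 ("Evil Postman" variant)
Virus type: Worm
Affected systems: Win9x/WinMe/WinNT/Win2000/WinXp/Win2003
Virus behavior:
Written with: VC6.0
Infection conditions:
Trigger conditions:
Introduction
System modifications: A. Adds the following files to the system directory and the system installation directory: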
%System%\TkBellExe.exe
%System%\Update_OB.exe
%System%\hxdef.exe
%System%\RAVMOND.exe
%System%\IEXPLORE.EXE
%System%\kernel66.dll
%System%\ODBCdll
%System%\msjdbc.dll
%System%\MSSIGN30.dll
%System%\NetMeeting.exe
%System%\Spollsv.exe
%System%\LMMIB20.DLL
%SystemRoot%\Mediammc.exe
%SystemRoot%\svchost.exe
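B. Creates some RAR- and ZIP-compressed files in the directory from which the virus was first run:
For example: bak.exe, etc.
C. Creates the following file on drive C: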
c:\NetLog.txt
D. Adds the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run "RAVMOND.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices SystemTra "%SystemRoot%\SysTra.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinHelp "%System%\TkBellExe.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hardware Profile "%System%\hxdef.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VFW Encoder/Decoder Settings "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft NetMeeting Associates, Inc. "NetMeeting.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Program In Windows "%System%\IEXPLORE.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Shell Extension "%System%\spollsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Protected Storage "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
Symptoms:
Special notes: