Overview
Virus alias: I-Worm.Mydoom.q [AVP]
Processing time:
Threat level: ★★★
Chinese name:
Virus type: worm
Affected systems: Win9x/WinNT/Win2K/WinXP/Win2003
Virus behaviour: worm
Packer: packed with UPX
Infection vector: spreads over the network.
Trigger condition:
System modifications:
a. Copies itself to:
%Windows%\asor32a.dll
%System%\winpsd.exe
b. Under the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
adds the following value:
"winpsd" = "%System%\winpsd.exe"
c. Under the registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
adds the following value name:
"InstaledFlashhMX" = "1"
If this value name already exists, the computer is already infected and the worm does not run again.
d. Creates the mutex: 43jfds93872
e. Downloads the backdoor winvpn32.exe (Win32.Hack.Surila.g) from the following URLs and runs it:
http://www.ricolour.com/ispy.1.jpg
http://www.ricolour.com/coco3.jpg
http://www.ricolour.com/guestbook/temp/temp587.gif
http://zenandjce.com/guestbook/temp/temp728.gif
Payload:
Obtains the SMTP address from the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
"SMTP Email Address"
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
"SMTP Email Address"
Searches for email addresses in files with the following extensions:
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.wab
.pl
If a harvested email address contains any of the following strings:
"syma"
"icrosof"
"msn."
"hotmail"
"panda"
"sopho"
"borlan"
"inpris"
"example"
"mydomai"
"nodomai"
"ruslis"
".gov"
"gov."
".mil"
"foo."
"unix"
"math"
"bsd"
"mit.e"
"gnu"
"fsf."
"ibm.com"
"google"
"kernel"
"linux"
"fido"
"usenet"
"iana"
"ietf"
"rfc-ed"
"sendmail"
"arin."
"ripe."
"isi.e"
"isc.o"
"secur"
"acketst"
"pgp"
"tanford.e"
"utgers.ed"
"mozilla"
"icrosoft"
"support"
"ntivi"
"unix"
"bsd"
"linux"
"listserv"
"certific"
"google"
"accoun"
"abuse"
"upport"
"www"
the worm does not send to that address.
The sender name of the email is one of:
"alex"
"michael"
"james"
"mike"
"kevin"
"david"
"george"
"sam"
"andrew"
"jose"
"leo"
"maria"
"jim"
"brian"
"Serg"
"mary"
"ray"
"tom"
"peter"
"robert"
"bob"
"jane"
"joe"
"dan"
"dave"
"matt"
"steve"
"smith"
"stan"
"bill"
"bob"
"jack"
"fred"
"ted"
"adam"
"brent"
"alice"
"anna"
"brenda"
"claudia"
"debby"
"helen"
"jerry"
"jimmy"
"julie"
"linda"
"sandra"
The sender domain is one of:
t-online.de
mail.com
yahoo.com
hotmail.com
or the domain read from HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
Email subject: photos
Email body: LOL!;))))
Attachment name: photos_arc.exe
Stops running automatically after 21:00 on 20 August 2004.
Special notes:
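The outbound message profile above (fixed subject, body, attachment name and forged sender) is enough to flag the worm's mail at a gateway. The following is an added example, not code from the original page: it parses constructed mail-gateway log records in a hypothetical key=value format and reports messages that show at least two of the traits listed here.

```python
import re

# Message traits of Mydoom.Q as listed on this page.
SUBJECT = "photos"
BODY = "LOL!;))))"
ATTACHMENT = "photos_arc.exe"
SENDER_DOMAINS = {"t-online.de", "mail.com", "yahoo.com", "hotmail.com"}
SENDER_NAMES = {
    "alex", "michael", "james", "mike", "kevin", "david", "george", "sam", "andrew",
    "jose", "leo", "maria", "jim", "brian", "serg", "mary", "ray", "tom", "peter",
    "robert", "bob", "jane", "joe", "dan", "dave", "matt", "steve", "smith", "stan",
    "bill", "jack", "fred", "ted", "adam", "brent", "alice", "anna", "brenda",
    "claudia", "debby", "helen", "jerry", "jimmy", "julie", "linda", "sandra",
}
# Constructed sample log (hypothetical key=value gateway format, not a real product's).
SAMPLE_LOG = """\
from=alex@yahoo.com to=bob@corp.example subject="photos" attach=photos_arc.exe body="LOL!;))))"
from=jane.doe@corp.example to=team@corp.example subject="photos" attach=trip.zip body="see attached"
from=mary@hotmail.com to=sales@corp.example subject="Re: order" attach=photos_arc.exe body="LOL!;))))"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def mydoom_q_traits(msg):
    """Return the Mydoom.Q traits present in one parsed message."""
    traits = []
    if msg.get("subject", "").strip().lower() == SUBJECT:
        traits.append("subject")
    if BODY in msg.get("body", ""):
        traits.append("body")
    if msg.get("attach", "").lower() == ATTACHMENT:
        traits.append("attachment")
    local, _, domain = msg.get("from", "").lower().partition("@")
    if domain in SENDER_DOMAINS and local in SENDER_NAMES:
        traits.append("forged-sender")
    return traits

def flag_mydoom_q(log_text, min_traits=2):
    """Return (sender, recipient, traits) for records with at least min_traits.
    A single trait, e.g. the subject 'photos', is too common to act on alone."""
    hits = []
    for line in log_text.splitlines():
        msg = parse_log_line(line)
        traits = mydoom_q_traits(msg)
        if len(traits) >= min_traits:
            hits.append((msg["from"], msg["to"], traits))
    return hits
```

Run `flag_mydoom_q(SAMPLE_LOG)` to see that only the first and third records are reported; the second shares the subject but nothing else.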