“Worm.Mydoom.s”的意思、由来-中文百科全书

词条

Worm.Mydoom.s

释义

§ 概述

病毒别名：I-Worm.Mydoom.s【AVP】

处理时间：

威胁级别：★★

中文名称：

病毒类型：蠕虫

影响系统：Win9x/WinNT/Win2K/WinXP/Win2003

病毒行为:

Mydoom变种

编写工具:

传染条件:通过网络电子邮件传播

发作条件:用户误运行该文件。

§ 系统修改:

A、将自身复制到如下目录中

%System%winspf32.exe

%Userprofile%Start MenuPrograms开始

x32hh00.exe

B、尝试从以下地址下载后门病毒Win32.Hack.Nemoq.b

http://www.llc.unibo.it/guestbook/temp/temp754.dat

http://www.surrenderzeeland.nl/guestbook/temp/temp432.dat

http://www.mercyships.de/html/content/guestbook/temp/temp732.dat

http://www.hiw.kuleuven.ac.be/psychoanalyse/guestbook/temp/temp384.dat

http://www.ach.ch/Livredor/temp/temp284.dat http://vugs.geog.uu.nl/guestbook/temp/temp194.dat

http://www.planetboredom.net/bullshit/sucks/temp/temp184.dat

http://guttorm.hveem.no/blogg/wp-rss.css

C、在注册表主键

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

增加如下键值：

"WinSPF"="%System%winspf32.exe"

D、在注册表主键：

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser Agent

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser Agent

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent

添加如下键值：

"Version"="FrankenShteiN"

E、在注册表主键：

HKEY_CURRENT_USERSOFTWAREMicrosoftInternet Explorer

添加如下键值：

"FuckedInst"="1"

用户判断Win32.Hack.Nemoq.b 是否以感染

F、创建如下互斥量：

qwedefacedRDE

§ 发作现象:

A、从以下目录中获得

%Userprofile%Local SettingsTemporary Internet Files

%Userprofile%Desktop

%Userprofile%My Documents

%Userprofile%Application Data

%SystemRoot%Temporary Internet Files

%SystemRoot%Desktop

%SystemRoot%My Documents

%SystemRoot%Application Data

的如下扩展名文件中

.wab

.xls

.vbs

.uin

.txt

.tbb

.stm

.sht

.php

.msg

.mht

.jsp

.htm

.eml

.dht

.dbx

.cgi

.cfg

.asp

获得E-Mail地址

并过滤含有以下字符串的邮件地址

gold-certs

feste

submit

help

service

privacy

somebody

contact

site

someone

anyone

nothing

nobody

noreply

noone

webmaster

news

rating

postmaster

samples

info

root

www

upport

abuse

accoun

certific

listserv

bsd

ntivi

admin

icq.com

mozilla

utgers.ed

tanford.e

pgp

acketst

secur

isc.o

isi.e

ripe.

arin.

sendmail

rfc-ed

ietf

iana

usenet

fido

kernel

google

ibm.com

fsf.

gnu

mit.e

math

berkeley

support

messagelabs

antivi

kasp

linux

unix

spam

@iana

@foo.

.mil

gov.

.gov

icrosoft

ruslis

nodomai

mydomai

example

inpris

borlan

sopho

panda

icrosof

syman

avp

B、发件人从如下注册键值获得

HKEY_CURRENT_USERSoftwareMicrosoftOfficeOutlookOMI Account ManagerAccouts

HKEY_CURRENT_USERSoftwareMicrosoftInternet Account ManagerAccounts

如果获取失败，则按以下规则自动生成一个发件人地址

名为：

Leon

Tommy

Lloyd

Bill

Ronnie

Jon

Alex

Calvin

Tom

Jim

Jay

Oscar

Miguel

Clifford

Theodore

Micheal

Marcus

Francisco

Leroy

Mario

Bernard

Alexander

Barry

Randall

Troy

Ricky

Carl

Henry

Douglas

Harold

Peter

Patrick

Walter

Dennis

Jerry

Joshua

Gregory

Raymond

Andrew

Stephen

Eric

Scott

Frank

Jeffrey

Larry

Jose

Timothy

Gary

Matthew

Jason

Kevin

Anthony

Ronald

Brian

Edward

Steven

Kenneth

George

Donald

Mark

Paul

Daniel

Christopher

Thomas

Joseph

Charles

Richard

David

William

Michael

Robert

John

James

姓为：

Porter

Tucker

Stevens

Simpson

Webb

Wells

Freeman

Murray

Gomez

Ortiz

Marshall

Cruz

Parker

Campbell

Phillips

Turner

Roberts

Perez

Mitchell

Carter

Nelson

Gonzalez

Baker

Adams

Green

Hill

Lopez

Wright

King

Hernandez

Young

Allen

Hall

Walker

Lee

Lewis

Rodriguez

Clark

Robinson

Martinez

Garcia

Thompson

Martin

Harris

White

Jackson

Anderson

Taylor

Moore

Wilson

Miller

Davis

Brown

Jones

Williams

Johnson

Smith

域名为：

cox.net

yahoo.com

msn.com

yahoo.co.uk

t-online.de

gmx.net

hotmail.com

aol.com

mail.com

dailymail.co.uk

C、主题为以下之一：

You win!

thanks!

Thank you!

read it immediately

Re: Your document

Re: Status

Re: Question

Re: Proof of concept

Re: Message

Re: Hi

Re: Hello

Private document

Notice again

News

Information

important

Hi!

here

hello

D、内容分三部分

第一部分为以下内容之一

screensaverlol!

fun photos

New game

relax

Virus removal tool

You are infected by virus. Run this exe

apply this patch!

apply patch.

game

fun game!

fun!

lol!

See the file.

See attached file for details.

Please read the important document.

Please read the attached file.

Please confirm the document.

I have attached document.

Your requested mail has been attached.

Your archive is attached.

Waiting for a Response. Please read the attachment.

Thanks!

Please see the attached file for details

Please read the document.

Please read the attached file!

Please confirm!

Please answer quickly!

Monthly news report.

For more details see the attachment.

For further details see the attachment.

Can you confirm it?

第二部分为：

Attachment: No Virus found

第三部分为：

Norton AntiVirus - www.symantec.de

F-Secure AntiVirus - www.f-secure.com

Norman AntiVirus - www.norman.com

Panda AntiVirus - www.pandasoftware.com

Kaspersky AntiVirus - www.kaspersky.com

MC-Afee AntiVirus - www.mcafee.com

Bitdefender AntiVirus - www.bitdefender.com

MessageLabs AntiVirus - www.messagelabs.com

附件：

可能为以下文件之一：

message.zip

letter.zip

information.zip

info.zip

file.zip

details.zip

data.zip

bill.zip

new.zip

report.zip

doc.zip

document.zip

Message.html .pif

rep.txt .pif

bill.txt .pif

review.txt .pif

report.txt .pif

mesg.txt .pif

doc.txt .pif

bill.rtf .pif

review.rtf .pif

report.rtf .pif

mesg.rtf .pif

doc.rtf .pif

bill.doc .pif

review.doc .pif

report.doc .pif

mesg.doc .pif

doc.doc .pif

document.doc .pif

antivirus.exe

file.exe

fun.scr

game.exe

lol.scr

new.exe

patch.exe

photo.exe

pic.exe

特别说明:

随便看

百科全书收录594082条中文百科知识，基本涵盖了大多数领域的百科知识，是一部内容开放、自由的电子版百科全书。