Entry: Worm.Netsky.Q

Definition

§ Name

Worm.Netsky.Q

§ Details

The worm exploits a known vulnerability in Microsoft's "Internet Explorer" browser (Microsoft's official description of the vulnerability: http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx) to construct its mail messages, so that a user on an unpatched system is infected simply by previewing the message.

· System modifications:

A. Creates the following files in the Windows directory:

%SystemRoot%\FIREWALLLOGGER.TXT

%SystemRoot%\SYSMONXP.EXE

%SystemRoot%\ZIPO0.TXT

%SystemRoot%\ZIPO1.TXT

%SystemRoot%\ZIPO2.TXT

%SystemRoot%\ZIPO3.TXT

B. Under the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

adds the value:

SysMonXP = "%System%\SysMonXP.exe"

· Symptoms:

A. After infecting a system, the worm searches the local disks for e-mail addresses and uses its own SMTP engine to send mail to them. The messages have the following characteristics:

Subject: <one of the following strings>

Deliver Mail <recipient address>

Delivered Message <recipient address>

Delivery <recipient address>

Delivery Bot <recipient address>

Delivery Error <recipient address>

Delivery Failed <recipient address>

Delivery Failure <recipient address>

Error <recipient address>

Failed <recipient address>

Failure <recipient address>

Mail Delivery failure <recipient address>

Mail Delivery System <recipient address>

Mail System <recipient address>

Server Error <recipient address>

Status <recipient address>

Unknown Exception <recipient address>

Body: <one of the following strings>

Message has been sent as a binary attachment.

Modified message has been sent as a binary attachment.

Note: Received message has been sent as a binary file.

Partial message is available and has been sent as a binary attachment.

Received message has been attached.

Received message has been sent as an encoded attachment.

The message has been sent as a binary attachment.

Translated message has been attached.

The chosen string is followed by:

------------- failed message -------------

<random characters>

which is in turn followed by one of:

Delivery Agent - Translation failed

Delivery Failure - Invalid mail specification

Mail Delivery - This mail couldn't be displayed

Mail Delivery Error - This mail contains unicode characters

Mail Delivery Failed - This mail couldn't be represented

Mail Delivery Failure - This mail couldn't be shown.

Mail Delivery System - This mail contains binary characters

Mail Transaction Failed - This mail couldn't be converted

Attachment name: <one of the following strings>

data <random number>

mail <random number>

message

message <random number>

msg <random number>

Attachment extension: <one of the following>

PIF

SCR

ZIP

The worm does not send mail to e-mail addresses containing any of the following strings:

@antivi

@avp

@bitdefender

@fbi

@f-pro

@freeav

@f-secur

@kaspersky

@mcafee

@messagel

@microsof

@norman

@norton

@pandasof

@skynet

@sophos

@spam

@symantec

@viruslis

abuse@

noreply@

ntivir

reports@

spam@
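As an added example (not part of this entry or of any vendor's tooling), the mail characteristics listed above turned into a gateway-side check: the function reports which of the lure traits (subject, body, attachment name) a raw RFC 822 message shows, and is run against a constructed sample message with a placeholder attachment.

```python
import re
from email import message_from_string

# Lure strings from the write-up above: subject prefixes, body openers, the separator line,
# and the attachment naming scheme (data/mail/message/msg plus a number, or bare "message").
SUBJECT_PREFIXES = (
    "Deliver Mail", "Delivered Message", "Delivery", "Delivery Bot", "Delivery Error", "Delivery Failed",
    "Delivery Failure", "Error", "Failed", "Failure", "Mail Delivery failure", "Mail Delivery System",
    "Mail System", "Server Error", "Status", "Unknown Exception",
)
BODY_OPENERS = (
    "Message has been sent as a binary attachment.", "Modified message has been sent as a binary attachment.",
    "Note: Received message has been sent as a binary file.", "Received message has been attached.",
    "Partial message is available and has been sent as a binary attachment.", "Translated message has been attached.",
    "Received message has been sent as an encoded attachment.", "The message has been sent as a binary attachment.",
)
SEPARATOR = "------------- failed message -------------"
ATTACHMENT_RE = re.compile(r"^(?:(?:data|mail|message|msg) \d+|message)\.(?:pif|scr|zip)$", re.I)


def netsky_q_indicators(raw: str) -> list[str]:
    """Return which lure traits (subject, body, attachment) a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    recipient = msg.get("To", "").strip()
    # Subject is one fixed prefix followed by the recipient's own address.
    subject_hit = any(msg.get("Subject", "") == f"{p} {recipient}" for p in SUBJECT_PREFIXES)
    body, names = "", []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    body_hit = any(body.lstrip().startswith(o) for o in BODY_OPENERS) and SEPARATOR in body
    attachment_hit = any(ATTACHMENT_RE.match(n) for n in names)
    return [k for k, hit in (("subject", subject_hit), ("body", body_hit), ("attachment", attachment_hit)) if hit]


# Constructed sample mimicking the lure described above (not a real capture; the attachment is a placeholder).
SAMPLE = """\
To: alice@example.org
Subject: Delivery Failure alice@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Received message has been attached.
------------- failed message -------------
--b1
Content-Type: application/octet-stream; name="message 4417.pif"

placeholder-not-a-real-binary
--b1--
"""
```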

B. The worm uses an "envelope" icon to deceive users.

C. The worm body also contains the following encrypted text:

We are the only SkyNet, we don't have any criminal inspirations.

Due to many reports, we do not have any backdoors included for spam relaying.

and we aren't children. Due to this, many reports are wrong.

We don't use any virus creation toolkits, only the higher language

Microsoft Visual C++ 6.0. We want to prevent hacker,

cracking, sharing with illegal stuff and similar illegal content.

Hey, big firms only want to make a lot of money.

That is what we don't prefer. We want to solve and avoid it.

Note: Users do not need a new av-update, they need

a better education! We will envolope...

- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -

Remediation:

· Kingsoft Antivirus (金山毒霸) issued an emergency update for this worm on 29 March; upgrade to the latest version to fully detect and remove it.

· Treat incoming mail with care: if a message carries an attachment, do not open it, and in particular do not run any executable inside it. Watch for the icons the worm uses to disguise itself, and do not trust attachments whose icon shows a spreadsheet, text file or folder. If an attachment must be opened, scan it with antivirus software first.

· Network users are strongly advised to upgrade "Internet Explorer" to 6.0 and apply the latest patches, which prevents the worm from infecting the system automatically. The latest IE patch is available at:

http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx

· This worm is hard to remove by hand, and manual removal tends to leave remnants behind; upgrade Kingsoft Antivirus to the virus definitions of 29 March 2004 to handle it. If Kingsoft Antivirus is not installed, visit http://online.kingsoft.net to use its online scanner or the downloadable edition to block the worm, or download the "Netsky" (网络天空) removal tool from http://www.duba.net/download/3/107.shtml to stop its spread.

Copyright © 2004-2023 Cnenc.net All Rights Reserved
Updated: 2025/2/22 23:39:15