Entry | Worm.Zafi.b |
Definition |

§ Overview
Aliases: W32.Erkez.B@mm [NAV], I-Worm.Zafi.b [AVP], PE_ZAFI.B [Trend], W32/Zafi.b@MM [McAfee], Zafi.B [CA], W32/Zafi-B [Sophos]
Processed: 2004-06-10
Threat level: ★★
Chinese name: 灾飞
Type: worm
Affected systems: Win9x / WinNT

§ Behaviour:
This is an FSG-packed worm that spreads by e-mail and also through shared network drives. It also overwrites the executables of anti-virus products so that they can no longer be used.

1. The worm creates the mutex "_Hazafibb" so that only one copy of itself runs at a time.
2. It copies itself to the %System% directory under a file name of eight random letters with the extension .exe or .dll.
3. It creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
and, under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
adds the value:
"_Hazafibb"="%system%\<random characters>.exe"
so that the worm is run every time Windows starts.
4. It searches the hard disk for mapped network shares and copies itself into shared folders under the name:
winamp 7.0 full_install.exe or Total Commander 7.0 full_install.exe
5. It opens a random web page, picking the address from the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
6. It checks whether the host is online by connecting to one of the following two sites:
www.google.com
www.microsoft.com
7. It sends large numbers of HTTP GET requests to the following sites as a denial-of-service (DoS) attack:
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
www.2f.hu
8. It prevents the user from running programs whose names contain the strings:
regedit
msconfig
task
As a direct result, Registry Editor, the System Configuration Utility and Task Manager are unusable on the infected computer.
9. It searches the directories of several well-known anti-virus products and overwrites the .exe files in them with itself.
10. It harvests e-mail addresses from files with the following extensions and stores them in %system%\<8 random characters>.dll:
.htm, .wab, .txt, .dbx, .tbb, .asp, .php, .sht, .adb, .mbx, .eml, .pmr
Addresses containing any of the following strings are skipped, so that no infected mail goes to administrators, large sites or anti-virus companies and the worm stays hidden:
admi, cafee, google, help, hotm, info, kasper, micro, msn, panda, sopho, suppor, syma, trend, use, vir, webm, win, yaho
11. The worm then uses its own SMTP engine to send mail to the harvested addresses. The message body is in English, but when the recipient's domain is one of the following, the body is written in the local language:
.hu, .sp, .ru, .dk, .ro, .se, .no, .fi, .lt, .pl, .pt, .de, .nl, .cz, .fr, .it, .mx, .at
12. The infected mails have these characteristics:
From: a spoofed, deceptive sender address
Subject: empty
Attachment: a file name made of random characters, with the extension .com, .exe or .pif
Body: varies with the domain of the recipient's address
That is, the content depends on the domain as described in the previous item and is one of the following:

For Anita
Subject: Ingyen SMS!
Attachment: "regiszt.php?3124freesms.index777.pif"
Message:
------------------------ hirdet=E9s -----------------------------
A sikeres 777sms.hu =E9s az axelero.hu t=E1mogat=E1s=E1val =FAjra indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s! Jelenleg ugyan korl=E1tozott sz=E1mban, napi 20 ingyen smst lehet felhaszn=E1lni. K=FCldj te is SMST!
Neh=E1ny kattint=E1s =E9s a mell=E9kelt regisztr=E1ci=F3s lap kit=F6lt=E9se ut=E1n azonnal ig=E9nybevehet=F5! B=F5vebb inform=E1ci=F3t a www.777sms.hu oldalon tal=E1lsz, de siess, mert az els=F5 ezer felhaszn=E1l=F3 k=F6z=F6tt =E9rt=E9kes nyerem=E9nyeket sorsolunk ki!
------------------------ axelero.hu ---------------------------

For Claudia
Subject: Importante!
Attachment: "link.informacion.phpV23.text.message.pif"
Message: Informacion importante que debes conocer, -

For Katya
Subject: oKatya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"

For Eva
Subject: E-Kort!
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Message: Mit hjerte banker for dig!

For Marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
Message: De cand te-am cunoscut inima mea are un nou ritm!

For Anna
Subject: E-vykort!
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Message: Till min Alskade...

For Erica
Subject: E-Postkort!
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Message: Vakre roser jeg sammenligner med deg...

For Katarina
Subject: E-postikorti!
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Message: Iloista kesaa!

For Magdolina
Subject: Atviruka!
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Message: Linksmo gimtadieno! ha

For Beate
Subject: E-Kartki!
Attachment: "link.kartki.showcard.index.phpVg42.pif"
Message: W Dniu imienin...

For Eva
Subject: Cartoe Virtuais!
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Message: Content: Te amo... ,

For Alice
Subject: Flashcard fuer Dich!
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Message: Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link: http:/ /flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Viel Spass beim Lesen wuenscht Ihnen ihr...

For Eva
Subject: Er staat een eCard voor u klaar!
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Message: Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiren in uw browser link: http:/ /postkaarten.nl/viewcard.show53.index=04abD1 Met vriendelijke groet, De redactie taalsite primair onderwijs...

For Hanka
Subject: Elektronicka pohlednice!
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Message: Ahoj! Elektronick pohlednice ze serveru http:/ /www.seznam.cz -

For Claudine
Subject: E-carte!
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
Message: vous a envoye une E-carte partir du site zdnet.fr Vous la trouverez, l'adresse suivante link: http:/ /zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...

For Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Message: Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http:/ /cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.

For Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Message: Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http:/ /virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).

For Anita
Subject: Tessek mosolyogni!!!
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Message: Ha ez a k=E9p sem tud felviditani, akkor feladom! Sok puszi:

For Anita
Subject: Soxor Csok!
Attachment: "anita.image043.jpg.pif"
Message: Szia! Aranyos vagy, j=F3 volt dumcsizni veled a neten! Rem=E9lem tetszem, =E9s szeretn=E9m ha te is k=FClden=E9l k=E9pet magadr=F3l, addig is cs=F3k:

For Jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Message: Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:

For David
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Message: Send me back bro, when you`ll be done...(if you know what i mean...) See ya
|
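The persistence artifacts from items 1 to 3 (the _Hazafibb marker key and the Run value pointing at an eight-letter binary in the System directory) can be checked offline against a registry export. The following is an added example, not part of the original entry: it parses a constructed .reg export (the file name kqzmwbte.exe and the SomeUpdater value are made up) and reports the Zafi.B indicators it finds.

```python
import re

# Constructed sample of a "reg export" file; not taken from a real infected host
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
"data"=hex:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="C:\\WINDOWS\\System32\\kqzmwbte.exe"
"SomeUpdater"="C:\\Program Files\\Vendor\\update.exe"
"""

MARKER_KEY = r"hkey_local_machine\software\microsoft\_hazafibb"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Eight random letters plus .exe or .dll inside the System directory, as the entry describes
RANDOM_NAME = re.compile(r"\\system(?:32)?\\[a-z]{8}\.(?:exe|dll)$", re.IGNORECASE)


def parse_reg(text):
    """Return {key (lower-cased): {value_name: data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside string data; undo that
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def zafi_b_findings(reg_text):
    """List the Zafi.B persistence indicators present in a registry export."""
    keys = parse_reg(reg_text)
    findings = []
    if MARKER_KEY in keys:
        findings.append("marker key present: " + MARKER_KEY)
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "_hazafibb":
            findings.append("Run value _Hazafibb -> " + data)
        elif RANDOM_NAME.search(data):
            findings.append("Run value " + name + " points to an 8-letter random binary: " + data)
    return findings


if __name__ == "__main__":
    for finding in zafi_b_findings(SAMPLE_REG):
        print(finding)
```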
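On the mail side, the lure templates in item 12 share two traits: an executable attachment (.pif, .com or .exe) whose name embeds a harmless-looking extension, and one of a fixed set of subjects. The following is an added example, not part of the original entry: a gateway-style triage function over constructed messages (the message ids and the non-worm samples are made up) that holds a message when two or more of those indicators coincide.

```python
import re

# Subjects the entry lists for the localized Zafi.B lures
ZAFI_B_SUBJECTS = {
    "Ingyen SMS!", "Importante!", "oKatya", "E-Kort!", "Ecard!", "E-vykort!",
    "E-Postkort!", "E-postikorti!", "Atviruka!", "E-Kartki!", "Cartoe Virtuais!",
    "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "Elektronicka pohlednice!", "E-carte!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Tessek mosolyogni!!!", "Soxor Csok!", "Don`t worry, be happy!",
    "Check this out kid!!!",
}
EXEC_EXT = (".pif", ".com", ".exe")
# A document/image/script extension somewhere before the real executable extension,
# e.g. "anita.image043.jpg.pif" or "link.ekort.index.phpV7ab4.kort.pif"
DISGUISED = re.compile(r"\.(jpg|jpeg|gif|php|htm|html|txt).*\.(pif|com|exe)$", re.IGNORECASE)

# Constructed messages: ids 1 and 2 reuse lure data from the entry, 3 and 4 are benign
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "E-Kort!", "attachment": "link.ekort.index.phpV7ab4.kort.pif"},
    {"id": 2, "subject": "Check this out kid!!!", "attachment": "jennifer the wild girl xxx07.jpg.pif"},
    {"id": 3, "subject": "Quarterly report", "attachment": "report-q2.pdf"},
    {"id": 4, "subject": "Installer", "attachment": "setup.exe"},
]


def classify(msg):
    """Return the Zafi.B indicators a message matches (empty list = nothing matched)."""
    attach = msg.get("attachment", "")
    reasons = []
    if not attach.lower().endswith(EXEC_EXT):
        return reasons
    reasons.append("executable attachment (" + attach.rsplit(".", 1)[-1].lower() + ")")
    if msg.get("subject", "") in ZAFI_B_SUBJECTS:
        reasons.append("subject matches a known Zafi.B lure")
    if DISGUISED.search(attach):
        reasons.append("attachment name disguised with a document/image extension")
    return reasons


def quarantine(messages):
    """Ids of messages to hold: an executable attachment plus at least one more indicator."""
    return [m["id"] for m in messages if len(classify(m)) >= 2]


if __name__ == "__main__":
    print(quarantine(SAMPLE_MESSAGES))
```

A bare executable attachment with an unrelated subject (id 4) is reported but not held, so the rule stays specific to this worm's lures rather than blocking every .exe.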