Entry | Worm.Mydoom.m |
Definition |
Overview
Virus alias: I-Worm.Mydoom.m [AVP]
Threat level: ★★
Virus type: worm
Affected systems: Win9x/WinNT/Win2K/WinXP/Win2003
Virus behavior: Mydoom variant
Propagation: spreads via email
Trigger condition: the user runs the virus

System modifications
A. Copies itself to:
%SystemRoot%\java.exe
%SystemRoot%\services.exe
B. Adds the following values under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
"Services" = "%SystemRoot%\services.exe"
"JavaVM" = "%SystemRoot%\java.exe"
C. Creates the following two log files:
%Temp%\zincite.log
%Temp%\%Rand%.log

Symptoms
After the virus runs, it searches for email addresses in files with the following extensions:
.adb .asp .dbx .htm .php .pl .sht .tbb .txt .wab
If email addresses are found in these files, the virus also uses search engines to harvest more email addresses.

The subject of the virus email is one of:
say helo to my litl friend
click me baby, one more time
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The body of the virus email may be one of the following templates ({a|b} marks the alternatives the virus chooses between):

Dear user {<recipient email address>|of <recipient's domain>},{ {{M|m}ail {system|server} administrator|administration} of <recipient's domain> would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||} {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week. {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent vs|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server. {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe. {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {<recipient's domain> {user |technical |}support team.|The <recipient's domain> {support |}team.}

{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}: Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message {was not|could not be} delivered within <random number> days: {{{Mail s|S}erver}|Host} } is not responding. The following recipients {did|could} not receive this message: <<recipient email address>> Please reply to postmaster@{<sender's domain>|<recipient's domain>} if you feel this message to be in error.

The original message was received at 【current time】{ | }from {<sender's domain> 】|{】|】}} ----- The following addresses had permanent fatal errors ----- {<<recipient email address>>|<recipient email address>} {----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{<recipient's domain>.|】}: {>>> MAIL F{rom|ROM}:【From address of mail】 <<< 50$d {【From address of mail】... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <<recipient email address>>... {Mail quota exceeded|Message is too large} 554 <<recipient email address>>... Service unavailable|550 5.1.2 <<recipient email address>>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; 】 blocked using {relays.osirusoft. com|bl.spamcop. net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:<<recipient email address>> <<< 550 {MAILBOX NOT FOUND|5.1.1 <<recipient email address>>... {User unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded |}<<< 400}|} The original message was included as attachment

{{The|Your} m|M}essage could not be delivered

The attachment name is one of:
readme instruction transcript letter file text attachment document message <domain name>
The attachment extension is one of:
cmd bat com exe pif scr zip
Sometimes the attachment carries two extensions; the added (inner) extension may be one of:
doc htm html txt

Mail is not sent to any address containing one of the following strings:
arin. avp bar. domain example foo. com gmail gnu. hotmail microsoft msdn. msn. panda rarsoft ripe. sarc. seclist secur sf. net sophos sourceforge spersk syma trend update uslis winrar winzip yahoo anyone ca feste foo gold-certs help info me no nobody noone not nothing page rating root site soft someone the.bat you your admin support ntivi submit listserv bugs secur privacycertific accoun sample master abuse spam mailer-d

The virus opens TCP port 1034 as a backdoor. |
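As an added example (not part of this entry or of any vendor tool), the indicators above turned into two Python triage checks: score_mail matches a message's subject and attachment name against the lure patterns (including the double-extension trick), and check_host matches a host snapshot against the Run key values, dropped files and backdoor port. All sample inputs are constructed.

```python
from __future__ import annotations

# Constructed rules from the Mydoom.m indicators listed above; not the entry's own code.
SUBJECTS = {
    "say helo to my litl friend", "click me baby, one more time", "hello", "error",
    "status", "test", "report", "delivery failed", "Message could not be delivered",
    "Mail System Error - Returned Mail", "Delivery reports about your e-mail",
    "Returned mail: see transcript for details", "Returned mail: Data format error",
}
STEMS = {"readme", "instruction", "transcript", "letter", "file", "text",
         "attachment", "document", "message"}
EXEC_EXT = {"cmd", "bat", "com", "exe", "pif", "scr", "zip"}
DECOY_EXT = {"doc", "htm", "html", "txt"}          # inner half of a double extension
RUN_VALUES = {"Services": r"%SystemRoot%\services.exe", "JavaVM": r"%SystemRoot%\java.exe"}
DROPPED = (r"%SystemRoot%\services.exe", r"%SystemRoot%\java.exe", r"%Temp%\zincite.log")
BACKDOOR_PORT = 1034

def score_mail(subject: str, attachment: str, recipient_domain: str) -> list[str]:
    """Return the lure indicators a message matches (empty list means none)."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    name, dom = attachment.lower(), recipient_domain.lower()
    if name.startswith(dom + "."):            # attachment named after the target's domain
        stem, exts = dom, name[len(dom) + 1:].split(".")
    else:
        stem, *exts = name.split(".")
    if stem in STEMS or stem == dom:
        hits.append("attachment-name")
    if exts and exts[-1] in EXEC_EXT:
        hits.append("executable-extension")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            hits.append("double-extension")
    return hits

def check_host(run_values: dict[str, str], files: set[str], ports: set[int]) -> list[str]:
    """Match a host snapshot (Run key values, file paths, listening TCP ports) against the persistence artefacts."""
    # The genuine services.exe lives in System32; a copy directly under %SystemRoot% is the dropped file.
    hits = [f"run-key:{k}" for k, v in RUN_VALUES.items() if run_values.get(k, "").lower() == v.lower()]
    hits += [f"file:{f}" for f in DROPPED if f in files]
    if BACKDOOR_PORT in ports:
        hits.append("tcp-1034")
    return hits

if __name__ == "__main__":
    print(score_mail("delivery failed", "readme.txt.scr", "example.com"))
    print(check_host({"Services": r"%SystemRoot%\services.exe"}, {r"%Temp%\zincite.log"}, {1034}))
```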