Entry | Worm.Mytob.az |
Definition |
Basic information
Virus aliases:
Handled on:
Threat level: ★
Chinese name: 邮件伪装者 (Mail Impersonator)
Virus type: Worm
Affected systems: Win9x / WinNT

Description
A worm that spreads by e-mail. It opens a backdoor on the infected system, changes the computer's security settings, and accepts remote commands over IRC so that the machine can be used to attack other computers. It causes considerable trouble for the user.

Behaviour analysis
1. Drops the file: %system%\nec.exe
2. Adds a registry value so that the worm runs at startup:
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   "WINDOWS SYSTEM" = nec.exe
3. Registers itself as a service entry:
   HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   "WINDOWS SYSTEM" = nec.exe
4. Enables the connection-sharing service, which leaves an opening for other malware to spread.
5. Alters firewall rules so that the worm is not blocked by the firewall.
6. Modifies the hosts file to prolong its own survival, pointing the following security-vendor hostnames at the loopback address so that antivirus updates and vendor sites become unreachable:
   127.0.0.1 www.trendmicro.com
   127.0.0.1 www.microsoft.com
   127.0.0.1 trendmicro.com
   127.0.0.1 rads.mcafee.com
   127.0.0.1 customer.symantec.com
   127.0.0.1 liveupdate.symantec.com
   127.0.0.1 us.mcafee.com
   127.0.0.1 updates.symantec.com
   127.0.0.1 update.symantec.com
   127.0.0.1 www.nai.com
   127.0.0.1 nai.com
   127.0.0.1 secure.nai.com
   127.0.0.1 dispatch.mcafee.com
   127.0.0.1 download.mcafee.com
   127.0.0.1 www.my-etrust.com
   127.0.0.1 my-etrust.com
   127.0.0.1 mast.mcafee.com
   127.0.0.1 ca.com
   127.0.0.1 www.ca.com
   127.0.0.1 networkassociates.com
   127.0.0.1 www.networkassociates.com
   127.0.0.1 avp.com
   127.0.0.1 www.kaspersky.com
   127.0.0.1 www.avp.com
   127.0.0.1 kaspersky.com
   127.0.0.1 www.f-secure.com
   127.0.0.1 f-secure.com
   127.0.0.1 viruslist.com
   127.0.0.1 www.viruslist.com
   127.0.0.1 liveupdate.symantecliveupdate.com
   127.0.0.1 mcafee.com
   127.0.0.1 www.mcafee.com
   127.0.0.1 sophos.com
   127.0.0.1 www.sophos.com
   127.0.0.1 symantec.com
   127.0.0.1 securityresponse.symantec.com
   127.0.0.1 www.symantec.com
7. Terminates more than a thousand programs, including the following:
   ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE
   AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE
   ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUTODOWN.EXE
   AUTOTRACE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE
   AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTL9.EXE AVLTMAIN.EXE
   AVNT.EXE AVP.EXE AVP32.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE
   AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE
   BACKWEB.EXE BARGAINS.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE
   WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE
   ZONEALARM.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE CMD.EXE ASKMGR.EX
8. Connects to the channel #skyline2 on irc.blackcarder.net to receive remote-control commands.
9. Establishes an FTP channel from the user's computer to 137.118.240.201 on port 19091, turning the machine into a distribution relay for the worm.
10. Searches files with the following extensions for e-mail addresses:
    .txt .htmb .shtl .cgil .jspl .xmls .phpq .aspd .dbxn .tbbg .adbh .wab .pl
    and does not send mail to any address containing one of the following strings:
    avp syma microsof msn. hotmail panda sopho borlan .gov .mil berkeley unix math bsd mit.e gnu fsf. ibm.com kernel linux fido
11. Downloads HellBot::v3 beta2 and launches it.
12. Carries out SYN flood attacks.
13. Sends e-mail:
    The sender address combines one of the following names, chosen at random, with a harvested domain:
    root info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating privacy service help admin
    The message body is one of the following five texts, chosen at random:
    Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
    The original message has been included as an attachment.
    We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
    We attached some important information regarding your account.
    Please read the attached document and follow it's instructions.
    The attachment uses one of the following extensions:
    .exe .scr .pif .zip
|
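The two artefacts on this page that are most useful for detection are the hosts-file sabotage in item 6 and the fixed mass-mailing template in item 13. The Python below is an added example, not code from the original entry or from any antivirus vendor: it parses hosts-file text and reports vendor hostnames pinned to a loopback address, and scores a message against the sender names, canned bodies and attachment types listed above. The vendor-domain set is derived from the hostnames in item 6; the hosts-file contents and messages it is run against are constructed for the example.

```python
"""Host- and mail-side triage for the Mytob behaviour in this entry.
Added example, not code from the entry or any vendor; the hosts-file
contents and messages it runs against are constructed for the example."""
import ipaddress
import re
from email.utils import parseaddr

# Registered domains of the vendor hostnames item 6 pins to 127.0.0.1.
# Matching on the registered domain also catches subdomains such as
# liveupdate.symantec.com or rads.mcafee.com without listing each one.
VENDOR_DOMAINS = {
    "trendmicro.com", "microsoft.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "avp.com",
    "kaspersky.com", "f-secure.com", "viruslist.com", "symantecliveupdate.com",
    "sophos.com",
}

# Sender local-parts, canned bodies and attachment types from item 13.
SENDER_NAMES = {
    "root", "info", "samples", "postmaster", "webmaster", "noone", "nobody",
    "nothing", "anyone", "someone", "your", "you", "me", "bugs", "rating",
    "privacy", "service", "help", "admin",
}
BODY_TEMPLATES = (
    "Once you have completed the form in the attached file , your account "
    "records will not be interrupted and will continue as normal.",
    "The original message has been included as an attachment.",
    "We regret to inform you that your account has been suspended due to "
    "the violation of our site policy, more info is attached.",
    "We attached some important information regarding your account.",
    "Please read the attached document and follow it's instructions.",
)
ATTACHMENT_EXTS = (".exe", ".scr", ".pif", ".zip")


def _is_vendor(hostname):
    """True if hostname is, or is a subdomain of, a listed vendor domain."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in VENDOR_DOMAINS
               for i in range(len(labels) - 1))


def find_hosts_sinkholes(hosts_text):
    """(address, hostname) pairs where a vendor host is pinned to a loopback
    or unspecified (0.0.0.0) address.  Comments and blank lines are skipped,
    a line may name several hosts, and a vendor host mapped to a real
    address is an ordinary alias, not a sinkhole, so it is not reported."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # the resolver ignores it too
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for host in fields[1:]:
            if _is_vendor(host):
                hits.append((str(addr), host.lower()))
    return hits


def _normalise(text):
    """Lower-case, collapse whitespace and drop the space before , and ."""
    text = re.sub(r"\s+", " ", text.lower()).strip()
    return re.sub(r" ([,.])", r"\1", text)


def score_message(sender, body, attachments):
    """Score 0..3 for the item-13 traits present; an 'info@' sender alone
    is common in legitimate mail, so act on 2 or more, not on a single hit."""
    reasons = []
    local_part = parseaddr(sender)[1].split("@", 1)[0].lower()
    if local_part in SENDER_NAMES:
        reasons.append("forged sender local-part %r" % local_part)
    norm_body = _normalise(body)
    if any(_normalise(t) in norm_body for t in BODY_TEMPLATES):
        reasons.append("canned Mytob body text")
    bad = [a for a in attachments if a.lower().endswith(ATTACHMENT_EXTS)]
    if bad:
        reasons.append("executable/archive attachment: " + ", ".join(bad))
    return len(reasons), reasons


# Constructed hosts-file contents: two legitimate lines, then item-6 damage.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.test   # legitimate internal alias
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com updates.symantec.com
127.0.0.1 www.ca.com
0.0.0.0   download.mcafee.com
127.0.0.1 mcafee.com
"""
```

To run the hosts check against a live machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hosts_sinkholes; any hit should be cross-checked against the Run and RunServices values named in items 2 and 3. Ad-blocking hosts files also pin hostnames to 127.0.0.1, which is why the check matches only the vendor-domain list rather than every loopback entry, and why score_message reports a count with reasons instead of a bare verdict.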