简介

病毒描述

行为分析(衍生下列副本与文件 新建注册表键值 病毒从包含下列扩展名的文件中搜索邮件地址 用户可能收到的邮件信息)

清除方案

简介

病毒名称：Email-Worm.Win32.NetSky.t

中文名称：网络天空变种

病毒类型：蠕虫

文件 MD5：F1EAC29A09279D51C81585AE47C5255D

公开范围：完全公开

危害等级：中等

文件长度：38,912 字节

感染系统：Win98以上系统

开发工具：Microsoft Visual C++ 6.0

加壳工具：LE-Exe Executable Image *

UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

命名对照：驱逐舰[Win32.HLLP.Secto]

瑞星[Win32.Sality.k]

病毒描述

“网络天空”04年起肆虐互联网络，至今仍存活。该病毒运行后，衍生病毒文件到系统目录下，添加注册表启动项以随机引导病毒体。病毒内建SMTP服务器，伪造大量发信地址，发送大量带有名为“主题名+随机数字.pif”的附件的垃圾邮件到指定地址。当用户点击附件时，即中毒。

行为分析

衍生下列副本与文件

%Windir%\\ uinmzertinmds.opm

%Windir%\\ EasyAV.exe

%System32%\\vcmgcd32.dll

%System32%\\vcmgcd32.dl

新建注册表键值

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

\\Run\\EasyAVValue: String: "%WINDir\\EasyAV.exe"

病毒从包含下列扩展名的文件中搜索邮件地址

.sht.adb .tbb.wab.dbx.oft.doc.msg

用户可能收到的邮件信息

发送邮件地址：

smoke@freenet.am

neox@pisem.net

oriontrooper@yahoo.com

gfplus@softhome.net

kzm@cisco.com

cryorb@tut.by

hubmib-request@ietf.org

msoe@microsoft.com

fkma@mmtools.ru

uri@lucent.com

raraghun@cisco.com

joe@joestewart.org

joespammer@example.com

bik78@mail.ru

case@snmp.com

crsky@yeah.net

gerrit@familiehaase.de

shag@apsvans.com

hanta@chiva.net

msoe@microsoft.com

smoke@freenet.am

fkma@mmtools.ru

waldbusser@lucent.com

ietfmibs@ops.ietf.org

dyk_158@163.com

gfplus@softhome.net

ts@polynet.lviv.ua

tbd@despammed.com

hoto@ipbcn.org

waldbusser@lucent.com

net-snmp-coders@lists.sourceforge.net

hanta@chiva.net

收件人地址：

cao_cong_hx@yahoo.com.cn

tbd@despammed.com

oriontrooper@yahoo.com

bmd2chen@tom.com

mario555@pisem.net

tbd@despammed.com

mario555@pisem.net

邮件主题：

Diggest

Archive

Request

Requested document

Re: Approved

Letter

Thank you!

Re: Movie document

Re: Text

Re: Thanks you!

Powerpoint document

Re: Photo document

Approved

Info

Hi

My details

Re: User list

Re: Hello

Re: Hi

Developement

Thank you!

Re: Movie document

My details

Re: Details

Re: Important

Your information

Your details

Sample

Homepage

Important

Excel document

Re: Old document

Re: Bill

Re: Important

Re: Your document

邮件内容：

Please notice the attached diggest.

The info.Thanks

I have spent much time for your document.

My number list.

My instructions.

My developement is attached.Yours sincerely

Your letter.Thank you

Your file is attached to this mail.Yours sincerely

Hello!Please see the text.

Hello!Please have a look at the attached document.Yours sincerely

Please read the attached document.

Hi!Please, old document.

Hi!Please, user list.

Hi!Please read quickly.

Hello!Please have a look at the info.

Hello!The bill.

Hello!The icq number.Thank you

Hello!Here is the document.Thanks

Here is the document.Yours sincerely

Hello!The note is attached.

Hello!Please have a look at the note.Thank you

Hello!Please notice the attached document.Thanks

Hello!See the document for details

Hi!Here is the document.

Please read the attached document.Thanks

Please read the summary.Yours sincerely

Please notice the attached postcard.

Please notice the attached document.Yours sincerely

Please have a look at the attached document.

Please see the requested document.

Please have a look at the archive

Please see the new document.

Please see the excel document.

Hello!Please notice the attached sample.Thank you

See the document for details.Yours sincerely

I have found the order.Thanks

Hi!For more details see the attached document.Thank you

Hi!Note that I have attached your document.

Hi!Please see the homepage.

注：% System%是一个可变路径。病毒通过查询操作系统来决定当前System文件夹的位置。Windows2000/NT中默认的安装路径是C:\\Winnt\\System32，windows95/98/me中默认的安装路径是C:\\Windows\\System，windowsXP中默认的安装路径是C:\\Windows\\System32。

清除方案

1、使用安天木马防线可彻底清除此病毒(推荐)

2、手工清除请按照行为分析删除对应文件，恢复相关系统设置。

(1) 使用安天木马防线“进程管理”关闭病毒进程

EasyAV.exe

(2) 删除病毒释放文件

%Windir%\\ uinmzertinmds.opm

%Windir%\\ EasyAV.exe

%System32%\\vcmgcd32.dll

%System32%\\vcmgcd32.dl

(3) 恢复病毒修改的注册表项目，删除病毒添加的注册表项

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

\\Run\\EasyAVValue: String: "%WINDir\\EasyAV.exe"