病毒名称:
Worm.Mail.Keco.b
类别: 蠕虫
病毒资料:
破坏方法:
通过邮件进行传播的蠕虫病毒
采用Delphi编写,UPX压缩。
病毒运行后有以下行为:
一、将自己复制到%SYSDIR%目录下,文件名为"WinShellc.exe"。
二、系统文件SYSTEM.INI中"Boot"节的"Shell"数据项,增加文件名"WinShellc.exe"。
三、在C盘根目录下生成一个名为的Coke.txt文件。
该文件包含以下字符串信息:
Coke worm is here to join the party
Notice to others :
FUCk you Bagel Your just a lucky ScriptKiddie
Fuck you MyDoom Your just a lame retard
Fuck you SkyNet You had luck to get into F-Sec
mail-list, nothing special tho.
You cant code worms, your not worth to
be called coders.
You lame niggers.
四、搜索*.htm文件并用以下内容将进行替换。
Coke worm is here to join the party
Notice to others :
Fuck you Bagel Your just a lucky ScriptKiddie
Fuck you MyDoom Your just a lame retard
Fuck you SkyNet You had luck to get into F-Sec
mail-list,nothing special tho.
You cant code worms, your not worth to be
called coders.
Download Now : Here
(注:病毒所代换的内容中"VirusFilePath"表示病毒文件所在路径及文件名)
五、读取当前系统注册表中的smtp服务器地址,并尝试用自己的引擎发送邮件。
邮件标题可能为以下字符串:
"Your details"、"Your File"、"Your document"、
"eCard sent to you"、"My File"、
"Your picture"、"My picture"、
"You got a pic ?"、"You got image ?"、
"You got picture?"、"Pic?"、"Image?"、
"age?"、"File?"、"File!"、"Document!"、
"The document"、"New document"、"New File"、
"Your ZIP"、"My private pics"、"My private files"、
"My private images"、"My private documents"、
"My private textes"、"the poem"、"a Poem"、
"Poem"、"a Text"、"a Picture"、"a Image"、
"My Text"、"My Poem"、"Did you like my poem?"、
"Did you like my text?"、
"some text"、"whos picture ?"......
邮件附件的文件扩展名为:
".exe"、".scr"、".cmd"、".com"、".bat"、".pif"
病毒的清除法:
使用光华反病毒软件,彻底删除。
病毒演示:
病毒FAQ:
Windows下的PE病毒。
发现日期:
2004-9-2
|
