病毒名称(中文):
邮件伪装者
病毒别名:
威胁级别:
★☆☆☆☆
病毒类型:
蠕虫病毒
病毒长度:
49278
影响系统:
Win9xWinNT
病毒行为:
这是一个通过邮件传播的病毒,他会开启系统的后门,修改用户计算机的安全设置,并且会通过IRC远程控制机器,对其他的计算机进行攻击.对用户带来很多麻烦.
1.生成文件:
%system%\nec.exe
2.增加注册表项,使病毒开机运行.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWSSYSTEM
nec.exe
3.注册为服务项目:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINDOWSSYSTEM
nec.exe
4.设置连接共享服务,为其他病毒的传播埋下伏笔.
5.修改防火墙规则,使病毒不被防火墙阻拦.
6.修改host,延长病毒生命周期.
127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
27.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
27.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
7.结束上千种程序,包括以下的:
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXEATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
WNAD.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXEWUPDATER.EXE
WUPDT.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
CMD.EXE
ASKMGR.EX
8.链接到irc.blackcarder.net的#skyline2,接收远程控制的命令.
9.在用户计算机上建立一个到137.118.240.20119091的ftp,使用户机器成为病毒中转站.
10.搜索下列文件中的邮箱地址:
.txt
.htmb
.shtl
.cgil
.jspl
.xmls
.phpq
.aspd
.dbxn
.tbbg
.adbh
.wab
.pl
并且会避免含有向以下字符的地址发送邮件:
avp
syma
microsof
msn.
hotmail
panda
sopho
borlan
.gov
.mil
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
11.下载HellBot::v3beta2并且启动.
12.SYN攻击.
13.发邮件:
发件人为以下随机的名字和搜索到的域名的组合:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
privacy
service
help
admin
内容为以下五条随机一条:
Onceyouhavecompletedtheformintheattachedfile,youraccountrecordswillnotbeinterruptedandwillcontinueasnormal.
Theoriginalmessagehasbeenincludedasanattachment.
Weregrettoinformyouthatyouraccounthasbeensuspendedduetotheviolationofoursitepolicy,moreinfoisattached.
Weattachedsomeimportantinformationregardingyouraccount.
Pleasereadtheattacheddocumentandfollowit"sinstructions.
附件为以下格式:
.exe
.scr
.pif
.zip
