病毒名称: Worm.NetSky.B
威胁级别:
发现日期: 2004.02.19
处理日期: 2004.02.19
病毒别名: W32/Netsky.b@MM [McAfee]
W32/Netsky.B.worm [Panda]
WORM_NETSKY.B [Trend Micro]
Moodown.B [F-Secure]
I-Worm.Moodown.b [Kaspersky]
病毒类型: 蠕虫
受影响系统: Win9x/WinMe/WinNT/Win2000/WinXP/Win2003
能处理的毒霸版本: 2004年02月19日
系统修改:
· 自我复制到Windows安装目录
%Windir%\services.exe;
· 在注册表主键:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
中添加如下键值:
"service" = "%Windir%\services.exe -serv"
在注册表主键:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
中删除如下键值:
"Taskmon"
"Explorer"
在注册表主键:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
中删除如下键值:
"KasperskyAV"
"System."
删除以下注册表键值:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-1F-9C87-00AA005127ED}\InProcServer32
· 在C盘到Z中搜索名字中含有"Share"或"Sharing"字符串的文件夹。如果找到的文件夹不是
CD-ROM, 则该病毒将它自己拷贝到该文件夹及其所有的字文件夹中,名字可能是以下所列名字
列表中的一个:
doom2.doc.pif
sex sex sex sex.doc.exe
rfc compilation.doc.exe
dictionary.doc.exe
win longhorn.doc.exe
e.book.doc.exe
programming basics.doc.exe
how to hack.doc.exe
max payne 2.crack.exe
e-book.archive.doc.exe
virii.scr
nero.7.exe
eminem - lick my pussy.mp3.pif
cool screensaver.scr
serial.txt.exe
office_crack.exe
hardcore porn.jpg.exe
angels.pif
porno.scr
matrix.scr
photoshop 9 crack.exe
strippoker.exe
dolly_buster.jpg.pif
winxp_crack.exe
· 在Windows目录%SystemRoot%下创建一个名为40 .zip的文件,该压缩文件内为该病毒的众多拷
贝。这些拷贝的文件名为以下字符串列表中的一些:
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
发作现象:
会弹出一个对话框,对话框上显示以下内容:
The file could not be opened!
病毒邮件:
A、会在以以下后缀结尾的文件中查找Email地址:
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
B、使用其自带的SMTP引擎将其自己作为附件发送到以上找到的Email地址中,邮件具有以下特
征:
发件人:<具有欺骗性的地址>
主题:(以下字符串之一)
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
正文:(以下字符串之一)
anything ok?
what does it mean?
ok
i@#m waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that@#s funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool
附件名:(以下字符串之一)
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
附件扩展名1:(以下字符串之一)
.txt
.rtf
.doc
.htm
附件扩展名2:(以下字符串之一)
.exe
.scr
.com
.pif
下图为收到带毒邮件的截图:
解决方案:
· 请使用2004年02月19日的病毒库可完全处理该病毒;
· 请不要轻易点击陌生人的邮件以及下载和运行其所带附件,在运行可疑附件前最好先用毒霸扫
描;
· 手工解决方案:
对于系统是Windows9x,WindowsMe: |
对于系统是Windows NT,Windows2000,Windows XP,Windows 2003 sever: 步骤二,查找并删除病毒程序 |
文章来源于领测软件测试网 https://www.ltesting.net/