Virus name: Worm.Netsky.x
Chinese name: 网络天空变种X (Netsky variant X)
Threat level: 3C
Aliases: Win32/Netsky.w@mm [Norton]
I-Worm.NetSky.X [AVP]
Virus type: Worm
Affected systems: Windows 95, 98, ME, NT, 2000, XP
Propagation behaviour:
1. Uses its own SMTP mailing engine to send virus emails, spreading itself aggressively;
2. Terminates well-known antivirus and security software, lowering the system's security;
3. Opens a backdoor, waits for an attacker to connect, and can automatically download and execute new malware.
Technical details:
1. When the worm is run, it drops VISUALGUARD.EXE (a copy of itself) into the %system32% directory.
2. It creates the following files in the %system32% directory:
BASE64.TMP
ZIP1.TMP
ZIP2.TMP
ZIP3.TMP
ZIP4.TMP
ZIP5.TMP
ZIP6.TMP
ZIPPED.TMP
These files are the components the worm needs in order to send mail.
3. It gains automatic execution at startup by adding the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
NetDy = %Windows%\VISUALGUARD.EXE
4. It harvests email addresses by searching the contents of files on the local hard disks with the following extensions:
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml
5. It uses its own mailing engine to send virus emails to the harvested addresses. The messages look like this:
From: <spoofed address>
Subject: (one of the following, chosen at random)
Re:
Re: Re:
hi
hello
thanks!
approved
corrected
patched
improved
important
read it immediately
Body: (one of the following, chosen at random)
(Body, part 1)
Please read the attached file.
Your document is attached.
Please read the document.
Your file is attached.
Your document is attached.
Please confirm the document.
Please read the important document.
See the file.
Requested file.
Authentication required.
Your document is attached to this mail.
I have attached your document.
I have received your document. The corr...
Your document.
Your details.
(Body, part 2)
--------------------------------------------
: No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com
Attachment name: <random string><random digits>.PIF
The random string is one of:
file
details
information
letter
product
website
application
screensaver
bill
word document
excel document
data
message
text
document_all
The attachment is a MIME-encoded copy of the worm body. Its extension is one of:
.PIF
.EXE
.SCR
.ZIP (to be continued)
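As an added example (not part of the advisory and not the vendor's detection logic), the following Python script turns the message traits listed above into a mail-gateway heuristic: it parses a raw RFC 822 message with the standard `email` library and reports which Netsky.X traits it finds (lure subject, lure body fragment, fake Norton OnlineScan footer, `<word><digits>.PIF/.EXE/.SCR/.ZIP` attachment). The sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Subjects, body fragments and attachment name stems are the ones listed in the advisory.
SUBJECTS = {"re:", "re: re:", "hi", "hello", "thanks!", "approved", "corrected",
            "patched", "improved", "important", "read it immediately"}
BODY_FRAGMENTS = ("please read the attached file", "your document is attached",
                  "please read the document", "your file is attached",
                  "please confirm the document", "please read the important document",
                  "see the file", "requested file", "authentication required",
                  "i have attached your document", "your document.", "your details.")
FAKE_SCAN_FOOTER = "powered by the new norton onlinescan"
ATTACHMENT_RE = re.compile(
    r"^(file|details|information|letter|product|website|application|screensaver|"
    r"bill|word document|excel document|data|message|text|document_all)\d+"
    r"\.(pif|exe|scr|zip)$", re.IGNORECASE)


def netsky_x_indicators(raw: str) -> list:
    """Return the list of Netsky.X traits found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name.strip()):
            hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
            if any(fragment in body for fragment in BODY_FRAGMENTS):
                hits.append("body")
            if FAKE_SCAN_FOOTER in body:
                hits.append("fake_scan_footer")
    return hits


def is_suspected_netsky_x(raw: str) -> bool:
    """Flag only when the attachment pattern is joined by at least one lure trait (limits false positives)."""
    hits = netsky_x_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


# Constructed sample: a worm-style message built from the advisory's templates.
WORM_SAMPLE = ("From: spoofed@example.com\nTo: user@example.com\nSubject: read it immediately\n"
               'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
               "Content-Type: text/plain\n\nPlease read the attached file.\n\n"
               "--------------------------------------------\n: No virus found\n"
               "Powered by the new Norton OnlineScan\nGet protected: www.symantec.com\n--b1\n"
               'Content-Type: application/octet-stream; name="document_all4711.PIF"\n'
               'Content-Disposition: attachment; filename="document_all4711.PIF"\n'
               "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
# Constructed sample: a harmless reply that shares only the "Re:" subject.
BENIGN_SAMPLE = "From: a@example.com\nSubject: Re:\nContent-Type: text/plain\n\nSee you at 10.\n"
```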