I-Worm/NetSky.m

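I-Worm/NetSky.m is the latest variant of "NetSky". The virus searches the hard disks and mapped network drives of the infected computer for e-mail addresses, and spreads by sending e-mail through its own built-in SMTP engine. The subject, body and attachment name of the infected e-mail vary randomly, and every attachment file uses the .pif extension.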

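Basic introduction

Its characteristics are as follows:
·Copies itself to %Windir%\AVProtect.exe.
·Creates the value "9xHtProtect" = "%Windir%\AVProtect9x.exe" under the registry startup key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run, so that the virus runs when Windows starts.
·Walks all hard disks and mapped drives with drive letters C through Z, searching files of the following types for valid e-mail addresses: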
.adb .asp .cgi .dbx .dhtm .doc .eml .htm
.html .jsp .msg .oft .php .pl .rtf .sht .shtm
.tbb .txt .uin .vbs .wab .wsh .xml
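·Uses its own SMTP engine to send infected mail to the e-mail addresses it found. The messages have the following characteristics:
Sender: <forged>
The subject is one of the following: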
Re: <%s> Requested file
Re: <%s> My file
Re: <%s> My document
Re: <%s> My information
Re: <%s> My details
Re: <%s> Information
Re: <%s> Improved
Re: <%s> Requested document
Re: <%s> Document
Re: <%s> Details
Re: <%s> Your document
Re: <%s> Your details
Re: <%s> Approved
The message body is one of the following:
Details for %s.
Document %s.
I have received your document. The improved document %s is attached.
I have attached your document %s.
Your document %s is attached to this mail.
Authentification for %s required.
Requested file %s.
See the file %s.
Please read the important message msg_%s.
Please confirm the document %s.
%s is attached.
Your file %s is attached.
Please read the document %s.
Your document %s is attached.
Please read the attached file %s.
Please see the attached file %s for details
The attachment is the virus program itself. It uses the .pif extension and may be named:
improved_%s.pif
message_%s.pif
detailed_%s.pif
your_document_%s.pif
word_doc_%s.pif
doc_%s.pif
articel_%s.pif
picture_%s.pif
file_%s.pif
your_file_%s.pif
details_%s.pif
document_%s.pif
%s.pif
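Main characteristics
What makes the messages deceptive is that the %s above is the recipient's own mail address name, that is, the string before the '@' in the e-mail address.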
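
The traits listed above can be turned into a mail-filter check. The following is an added example, not part of the original entry: it flags a message whose .pif attachment name or subject embeds the recipient's local part in one of the listed templates. The function names, the sample addresses and the assumption that the angle brackets around %s in the subject may or may not be literal are choices made for this example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment-name prefixes from the list on this page ("" covers the bare %s.pif form).
PREFIXES = ("improved_", "message_", "detailed_", "your_document_", "word_doc_",
            "doc_", "articel_", "picture_", "file_", "your_file_", "details_",
            "document_", "")
# Subject endings from the list on this page (the text after "Re: <%s> ").
SUBJECT_TAILS = {"Requested file", "My file", "My document", "My information",
                 "My details", "Information", "Improved", "Requested document",
                 "Document", "Details", "Your document", "Your details", "Approved"}


def check_netsky_m(raw: str) -> dict:
    """Report which NetSky.m mail traits described on this page a raw message shows."""
    msg = message_from_string(raw)
    # %s is the recipient's local part (the text before '@' in the To address).
    local = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    # Assumption: the angle brackets around %s are treated as optional.
    m = re.fullmatch(r"Re: <?([^<>\s]*)>? (.+)", (msg.get("Subject") or "").strip())
    subject_hit = bool(m and local and m.group(1).lower() == local
                       and m.group(2) in SUBJECT_TAILS)
    names = [n.lower() for n in (p.get_filename() for p in msg.walk()) if n]
    pif = [n for n in names if n.endswith(".pif")]
    expected = {f"{p}{local}.pif" for p in PREFIXES} if local else set()
    name_hit = any(n in expected for n in pif)
    return {"subject": subject_hit, "pif": bool(pif), "name": name_hit,
            "flag": name_hit or (subject_hit and bool(pif))}


def sample(to: str, subject: str, filename: str) -> str:
    """Build a constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.net", to, subject
    m.set_content("Your document bob is attached.")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(check_netsky_m(sample("bob@example.com", "Re: <bob> Your document",
                                "your_document_bob.pif")))
```

Because the sender is forged, the check keys only on the recipient address, the subject and the attachment name.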
