I-Worm/Torvil.a

I-Worm/Torvil.a spreads through Microsoft Outlook, Outlook Express and file-sharing networks.

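Basic information

  • Foreign name: I-Worm/Torvil.a
  • Virus type: network worm
  • Threat level: *
  • Affected platforms: Win9X/2000/XP/NT/Me/2003
Propagation process and characteristics:
1. Copies itself to: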
%Windir%\Spoolxx.exe
%windir%\SMSSxx.exe
%windir%\svchost.exe
2. Modifies the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host" = "%windir%\spoolxx.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper]
"Service Host" = "%windir%\spoolxx.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Service Host" = "%windir%\svchost.exe"
[SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe spoolxx.exe"
3. Copies itself into the shared folders of file-sharing programs such as ed2k-it, Xolox and Kazaa, and into the %windir%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder, under the following file names:
ACDSee32 v2.41 Cracker.exe
Adobe Encore DVD 1.0 Cracker.exe
BearShare Pro v4.0.1 Cracker.exe
BestCrypt v7.08.1 Cracker.exe
Cultures 3 Northland Cracker.exe
Colin McRae Rally 4 Cracker.exe
DivX Pro 5.1 Cracker.exe
DVD X Studios CloneDVD 1.25 Cracker.exe
Dragons Lair 3D Multilanguage Cracker.exe
Empereur L Cracker.exe
Empire du Milieu - Mise a Jour Cracker.exe
EasyRecovery v1.1.01 Cracker.exe
iMesh v3.0b Ad Remover Cracker.exe
Norton AntiVirus 2004 Cracker.exe
Star Wars Jedi Knight Jedi Academy Cracker.exe
Tony Hawks Pro Skater 4 Multilanguage NoCD Cracker.exe
You dont know Jack 4 Cracker.exe
Zone Alarm Pro 4.0 Cracker.exe
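4. Searches files of types such as INBOX, HTML and MBOX to find valid e-mail addresses. Using its own SMTP engine, or an SMTP server obtained from the mail account, it sends itself to those addresses. E-mail characteristics:
Subject: varies
Body: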
Hello,
You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It's important that you apply the fix now since we estimate the Buffer Overflow is at a Critical Level.
Sincerely Yours
The Security Team
Attachment: one of the following
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe
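
A defender-side check for the registry changes listed in step 2, as an added example that is not part of the original entry: it parses `reg export` text and flags the values described above. The sample export is constructed, and treating any Winlogon Shell value other than "explorer.exe", or an svchost.exe outside System32, as suspicious is an assumption that generalizes beyond the listed names.

```python
import re

# File names and key suffixes from step 2 of the entry; compared case-insensitively.
WORM_FILES = {"spoolxx.exe", "smssxx.exe"}
WATCHED_KEYS = (r"\currentversion\run", r"\currentversion\runonce",
                r"\explorer\advanced\oneleveldeeper")
WINLOGON_KEY = r"\windows nt\currentversion\winlogon"

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINDOWS\\spoolxx.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Service Host"="C:\\WINDOWS\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe spoolxx.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def findings(text):
    """Return (key, value_name, data, reason) for values matching the entry."""
    hits = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower().strip()
        exe = d.rsplit("\\", 1)[-1]
        if k.endswith(WINLOGON_KEY) and name.lower() == "shell":
            # Assumption: the stock Shell value is exactly "explorer.exe".
            if d != "explorer.exe":
                hits.append((key, name, data, "non-default Winlogon Shell"))
        elif k.endswith(WATCHED_KEYS) and exe in WORM_FILES:
            hits.append((key, name, data, "worm file name in watched key"))
        elif k.endswith(WATCHED_KEYS) and exe == "svchost.exe" and "\\system32\\" not in d:
            # Assumption: the genuine svchost.exe lives under System32, not %windir%.
            hits.append((key, name, data, "svchost.exe outside System32"))
    return hits

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```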
