基本介紹
- 中文名:Worm.Mytob.az
- 威脅級別 : ★
- 中 文名稱 : 郵件偽裝者
- 病毒類型 : 蠕蟲
- 傳播方式:郵件
基本信息,病毒描述,行為分析,
基本信息
病毒別名:
處理時間:
影響系統:Win9x / WinNT
病毒描述
行為分析
1.生成檔案:
%system%\nec.exe
2.增加註冊表項,使病毒開機運行.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
nec.exe
3.註冊為服務項目:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
nec.exe
4.設定連線共享服務,為其他病毒的傳播埋下伏筆.
5.修改防火牆規則,使病毒不被防火牆阻攔.
6.修改host,延長病毒生命周期.
127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
27.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
27.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
7.結束上千種程式,包括以下的:
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXE ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
WNAD.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE WUPDATER.EXE
WUPDT.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
CMD.EXE
ASKMGR.EX
8.連結到irc.blackcarder.net的#skyline2,接收遠程控制的命令.
9.在用戶計算機上建立一個到137.118.240.201 19091的ftp,使用戶機器成為病毒中轉站.
10.搜尋下列檔案中的信箱地址:
.txt
.htmb
.shtl
.cgil
.jspl
.xmls
.phpq
.aspd
.dbxn
.tbbg
.adbh
.wab
.pl
並且會避免含有向以下字元的地址傳送郵件:
avp
syma
microsof
msn.
hotmail
panda
sopho
borlan
.gov
.mil
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
11.下載HellBot::v3 beta2並且啟動.
12.SYN攻擊.
13.發郵件:
發件人為以下隨機的名字和搜尋到的域名的組合:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
privacy
service
help
admin
內容為以下五條隨機一條:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
附屬檔案為以下格式:
.exe
.scr
.pif
.zip