Basic information
- Foreign name: Worm.Mytob.s
- Alias: Email-Worm.Win32.Mytob.s [AVP]
- Virus type: Worm
- Affected systems: Win9x / WinNT
Virus overview
Virus alias: Email-Worm.Win32.Mytob.s [AVP]
Processing time:
Threat level: ★★
Chinese name:
Virus type: Worm
Affected systems: Win9x / WinNT
Virus behavior
The worm spreads by exploiting two remotely reachable buffer overflows in Windows: the LSASS (Local Security Authority Subsystem Service) vulnerability patched by MS04-011 and the DCOM RPC interface vulnerability patched by MS03-026. It harvests e-mail addresses from files with specific extensions on the infected machine and uses its own SMTP engine to mail itself to those addresses. It also modifies the hosts file so that the user can no longer reach a number of well-known antivirus vendor websites.
1) Drops several copies of itself:
C:\funny_pic.scr
C:\see_this!!.scr
C:\my_photo2005.scr
%System%\taskgmsr.exe
and one copy of Worm.Mytob.f:
C:\hellmsn.exe
2) Creates a mutex named H-E-L-L-B-O-T so that only one instance of the worm runs at a time.
3) Adds the value "asdasd"="taskgmsr.exe" to the following registry keys so that the worm starts with Windows:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\S-1-5-21-73586283-602609370-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Run
The same value is also written under the following keys. Windows does not execute anything from these locations, so they do not provide autostart; on an infected host they are simply an additional infection marker worth checking:
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_USERS\S-1-5-21-73586283-602609370-682003330-1000\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_USERS\S-1-5-21-73586283-602609370-682003330-1000\SYSTEM\CurrentControlSet\Control\Lsa
Note that S-1-5-21-73586283-602609370-682003330-1000 is the SID of the account used during analysis; HKEY_USERS\<SID> is that user's HKEY_CURRENT_USER hive, so on another machine the entry appears under the SID of whichever user ran the worm.
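To turn the registry indicators above into a check, the following added example (written for this page, not code from the original article or from any antivirus vendor) parses the text format produced by `reg export` and reports every string value whose name is "asdasd" or whose data references taskgmsr.exe, distinguishing genuine autostart keys (Run, RunServices) from the OLE and Lsa locations the worm also writes. The registry export it scans is a constructed sample, not data from a real infection.

```python
"""Find the Mytob.s autostart value in a Windows registry export (.reg text).

Added example, not code from the original page. Parses constructed text in the
format written by `reg export` and reports string values matching the page's
indicators: value name "asdasd" and/or data referencing taskgmsr.exe.
"""
import re
from typing import Dict, List, Tuple

# Key suffixes Windows actually uses to launch programs at logon/boot.
AUTOSTART_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
# Indicators taken from the page.
VALUE_NAME_IOC = "asdasd"
FILE_IOC = "taskgmsr.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Only REG_SZ values look like "name"="data"; dword:/hex: values are skipped.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Constructed sample export (not from a real infected machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"asdasd"="taskgmsr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"asdasd"="taskgmsr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that before comparing.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def is_autostart_key(key_path: str) -> bool:
    """True if Windows runs programs listed under this key at startup."""
    return key_path.lower().endswith(AUTOSTART_KEY_SUFFIXES)


def find_mytob_persistence(text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (key, value_name, data, autostarts) for each matching value."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if name.lower() == VALUE_NAME_IOC or FILE_IOC in data.lower():
                hits.append((key, name, data, is_autostart_key(key)))
    return hits


if __name__ == "__main__":
    for key, name, data, autostarts in find_mytob_persistence(SAMPLE_REG_EXPORT):
        kind = "AUTOSTART" if autostarts else "marker only"
        print(f"[{kind}] {key}\\{name} = {data}")
```

On a live system, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys listed above); the distinction between autostart hits and marker-only hits tells the responder which entries must be removed to break persistence and which merely confirm the infection.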
4) Modifies the hosts file so that the following security-vendor websites can no longer be reached:
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.microsoft.com
www.trendmicro.com
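A hosts file that defines any of the names above is itself an indicator, because no legitimate configuration needs to override a vendor's public hostname. The following added example (written for this page, not code from the original article or from any vendor) parses a hosts file, reports every watched vendor hostname it maps, and flags whether the target is a sinkhole address (loopback or 0.0.0.0, the usual choice for this kind of blocking) or some other address, which would redirect the vendor site rather than merely block it. The watched set is a subset of the list above, and the hosts content is a constructed sample.

```python
"""Detect security-vendor hostnames hijacked via the hosts file.

Added example, not code from the original page. WATCHED_DOMAINS is a subset of
the hostnames the page says Mytob.s adds; SAMPLE_HOSTS is constructed, not taken
from a real infected machine.
"""
import ipaddress
from typing import Iterable, List, Tuple

WATCHED_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "www.mcafee.com", "www.viruslist.com", "f-secure.com",
    "www.kaspersky.com", "www.trendmicro.com", "www.microsoft.com",
}

SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com securityresponse.symantec.com
0.0.0.0   www.mcafee.com   # appended after the legitimate entries
203.0.113.5 www.trendmicro.com
10.1.2.3 intranet.example.internal
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; '#' starts a comment and a line may name several hosts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for loopback or unspecified (0.0.0.0 / ::) targets, which simply black-hole the name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hosts_hijacks(text: str, watched: Iterable[str] = WATCHED_DOMAINS) -> List[Tuple[str, str, bool]]:
    """Return (hostname, ip, sinkholed) for every watched name the hosts file defines.

    Any mapping is reported: a sinkhole blocks updates, while a routable target
    could silently redirect the vendor site to a host the attacker controls.
    """
    watched_set = {w.lower() for w in watched}
    return [(name, ip, is_sinkhole(ip)) for ip, name in parse_hosts(text) if name in watched_set]


if __name__ == "__main__":
    for name, ip, sinkholed in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"{name} -> {ip} ({'sinkholed' if sinkholed else 'REDIRECTED'})")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; the same parser works for /etc/hosts on other platforms. Removing the injected lines restores access to the vendor sites, but the cleanup is only meaningful once the dropped files and registry values from steps 1 and 3 are gone, otherwise the running worm rewrites the file.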
5) Harvests e-mail addresses from files with the following extensions:
.wab
.pl
.adb
.tbb
.dbx
.asp
.php
.sht
.htm
.txt
6) Uses one of the following lines as the body of the e-mail it sends:
Here are your banks documents.
The original message was included as an attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.