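Beijing Information Security Center and Kingsoft Duba Jointly Release the Top Virus for the 26th
2004-02-26 14:49:05  Kingsoft Duba Security News Network
  The Beijing Information Security Testing and Evaluation Center and Kingsoft Duba jointly release the top virus for February 26, 2004

  According to the Kingsoft Duba Anti-Virus Lab, users should watch out for the following virus today:


  Contents: · Virus information   · Technical characteristics   · Solution

  This variant continues to send large volumes of infected e-mail, and the subject, body and attachment name have all been changed so that the messages are more deceptive. Worse, it searches drives A through Z on the infected system for folders whose names contain "shar"; when it finds one, it drops a copy of itself there under the name of a utility or a software crack. This gives the virus the ability to spread through P2P software and through LAN shares, and the deceptive names of those copies make it easier for users to fall for them.

  Mass infection puts even more infected mail into circulation, seriously wastes network resources, and eventually leaves mail servers highly unstable or even down, which is very damaging for enterprise users.

  Kingsoft Duba completed its emergency response the same day and updated its virus database; updating to the February 26, 2004 virus database fully handles this virus. Duba users should enable the mail firewall and the virus firewall to keep the virus out. The technical characteristics of the virus follow: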


  Virus information:

  Virus name: Worm.Netsky.c
  Chinese name: "网络天空" (NetSky) variant
  Threat level: 3A
  Aliases:    W32.Netsky.c@MM [Symantec]
              I-Worm.Moodown.c [Kaspersky]
              WORM_NETSKY.C [Trend]
  Virus type: Worm
  Affected systems: Win9x/WinMe/WinNT/Win2000/WinXP/Win2003


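  Technical characteristics:

  · Copies itself to %Windir%\Winlogon.exe, which is where the virus resides once it is on the system;

  · Under the following key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    it adds the following value
    "ICQ Net" = "%Windir%\winlogon.exe -stealth"
    so that the virus starts automatically when the machine boots;

  · Creates a ZIP archive in the %Windir% directory that contains a copy of the virus, and uses this archive as the e-mail attachment;

  · If the local system time is between 6:00 AM and 8:00 AM on 2004.2.26, the worm makes the computer beep continuously;

  · Searches the hard disk for e-mail addresses and collects them;

  · Checks all non-CD-ROM partitions for folders whose names contain "shar", then copies itself into
    each folder found under one of the following names, which gives the virus the ability to spread
    through P2P software and through LAN shares: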

    Microsoft WinXP Crack.exe
    Teen Porn 16.jpg.pif
    Adobe Premiere 9.exe
    Adobe Photoshop 9 full.exe
    Best Matrix Screensaver.scr
    Porno Screensaver.scr
    Dark Angels.pif
    XXX hardcore pic.jpg.exe
    Microsoft Office 2003 Crack.exe
    Serials.txt.exe
    Screensaver.scr
    Full album.mp3.pif
    Ahead Nero 7.exe
    Virii Sourcecode.scr
    E-Book Archive.rtf.exe
    Doom 3 Beta.exe
    How to hack.doc.exe
    Learn Programming.doc.exe
    WinXP eBook.doc.exe
    Win Longhorn Beta.exe
    Dictionary English - France.doc.exe
    RFC Basics Full Edition.doc.exe
    1000 Sex and more.rtf.exe
    3D Studio Max 3dsmax.exe
    Keygen 4 all appz.exe
    Windows Sourcecode.doc.exe
    Norton Antivirus 2004.exe
    Gimp 1.5 Full with Key.exe
    Partitionsmagic 9.0.exe
    Star Office 8.exe
    Magix Video Deluxe 4.exe
    Clone DVD 5.exe
    MS Service Pack 5.exe
    ACDSee 9.exe
    Visual Studio Net Crack.exe
    Cracks & Warez Archive.exe
    WinAmp 12 full.exe
    DivX 7.0 final.exe
    Opera.exe
    IE58.1 full setup.exe
    Smashing the stack.rtf.exe
    Ulead Keygen.exe
    Lightwave SE Update.exe
    The Sims 3 crack.exe

  · Characteristics of the infected e-mail:
The following subject lines may be used:
Delivery Failed
Status
report
question
trust me
hey
Re: excuse me
read it immediatelly
hi
Re: does it?
Yep
important
hello
dear
Re: unknown
fake?
warning
moin
what's up?
info
Re: information
Here is it
stolen
private?
good morning
illegal...
error
take it
re:
Re: Re: Re: Re:
you?
something for you
exception
Re: hey
excuse me
Re: hi
Re: does it?
Re: important
Re: hello
believe me
Question
denied!
notification
Re: <5664ddff?$??o2>
lol
last chance!
I'm back!
its me
notice!

The following message bodies may be used:



what means that?
help attached
<...>
ok...

that is interesting...
i wait for your comment about it.
such as yours?
read the details.
gonna?
here is the document.
*lol*
read it immediately!
i found that about you!
your hero in the picture?
yours?
here is it.
illegal st. of you?
is that true?
account?
is that your name?
picture?
message?
is that your account?
pwd?
I wait for an answer!
abuse?
is that yours?
you are a bad writer
I don't know your document!

I have your password!
you won the rk!
something about you!
classroom test of you?
kill the writer of this document!
old photos about you?
i hope thats not true!
your name is wrong!
does it match?
i found this document about you.
time to fear?
really?
do you know this????
i know your document!
did you sent it to me?
this file is bad!
why should I?
pages?
her.
another pic, have fun! ... :->
test it
child porn?
greetings
xxx ?
stuff about you?
your document is not good
something is going wrong!
your photo is poor
information about you?
the information is wrong!
doc about me?
kill him on the picture!
from the chatter (my photo!)
from your lover ;-)
love letter?
here, the serials
are you a teacherin the picture?
here, the introduction
is that criminal?
here, the cheats
i like your doc!
what do you think about it?
that's a funny text.
that's not the truth?
do you have?
instruct me about this!
i lost that
i am speachless about your document!
is that the reality?
reply
msg
your design is not good!
important?
your TAN number?
take it easy!
why?
you are naked in this document!
thats wrong!
your icq number?
i am desperate
modifications?
your personal record?
yes.
misc. and so on. see you!
your attachment? verify it.
you earn money, see the attachment!
is that your attachment?
is that your website?
you feel the same.
meaning of that?
possible?
you have tried to steal!
did you ask me for that?
you are bad
your job? (I found that!)
is that possible?
something is going ...
something is not ok
did you know from this document?
wrong calculation! (see the attachment!...
never!
poor quality!
good work!
excellent!
great!
i don't think so.
pretty pic about you?
docs?
schoolfriend?

<09580985869gj>
i want more...
here is the next one!
attachi#
did you see her already?
is that your wife?
is that your creditcard?
is that your photo?
do you think so?
do you have the bug also?
already?
forgotten?
drugs? ...
does it matter?
i have received this.
best?
the truth?
your body?
your eyes?
your face?
File is self-decryting.
File is damaged.
File is bad.
i saw you last week!
xxx service
your account is expired!
you cannot hide yourself! (see photo)
copyright?
what still?
who?
how?

only encrypted!
personal message!
my advice....
i've found it about you
<<>>


great xxx!
man or women?
child or adult?
here is yours!
a crazy doc about you
xxx about you?
i don't want your xxx pics!


doc?
trial?
what?
;-)
i need you!
correct it!
see this!
it's a secret!
this is nothing for kids!
it's so similar as yours!
is that your car?
do not give up!
great job!
here is the $%%454$
you are sexy in this doc!
incest?
let it!
you look like an ape!
you look like an rat?
be mad?
are you cranky?
bob the builder
did you know that?
money?
is that your car?
is this information about you?
is that your privacy?
is that your TAN?
is that your message?
is that your cd?
is that your finger?
your are naked?
is that your porn pic?
is that your work?
is that your family?
is that your beast?
is that your account?
is that your slip?
is that your domain?
are you the naked one?
are you the naked person!
are you the one?
does it belong to you?
do you have sex in the picture?
you have a sexy body in the pic!
your lie is going around the world!


lets talk about it!
do you know the thief?
are you a photographer?
you have done a mistake in the document...
its private from me
do not show this anyone!
new patch is available!
this is an attachment message!
in your mind?
Microsoft
fast food...
Your bill.
try this patch!
do you have an orgasm in the picture?


Transaction failed. Show the doc!
I 've found your bill!
see your name!
You are infected. Read the details!
here is my advice.
here is my photo!
here is the
feel free to use it.
does it belong to you?
Login required! Read the attachment!
your document is silly!
is the pic a fake?
Antispam is turned off. See file!
Authentification required. Read the att...
solve the problem!

do not use my document!
do not open the attachment!
do not visit the pages on the list I se...
explain!
tell me more about your document!
Your provider will be disabled!
Instant patches.

The following attachment names may be used:
document
associal
msg
yours
doc
wife
talk
message
response
creditcard
description
details
attachment
pic
me
trash
card
stuff
poster
posting
portmoney
textfile
moonlight
concert
sexy
information
news
note
number_phone
bill
mydate
swimmingpool
class_photos
product
old_photos
topseller
ps
important
shower
myaunt
aboutyou
yours
nomoney
birth
found
death
story
worker
mails
letter
more
website
regards
regid
friend
unfolds
jokes
doc_ang
your_stuff
location
454543403
final
schock
release
webcam
dinner
intimate stuff
sexual
ranking
object
secrets
mail2
attach2
part2
msg2
disco
freaky
visa
party
material
misc
nothing
transfer
auction
warez
undefinied
violence
update
masturbation
injection
naked1
naked2
tear
music
paypal
id
privacy
word_doc
image
incest

The attachment extension may be:
.txt
.rtf
.doc
.htm

In addition, one of the following extensions is appended after every extension above:
.exe
.scr
.com
.pif
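
The attachment naming rule above (a document-looking extension followed by an executable one, possibly wrapped in a ZIP) can be checked at a mail gateway. The following is an added example, not Kingsoft's code; the function names, the `decoys` parameter and the sample inputs are constructed for illustration.

```python
import io
import zipfile

# Extension sets from the advisory: a document-looking extension followed by
# an executable one, e.g. "details.txt.pif".
DECOY_EXTS = {".txt", ".rtf", ".doc", ".htm"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_disguised_executable(filename, decoys=DECOY_EXTS):
    """True if the name ends in <decoy extension><executable extension>."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    return "." + parts[1] in decoys and "." + parts[2] in EXEC_EXTS


def check_attachment(filename, data, decoys=DECOY_EXTS):
    """Return offending names for one attachment, looking inside ZIP archives."""
    hits = []
    if is_disguised_executable(filename, decoys):
        hits.append(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                # Compare only the file name, not any folder path in the ZIP.
                base = member.replace("\\", "/").rsplit("/", 1)[-1]
                if is_disguised_executable(base, decoys):
                    hits.append(f"{filename}!{member}")
    return hits


def build_sample_zip(member_name):
    """Constructed test input: a ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_attachment("details.txt.pif", b"placeholder"))
    print(check_attachment("document.zip", build_sample_zip("document.doc.scr")))
    print(check_attachment("notes.doc", b"placeholder"))
```

Passing a wider `decoys` set (for example adding `.jpg` and `.mp3`) also covers the share-folder names listed earlier, such as `Full album.mp3.pif`.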


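  Solution:

  · Kingsoft Duba's virus database of February 26, 2004 fully handles this virus;

  · The virus may create many copies of itself on the hard disk, which are hard to remove by hand;
    update Kingsoft Duba to the latest virus database to handle this virus.
    If Kingsoft Duba is not installed, you can visit http://online.kingsoft.net and use Kingsoft Duba's
    online scan or the downloadable edition of Kingsoft Duba to keep this virus out;
    Kingsoft provides anti-virus consultation to all users; the help hotline is 010-82326868.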
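
When triaging a host by hand, the Run-key value listed under the technical characteristics can be checked from saved `reg query` output. The following is an added example, not Kingsoft's code; the function names, the default `C:\WINDOWS` path and the sample output (including the `ExampleTray` entry) are constructed for illustration.

```python
import ntpath
import re

# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")

# Constructed sample of `reg query` output for the Run key; not from a real host.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ICQ Net    REG_SZ    C:\WINDOWS\winlogon.exe -stealth
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
"""


def parse_run_values(reg_query_output):
    """Map value name -> command line for every value line in the output."""
    values = {}
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name")] = match.group("data").strip()
    return values


def suspicious_run_entries(values, windir=r"C:\WINDOWS"):
    """Return [(value name, [reasons])] for entries matching the advisory."""
    system32 = ntpath.normcase(ntpath.join(windir, "System32"))
    findings = []
    for name, command in values.items():
        reasons = []
        expanded = re.sub(r"%(windir|systemroot)%", lambda _: windir,
                          command, flags=re.IGNORECASE)
        exe = re.match(r'"?(.+?\.exe)', expanded, re.IGNORECASE)
        path = ntpath.normcase(exe.group(1)) if exe else ""
        if name == "ICQ Net":
            reasons.append("value name used by the worm")
        # The genuine winlogon.exe lives in System32, not directly in %Windir%.
        if ntpath.basename(path) == "winlogon.exe" and ntpath.dirname(path) != system32:
            reasons.append("winlogon.exe outside System32")
        if "-stealth" in command.lower():
            reasons.append("-stealth argument")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(parse_run_values(SAMPLE_OUTPUT)):
        print(f"{name}: {', '.join(reasons)}")
```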

    [Editor: May]