Worm.Mytob.cn
Virus alias:
Processed on: 2005-09-02
Threat level: ★★
Chinese name:
Virus type: Worm
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behavior:
This is a worm that spreads through IRC and e-mail.
Once it runs, an attacker can control the user's machine over IRC and carry out destructive actions such as downloading virus files and rebooting the machine. It also uses its built-in SMTP engine to send itself as an e-mail attachment to the addresses it selects, and it blocks access to a large number of security websites.
1. Modifies the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "04, 00, 00, 00"
to turn off the Windows XP firewall (the SharedAccess service, whose start type is set to 4, i.e. disabled).
2. Automatically connects to the following IRC server:
irc.unixirc.net
and accepts the attacker's commands to carry out destructive actions, such as downloading virus files and copying them into the system directory.
3. Modifies the hosts file to block the following security websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.my-etrust.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 liveupdate.symantec.com
and others.
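The two host-side artifacts described in items 1 and 3 (the SharedAccess "Start" value and the hosts-file redirections) are the ones a responder can verify quickly. The following is an added example, not code from the original description or from any vendor tool: it decodes a registry "Start" DWORD as shown in an export (comma-separated little-endian bytes) into its service start type, and it scans hosts-file text for hostnames pointed at a loopback or unspecified address, marking which of them are on the vendor list quoted above. The hosts-file content embedded below is constructed for illustration; the domain list is taken from the page.

```python
# Added example: decode a service "Start" value and audit a hosts file for
# security-site redirections like those the worm writes. Not part of the page.

# Service start types as stored in HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Start
SERVICE_START_NAMES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "MANUAL", 4: "DISABLED"}

# Vendor hosts listed on the page as being redirected by the worm
SECURITY_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "www.mcafee.com", "www.viruslist.com", "www.f-secure.com",
    "www.avp.com", "www.networkassociates.com", "www.my-etrust.com",
    "dispatch.mcafee.com", "www.nai.com", "liveupdate.symantec.com",
}

# Addresses that make a hostname unreachable when used in the hosts file
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file (not a real capture) mixing normal and hijacked lines
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   www.mcafee.com
127.0.0.1 update.some-other-vendor.invalid   # constructed, not on the page's list
10.0.0.5  intranet.example.internal
"""


def decode_service_start(exported_value):
    """Turn a registry-export string like "04, 00, 00, 00" into a start-type name.

    The export shows the DWORD as little-endian bytes, so "04, 00, 00, 00" is 4.
    """
    raw = bytes(int(b, 16) for b in exported_value.replace(",", " ").split())
    return SERVICE_START_NAMES.get(int.from_bytes(raw, "little"), "UNKNOWN")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:                # one line may name several hosts
            yield ip, host.lower()


def on_watchlist(host, watchlist=SECURITY_DOMAINS):
    """True if host is a watched domain or a subdomain of one."""
    return host in watchlist or any(host.endswith("." + d) for d in watchlist)


def find_hijacked_entries(text, watchlist=SECURITY_DOMAINS):
    """Return (ip, host, watched) for every non-localhost name sent to a sinkhole address."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in SINKHOLE_ADDRS:
            hits.append((ip, host, on_watchlist(host, watchlist)))
    return hits


if __name__ == "__main__":
    print("SharedAccess Start =", decode_service_start("04, 00, 00, 00"))
    for ip, host, watched in find_hijacked_entries(SAMPLE_HOSTS):
        flag = "KNOWN SECURITY SITE" if watched else "review"
        print(f"{ip:<10} {host:<40} {flag}")
```

Any non-localhost name mapped to a loopback or unspecified address is reported, not only the vendors on the page's list, because the description itself ends its list with "and others"; entries off the list are marked for review rather than ignored. On a live system the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the exported "Start" value of the SharedAccess key.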
4. Searches for e-mail addresses in files whose names end with the following extensions:
htmb
shtl
jspl
xmls
cgil
phpq
aspd
tbbg
dbxn
adbh
pl
html
wab
5. The body of the e-mail is one of the following:
Dear user
You have successfully updated the password of your count.
If you did not authorize this change or if you need assistance with your account, please contact %s customer service at:
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
Dear user
It has come to our attention that your %s User Profile ( x ) records are out of date. For further details see the attached document.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
Dear %s Member,
We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
6. The virus sends itself out as an attachment using its built-in SMTP engine.
7. It avoids sending to e-mail addresses containing the following strings:
ibm.com
linux
berkeley
foo
ruslis
nodomai
mydomai
example
hotmail
panda
sopho
someone
your
bugs
rating
service
privacy
help
and so on.