Worm.Mytob.bi

王朝 other · Author: anonymous  2008-08-14

Virus name (Chinese):

Aliases:

Threat level:

★★☆☆☆

Virus type:

Worm

Virus length:

93696

Affected systems:

Win9x, WinMe, WinNT, Win2000, WinXP, Win2003

Virus behavior:

This is a worm that spreads through IRC and e-mail.

The worm first terminates a large number of security programs, then drops its file into a fixed directory and runs it, and modifies the registry so that it starts automatically at boot. It then connects to an IRC server, through which an attacker can control the user's machine and carry out destructive actions such as downloading further malicious files. The worm also harvests e-mail addresses found on the user's machine and sends itself out as an attachment.

1. Drops its file to the following location:

C:\WINNT\System32\wID32.exe

2. Adds registry entries:

HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run

"WINDOWSIDSYSTEM"="\wID32.exe"

so that it runs at startup.

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start

"Start"="4"

Disables the sharing feature of Windows 2000/XP.

3. Terminates the following processes:

"ANTI-TROJAN.EXE"

"ANTIVIRUS.EXE"

"ATGUARD.EXE"

"AUTOTRACE.EXE"

"AVP32.EXE"

"AVWUPD.EXE"

"BEAGLE.EXE"

"BIPCPEVALSETUP.EXE"

"BLSS.EXE"

"BPC.EXE"

"CPF9X206.EXE"

"DLLCACHE.EXE"

"ETRUSTCIPE.EXE"

"FIH32.EXE"

"HOTPATCH.EXE"

"CMD.EXE"

"TASKMGR.EXE"

etc.

4. Modifies the hosts file so that the user cannot reach certain web sites:

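The hosts-file tampering described in item 4 can be checked for directly. The following is an added example written for this page, not code from the original advisory: it parses hosts-file text and reports every hostname pointed at a blackhole address. It goes slightly beyond the page's 127.0.0.1 entries by also treating ::1 and 0.0.0.0 as blackholes. The sample hosts content is constructed.

```python
"""Audit hosts-file text for names hijacked to a loopback/unspecified address."""
import ipaddress
from typing import List, Tuple

# Names that legitimately map to loopback in a clean Windows hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: clean lines plus tampered lines in the style the worm
# writes (tabs, several names on one line, inline comments, IPv6 loopback).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1\twww.symantec.com
127.0.0.1 securityresponse.symantec.com symantec.com   # two names, one line
127.0.0.1 update.symantec.com
0.0.0.0 www.mcafee.com
192.168.1.10    intranet.example   # constructed, not a blackhole
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()                 # any run of blanks separates fields
        addr, names = fields[0], fields[1:]
        pairs.extend((addr, name.lower()) for name in names)
    return pairs


def is_blackhole(addr: str) -> bool:
    """True when the address makes a name unreachable: loopback or 0.0.0.0/::."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                          # malformed address; not this check's job
    return ip.is_loopback or ip.is_unspecified


def find_hijacked(text: str) -> List[Tuple[str, str]]:
    """Names sent to a blackhole address that are not ordinary loopback names."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if is_blackhole(addr) and name not in LEGIT_LOOPBACK_NAMES]


if __name__ == "__main__":
    for addr, name in find_hijacked(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {addr} -> {name}")
```

On a real host, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacked; any vendor domain in the result is a strong sign of this kind of tampering.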

5. Harvests e-mail addresses on the user's machine and sends itself out as an attachment.

The message body is one of the following:

Dear user %s,

You have successfully updated the password of your %s account.

If you did not authorize this change or if you need assistance with your account, please contact %s customer service at: %s

Thank you for using %s!

The %s Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.%s

Dear user %s,

It has come to our attention that your %s User Profile (x) records are out of date. For further details see the attached document.

Thank you for using %s!

The %s Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.%s

etc.

6. It then connects to an IRC server, through which an attacker can control the user's machine and carry out destructive actions such as downloading further malicious files.

© 2005- 王朝网络 All rights reserved