Variant M (Worm.Mydoom.m)

A variant is a strain that differs from its parent (the previous generation) through divergent mutation.

Name

"MYDOOM" variant M (Worm.Mydoom.m)

Related information

Kingsoft Antivirus (金山毒霸) intercepted the "MYDOOM" variant M worm on the afternoon of July 27. The worm spreads aggressively by e-mail; its most distinctive feature is that it uses search engines such as Google to look up e-mail addresses and then sends infected mail to them. It has already broken out on a large scale abroad. Kingsoft Antivirus reminds users to stay alert and guard against this virus.
Kingsoft Antivirus issued an emergency virus-database update the same day; upgrading to the latest database fully handles the virus.
Virus information (1):
Virus name: Worm.Mydoom.m
Chinese name: "MYDOOM"
Threat level: 3C
Alias: I-Worm.Mydoom.m [AVP]
Virus type: worm, backdoor
Affected systems: Win9x/WinNT/Win2K/WinXP/Win2003
Damage:
A. Uses its own mail-sending engine to send virus mail
B. Uses search engines such as Google to obtain e-mail addresses and sends virus mail to those addresses
C. Opens TCP port 1034 as a backdoor and waits for an attacker to connect
Symptoms:
After the virus runs, it searches for e-mail addresses in files with the following extensions:
.adb .asp .dbx .htm .php .pl .sht .tbb .txt .wab
If e-mail addresses are found in these files, the virus uses the following search engines to look for more e-mail addresses:
search.lycos.com
www.altavista.com
search.yahoo.com
www.google.com
The subject of the virus mail is one of the following:
say helo to my litl friend
click me baby, one more time
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The body of the virus mail may be one of the following (braces {a|b} list alternatives chosen at send time, an empty alternative means the text may be omitted, and <...> marks a value the worm fills in):
Dear user {<recipient address>|of <recipient domain>},{ {{M|m}ail
{system|server} administrator|administration} of <recipient domain>
would like to {inform you{ that{:|,} |}|let you know {that|the
following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail
|}account {has been|was} used to send a {large|huge} amount of
{{unsolicited{ commercial|}|junk} e{-|} mail|spam}{ messages|} during
{this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had
been|was} {compromised|infected{ by a recent vs|}} and now
{run|contain}s a {trojan{ed|} |hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the
|}instruction{s|} {in the {attachment|attached {text |}file} |}in order
to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{<recipient domain> {user |technical |}support team.|The <recipient domain> {support |} team.}
{The|This|Your} message was{ undeliverable| not delivered} due to the
following reason {(s)|}:
Your message {was not|could not be} delivered because the destination
{computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within <random number> days:
{{{Mail s|S}erver}|Host} } is not
responding.
The following recipients {did|could} not receive this message:
<<recipient address>>
Please reply to postmaster@{<sender domain>|<recipient domain>}
if you feel this message to be in error.
The original message was received at 【current time】{
| }from {<sender domain> 】|{】|】}}
----- The following addresses had permanent fatal errors -----
{<<recipient address>>|<recipient address>}
{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server ||||}{<recipient domain>.|】}:
{>>> MAIL F{rom|ROM}:【From address of mail】
<<< 50$d {【From address of mail】... |}{Refused|
{Accessd|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <<recipient address>>... {Mail quota exceeded|Message is too large}
554 <<recipient address>>... Service unavailable|550 5.1.2 <<recipient address>>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service
unavailable; 】 blocked using {relays.osirusoft.com|bl.spamcop.net}{,
reason: Blocked|}
Session Aborted{, reason: lost connection|}|>>> RCPT To:<<recipient address>>
<<< 550 {MAILBOX NOT FOUND|5.1.1 <<recipient address>>... {User
unknown|Invalid recipient|Not known here}}|>>> DATA
{<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}<<< 400}|}
The original message was included as attachment
{{The|Your} m|M}essage could not be delivered
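The body templates above use a brace-alternation grammar, which makes them directly usable as mail-filter rules. The following is an added example, not code from the page or from any antivirus vendor: a small parser that compiles one such template into a regular expression, then classifies a sample body against two of the templates. The template names, the English placeholder name <random number> and the sample bodies are my own; whitespace is matched loosely because the page wraps the templates across lines.

```python
import re

# Grammar as documented above: {a|b} picks one branch, braces nest, an empty
# branch makes that text optional, and <...> is a value the worm fills in when
# sending (recipient address, domain, random number).
_PLACEHOLDER = re.compile(r"(<[^<>]+>)")

def _literal(text: str) -> str:
    """Escape literal text: <placeholder> -> one non-space run, whitespace -> \\s+."""
    out = []
    for piece in _PLACEHOLDER.split(text):
        if piece.startswith("<") and piece.endswith(">"):
            out.append(r"\S+")
        else:
            out.append(r"\s+".join(re.escape(w) for w in re.split(r"\s+", piece)))
    return "".join(out)

def template_to_regex(template: str) -> str:
    """Recursive-descent translation of one template into regex source."""
    def parse(i):
        branches, frag, lit = [], [], ""
        while i < len(template):
            ch = template[i]
            if ch == "{":                       # nested group; recursion eats the '}'
                frag.append(_literal(lit)); lit = ""
                inner, i = parse(i + 1)
                frag.append(inner)
            elif ch == "|":                     # next alternative of this group
                frag.append(_literal(lit)); lit = ""
                branches.append("".join(frag)); frag = []
                i += 1
            elif ch == "}":                     # close this group
                branches.append("".join(frag) + _literal(lit))
                return "(?:" + "|".join(branches) + ")", i + 1
            else:
                lit += ch; i += 1
        branches.append("".join(frag) + _literal(lit))
        return "(?:" + "|".join(branches) + ")", i
    return parse(0)[0]

# Two of the page's body templates, with the placeholder named in English (assumption).
BODY_TEMPLATES = {
    "bounce_queue": "Your message {was not|could not be} delivered within <random number> days:",
    "spam_accusation": ("{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account "
                        "{has been|was} used to send a {large|huge} amount of "
                        "{{unsolicited{ commercial|}|junk} e{-|} mail|spam}{ messages|} during "
                        "{this|the {last|recent}} week."),
}
BODY_PATTERNS = {n: re.compile(template_to_regex(t), re.IGNORECASE) for n, t in BODY_TEMPLATES.items()}

def classify_body(body: str):
    """Name of the first lure template found in a mail body, or None."""
    return next((n for n, p in BODY_PATTERNS.items() if p.search(body)), None)
```

Feeding the remaining templates into BODY_TEMPLATES extends the filter without touching the parser.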
The attachment name is one of the following:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message
<domain name>
The attachment extension is one of the following:
cmd
bat
com
exe
pif
scr
zip
Sometimes the attachment carries two extensions; the extra (inner) extension may be:
doc
htm
html
txt
Mail is not sent to an address that contains any of the following strings:
arin. avp bar. domain example foo.com gmail gnu. google hotmail microsoft msdn. msn. panda rarsoft ripe. sarc. seclist secur sf.net sophos sourceforge spersk syma trend update uslis winrar winzip yahoo anyone ca feste foo gold-certs help info me no nobody noone not nothing page rating root site soft someone the.bat you your admin support ntivi submit listserv bugs secur privacycertific accoun sample master abuse spam mailer-d
The virus opens TCP port 1034 as a backdoor.
Technical features:
A. Copies itself to:
%SystemRoot%\java.exe
%SystemRoot%\services.exe
(Note the location: the legitimate services.exe lives in %SystemRoot%\System32, so a services.exe directly under %SystemRoot% is a sign of infection.)
B. Adds the following values under the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Services" = "%SystemRoot%\services.exe"
"JavaVM" = "%SystemRoot%\java.exe"
C. Creates the following two log files:
%Temp%\zincite.log
%Temp%\%Rand%.log
Solutions:
A. Use the Kingsoft Antivirus virus database dated 27 July 2004, which fully handles this virus;
B. Enable the mail firewall to block virus mail from entering the system;
C. Develop good habits: do not casually open mail with attachments. Attachments must be scanned by antivirus software before they are opened.
