Worm.Salga.a

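This worm copies itself aggressively into every directory on the disk and repeatedly into certain system directories, consuming large amounts of system resources and disk space. It also creates an autorun.inf file in the root directory of each writable logical drive, so the worm runs silently every time the user opens the drive. The worm modifies the registry to add itself to the auto-start entries and disables System Restore.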

Virus information

Virus alias: Email-Worm.Win32.Salga.a[AVP]

Virus behavior

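The worm then searches the Outlook address book for e-mail addresses and sends itself out as an attachment to infect more machines. The attachment names are enticing, and because they contain multiple "." characters, the "exe" extension may be hidden, so a careless user is easily caught. The worm also copies itself to writable network drives on the LAN to spread, then sends every user on the LAN a fake message to trick them into clicking a copy of the worm. It also displays dialog boxes that use making friends and patching the system as bait to steal the user's e-mail address and password.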

Attack process

Aggressive self-replication

1)

%SystemRoot%\system\system copy.exe

%SystemRoot%\acdsee demo.exe

%SystemRoot%\system32\egywormo[gen1].exe

c:\Britny spears marrage with Bnladensun.zip

c:\hard core hook from web

c:\hard core hook from web\setup.zip.exe

%SystemRoot%\All Users\Desktop\sex cam

%SystemRoot%\All Users\Desktop\sex cam\sex photoes of monika.zip.exe

%SystemRoot%\All Users\Start Menu\Programs\StartUp\ana~1.exe

%SystemRoot%\Documents and Settings\All Users\Start Menu\Programs\Startup\egy~1

%SystemRoot%\Start Menu\inter net speeder.zip.exe

%SystemRoot%\start menu\programs\new chat prog.zip.exe

C:\Documents and Settings\All Users\DESKTOP\holywood stuff film.zip.exe

C:\Documents and Settings\All Users\Start Menu\nicole kidman sexy cam.zip.exe

C:\Documents and Settings\All Users\Start Menu\Programs\your sexy cam.zip.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\magic graphices maker.zip.exe

C:\Program Files\Accessories\BRITNY SPEARS MARRAGE.zip...............exe

C:\Program Files\Accessories\Details of new friends.zip...............exe

C:\Program Files\Accessories\Details.zip...............exe

C:\Program Files\Accessories\hard sex files.zip...............exe

C:\Program Files\Accessories\Is Bnladen realy cow boy.zip...............exe

C:\Program Files\Accessories\kasper2005.zip...............exe

C:\Program Files\Accessories\Nicole kidman.zip...............exe

d:\autorun.inf

########

[autorun]

open=FUN.ZIP.EXE

########

d:\FUN.ZIP.EXE

d:\girlfriends emails.zip.exe

d:\hook all sex movies from webs

d:\hook all sex movies from webs\setup.zip.exe

d:\new computer worm alert

d:\new computer worm alert\virus alert.txt

d:\NEW PROGRAMS

e:\autorun.inf

########

[autorun]

open=Messenger 9.00.ZIP.EXE

########

e:\Messenger 9.00.ZIP.EXE

e:\blood of fetch sex.zip.exe

e:\real sex telephones

e:\real sex telephones\call from me.zip.exe

2)

Creates a shared folder and a shared file:

C:\Britny

c:\Britny\NEW FILM.ZIP.EXE

3)

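Searches all directories and files on the disk; for each file or directory A it finds, it creates a copy of the worm named A.exe in the same location.

Repeatedly tries to copy itself into the following directories, with randomly generated file names:

<system drive>\<system directory name><random number>.exe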

c:\program files\

%SystemRoot%\system\
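The autorun.inf files shown above launch the worm through the `open=` key. The following is an added example, not part of the original entry, of a check that reads an autorun.inf and reports launch keys that point at an executable; the function names and the extension list are assumptions, and the sample inputs are rebuilt from the listings above.

```python
import re

# Keys in [autorun] that start a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Target up to an executable extension (assumed list); names may contain spaces.
TARGET = re.compile(r'"?(.+?\.(?:exe|scr|pif|com|bat|cmd))(?="|\s|$)', re.I)


def autorun_launch_keys(text):
    """Return {key: command} for launch keys found in the [autorun] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Lines outside [autorun], or without "=", carry no launch command.
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            found[key.strip().lower()] = value.strip()
    return found


def executable_launches(text):
    """Return (key, target) pairs whose target has an executable extension."""
    hits = []
    for key, command in autorun_launch_keys(text).items():
        match = TARGET.match(command)
        if match:
            hits.append((key, match.group(1)))
    return hits


# Samples rebuilt from the d:\ and e:\ listings above, delimiter lines included.
SAMPLE_D = "########\n[autorun]\nopen=FUN.ZIP.EXE\n########\n"
SAMPLE_E = "########\n[autorun]\nopen=Messenger 9.00.ZIP.EXE\n########\n"
# Constructed benign file: icon and label only, plus a document launch.
SAMPLE_BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup\nshellexecute=readme.htm\n"

if __name__ == "__main__":
    for name, sample in (("d:", SAMPLE_D), ("e:", SAMPLE_E), ("ok", SAMPLE_BENIGN)):
        print(name, executable_launches(sample))
```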

Registry modifications

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

"windows"="%SystemRoot%\system\system copy.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

"system xp"="%SystemRoot%\acdsee demo.exe"

HKEY_CURRENT_USER\Software\Kazaa\Transfer\

"StartKazaa -SilentRun"="C:\Program Files\Kazaa\My Shared Folder\Shared"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

"DisableConfig"=dword:1

"DisableSR"=dword:1

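Spread by e-mail

Searches the Outlook address book for e-mail addresses and sends itself as an attachment to infect more machines. The attachment may have any of the following names: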

huge sexy brests program v 1.7.00.zip.exe

3d msn version 10.1.zip................exe

this files is very secret files.zip.........exe

new film.zip.........exe

i robot.zip.........exe

anti virus.zip.........exe

fire wall.zip.........exe

news.zip.........exe

yahoo.zip.........exe

aol.zip.........exe

mirc.zip.........exe

hack.zip.........exe

virus.zip.........exe

animal photos.zip.........exe

USA secrets.zip.........exe

photo shop.zip.........exe

deutsh programs.zip.........exe

wwf.zip.........exe

tourism.zip.........exe

fear.zip.........exe

autocade.zip.........exe

3dstoudio.zip.........exe

scince of water.zip.........exe

office 2005.zip.........exe

antibiotics.zip.........exe

viagra.zip.........exe

visual basic projects.zip.........exe

FBI secrets.zip.........exe

FOOTBALL IN ENGLAND.zip.........exe

TOY 2006.zip.........exe

Britny Spears.zip.........exe

Dracola.zip.........exe

pebsi.zip.........exe

news paper.zip.........exe

cocacola.zip.........exe

songs.zip.........exe

norton 2005.zip.........exe

xxl plus.zip.........exe

lesbien.zip.........exe

hard core.zip.........exe

sex plus.zip.........exe

computers in 2010.zip.........exe

ssParis_Hilton_(Nude Screen Saver).scr.............exe

Win32System_Tweaks_v1.0.zip.........exe

ms games.zip.........exe

Virtual_3D_Pinball.zip.........exe

ssPamela_Anderson_(Naked Screen Saver).scr.........exe

Game_Crack_Genie_v0.5.zip.........exe

MsDos_PortScanner.zip.........exe

Wmplayer_Celebrity_Skins.zip.........exe

Shockwave Flash.zip.........exe

SWF_Movie.zip.........exe

FlashMovie.zip.........exe

XXX video.zip.........exe

Cat attacks child.zip.........exe

SWF.zip.........exe

Comedy video.zip.........exe

Simpsons Episode (#)..zip.........exe

Tutorial Video on Hacking.........exe

MacroMedia Flash 6.0.zip.........exe

[SWF] - The Fast and the Furious.zip.........exe

[SWF] - Swordfish.........exe

[SWF] - Harry Potter and the philosophers stone.zip.........exe

big one in the world.zip.........exe

new film.zip.........exe

Iraq war.zip.................exe

USA discvered water in mars yesterday.doc.zip.................exe

Britny spears and Madona sex viedio in 24 min only.zip.................exe

strong fire wall allover the world with thelast update of norton.zip.................exe

last messengers versions.zip.................exe

learn photo shop in 3 days only.zip.................exe

new girls emails with there phone numbers.zip.................exe

new cupied photos.zip.................exe

Mail subject:

Sir new victem

Mail body:

Hi:sir i'm your server Egywormo[gen1] this is new victem who has own outlook machine i caputre his contacts and go there to infect them.... ok i'll go now and see you soon when i infect more ......bibi sir

Spread via disks

Copies itself to writable network drives to infect more machines:

c$\windows\system32\pass word of hotmail store.zip................exe

c$\documment and settings\all users\documents\secret documents.zip......................exe

c$\money generator very dengerous and secrt.zip..........................exe

c$\shared\my sallary every mmonth increaser.................................exe

ipc$\secret photoes from my chat.zip...............................exe

c$\winnt\systemm32\speial films links in net.zip.............................exe

admin$\system32\see this it is very intersting.zip...................................exe
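The attachment names and network-share copies listed above share one pattern: a harmless-looking extension such as .zip, .scr or .doc, often a run of dots, and then the real .exe extension. The following is an added example, not part of the original entry, of a file-name check a mail gateway or share scanner could apply; the function names and both extension lists are assumptions.

```python
import re

# Extensions Windows runs directly (assumed short list; extend for your environment).
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions a recipient reads as a document or archive (assumed list).
DECOY = {"zip", "rar", "doc", "txt", "jpg", "pdf", "scr", "swf"}


def deceptive_extension(filename):
    """Return the reasons a file name hides an executable extension ([] if none)."""
    # Keep only the last path component; accepts both "\" and "/" separators.
    base = re.split(r"[\\/]", filename)[-1].strip().lower()
    stem, dot, ext = base.rpartition(".")
    if not dot or ext not in EXECUTABLE:
        return []
    reasons = []
    # Dots left at the end of the stem are padding: "name.zip.........exe".
    padding = len(stem) - len(stem.rstrip("."))
    if padding:
        reasons.append("dot-padding:%d" % (padding + 1))
    # The extension the user sees once the padding is ignored.
    inner = stem.rstrip(". ")
    _, inner_dot, inner_ext = inner.rpartition(".")
    if inner_dot and inner_ext in DECOY:
        reasons.append("decoy:.%s->.%s" % (inner_ext, ext))
    return reasons


def flag_names(names):
    """Map each flagged name to its reasons; clean names are left out."""
    return {n: r for n in names if (r := deceptive_extension(n))}


# Names taken from the lists above, followed by three constructed benign names.
SAMPLES = [
    "new film.zip.........exe",
    "Tutorial Video on Hacking.........exe",
    r"c:\hard core hook from web\setup.zip.exe",
    r"c$\shared\my sallary every mmonth increaser.................................exe",
    "setup.exe", "notes.v2.exe", "archive.zip",
]

if __name__ == "__main__":
    for name, why in flag_names(SAMPLES).items():
        print(why, name)
```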

Other

Sends the following message to all users on the LAN:

hi welcome in our net cafe you can see the new film of Britny spears from the computer which shown it is very interesting film or see it from any shared folder <>

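Tries to access images on the network and display them. Displays 2 dialog boxes: one tells the user that the system needs a patch, tricking the user into downloading and running the worm; the other uses making friends as bait to steal the user's e-mail address and password, which are sent to a specified e-mail address.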
