Beware of the network worm Net-Worm.Win32.Mytob.x

Repost: Beware of the network worm Net-Worm.Win32.Mytob.x
Source: Antiy Labs, http://www.antiy.com/index.htm

Content:

This week we remind users to watch out for the latest variant of the Mytob family, Net-Worm.Win32.Mytob.w. It is a worm that spreads by several means: it exploits the Microsoft MS04-011 vulnerability, and it mails itself out as an e-mail attachment. The worm borrows the Windows JPG file icon to trick users into opening it. Once run, it drops several files under %HomeDrive% and %System%, modifies the registry, and adds a copy of itself to the startup entries so that it runs whenever the system starts. It also connects to an IRC server, where it waits for and accepts commands from the attacker. In addition, it modifies the infected system's %System%\drivers\etc\hosts file to block access to certain anti-virus and security web sites, in an attempt to keep the user from removing it.

Files dropped on execution, with the corresponding detection name:

    %SystemDrive%\funny_pic.scr        Net-Worm.Win32.Mytob.x
    %SystemDrive%\my_photo2005.scr     Net-Worm.Win32.Mytob.x
    %SystemDrive%\see_this!!.scr       Net-Worm.Win32.Mytob.x
    %SystemDrive%\hellmsn.exe          Net-Worm.Win32.Mytob.f
    %System%\msvhost.exe

Registry changes: a new value named WINTASK, with the string data "msvhost.exe", is created at each of the following locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\WINTASK
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINTASK
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WINTASK
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\WINTASK
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WINTASK
    HKEY_USERS\Software\Microsoft\OLE\WINTASK
    HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\WINTASK
    HKEY_USERS\SYSTEM\CurrentControlSet\Control\Lsa\WINTASK

Hosts file changes: the worm modifies %System%\drivers\etc\hosts, appending the following entries so that these sites resolve to the local machine and cannot be reached:

    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 ispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.trendmicro.com

Mass mailing: once running, the worm harvests e-mail addresses from files with certain extensions on the local host and from the Windows Address Book, then sends itself to those addresses.

The subject may be one of:
    Error
    hello
    Status
    Good day
    Server Report
    Mail Delivery System
    Mail Transaction Failed

The body may be one of:
    Here are your banks documents.
    The original message was included as an attachment.
    Mail transaction failed. Partial message is available.
    The message contains Unicode characters and has been sent as a binary attachment.
    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment carries a double extension:
    First extension: DOC, TXT or HTM
    Second extension: PIF, SCR, EXE or ZIP

Appendix:
    Antiy Ghostbusters 2005+ trial download: http://www.antiy.com/product/ghostbusters/index.htm
    Virus submission mailbox: submit@virusview.net
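As an added defensive example (not part of the Antiy advisory), the following script checks for the two host-side artifacts described above: hosts-file entries that redirect security vendor domains to 127.0.0.1, and attachment names that use the worm's double-extension pattern. The vendor list is taken from the hosts entries above; the sample hosts text and file names are constructed for illustration.

```python
import re

# Vendor domains the advisory lists as blocked by the worm. Any host under one
# of these that points at loopback is treated as a hijacked entry.
VENDOR_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                  "mcafee.com", "viruslist.com", "f-secure.com", "kaspersky.com",
                  "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
                  "nai.com", "trendmicro.com", "microsoft.com")

# Double-extension pattern from the advisory: harmless-looking first extension,
# executable or archive second extension (e.g. readme.doc.pif).
FIRST_EXT = {"doc", "txt", "htm"}
SECOND_EXT = {"pif", "scr", "exe", "zip"}

# Constructed sample, not a real capture.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
192.168.1.10 intranet.example.com
"""

def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map a vendor domain to 127.0.0.1."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        parts = line.split()
        if len(parts) < 2 or parts[0] != "127.0.0.1":
            continue
        for host in parts[1:]:
            host = host.lower()
            if host == "localhost":
                continue            # the one loopback entry that belongs there
            if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                found.append((parts[0], host))
    return found

def is_mytob_style_attachment(filename):
    """True for names like photo.txt.scr; False for single or other extensions."""
    m = re.fullmatch(r".+\.([A-Za-z]+)\.([A-Za-z]+)", filename)
    if not m:
        return False
    return m.group(1).lower() in FIRST_EXT and m.group(2).lower() in SECOND_EXT

if __name__ == "__main__":
    for ip, host in hijacked_hosts_entries(SAMPLE_HOSTS):
        print("hijacked hosts entry:", ip, host)
    for name in ("readme.doc.pif", "report.doc", "archive.tar.gz"):
        print(name, "->", is_mytob_style_attachment(name))
```

On a live Windows system, read %SystemRoot%\System32\drivers\etc\hosts into `hijacked_hosts_entries`; any hit should be removed and the WINTASK persistence values listed above checked as well.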