Variant M (Worm.Mydoom.m): Introduction and Profile (百科网)


2018-10-09 01:09:47, Science Encyclopedia (科学百科)

Name

 "MYDOOM" variant M (Worm.Mydoom.m)

Related information

Kingsoft AntiVirus (金山毒霸) intercepted the "MYDOOM" variant M worm on the afternoon of 27 July 2004. The worm spreads aggressively by e-mail; its most distinctive feature is that it uses search engines such as Google to find further e-mail addresses and then sends infected mail to them. It had already broken out on a large scale outside China. Kingsoft urged users to stay alert and guard against it.

  Kingsoft AntiVirus issued an emergency virus-definition update the same day; updating to the latest definitions fully handles the worm.



  Virus information (1):

  Virus name: Worm.Mydoom.m
  Chinese name: "MYDOOM"
  Threat level: 3C
  Alias: I-Worm.Mydoom.m [AVP]
  Type: worm, backdoor
  Affected systems: Win9x/WinNT/Win2K/WinXP/Win2003

  Damage:
  A. Sends infected e-mail with its own SMTP engine
  B. Harvests e-mail addresses through search engines such as Google and sends infected e-mail to them
  C. Opens TCP port 1034 as a backdoor and waits for the attacker to connect

  Symptoms:

  Once running, the worm searches files with the following extensions for e-mail addresses:
  .adb .asp .dbx .htm .php .pl .sht .tbb .txt .wab

  If it finds e-mail addresses in those files, it uses the following search engines to look for
  more e-mail addresses:
  search.lycos.com
  www.altavista.com
  search.yahoo.com
  www.google.com
  The subject of the virus e-mail is one of the following:
  say helo to my litl friend
  click me baby, one more time
  hello
  error
  status
  test
  report
  delivery failed
  Message could not be delivered
  Mail System Error - Returned Mail
  Delivery reports about your e-mail
  Returned mail: see transcript for details
  Returned mail: Data format error

  The body of the virus e-mail is one of the following (notation as on the page: {a|b|c} means the worm picks one alternative, groups nest, and an empty alternative such as {x|} is allowed; <...> is a value the worm fills in):
  Dear user {<recipient address>|of <recipient domain>},{ {{M|m}ail
  {system|server} administrator|administration} of <recipient domain>
  would like to {inform you{ that{:|,} |}|let you know {that|the
  following}{.|:|,}}|||||}
  {We have {detected|found|received reports} that y|Y}our {e{-|}mail
  |}account {has been|was} used to send a {large|huge} amount of
  {{unsolicited{ commercial|}|junk} e{-|} mail|spam}{ messages|} during
  {this|the {last|recent}} week.
  {We suspect that|Probably,|Most likely|Obviously,} your computer {had
  been|was} {compromised|infected{ by a recent vs|}} and now
  {run|contain}s a {trojan{ed|} |hidden} proxy server.
  {Please|We recommend {that you|you to}} follow {our |the
  |}instruction{s|} {in the {attachment|attached {text |}file} |}in order
  to keep your computer safe.
  {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
  {<recipient domain> {user |technical |}support team.|The <recipient domain> {support |} team.}

  {The|This|Your} message was{ undeliverable| not delivered} due to the
  following reason {(s)|}:
  Your message {was not|could not be} delivered because the destination
  {computer|server} was
  {not |un}reachable within the allowed queue period. The amount of time
  a message is queued before it is returned depends on local configuration
  parameters.
  Most likely there is a network problem that prevented delivery, but
  it is also possible that the computer is turned off, or does not
  have a mail system running right now.


  Your message {was not|could not be} delivered within <random number> days:
  {{{Mail s|S}erver}|Host} } is not
  responding.
  The following recipients {did|could} not receive this message:
  <<recipient address>>
  Please reply to postmaster@{<sender domain>|<recipient domain>}
  if you feel this message to be in error.
  The original message was received at 【current time】{
  | }from {<sender domain> 】|{】|】}}
  ----- The following addresses had permanent fatal errors -----
  {<<recipient address>>|<recipient address>}
  {----- Transcript of {the ||}session follows -----
  ... while talking to {host |{mail |}server ||||}{<recipient domain>.|】}:
  {>>> MAIL F{rom|ROM}:【From address of mail】
  <<< 50$d {【From address of mail】... |}{Refused|
  {Accessd|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <<recipient address>>... {Mail quota exceeded|Message is too large}
  554 <<recipient address>>... Service unavailable|550 5.1.2 <<recipient address>>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service
  unavailable; 】 blocked using {relays.osirusoft.com|bl.spamcop.net}{,
  reason: Blocked|}
  Session Aborted{, reason: lost connection|}|>>> RCPT To:<<recipient address>>
  <<< 550 {MAILBOX NOT FOUND|5.1.1 <<recipient address>>... {User
  unknown|Invalid recipient|Not known here}}|>>> DATA
  {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
  |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
  |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
  |}<<< 400}|}
  The original message was included as attachment


  {{The|Your} m|M}essage could not be delivered
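The {a|b|c} grammar above is what makes every copy of the lure read slightly differently, which defeats naive exact-match filters. The following is an added example, not code from the page or from the worm: a small expander for that grammar (nested groups, empty alternatives, top-level "|" and "}" treated as literal text), a variant enumerator for short excerpts, and a placeholder filler. The BOUNCE excerpt and FIELDS values are constructed here; the <random number>, <sender domain> and <recipient domain> names mirror the placeholders used in the translation above.

```python
import random
import re

# Grammar reconstructed from the page's body templates:
#   {alt1|alt2|...}  pick exactly one alternative; groups may nest and an
#                    empty alternative ("{x|}") is allowed.
#   <name>           a field the worm fills in (recipient address, domain, ...).
# Outside a group, "|" and "}" are ordinary characters.

def _parse(s, i=0, in_group=False):
    """Parse s[i:] into a list of alternatives. Each alternative is a list of
    literal strings and nested groups. Returns (alternatives, next_index)."""
    seq, buf = [], []
    alts = [seq]
    while i < len(s):
        ch = s[i]
        if ch == "{":
            if buf:
                seq.append("".join(buf)); buf = []
            group, i = _parse(s, i + 1, True)
            seq.append(group)
            continue
        if in_group and ch == "}":
            if buf:
                seq.append("".join(buf))
            return alts, i + 1
        if in_group and ch == "|":
            if buf:
                seq.append("".join(buf)); buf = []
            seq = []
            alts.append(seq)
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_group:
        raise ValueError("unbalanced '{' in template")
    if buf:
        seq.append("".join(buf))
    return alts, i

def _render(seq, choose):
    return "".join(p if isinstance(p, str) else _render(choose(p), choose) for p in seq)

def expand(template, rng=None):
    """Produce one concrete text the way the worm would: one random pick per group."""
    rng = rng or random.Random()
    alts, _ = _parse(template)
    return _render(alts[0], rng.choice)

def _all(seq):
    if not seq:
        yield ""
        return
    head, rest = seq[0], seq[1:]
    heads = [head] if isinstance(head, str) else [v for a in head for v in _all(a)]
    for h in heads:
        for r in _all(rest):
            yield h + r

def variants(template):
    """Enumerate every text a template can produce. Fine for short excerpts; the
    full bounce template on the page multiplies out to a very large set."""
    alts, _ = _parse(template)
    return list(_all(alts[0]))

def fill(text, fields):
    """Substitute <name> placeholders. Unknown names stay as they are, and the
    doubled form <<recipient address>> keeps its outer angle brackets."""
    return re.sub(r"<([^<>]+)>", lambda m: fields.get(m.group(1), m.group(0)), text)

# Constructed excerpt of the page's bounce template (3*2*2*2*2 = 48 variants).
BOUNCE = (
    "{The|This|Your} message was{ undeliverable| not delivered} due to the\n"
    "following reason {(s)|}:\n"
    "Your message {was not|could not be} delivered within <random number> days.\n"
    "Please reply to postmaster@{<sender domain>|<recipient domain>}\n"
    "if you feel this message to be in error."
)
FIELDS = {"random number": "3", "sender domain": "mail.example.net",   # constructed values
          "recipient domain": "example.org"}

if __name__ == "__main__":
    print(len(variants(BOUNCE)), "variants; one of them:")
    print(fill(expand(BOUNCE, random.Random(7)), FIELDS))
```

Because the choice is made independently per group, a detection rule should key on the invariant parts (the fixed subject strings, the attachment name pattern, the `postmaster@` reply line) rather than on one rendered body.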

  The attachment name is one of:
  readme
  instruction
  transcript
  mail
  letter
  file
  text
  attachment
  document
  message
  <domain name>

  The attachment extension is one of:
  cmd
  bat
  com
  exe
  pif
  scr
  zip
  Sometimes the attachment carries two extensions; the added one is placed before the executable extension so the file looks like a document (for example readme.txt.exe), and may be one of:
  doc
  htm
  html
  txt
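The subject, attachment-name, extension and decoy-extension lists above together define the lure's shape precisely enough to write a gateway rule. The following is an added example, not the page's or any vendor's code: it recognises attachment names of the form name[.decoy].exec_ext with a name from the list or a bare domain name, treats a subject hit alone as merely suspicious (because "hello", "test" and "report" occur in ordinary mail), and blocks only on an attachment hit. The SAMPLE_MAIL messages are constructed, not captured.

```python
import re

# Lure vocabulary exactly as listed on the page.
SUBJECTS = {s.lower() for s in [
    "say helo to my litl friend", "click me baby, one more time", "hello", "error",
    "status", "test", "report", "delivery failed", "Message could not be delivered",
    "Mail System Error - Returned Mail", "Delivery reports about your e-mail",
    "Returned mail: see transcript for details", "Returned mail: Data format error"]}
NAMES = {"readme", "instruction", "transcript", "mail", "letter", "file", "text",
         "attachment", "document", "message"}
EXEC_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr", "zip"}   # always the LAST extension
DECOY_EXTS = {"doc", "htm", "html", "txt"}                       # optional, sits before it
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")           # the "<domain name>" case

def attachment_matches(filename):
    """True if filename has the shape name[.decoy].exec_ext where name is one of
    the worm's names or looks like a domain (transcript.txt.scr, example.org.zip)."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return False
    stem = parts[:-1]
    if len(stem) >= 2 and stem[-1] in DECOY_EXTS:
        stem = stem[:-1]                       # strip the decoy "document" extension
    name = ".".join(stem)
    return name in NAMES or bool(DOMAIN_RE.match(name))

def assess(subject, attachments):
    """Return (verdict, reasons). 'block' requires an attachment hit; a subject
    hit on its own is only 'suspicious'."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject in Mydoom.M list")
    for a in attachments:
        if attachment_matches(a):
            reasons.append("attachment name pattern: " + a)
    if any(r.startswith("attachment") for r in reasons):
        return "block", reasons
    return ("suspicious" if reasons else "clean"), reasons

# Constructed sample messages (subject, attachment filenames); not real captures.
SAMPLE_MAIL = [
    ("delivery failed", ["transcript.txt.scr"]),
    ("Returned mail: Data format error", ["example.org.zip"]),
    ("Quarterly report", ["report.pdf"]),
    ("test", []),
]

def triage(mails=SAMPLE_MAIL):
    """Verdict per message, in input order."""
    return [(subject, assess(subject, atts)[0]) for subject, atts in mails]

if __name__ == "__main__":
    for subject, verdict in triage():
        print(f"{verdict:10s} {subject}")
```

The <domain name> variant makes the rule effectively "any dotted name ending in an executable extension", so a name such as photo.jpg.exe also matches; that is a feature rather than a bug, since a gateway should not be delivering .exe/.pif/.scr attachments (or zip archives containing them) under any name.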

  The worm does not send mail to any address containing one of the following strings (largely antivirus vendors, security lists, mail providers and administrative mailboxes such as abuse, postmaster-style and spam-reporting accounts):
  arin. avp bar. domain example foo.com gmail gnu. google hotmail microsoft
  msdn. msn. panda rarsoft ripe. sarc. seclist secur sf.net sophos
  sourceforge spersk syma trend update uslis winrar winzip yahoo anyone ca
  feste foo gold-certs help info me no nobody noone not nothing page rating
  root site soft someone the.bat you your admin support ntivi submit
  listserv bugs secur privacy certific accoun sample master abuse spam
  mailer-d

  The worm opens TCP port 1034 as a backdoor.

  Technical details:

A. Copies itself to:
%SystemRoot%\java.exe
%SystemRoot%\services.exe
(The legitimate services.exe lives in %SystemRoot%\System32; a services.exe directly in %SystemRoot% is the tell.)

B. Under the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
adds the following values:
"Services" = "%SystemRoot%\services.exe"
"JavaVM" = "%SystemRoot%\java.exe"

C. Creates the following two log files:
%Temp%\zincite.log
%Temp%\<random>.log
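The dropped files, the two Run values and the TCP 1034 listener are the host-side indicators a responder checks during triage. The following is an added example, not code from the page or from any vendor: it evaluates those indicators against artifacts collected from a host, namely a `reg export` of the Run key, `netstat -ano` output and a file listing, so it runs offline and can be pointed at real collections. The REG_SAMPLE, NETSTAT_SAMPLE and FILES_SAMPLE inputs are constructed; the PIDs and addresses in them are invented.

```python
import re

# Indicators from the page. %SystemRoot% / %Temp% are whatever the victim expands them to.
DROPPED_BASENAMES = {"services.exe", "java.exe"}
RUN_VALUE_NAMES = {"services", "javavm"}
LOG_NAME = "zincite.log"
BACKDOOR_PORT = 1034

def _split_path(p):
    """Lower-cased (parent, basename) of a Windows path; quotes and slashes normalised."""
    p = p.strip().strip('"').replace("/", "\\").lower()
    head, _, base = p.rpartition("\\")
    return head, base

def check_run_key(reg_export):
    """Scan 'reg export' text of the Run key. A services.exe or java.exe whose parent
    directory is not System32 is flagged as (value name, data, name_in_worm_list);
    the value names the page gives (Services, JavaVM) are a second signal."""
    hits = []
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', reg_export, re.M):
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")   # undo .reg escaping
        head, base = _split_path(data)
        if base in DROPPED_BASENAMES and not head.endswith("system32"):
            hits.append((name, data, name.lower() in RUN_VALUE_NAMES))
    return hits

def check_netstat(netstat_output):
    """Parse 'netstat -ano' lines; return (state, remote, pid) for TCP port 1034.
    LISTENING means the backdoor is open; ESTABLISHED means someone is using it."""
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            port = int(f[1].rsplit(":", 1)[1])
            if port == BACKDOOR_PORT:
                hits.append((f[3], f[2], int(f[4])))
    return hits

def check_files(paths):
    """Flag the dropped binaries outside System32 and the zincite.log marker."""
    hits = []
    for p in paths:
        head, base = _split_path(p)
        if (base in DROPPED_BASENAMES and not head.endswith("system32")) or base == LOG_NAME:
            hits.append(p)
    return hits

# Constructed artifacts (not from a real host).
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"Services"="C:\\WINDOWS\\services.exe"
"JavaVM"="%SystemRoot%\\java.exe"
'''
NETSTAT_SAMPLE = '''\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       840
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1672
  TCP    192.168.1.5:1034       203.0.113.7:4466       ESTABLISHED     1672
  UDP    0.0.0.0:500            *:*                                    1080
'''
FILES_SAMPLE = [r"C:\WINDOWS\java.exe", r"C:\WINDOWS\system32\services.exe",
                r"C:\WINDOWS\services.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp\zincite.log",
                r"C:\WINDOWS\notepad.exe"]

def triage(reg=REG_SAMPLE, netstat=NETSTAT_SAMPLE, files=FILES_SAMPLE):
    """All three checks in one report."""
    return {"run": check_run_key(reg), "net": check_netstat(netstat), "files": check_files(files)}

if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, hits)
```

On an NT/2000 host %SystemRoot% expands to C:\WINNT rather than C:\WINDOWS; the checks above key on the basename and on "not under System32", so they do not depend on which one it is. The ESTABLISHED hit is the one to act on first: it identifies a live remote connection to the backdoor and the PID to dump before the process is killed.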

  Solution:

  A. Use the Kingsoft AntiVirus virus definitions dated 27 July 2004, which fully handle this worm;

  B. Enable the mail firewall so that infected e-mail is blocked before it reaches the system;

  C. Develop good habits: do not casually open e-mail attachments, and scan every attachment with antivirus software before opening it.