病毒信息:
病毒名称: Worm.NetSky.B
威胁级别: 4A
发现日期: 2004.02.19
处理日期: 2004.02.19
病毒别名: W32/Netsky.b@MM [McAfee]
W32/Netsky.B.worm [Panda]
WORM_NETSKY.B [Trend Micro]
Moodown.B [F-Secure]
I-Worm.Moodown.b [Kaspersky]
病毒类型: 蠕虫
受影响系统: Win9x/WinMe/WinNT/Win2000/WinXP/Win2003
能处理的毒霸版本: 2004年02月19日
系统修改:
· 自我复制到Windows安装目录
%Windir%\services.exe;
· 在注册表主键:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
中添加如下键值:
"service" = "%Windir%\services.exe -serv"
在注册表主键:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
中删除如下键值:
"Taskmon"
"Explorer"
在注册表主键:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
中删除如下键值:
"KasperskyAV"
"System."
删除以下注册表键值:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
· 在C盘到Z中搜索名字中含有"Share"或"Sharing"字符串的文件夹。如果找到的文件夹不是
CD-ROM, 则该病毒将它自己拷贝到该文件夹及其所有的字文件夹中,名字可能是以下所列名字
列表中的一个:
doom2.doc.pif
sex sex sex sex.doc.exe
rfc compilation.doc.exe
dictionary.doc.exe
win longhorn.doc.exe
e.book.doc.exe
programming basics.doc.exe
how to hack.doc.exe
max payne 2.crack.exe
e-book.archive.doc.exe
virii.scr
nero.7.exe
eminem - lick my pussy.mp3.pif
cool screensaver.scr
serial.txt.exe
office_crack.exe
hardcore porn.jpg.exe
angels.pif
porno.scr
matrix.scr
photoshop 9 crack.exe
strippoker.exe
dolly_buster.jpg.pif
winxp_crack.exe
· 在Windows目录%SystemRoot%下创建一个名为40 .zip的文件,该压缩文件内为该病毒的众多拷
贝。这些拷贝的文件名为以下字符串列表中的一些:
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
发作现象:
会弹出一个对话框,对话框上显示以下内容:
The file could not be opened!
病毒邮件:
A、会在以以下后缀结尾的文件中查找Email地址:
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
B、使用其自带的SMTP引擎将其自己作为附件发送到以上找到的Email地址中,邮件具有以下特
征:
发件人:<具有欺骗性的地址>
主题:(以下字符串之一)
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
正文:(以下字符串之一)
anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool
附件名:(以下字符串之一)
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
附件扩展名1:(以下字符串之一)
.txt
.rtf
.doc
.htm
附件扩展名2:(以下字符串之一)
.exe
.scr
.com
.pif
下图为收到带毒邮件的截图:
解决方案:
· 请使用金山毒霸2004年02月19日的病毒库可完全处理该病毒;
· 请不要轻易点击陌生人的邮件以及下载和运行其所带附件,在运行可疑附件前最好先用毒霸扫
描;
· 手工解决方案:
对于系统是Windows9x,WindowsMe:
步骤一,删除病毒主程序
请使用干净的系统软盘引导系统到纯DOS模式,然后转到系统目录(默认的系统目录为
C:\windows),分别输入以下命令,以便删除病毒程序:
C:\windows\>del services.exe
完毕后,取出系统软盘,重新引导到Windows系统。
如果手中没有系统软件盘,可以在引导系统时按“F5”键也可进入纯DOS模式。
步骤二,清除病毒在注册表里添加的项
打开注册表编辑器: 点击开始>运行, 输入REGEDIT, 按Enter;
在左边的面板中, 双击(按箭头顺序查找,找到后双击):
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion>Run
在右边的面板中, 找到并删除如下项目:
"service" = "%Windir%\services.exe -serv"
关闭注册表编辑器。