Published 2024-03-07 (author: )
.M@mm e-mail worm
I. Basic information:
Type: Worm
Infection length: 28,800 bytes
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
.M@mm is a mass-mailing worm that spreads by e-mail using its own SMTP engine. The worm is packed with UPX.
Attachment name: Varies with .cmd, .bat, .com, .exe, .pif, .scr, or .zip file extension.
Port used: 1034/tcp
II. Actions performed when .M@mm runs
1. Copies itself to:
* %Windir%
* %Windir%
* C:\Document and Settings\user\Local
* %systemroot%
* %systemroot%
* %systemroot%
* %systemroot%
* %systemroot%
Note: %Windir% is a variable. The worm locates the Windows installation folder and copies itself there. By default this folder is C:\Windows or C:\Winnt.
2. The worm creates scheduled tasks:
"%systemroot%\Tasks\At*.job"
3. It creates the following registry values so that it runs at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run JavaVM="%Windows%"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = C:\Docume~1\user\Locals~
HKEY_LOCAL_MACHINE\System\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy "Services" = "C:\Documents and Settings\User\Local " or "Services" = "C:"
Under HKEY_USERS\Default\Software\Microsoft\Windows\ShellNoRoam\MUICache there are two values: C:\Document and Settings\User\Local and C:
HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
4. Creates the following files:
%Temp%
%Temp%\[randomly named file].log
5. Attempts to create copies of itself in every folder whose name contains one of the following strings:
* USERPROFILE
*
6. Searches for e-mail addresses in files with the following extensions:
*.doc
*.txt
*.htm
*.html
*.hlp
*.tx*
*.asp
*.ht*
*.sht*
*.adb
*.dbx
*.wab
III. Example of operation
When the worm finds an open Outlook window, it sends e-mail to the addresses it has collected.
Such e-mails have the following characteristics:
From: may be a spoofed sender address
Subject:
One of the following:
* say helo to my litl friend
* click me baby, one more time
* hello
* error
* status
* test
* report
* delivery failed
* Message could not be delivered
* Mail System Error - Returned Mail
* Delivery reports about your e-mail
* Returned mail: see transcript for details
* Returned mail: Data format error
Body:
The content of the e-mail body varies according to several text options. Alternatives inside {} braces are separated by "|":
* Dear user { domain>},{ {{M|m}ail {system|server} administrator|administration} of {that|the following}{.|:|,}}|||||} {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week. {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server. {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe. {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {
* {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}: Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
* Your message {was not|could not be} delivered within days: {{{Mail s|S}erver}|Host} The following recipients {did|could} not receive this message: < Please reply to postmaster@{ domain>} if you feel this message to be in error. The original message was received at [current time]{ | }from { ----- The following addresses had permanent fatal errors ----- {< {----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{ domain>.| {>>> MAIL F{rom|ROM}:[From address of mail] <<< 50$d {[From address of mail]... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 < email address>>...
{Mail quota exceeded|Message is too large} 554 < < found)|554 {5.0.0 |}Service unavailable; ] blocked using {|}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:< email address>> <<< 550 {MAILBOX NOT FOUND|5.1.1 < unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded |}<<< 400}|} The original message was included as attachment
* {{The|Your} m|M}essage could not be delivered
Notes:
* the email.
* instance, if the email address is john_doe@, the domain is "."
* if the email address is john_doe@, the domain is "."
* infected computer. The worm gathers this information from the infected computer's registry.
IV. Attachment names and extensions
Attachment: (one of the following)
* readme
* instruction
* transcript
* mail
* letter
* file
* text
* attachment
* document
* message
The worm always uses one of the following extensions:
* cmd
* bat
* com
* exe
* pif
* scr
The worm avoids e-mail addresses that contain any of the following strings:
* mailer-d
* spam
* abuse
* master
* sample
* accou
* privacycertific
* bugs
* listserv
* submit
* ntivi
* support
* admin
* page
*
* gold-certs
* feste
* not
* help
* foo
* soft
* site
* rating
* you
* your
* someone
* anyone
* nothing
* nobody
* noone
* info
* winrar
* winzip
* rarsoft
*
* sourceforge
* ripe.
* arin.
* google
* gnu.
* gmail
* seclist
* secur
* bar.
*
* trend
* update
* uslis
* domain
* example
* sophos
* yahoo
* spersk
* panda
* hotmail
* msn.
* msdn.
* microsoft
* sarc.
* syma
* avp
V. Removal notes:
The removal tool provided by Symantec Security Response for .M@mm cannot clean this worm; it must be removed manually.
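Because the body text in section III is generated from a {a|b} grammar with optional parts, a fixed-string signature catches only one of many variants. The following Python is an added example, not code from the writeup or from the worm: it compiles a fragment of the first body template into a regular expression that matches every expansion, which is what a mail-gateway rule needs; the fragment, the function names and the sample messages are constructed here.

```python
import re

# Fragment of the first body template quoted in section III (constructed
# excerpt). An empty alternative such as "{ed|}" means the group may be
# omitted; groups nest, e.g. "v{iru}s".
TEMPLATE = ("{We suspect that|Probably,|Most likely|Obviously,} your computer "
            "{had been|was} {compromised|infected{ by a recent v{iru}s|}} and "
            "now {run|contain}s a {trojan{ed|}|hidden} proxy server.")


def template_to_regex(template: str) -> str:
    """Compile a {a|b|c} template (nested, empty alternatives allowed)
    into a regex source string that matches any expansion of it."""
    pos = 0

    def parse_seq() -> str:
        # Parse literals and groups until '|' or '}' or end of input;
        # the caller consumes the delimiter it stopped on.
        nonlocal pos
        parts = []
        while pos < len(template) and template[pos] not in "|}":
            if template[pos] == "{":
                pos += 1
                alts = [parse_seq()]
                while pos < len(template) and template[pos] == "|":
                    pos += 1
                    alts.append(parse_seq())
                if pos >= len(template) or template[pos] != "}":
                    raise ValueError("unbalanced '{' in template")
                pos += 1
                parts.append("(?:" + "|".join(alts) + ")")
            else:
                parts.append(re.escape(template[pos]))  # literal char
                pos += 1
        return "".join(parts)

    pattern = parse_seq()
    if pos != len(template):
        raise ValueError("unexpected '%s' at offset %d" % (template[pos], pos))
    return pattern


BODY_RE = re.compile(template_to_regex(TEMPLATE), re.IGNORECASE)


def matches_worm_body(text: str) -> bool:
    """True if the message text contains any variant of the fragment.
    Whitespace is collapsed first, since mailers re-wrap long lines."""
    return BODY_RE.search(" ".join(text.split())) is not None
```

The same compiler can be applied to the subject list or the bounce-style templates once their braces are balanced; unbalanced input raises instead of producing a silently wrong pattern.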