W32/Mugly.C-mm
Overview

Virus description

Last updated: Dec 24 2004
Captured: Dec 18 2004

FortiGate virus definition version that detects it:
FOS/V2.36: 4.532
FOS/V2.50: 4.532
FOS/V2.80: 4.532

Virus characteristics

Threat level: 1 (on a scale of 1 to 5)
Virus length: 458,752
Virus type: Worm

Affected systems:

Other names

Email-Worm.Win32.Wurmark.b [Kaspersky],
W32.Mugly.C@mm [NAV],
W32/Mugly.c@MM [McAfee],
Win32/Wurmark.C [Nod32]

Symptoms

- The infected system cannot connect to the usual download sites of Symantec or Kaspersky.
- The following files are created in the System32 directory:
  ANSMTP.DLL
  attached.zip
  bszip.dll
  uglym.jpg
  xxz.tmp

Analysis

This is a 32-bit virus, 458,752 bytes in size, written in Visual Basic 6. It displays a picture of a middle-aged man who first covers his upper lip with his lower lip and then pulls it further and further up over his eyes, looking uglier as he goes. In addition, the virus silently mails itself using a built-in SMTP engine and tries to prevent users of Kaspersky and Norton products from updating them.

When the virus runs, it creates the following files in the System32 directory:
ANSMTP.DLL (141,312 bytes) - SMTP library
attached.zip (388,807 bytes) - .ZIP containing a copy of the virus
bszip.dll (34,304 bytes) - .ZIP library
uglym.jpg (11,228 bytes) - image of the man
xxz.tmp (458,752 bytes) - copy of the virus

The virus also writes an additional file to the root directory:
C:\bt32.exe (231,500 bytes) - contains the worm's code
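As an added example (not part of the Fortinet write-up), the following Python script checks a directory listing for the dropped files above, comparing both the name and the reported size. It rates the evidence instead of alerting on any single file, because a ZIP or SMTP library DLL can be present on a machine legitimately; only the full set with matching sizes counts as strong. The paths in the `__main__` section are assumed defaults, and the listing used in the test is constructed.

```python
import os
from typing import Dict, List, Tuple

# Dropped-file indicators as listed in the write-up (filename -> size in bytes).
# Names are lowercased because Windows filesystems are case-insensitive.
SYSTEM32_INDICATORS: Dict[str, int] = {
    "ansmtp.dll": 141_312,     # SMTP library
    "attached.zip": 388_807,   # ZIP containing a copy of the virus
    "bszip.dll": 34_304,       # ZIP library
    "uglym.jpg": 11_228,       # image of the man
    "xxz.tmp": 458_752,        # copy of the virus
}
ROOT_INDICATORS: Dict[str, int] = {
    "bt32.exe": 231_500,       # contains the worm's code
}

# A directory listing in the form {lowercased filename: size in bytes}.
Listing = Dict[str, int]


def list_directory(path: str) -> Listing:
    """Build a {name: size} listing of the regular files directly inside `path`."""
    listing: Listing = {}
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                listing[entry.name.lower()] = entry.stat(follow_symlinks=False).st_size
    return listing


def match_indicators(listing: Listing,
                     indicators: Dict[str, int]) -> List[Tuple[str, int, bool]]:
    """Return (name, observed_size, size_matches) for each indicator file present."""
    hits = []
    for name, expected in indicators.items():
        if name in listing:
            observed = listing[name]
            hits.append((name, observed, observed == expected))
    return hits


def classify(hits: List[Tuple[str, int, bool]], total: int) -> str:
    """Rate the evidence: 'strong' only when every indicator is present with the
    expected size, 'partial' for two or more hits, 'weak' for a single hit."""
    if not hits:
        return "none"
    if len(hits) == total and all(ok for _, _, ok in hits):
        return "strong"
    if len(hits) >= 2:
        return "partial"
    return "weak"


def scan(system32_path: str, root_path: str) -> Dict[str, str]:
    """Check both drop locations and return a verdict per location."""
    return {
        "system32": classify(match_indicators(list_directory(system32_path),
                                              SYSTEM32_INDICATORS),
                             len(SYSTEM32_INDICATORS)),
        "root": classify(match_indicators(list_directory(root_path),
                                          ROOT_INDICATORS),
                         len(ROOT_INDICATORS)),
    }


if __name__ == "__main__":
    # Assumed default locations; adjust for the system drive in use.
    print(scan("C:\\Windows\\System32", "C:\\"))
```

Run it on a suspect machine (or point `scan` at a mounted disk image); a "strong" verdict on System32 means all five dropped files are present with the sizes the write-up records.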

Mass mailing

The virus scans files with the following extensions for email addresses:
.wab
.adb
.tbb
.dbx
.asp
.php
.htm
.sht
.txt
.doc
Email addresses containing any of the following strings are not used:
adaware
nod32
trendmicro
avguk
grisoft
pandasoftware
Sophos
Sophos
.gov
symantec
lavasoft
mcafee
kaspersky
The virus tries to launch MSN Messenger from the following path:
C:\Program Files\Messenger\msmsgs.exe
and then sends a message to the users in the contact list; the message carries a copy of the virus as an attachment.

The infected file may be sent under one of the following names:
Pic_001.exe
Mary-Christmas.scr
Hapy-new-year.scr
Photo_01.pif
admire_001.exe
is_this_you.scr
love_04.scr
for_you.pif
To deceive the recipient, the virus puts one of the following addresses in the email's "From" field:
mery@msn.com
romeorichard@google.com
George@cnet.com
michael88@hotmail.com
administrator@hotmail.com
monika666@gmail.com
hunky78@norton.com
Ales56@mcafee.com
tit_fuck_909@gmail.com
micheangelo@yahoo.com
angy@hotmail.com
britny@paltalk.com
goonish88@aol.com
george88@download.com
The virus builds each email from one of the following subject/body pairs:
- Subject: Hhahahah lol!!!!
Body:
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
- Subject: Your Pic On A Website!!
Body:
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
- Subject: Rate My Pic.......
Body:
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
- Subject: You have an Admirer
Body:
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.

Website blocking

The virus modifies the hosts file so that the Kaspersky and Norton anti-virus products can no longer update. When the infected system tries to reach a site listed in the hosts file, the connection goes to 127.0.0.1 instead (the local loopback address, i.e. the machine itself), so the update server is never contacted. The hosts file lists the following sites:
rads.mcafee.com
liveupdate.symantecliveupdate.com
update.symantec.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
downloads-us4.kaspersky-labs.com
updates3.kaspersky-labs.com
symantecliveupdate.com
symatec.com
downloads3.kaspersky-labs.com
ftp.downloads1.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
updates1.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
updates3.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
ftp.downloads1.kaspersky-labs.com
ftp.downloads2.kaspersky-labs.com
ftp.downloads3.kaspersky-labs.com
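The hosts-file tampering above is straightforward to check for. The following Python script is an added example, not part of the original write-up: it parses a hosts file, flags the vendor domains listed above regardless of the address they map to, and generalises to any other non-local hostname pinned to a loopback or unspecified address, which is the usual shape of update-blocking tampering. The sample hosts text is constructed, and LOCAL_NAMES is an assumed set of names that legitimately map to loopback.

```python
import ipaddress
from typing import List, Set, Tuple

# Update/download domains the write-up reports the worm pins to 127.0.0.1,
# copied from its hosts-file listing (duplicates dropped, spelling kept as printed).
HIJACKED_DOMAINS: Set[str] = {
    "rads.mcafee.com",
    "liveupdate.symantecliveupdate.com",
    "update.symantec.com",
    "symantecliveupdate.com",
    "symatec.com",
    "liveupdate.symantec.com",
    "downloads-us1.kaspersky-labs.com",
    "downloads-us2.kaspersky-labs.com",
    "downloads-us3.kaspersky-labs.com",
    "downloads-us4.kaspersky-labs.com",
    "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com",
    "ftp.downloads1.kaspersky-labs.com",
    "ftp.downloads2.kaspersky-labs.com",
    "ftp.downloads3.kaspersky-labs.com",
    "updates1.kaspersky-labs.com",
    "updates2.kaspersky-labs.com",
    "updates3.kaspersky-labs.com",
}

# Assumed set of names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

Entry = Tuple[int, str, List[str]]   # (line number, address, hostnames)
Hit = Tuple[int, str, str, str]      # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file text: strip '#' comments, skip blank lines and lines
    whose first field is not a valid IP address, lowercase the hostnames."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def find_suspicious(text: str, watch: Set[str] = HIJACKED_DOMAINS) -> List[Hit]:
    """Flag (a) any watched vendor domain, whatever address it points at, and
    (b) any other non-local hostname pinned to a loopback or unspecified
    address (127.0.0.1, ::1, 0.0.0.0), the general form of update blocking."""
    hits: List[Hit] = []
    for lineno, addr, hosts in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        for host in hosts:
            if host in watch:
                hits.append((lineno, addr, host, "known-indicator"))
            elif (ip.is_loopback or ip.is_unspecified) and host not in LOCAL_NAMES:
                hits.append((lineno, addr, host, "loopback-pin"))
    return hits


# Constructed sample, not a captured file: two of the page's domains plus one
# unrelated name pinned to loopback, alongside legitimate entries.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "10.0.0.5        fileserver.corp.example\n"
    "127.0.0.1 liveupdate.symantec.com\n"
    "127.0.0.1 updates1.kaspersky-labs.com\n"
    "127.0.0.1 someother.example.com\n"
)


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # read it and pass its text to find_suspicious() in place of the sample.
    for lineno, addr, host, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} {host} ({reason})")
```

The watch list is checked independently of the address because later variants may point the same domains somewhere other than loopback; the loopback rule catches vendor domains this page does not list.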

Remediation

Use the web interface to check whether the FortiGate virus definitions are the latest and update them to the latest version, using the "Allow Push Update" option if necessary.