病毒特征:
Yd�UY:��JR H�a5Ut�2�n A. 通过邮件进行穿鼻,会 自动搜集感染者的邮件地址,并假冒发件人名称发送带毒邮件;
�9.pd^&}#w ZN��w�W)_E B. 感染附件类型:".doc", ".txt",".avi", ".mpeg"等;
w$:bU*1�8� w�E,�4u��P C. 感染系统目录%systemroot%\,并以csrss.exe命名自身。
y�eA�G�)�8 �:j,/(�_�C (真正csrss.exe位于%systemroot%\system32\下)
x4.��nf]� Y�v�mQD$8n D.注入进程services.exe?svchost.exe,且会模仿windows文件保护机制,
�@��GGA5�G ojO�}/R0U 防止csrss.exe被清除;
_x�3ze�a�D v�clO���[; E.通过感染svchost.exe ,自动扫描邮件地址进行感染,并感染以下已知文件名结
�QSGxj��E* k</�S�F4/l 尾的文件:
f��0[]0�- 6Qbj <�&V� adb.asp.cfg.cgi.mra.dbx.dhtm.eml.htm.html.jsp.mbx.mdx.mht.mmf.msg.
_�'Fe5�� n o&1`nmF�8� nch.ods.oft.php.pl.sht.shtm.stm.tbb.txt.uin.wab.wsh.xls.xml.dhtml
��T���\5O\ @�3c}V",�� F.如果邮件地址含有以下字符串则不感染:
@3s,�i��+C K$�]��[f> "@example." "Mailer-Daemon@" "-0"
PJ'|�==yf` "2003" "@subscribe" ".00"
6�]b�lyi�g "2004" "kasp" "@."
FQ]�<�y�.( "2005" "admin" "---"
c%�o[�K=.w "2006" "icrosoft" "abuse"
TML3!^~Q�V "@hotmail" "support" "panda"
t5t���-qOp "@msn" "ntivi" "cafee"
��z�M^D7), "@microsoft" "unix" "spam"
|/�fw|U�l- "rating@" "bsd" "pgp"
-US�uF"Y\> "f-secur" "linux" "@avp."
vi~�)cUF�@ "news" "listserv" "noreply"
QZgmy�(=�[ "update" "certific" "local"
1K= z0R�.L ".qmail" "torvalds@" "root@"
qQ7#�emXlT ".gif" "sopho" "postmaster@"
i/J��Fgk+� "anyone@" "@foo" ".0"
Y/Q+{@*-�} "bugs@" "@iana" ".1"
�&c%JQSG � "contract@" "free-av" ".2"
���SXmv>=� "feste" "@messagelab" ".3"
4B�=��d�nH "gold-certs@" "winzip" ".4"
x��k�s Y&� "help@" "google" ".5"
bB4?��W5b5 "info@" "winrar" ".6"
�-n p�se�{ "nobody@" "samples" ".7"
cR]4y��o�h "noone@" "spm111@" ".8"
�!
$�[k-.p "0000" ".." ".9"
R%*L!:�RY� }[knB,E�X� W���+=4rh� 发作症状:
gqXb0*�^b� JqmTK�CJFx 1、感染该病毒后,会自动从http: // 85.249.23.43 /下载新的病毒文件,并执行。
�i
��pa��$ �9�98\*|)n 2、或从加密网址
http://85.249.23.35/m2/ g.php
http://207.46.250.119/g/ m.php
http://84.22.161.192/s/ f.php 获取下载列表,下载指定文件。
�)�F!R�B�z `�1�9��u6# 3、该病毒将修改以下注册表项添加自启动项:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image文件执行
R]EX:�#�m� ��PC��`j[� Options\explorer.exe Debugger="C:\WINDOWS\csrss.exe"
QG#\�6/GPF |#+.Er�� Qh2�;j+1M5 <N� e^�UmJ 受感染的系统包括:
eH�*Iez�o: G8R/9~�d�0 &}Wm6W3d.! -Windows 9X/ME: C:\Windows
U�+[3/z7�@ �2[<X1A-BO -Windows NT/2000 : C:\Winnt\
SRBtf? �^f GdWj�6�$~: -Windows XP : C:\Windows\
�aZ�+1�/TI LCVZ�{gHO* 
