病毒特征:
n�&_.�HP]Y 0J�M5H!0 A. 通过邮件进行穿鼻,会 自动搜集感染者的邮件地址,并假冒发件人名称发送带毒邮件;
��\�C<�>7/ j:-+�j.SR2 B. 感染附件类型:".doc", ".txt",".avi", ".mpeg"等;
q]E9WQU2X� �vXi�2p=5! C. 感染系统目录%systemroot%\,并以csrss.exe命名自身。
Hn)#|� 82# j+Rw?%Xz�] (真正csrss.exe位于%systemroot%\system32\下)
Fd[,z�q�=3 :r63*q�rG] D.注入进程services.exe?svchost.exe,且会模仿windows文件保护机制,
�%{�D��n#" QK7Gh|sP�w 防止csrss.exe被清除;
n�$+*GDELI n9�D$�+�5v E.通过感染svchost.exe ,自动扫描邮件地址进行感染,并感染以下已知文件名结
ikK�\9gB)( j[�j�tAW�L 尾的文件:
�S�EUeOLWd ?^1QJE�M3� adb.asp.cfg.cgi.mra.dbx.dhtm.eml.htm.html.jsp.mbx.mdx.mht.mmf.msg.
B&/i5&D=dP ePv3-q.5>R nch.ods.oft.php.pl.sht.shtm.stm.tbb.txt.uin.wab.wsh.xls.xml.dhtml
��yZ87Z5P" +'D`[;N'WK F.如果邮件地址含有以下字符串则不感染:
X�"pb��]v )��L=|�?�. "@example." "Mailer-Daemon@" "-0"
iV�'�b
�\" "2003" "@subscribe" ".00"
DlTt;}A�C "2004" "kasp" "@."
>OW"�S�m8# "2005" "admin" "---"
@sj6b�lH�" "2006" "icrosoft" "abuse"
KMx5�;_
ac "@hotmail" "support" "panda"
~y���1�"2> "@msn" "ntivi" "cafee"
y7k �kgkj& "@microsoft" "unix" "spam"
--OQ�DDGJ� "rating@" "bsd" "pgp"
��;�}ShxSs "f-secur" "linux" "@avp."
�k�u�h.c#� "news" "listserv" "noreply"
S]x`�Ssf)_ "update" "certific" "local"
?��)$.(O~� ".qmail" "torvalds@" "root@"
�i7Mc�Ci�G ".gif" "sopho" "postmaster@"
1#Yz.Wz f "anyone@" "@foo" ".0"
c6#%<8<aN "bugs@" "@iana" ".1"
=@7��52^AL "contract@" "free-av" ".2"
n)@�S?�;}3 "feste" "@messagelab" ".3"
%"$20D<3M~ "gold-certs@" "winzip" ".4"
W"xm'tIeW� "help@" "google" ".5"
�3Yp04{E:\ "info@" "winrar" ".6"
2��!�b5�~ "nobody@" "samples" ".7"
���~:?En.$ "noone@" "spm111@" ".8"
G`X��@+C�v "0000" ".." ".9"
Z�=U(��[] YIUj7�H��� *|I%�iVQ�j 发作症状:
W[:c\bG��� |K��!��Z)u 1、感染该病毒后,会自动从http: // 85.249.23.43 /下载新的病毒文件,并执行。
e�D��>�_�� m)n��Zyoq 2、或从加密网址
http://85.249.23.35/m2/ g.php
http://207.46.250.119/g/ m.php
http://84.22.161.192/s/ f.php 获取下载列表,下载指定文件。
MKwIv(gK� _/&�%Jbuo8 3、该病毒将修改以下注册表项添加自启动项:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image文件执行
I;�!�@� `0 K!}co-YkzL Options\explorer.exe Debugger="C:\WINDOWS\csrss.exe"
BcA��=z-MW $@l�ID��%� z?MeK�}rKZ ��0vR�0`-% 受感染的系统包括:
A�g`u@.GHQ vn�HI�s#3 u[�~W�,H.A -Windows 9X/ME: C:\Windows
dKCJ:T��sE a�/(j0 se% -Windows NT/2000 : C:\Winnt\
m+_rC�iI{w a�Sb�cf�M( -Windows XP : C:\Windows\
r��zX3rv(g �e�A)gkVld 
