病毒特征:
.x��q��=&* B��)OclO0� A. 通过邮件进行穿鼻,会 自动搜集感染者的邮件地址,并假冒发件人名称发送带毒邮件;
�-&4T3'|GT ��Ny\i��)P B. 感染附件类型:".doc", ".txt",".avi", ".mpeg"等;
W)3#k}`o4r M=rLg~qx0R C. 感染系统目录%systemroot%\,并以csrss.exe命名自身。
9NUgtw �6V U0;[�~c�$� (真正csrss.exe位于%systemroot%\system32\下)
j{G=F0�K�e
<]43,%[gc D.注入进程services.exe?svchost.exe,且会模仿windows文件保护机制,
T�:En�2JM# �wn]`�B��� 防止csrss.exe被清除;
z#��$�l$v� }QGP����p� E.通过感染svchost.exe ,自动扫描邮件地址进行感染,并感染以下已知文件名结
�y�Rvz]�iT Zdod���_�� 尾的文件:
Mck��n0M$c WZ1,�!$"/% adb.asp.cfg.cgi.mra.dbx.dhtm.eml.htm.html.jsp.mbx.mdx.mht.mmf.msg.
$Wae�G�b + B[Q��^[=i� nch.ods.oft.php.pl.sht.shtm.stm.tbb.txt.uin.wab.wsh.xls.xml.dhtml
b`mC-�w_[& 1@up1e;iB. F.如果邮件地址含有以下字符串则不感染:
�4PYhrd/FA oI�Tw_z�+= "@example." "Mailer-Daemon@" "-0"
0L:�,Fr!iM "2003" "@subscribe" ".00"
u�*j90;n7 "2004" "kasp" "@."
aBxq*�kU6b "2005" "admin" "---"
NoK>rb"-{, "2006" "icrosoft" "abuse"
{q�Qd\8N?~ "@hotmail" "support" "panda"
~�Q����ZT4 "@msn" "ntivi" "cafee"
:H�(`8�@_J "@microsoft" "unix" "spam"
`?@ ~x!E\� "rating@" "bsd" "pgp"
��#�wb-Lh� "f-secur" "linux" "@avp."
wnH @g��)� "news" "listserv" "noreply"
�9wno`1)wE "update" "certific" "local"
5?6^}~m�� ".qmail" "torvalds@" "root@"
�7��! ��qo ".gif" "sopho" "postmaster@"
a*'>1�?KDF "anyone@" "@foo" ".0"
�&Y�.#9�S� "bugs@" "@iana" ".1"
_�4�c1�mO` "contract@" "free-av" ".2"
s`Y98q5 �P "feste" "@messagelab" ".3"
m�Z3�6��' "gold-certs@" "winzip" ".4"
m��*_+
i0P "help@" "google" ".5"
p��Q.�]w=F "info@" "winrar" ".6"
1nl��{Kb�] "nobody@" "samples" ".7"
�|i��M]�tu "noone@" "spm111@" ".8"
6XH��U� �T "0000" ".." ".9"
�pZhS_&u1� c��39:h`^? 1�eghpMv�� 发作症状:
f����re|Ld o@�:I�lg'� 1、感染该病毒后,会自动从http: // 85.249.23.43 /下载新的病毒文件,并执行。
o@s@3`>%�r 4f3��nM|�� 2、或从加密网址
http://85.249.23.35/m2/ g.php
http://207.46.250.119/g/ m.php
http://84.22.161.192/s/ f.php 获取下载列表,下载指定文件。
h�Llm=5D-f 9���$�.3sA 3、该病毒将修改以下注册表项添加自启动项:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image文件执行
�g2OwG 2�| �Z23+CbKy} Options\explorer.exe Debugger="C:\WINDOWS\csrss.exe"
ycH0
_
<@O �xcq"�|�!8 >o(=MU8j�^ E�S^�^y�!V 受感染的系统包括:
�p
bnL#�6y <w(Cq1�q;� KWL%ZPD:|G -Windows 9X/ME: C:\Windows
J-Ti��G�S9 �g+5�lvI�= -Windows NT/2000 : C:\Winnt\
�p�9cL�o�- �
"�<�+QA -Windows XP : C:\Windows\
T�2 �(}8= �ZnN9Ac 
