Email-Worm.Win32.NetSky.t

Virus name: Email-Worm.Win32.NetSky.t
Chinese name: 网络天空变种 (NetSky variant)
Virus type: Worm
File MD5: F1EAC29A09279D51C81585AE47C5255D
Disclosure scope: Fully public
Threat level: Medium
File length: 38,912 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 6.0
Packer: LE-Exe Executable Image *
     UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Naming cross-reference: 驱逐舰 [Win32.HLLP.Secto]
     Rising (瑞星) [Win32.Sality.k]
  
Description:
  "NetSky" has been rampant on the Internet since 2004 and is still active today. When run, the worm drops its files into the system directory and adds a registry Run entry so that the worm body is loaded at every boot. The worm carries its own SMTP engine: it forges a large number of sender addresses and sends large volumes of spam to the specified addresses, each message carrying an attachment named "<subject> + random digits.pif". The machine is infected as soon as the user opens the attachment.
  
Behavior analysis:
1. Drops the following copies and files:

%Windir%\uinmzertinmds.opm
%Windir%\EasyAV.exe
%System32%\vcmgcd32.dll
%System32%\vcmgcd32.dl

2. Creates the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: EasyAV, type: String, data: "%WINDir\EasyAV.exe"

3. Harvests e-mail addresses from files with the following extensions:

.sht .adb .tbb .wab .dbx .oft .doc .msg

4. Mail messages the user may receive:

Sender addresses (forged):

smoke@freenet.am
neox@pisem.net
oriontrooper@yahoo.com
gfplus@softhome.net
kzm@cisco.com
cryorb@tut.by
hubmib-request@ietf.org
msoe@microsoft.com
fkma@mmtools.ru
uri@lucent.com
raraghun@cisco.com
joe@joestewart.org
joespammer@example.com
bik78@mail.ru
case@snmp.com
crsky@yeah.net
gerrit@familiehaase.de
shag@apsvans.com
hanta@chiva.net
msoe@microsoft.com
smoke@freenet.am
fkma@mmtools.ru
waldbusser@lucent.com
ietfmibs@ops.ietf.org
dyk_158@163.com
gfplus@softhome.net
ts@polynet.lviv.ua
tbd@despammed.com
hoto@ipbcn.org
waldbusser@lucent.com
net-snmp-coders@lists.sourceforge.net
hanta@chiva.net

Recipient addresses:

cao_cong_hx@yahoo.com.cn
tbd@despammed.com
oriontrooper@yahoo.com
bmd2chen@tom.com
mario555@pisem.net
tbd@despammed.com
mario555@pisem.net

Mail subjects:

Diggest
Archive
Request
Requested document
Re: Approved
Letter
Thank you!
Re: Movie document
Re: Text
Re: Thanks you!
Powerpoint document
Re: Photo document
Approved
Info
Hi
My details
Re: User list
Re: Hello
Re: Hi
Developement
Thank you!
Re: Movie document
My details
Re: Details
Re: Important
Your information
Your details
Sample
Homepage
Important
Excel document
Re: Old document
Re: Bill
Re: Important
Re: Your document

Mail bodies:

Please notice the attached diggest.
The info.Thanks
I have spent much time for your document.
My number list.
My instructions.
My developement is attached.Yours sincerely
Your letter.Thank you
Your file is attached to this mail.Yours sincerely
Hello!Please see the text.
Hello!Please have a look at the attached document.Yours sincerely
Please read the attached document.
Hi!Please, old document.
Hi!Please, user list.
Hi!Please read quickly.
Hello!Please have a look at the info.
Hello!The bill.
Hello!The icq number.Thank you
Hello!Here is the document.Thanks
Here is the document.Yours sincerely
Hello!The note is attached.
Hello!Please have a look at the note.Thank you
Hello!Please notice the attached document.Thanks
Hello!See the document for details
Hi!Here is the document.
Please read the attached document.Thanks
Please read the summary.Yours sincerely
Please notice the attached postcard.
Please notice the attached document.Yours sincerely
Please have a look at the attached document.
Please see the requested document.
Please have a look at the archive
Please see the new document.
Please see the excel document.
Hello!Please notice the attached sample.Thank you
See the document for details.Yours sincerely
I have found the order.Thanks
Hi!For more details see the attached document.Thank you
Hi!Note that I have attached your document.
Hi!Please see the homepage.

Note: %System% is a variable path. The worm queries the operating system to determine the location of the current System folder. On Windows 2000/NT the default installation path is C:\Winnt\System32, on Windows 95/98/Me it is C:\Windows\System, and on Windows XP it is C:\Windows\System32.

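The lure described above (a listed subject, a listed body, and a .pif attachment named after the subject plus random digits) can be matched mechanically at a mail gateway. The following detector is an added example, not code from the original page or from the vendor; the mail structure, the `Mail` class and the two-indicator threshold are assumptions, and the sample messages are constructed for demonstration.

```python
"""Flag e-mails matching the NetSky.t lure pattern described in the write-up.

Three indicators are checked, all taken from the page:
  1. the subject is one of the listed lure subjects
  2. the body is one of the listed lure bodies
  3. an attachment is named "<subject><random digits>.pif"
A single hit (e.g. subject "Hi") is far too common to act on, so a message is
flagged only when at least two indicators agree (threshold is an assumption).
"""
import re
from dataclasses import dataclass, field

# Subjects listed on the page (duplicates collapsed).
LURE_SUBJECTS = {
    "Diggest", "Archive", "Request", "Requested document", "Re: Approved",
    "Letter", "Thank you!", "Re: Movie document", "Re: Text", "Re: Thanks you!",
    "Powerpoint document", "Re: Photo document", "Approved", "Info", "Hi",
    "My details", "Re: User list", "Re: Hello", "Re: Hi", "Developement",
    "Re: Details", "Re: Important", "Your information", "Your details",
    "Sample", "Homepage", "Important", "Excel document", "Re: Old document",
    "Re: Bill", "Re: Your document",
}

# A subset of the bodies listed on the page; extend from the full list as needed.
LURE_BODIES = {
    "Please notice the attached diggest.",
    "The info.Thanks",
    "Please read the attached document.",
    "Please see the requested document.",
    "Hi!Please see the homepage.",
    "Hello!Here is the document.Thanks",
    "Please see the excel document.",
}


@dataclass
class Mail:
    """Minimal parsed-mail representation (assumed shape, not the page's)."""
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def attachment_named_after_subject(subject: str, filename: str) -> bool:
    """True when filename is exactly <subject><one or more digits>.pif,
    the naming scheme the page attributes to the worm."""
    pattern = re.compile(r"^" + re.escape(subject) + r"\d+\.pif$", re.IGNORECASE)
    return pattern.match(filename) is not None


def score_netsky_lure(mail: Mail) -> list[str]:
    """Return the list of indicators that fired for this message."""
    hits: list[str] = []
    subject = mail.subject.strip()
    if subject in LURE_SUBJECTS:
        hits.append("subject")
    if mail.body.strip() in LURE_BODIES:
        hits.append("body")
    for name in mail.attachments:
        if name.lower().endswith(".pif"):
            hits.append("pif-attachment")
            if attachment_named_after_subject(subject, name):
                hits.append("attachment-named-after-subject")
    return hits


def is_netsky_lure(mail: Mail) -> bool:
    """Flag when two or more independent indicators agree."""
    return len(score_netsky_lure(mail)) >= 2


if __name__ == "__main__":
    # Constructed samples: one lure built from the page's strings, one benign mail.
    samples = [
        Mail("kzm@cisco.com", "Requested document",
             "Please see the requested document.", ["Requested document4821.pif"]),
        Mail("colleague@example.com", "Hi", "Lunch tomorrow?", ["agenda.pdf"]),
    ]
    for m in samples:
        print(f"{m.subject!r}: {score_netsky_lure(m)} -> flagged={is_netsky_lure(m)}")
```

The second sample shows why the threshold matters: "Hi" alone is on the lure subject list, but with a benign body and a non-.pif attachment it is not flagged. Note that the attachment check is literal, so subjects containing characters Windows does not allow in filenames (the colon in "Re: Approved") will only be caught by the subject and body indicators.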
--------------------------------------------------------------------------------
Removal:
  1. Use Antiy Ghostbusters (安天木马防线) to remove this worm completely (recommended).

2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis above.

(1) Use the "Process Manager" of Antiy Ghostbusters to terminate the worm process:

EasyAV.exe

(2) Delete the files dropped by the worm:

%Windir%\uinmzertinmds.opm
%Windir%\EasyAV.exe
%System32%\vcmgcd32.dll
%System32%\vcmgcd32.dl

(3) Restore the registry entries modified by the worm and delete the entry it added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: EasyAV, type: String, data: "%WINDir\EasyAV.exe"
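The manual-removal steps above amount to a small checklist of host artifacts. The script below, an added example rather than the vendor's tool, reports which of those artifacts are present so an administrator can verify a clean-up. It resolves the Windows directory from %WINDIR% / %SystemRoot% (or takes an explicit path so it can be dry-run against any directory tree), and queries the Run key only when the `winreg` module is available, i.e. on Windows; the `dl_`-style truncation of `vcmgcd32.dl` is taken from the page as written.

```python
"""Report the NetSky.t host artifacts listed in the removal steps.

Added example. Only the indicators from the page are used; it does not delete
anything, it just tells you what is still there after a clean-up.
"""
import os
from typing import Optional

# (base directory, file name) pairs from the behavior analysis.
DROPPED_FILES = [
    ("windir", "uinmzertinmds.opm"),
    ("windir", "EasyAV.exe"),
    ("system32", "vcmgcd32.dll"),
    ("system32", "vcmgcd32.dl"),
]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "EasyAV"


def resolve_windir(windir: Optional[str] = None) -> str:
    """Explicit argument first, then %WINDIR%, then %SystemRoot%, then the
    Windows XP default path named in the note above."""
    return (windir or os.environ.get("WINDIR") or os.environ.get("SystemRoot")
            or r"C:\Windows")


def find_dropped_files(windir: str, system32: Optional[str] = None) -> list[str]:
    """Return the full paths of the listed dropped files that exist on disk.
    The page's %System32% is assumed to be <windir>\\System32 unless overridden."""
    bases = {"windir": windir, "system32": system32 or os.path.join(windir, "System32")}
    present = []
    for base, name in DROPPED_FILES:
        path = os.path.join(bases[base], name)
        if os.path.isfile(path):
            present.append(path)
    return present


def find_run_value() -> Optional[str]:
    """Return the data of HKLM\\...\\Run\\EasyAV if it exists.
    Returns None when the value is absent or when not running on Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            data, _value_type = winreg.QueryValueEx(key, RUN_VALUE_NAME)
            return str(data)
    except OSError:  # key or value not present
        return None


def build_report(windir: Optional[str] = None) -> dict:
    """Collect file and registry findings into one dictionary."""
    root = resolve_windir(windir)
    files = find_dropped_files(root)
    run_value = find_run_value()
    return {
        "windir": root,
        "dropped_files_present": files,
        "run_value": run_value,
        "clean": not files and run_value is None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2))
```

Terminating the EasyAV.exe process (step 1) should still be done before deleting the files, otherwise the running image keeps the executable locked; the report is meant to be run after that step to confirm nothing was missed.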
   

Custom categories:
Internet, virus, computer

Contributor:
itisac