Worm_Funny.A worm analysis report (6)
From;    Author:Stand originally

Jiang Min "MSN Clown" worm analysis report

Virus type: Network worm
Virus size: 56320 bytes
Transmission method: Network
Danger level: ★★

On October 10, 2004, the Jiang Min anti-virus center intercepted the "MSN" worm I-Worm/MsnFunny. This virus automatically sends messages and the virus program to the user's MSN contacts, and redirects a large number of commonly used websites to http://www.***.com.

Its specific technical features are as follows:

1. After the virus runs, it creates the following copies of itself:

%WinDir%\rundll32.exe, 56320 bytes
%SystemDir%\explorer.exe, 56320 bytes
%SystemDir%\iexplore.exe, 56320 bytes
%SystemDir%\userinit32.exe, 56320 bytes

2. It adds the following startup entries to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMSystem" = %SystemDir%\mmsystem.dll "" , rundll32
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = %SystemDir%\userinit32.exe,
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMSystem" = %SystemDir%\mmsystem.dll "" , rundll32

In this way, the virus runs automatically whenever Windows starts. It also forcibly sets MSN to start automatically at boot.

3. It sends the following messages to the user's online MSN contacts, and can also deliver the virus program:

A newly opened bar, let's get together in the evening, there is an introduction here %url%, note it down and give me a call
Friend, remember to get more rest, you can come here to relax, %url%
We also come common how, see MM, %url%, enough flavour! Ah!
Ironclad proof of the Japanese massacre in Nanjing! Resolutely boycott Japanese goods %url%
The 10 countries that pose the biggest threat to China! List %url%
The most beautiful video MM I have ever seen (don't regret not looking), %url%
"Chinese farmer is investigated", tears and blood on every page, alarmed the central authorities, reposted from Netease, %url%

4. It modifies the %SystemDir%\drivers\etc\hosts file, redirecting more than 900 commonly used websites to 222.89.98.***; at present this website cannot be reached normally.
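
A triage check for the changes described in items 2 and 4, as an added example that is not part of the original report: it flags any non-loopback address in hosts-file text that many hostnames resolve to, and tests whether a Winlogon Userinit value still launches only the stock userinit.exe. The threshold of 5, the default system directory and the sample hosts content (documentation-range addresses) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: this many hostnames on one non-local IP is worth an analyst's look.
THRESHOLD = 5

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, not a usable mapping
        for name in fields[1:]:
            yield ip, name.lower()

def suspicious_redirects(text, threshold=THRESHOLD):
    """Return {ip: sorted hostnames} for non-local IPs serving many names."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # loopback and all-zero entries are ordinary blocklists
        by_ip[ip].add(name)
    return {str(ip): sorted(n) for ip, n in by_ip.items() if len(n) >= threshold}

def userinit_is_default(value, system_dir=r"C:\Windows\system32"):
    """True if the Userinit value launches only the stock userinit.exe."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return entries == [(system_dir + r"\userinit.exe").lower()]

# Constructed sample: eight sites forced onto one address, plus benign entries.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    + "".join(f"203.0.113.7 www.site{i}.example\n" for i in range(8))
    + "192.0.2.10 intranet.example  # single ordinary mapping\n"
)

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} hostnames redirected")
    print("Userinit default:",
          userinit_is_default(r"C:\Windows\system32\userinit32.exe,"))
```
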

In response to this virus, Jiang Min has urgently updated its virus database. Please update to the October 10 virus database promptly so that this virus can be thoroughly detected and removed and your system is protected from it. (End)