Worm_Netsky.C ("NetSky" virus variant) found in China

Virus name: Worm_Netsky.C ("NetSky" virus variant)

Other names:  W32/Netsky.C@MM      (McAfee)
              W32/Netsky.C.worm    (Panda)
              WORM_NETSKY.C        (Trend Micro)
              Moodown.C            (F-Secure)
              I-Worm.Moodown.c     (Kaspersky)
              Win32.Netsky.C       (Computer Associates)
              W32/Netsky-C         (Sophos)

Affected systems: Win9x/WinMe/WinNT/Win2000/WinXP/Win2003

Virus length: 25,352 bytes

Virus characteristics:

The virus is packed with UPX and spreads via e-mail. When run, it drops a copy of itself in the Windows directory and modifies registry values. Its copies carry two extensions and use the Word icon, and it also drops copies of itself in shared folders.

 

1. Dropped files

After running, the virus drops a copy of itself in the %Windows% directory under the name Winlogon.exe.

The virus also drops a .zip file containing a copy of itself in the %Windows% directory; its name is the same as the attachment name of the virus e-mail.

(%Windows% is the default Windows folder, usually C:\Windows or C:\WINNT)

 

2. Registry modification

The virus creates a registry entry so that it runs automatically at system startup. Under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run it creates

ICQ Net = "%Windows%\winlogon.exe -stealth"

 

3. Deleting registry values

In order to interfere with the running system, the virus attempts to delete several important registry values.

Under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it looks for and deletes the following values:

Explorer

KasperskyAV

Taskmon

Windows Services Host

 

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it deletes the following values:

System.

msgsvr32

DELETE ME

service

Sentry

 

Under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it deletes the following values:

d3dupdate.exe

au.exe

OLE

 

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices it deletes the following value:

System.

 

4. Spreading via e-mail

The virus searches files with the following extensions on the infected system for e-mail addresses, then uses its own SMTP engine to send infected e-mails to those addresses.

.eml

.txt

.php

.pl

.htm

.html

.vbs

.rtf

.uin

.asp

.wab

.doc

.adb

.tbb

.dbx

.sht

.oft

.msg

.shtm

.cgi

 

 

The infected e-mail sent by the virus has the following format:

From: (a spoofed address; may not be a real e-mail address)

Subject: (one of the following)

Delivery Failed

Status

report

question

trust me

hey

Re: excuse me

read it immediatelly

hi

Re: does it?

Yep

important

hello

dear

Re: unknown

fake?

warning

moin

what's up?

info

Re: information

Here is it

stolen

private?

good morning

illegal...

error

take it

re:

Re: Re: Re: Re:

you?

something for you

exception

Re: hey

excuse me

Re: hi

Re: does it?

Re: important

Re: hello

believe me

Question

denied!

notification

Re: <5664ddff?$??o2>

lol

last chance!

I'm back!

its me

notice!

Body: (one of the following)

<Deliver Error>

<Message Error>

<Server Error>

what means that?

help attached

<...>

ok...

<Attachment from Poland>

that is interesting...

i wait for your comment about it.

such as yours?

read the details.

gonna?

here is the document.

*lol*

read it immediately!

i found that about you!

your hero in the picture?

yours?

here is it.

illegal st. of you?

is that true?

account?

is that your name?

picture?

message?

is that your account?

pwd?

I wait for an answer!

abuse?

is that yours?

you are a bad writer

I don't know your document!

<Mail failed>

I have your password!

you won the rk!

something about you!

classroom test of you?

kill the writer of this document!

old photos about you?

i hope thats not true!

your name is wrong!

does it match?

i found this document about you.

time to fear?

really?

do you know this????

i know your document!

did you sent it to me?

this file is bad!

why should I?

pages?

her.

another pic, have fun! ... :->

test it

child porn?

greetings

xxx ?

stuff about you?

your document is not good

something is going wrong!

your photo is poor

information about you?

the information is wrong!

doc about me?

kill him on the picture!

from the chatter (my photo!)

from your lover ;-)

love letter?

here, the serials

are you a teacherin the picture?

here, the introduction

is that criminal?

here, the cheats

i like your doc!

what do you think about it?

that's a funny text.

that's not the truth?

do you have?

instruct me about this!

i lost that

i am speachless about your document!

is that the reality?

reply

msg

your design is not good!

important?

your TAN number?

take it easy!

why?

you are naked in this document!

thats wrong!

your icq number?

i am desperate

modifications?

your personal record?

yes.

misc. and so on. see you!

your attachment? verify it.

you earn money, see the attachment!

is that your attachment?

is that your website?

you feel the same.

meaning of that?

possible?

you have tried to steal!

did you ask me for that?

you are bad

your job? (I found that!)

is that possible?

something is going ...

something is not ok

did you know from this document?

wrong calculation! (see the attachment!...

never!

poor quality!

good work!

excellent!

great!

i don't think so.

pretty pic about you?

docs?

schoolfriend?

<Warning from the Government>

<09580985869gj>

<?}

i want more...

here is the next one!

attachi#

did you see her already?

is that your wife?

is that your creditcard?

is that your photo?

do you think so?

do you have the bug also?

already?

forgotten?

drugs? ...

does it matter?

i have received this.

best?

the truth?

your body?

your eyes?

your face?

File is self-decryting.

File is damaged.

File is bad.

i saw you last week!

xxx service

your account is expired!

you cannot hide yourself! (see photo)

copyright?

what still?

who?

how?

<bad gateway>

only encrypted!

personal message!

my advice....

i've found it about you

<<<Failure>>>

<Attached Msg>

<scanned by norton antivirus>

great xxx!

man or women?

child or adult?

here is yours!

a crazy doc about you

xxx about you?

i don't want your xxx pics!

<Failed message available>

<Automailer>

doc?

trial?

what?

;-)

i need you!

correct it!

see this!

it's a secret!

this is nothing for kids!

it's so similar as yours!

is that your car?

do not give up!

great job!

here is the $%%454$

you are sexy in this doc!

incest?

let it!

you look like an ape!

you look like an rat?

be mad?

are you cranky?

bob the builder

did you know that?

money?

is that your car?

is this information about you?

is that your privacy?

is that your TAN?

is that your message?

is that your cd?

is that your finger?

your are naked?

is that your porn pic?

is that your work?

is that your family?

is that your beast?

is that your account?

is that your slip?

is that your domain?

are you the naked one?

are you the naked person!

are you the one?

does it belong to you?

do you have sex in the picture?

you have a sexy body in the pic!

your lie is going around the world!

<Transfer complete>

<Antispam complete>

lets talk about it!

do you know the thief?

are you a photographer?

you have done a mistake in the document...

its private from me

do not show this anyone!

new patch is available!

this is an attachment message!

in your mind?

Microsoft

fast food...

Your bill.

try this patch!

do you have an orgasm in the picture?

<Click the attachment to decrypt>

<Attachment Signature 34933920>

Transaction failed. Show the doc!

I 've found your bill!

see your name!

You are infected. Read the details!

here is my advice.

here is my photo!

here is the <censored>

feel free to use it.

does it belong to you?

Login required! Read the attachment!

your document is silly!

is the pic a fake?

Antispam is turned off. See file!

Authentification required. Read the att...

solve the problem!

<null>

do not use my document!

do not open the attachment!

do not visit the pages on the list I se...

explain!

tell me more about your document!

Your provider will be disabled!

Instant patches.

The attachment may be a .zip file containing the virus executable, whose file name is one of those listed below; otherwise the attachment is a file with a double extension, likewise named from the list below.

Attachment: (name is one of the following)

document

associal

msg

yours

doc

wife

talk

message

response

creditcard

description

details

attachment

pic

me

trash

card

stuff

poster

posting

portmoney

textfile

moonlight

concert

sexy

information

news

note

number_phone

bill

mydate

swimmingpool

class_photos

product

old_photos

topseller

ps

important

shower

myaunt

aboutyou

yours

nomoney

birth

found

death

story

worker

mails

letter

more

website

regards

regid

friend

unfolds

jokes

doc_ang

your_stuff

location

454543403

final

schock

release

webcam

dinner

intimate stuff

sexual

ranking

object

secrets

mail2

attach2

part2

msg2

disco

freaky

visa

party

material

misc

nothing

transfer

auction

warez

undefinied

violence

update

masturbation

injection

naked1

naked2

tear

music

paypal

id

privacy

word_doc

image

incest

       Attachment extension 1: (one of the following)

       .txt

       .rtf

       .doc

       .htm

       Attachment extension 2: (one of the following)

       .exe

       .scr

       .com

       .pif
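As an added example (not part of the advisory), a mail-gateway check for the attachment pattern described above: a base name from the page's list, followed by one of the "extension 1" document extensions and then one of the "extension 2" executable extensions, or a .zip carrying one of those names. It generalises the page's case to any executable hidden behind another extension, which also covers the double-extension names the worm drops into shared folders; NETSKY_NAMES and SUBJECT_SAMPLE are constructed subsets of the page's lists.

```python
# Added example: gateway-side check for the Netsky.C attachment pattern.
# NETSKY_NAMES and SUBJECT_SAMPLE are constructed subsets of the advisory's lists;
# DOC_EXTS / EXEC_EXTS are the page's "extension 1" and "extension 2" sets.
NETSKY_NAMES = {"document", "msg", "yours", "doc", "message", "creditcard",
                "details", "attachment", "pic", "bill", "paypal", "word_doc"}
DOC_EXTS = {".txt", ".rtf", ".doc", ".htm"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
SUBJECT_SAMPLE = {"delivery failed", "status", "report", "hey", "hi", "important",
                  "re: hello", "warning", "error", "notice!"}


def split_name(filename):
    """'Details.doc.exe' -> ('details', ['.doc', '.exe']); everything lower-cased."""
    parts = filename.strip().lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def classify_attachment(filename):
    """Return one of:
      'netsky-double-ext' - listed name + document ext + executable ext (the page's pattern)
      'double-ext'        - any executable hidden behind another extension (generalisation)
      'netsky-zip'        - a .zip whose base name is on the page's list
      None                - nothing matched
    """
    base, exts = split_name(filename)
    if not exts:
        return None
    last = exts[-1]
    if last == ".zip":
        return "netsky-zip" if base in NETSKY_NAMES else None
    if last in EXEC_EXTS and len(exts) >= 2 and exts[-2] not in EXEC_EXTS:
        if base in NETSKY_NAMES and exts[-2] in DOC_EXTS:
            return "netsky-double-ext"
        return "double-ext"
    return None


def verdict(subject, filename):
    """Gateway decision: block masqueraded executables outright; quarantine a listed
    .zip name only when the subject is also one of the worm's canned subjects."""
    kind = classify_attachment(filename)
    if kind in ("netsky-double-ext", "double-ext"):
        return "block"
    if kind == "netsky-zip" and subject.strip().lower() in SUBJECT_SAMPLE:
        return "quarantine"
    return None
```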

 

5. Other

The virus searches drives C through Y for folders whose names contain the string "Shar"; if the folder found is not on a CD-ROM, the virus drops copies of itself into that folder and its subfolders under one of the following names:

Microsoft WinXP Crack.exe

Teen Porn 16.jpg.pif

Adobe Premiere 9.exe

Adobe Photoshop 9 full.exe

Best Matrix Screensaver.scr

Porno Screensaver.scr

Dark Angels.pif

XXX hardcore pic.jpg.exe

Microsoft Office 2003 Crack.exe

Serials.txt.exe

Screensaver.scr

Full album.mp3.pif

Ahead Nero 7.exe

Virii Sourcecode.scr

E-Book Archive.rtf.exe

Doom 3 Beta.exe

How to hack.doc.exe

Learn Programming.doc.exe

WinXP eBook.doc.exe

Win Longhorn Beta.exe

Dictionary English - France.doc.exe

RFC Basics Full Edition.doc.exe

1000 Sex and more.rtf.exe

3D Studio Max 3dsmax.exe

Keygen 4 all appz.exe

Windows Sourcecode.doc.exe

Norton Antivirus 2004.exe

Gimp 1.5 Full with Key.exe

Partitionsmagic 9.0.exe

Star Office 8.exe

Magix Video Deluxe 4.exe

Clone DVD 5.exe

MS Service Pack 5.exe

ACDSee 9.exe

Visual Studio Net Crack.exe

Cracks & Warez Archive.exe

WinAmp 12 full.exe

DivX 7.0 final.exe

Opera.exe

IE58.1 full setup.exe

Smashing the stack.rtf.exe

Ulead Keygen.exe

Lightwave SE Update.exe

The Sims 3 crack.exe

 

Manual removal steps:

1. Terminate the virus process

On Windows 9x/ME press CTRL+ALT+DELETE; on Windows NT/2000/XP press CTRL+SHIFT+ESC. Choose "Task Manager -> Processes", select the running process "Winlogon.exe" and end it.

 

2. Restore the registry

Click "Start -> Run", type regedit to launch the Registry Editor, double-click through HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run in the left pane, and delete the value ICQ Net = "%Windows%\winlogon.exe -stealth" in the right pane.

 

3. Delete the files dropped by the virus

Click "Start -> Search -> Files or Folders", search for the file "Winlogon.exe" and delete the file found. Search for the .zip files created under %Windows% and delete them.

 

4. Run antivirus software and perform a full scan of the system
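As an added example (not from the advisory), triage helpers that match the three host indicators named in the removal steps above: the Run value ICQ Net = "%Windows%\winlogon.exe -stealth", the dropped %Windows%\winlogon.exe, and the dropped .zip files in %Windows%. They assume, as holds on NT-family Windows but is not stated on the page, that the legitimate winlogon.exe lives in %Windows%\System32, so the path check tells the worm's copy apart from the real process; the sample inputs are constructed.

```python
# Added example: offline triage of the host indicators named in the removal steps.
# Inputs are plain values (e.g. from an exported Run key and a file listing), so the
# checks run anywhere; paths are handled with ntpath regardless of the host OS.
import ntpath

WORM_RUN_NAME = "ICQ Net"


def norm(path):
    """Case-insensitive, backslash-normalised Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def is_worm_run_value(name, data, windir=r"C:\WINDOWS"):
    r"""Match the page's entry ICQ Net = "%Windows%\winlogon.exe -stealth" (data may be
    quoted). The -stealth switch is not required, so the value still matches if it just
    points ICQ Net at the dropped file. Assumes the Windows directory has no spaces."""
    tokens = data.strip().strip('"').split()
    if name != WORM_RUN_NAME or not tokens:
        return False
    return norm(tokens[0]) == norm(ntpath.join(windir, "winlogon.exe"))


def is_worm_winlogon_path(path, windir=r"C:\WINDOWS"):
    r"""The worm's copy sits directly in %Windows%; the legitimate NT-family
    winlogon.exe is %Windows%\System32\winlogon.exe (known fact, not on the page)."""
    p = norm(path)
    return ntpath.basename(p) == "winlogon.exe" and ntpath.dirname(p) == norm(windir)


def triage(run_values, file_paths, windir=r"C:\WINDOWS"):
    """run_values: {(hive, value_name): data}; file_paths: paths seen on disk.
    Returns a list of human-readable findings, empty when nothing matched."""
    findings = []
    for (hive, name), data in run_values.items():
        if is_worm_run_value(name, data, windir):
            findings.append(f"autorun: {hive}\\...\\Run\\{name} = {data}")
    for path in file_paths:
        if is_worm_winlogon_path(path, windir):
            findings.append(f"dropped copy: {path}")
        elif path.lower().endswith(".zip") and norm(ntpath.dirname(path)) == norm(windir):
            findings.append(f"dropped zip: {path}")
    return findings
```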


National Computer Virus Emergency Response Center
Computer Virus Prevention Products Testing Center
Website: Http://www.antivirus-China.org.cn
Tel: 022-66211488/66211489/66211490
Fax: 022-66211487
E-mail: security@tj.cnuninet.net