W32.Mydoom.CF@mm
admin
🕛 30.06.2005, 00:04
Discovered 28 June. Last updated 29 June.
Type: worm.
Code length: 32.2 KB.
Vulnerable systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.
Technical details:
Copies itself as %System%\[the dropped worm file name].dll.
Adds the value "rundll" = "rundll32.exe "%System%\[the dropped worm file name].dll" taskmon" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run;
and the values
"[Default]" = "%System%\[the dropped worm file name].dll"
"ThreadingModel" = "Apartment" to
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a randomly generated CLSID}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a randomly generated CLSID}\InprocServer32
Creates a new registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a randomly generated CLSID}
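As an added illustration (not part of the original post or of any vendor tool), the Python script below parses a constructed registry export and flags the persistence pattern described above: a Run value that loads a DLL through rundll32 with the "taskmon" entry point, and a Browser Helper Object whose InprocServer32 points at that same DLL. The DLL name and CLSID in the sample are placeholders, not real indicators.

```python
import re

# Constructed sample of a Windows registry export (.reg) shaped like the
# persistence described above; the DLL name and CLSID are placeholders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll"="rundll32.exe \"C:\\WINDOWS\\system32\\placeholder.dll\" taskmon"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\placeholder.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+\.dll)"?\s+taskmon\b', re.I)

def unescape(s):
    # Strip the surrounding quotes of a .reg string and undo its \\ and \" escapes.
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_reg(text):
    # Returns {key_path_lowercased: {value_name: data}} for the string values.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '' if m.group(1) == '@' else unescape(m.group(1))
            current[name] = unescape(m.group(2))
    return keys

def find_mydoom_persistence(text):
    # Flags Run values that load a DLL via rundll32's "taskmon" export, then any
    # Browser Helper Object whose InprocServer32 default value is that same DLL.
    keys = parse_reg(text)
    findings, dlls = [], set()
    for key, values in keys.items():
        if key.endswith('\\currentversion\\run'):
            for name, data in values.items():
                if m := RUNDLL_RE.search(data):
                    dlls.add(m.group(1).lower())
                    findings.append(('run_taskmon', key, name, m.group(1)))
    for key in keys:
        head, sep, clsid = key.rpartition('\\')
        if sep and head.endswith('\\explorer\\browser helper objects'):
            server = keys.get('hkey_local_machine\\software\\classes\\clsid\\' + clsid + '\\inprocserver32', {})
            if server.get('', '').lower() in dlls:
                findings.append(('bho_same_dll', key, clsid, server['']))
    return findings
```

Run it against a real export with `find_mydoom_persistence(open('export.reg', encoding='utf-16').read())`; a clean machine should yield an empty list.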
Searches the victim computer for e-mail addresses.
It skips addresses containing the following strings:
admin*
*gmail.com
*.ru
*@mail.com
*@messagelabs.com
*@microsoft.com
*@symantec.com
*@avp*
*@mcafee.com
*@nai.com
*@networkassociates.com
*@sophos.com
*@trendmicro.com
*@ca.com
*.ru
*.cn
Sends itself in e-mails with the following characteristics:
From:
aol.com
msn.com
yahoo.com
hotmail.com
Subject: Is it your name listed here?
Message Body: It seems this is the Pentagon listing
Subject: take a look
Message Body: another terrorist
Subject: No way, she can't take THIS
Message Body: Something really incredible
Subject: this is what will happen to your family
Message Body: just see that
Subject: What about .?
Message Body: :)
Subject: Funniest George W. Bush Picture ever
Message Body: I was laughing my ass off
Subject: crazy housewife
Message Body: Have you seen it?
Subject: A postcard for you!
Message Body: This postcard was sent to you via Modern Postcard. Have a happy holiday!
Subject: Cool picture
Message Body: This poor guy...
Subject: surprise, surprise...
Message Body: guess who?
Subject: employees list
Message Body: Make sure this isn't you being layed off
Subject: file submission failure
Message Body: Your file hasn't passedour security check and thus was returned
Subject: Error: could not send message for past 2 days
Message Body: Please review the attachment for the delivery problems
Attachment:
document
readme
doc
text
file
data
test
message
body
http://securityresponse.symantec.com/avc