《Mytob.33》Worm keeps spawning variants, opens a backdoor, lowers security settings
Mytob.33 worm: frequent variants, opens a backdoor and lowers security settings, leaving the machine with no defences
The Mytob family is still very active: its authors keep modifying the original source code and releasing new variants, most of which share the same behaviour. Mytob.33 resembles the earlier variants. It harvests the address book and mass-mails itself, and it also opens a backdoor that lets an attacker in and lowers the machine's security settings, leaving it with no defences.
Summary:
Name: Worm@W32.Mytob.33
Alias: W32.Mytob.ML@mm [Symantec]
Type: Worm, E-Mail, Backdoor
Discovered: 2005/12/06
Affected platforms: Windows 95/98/ME, Windows NT/2000/XP/2003
Risk assessment:
Distribution: High
Damage: Medium
Worm@W32.Mytob.33
Mail format:
From: < random >
Subject: < one of the following >
*DETECTED* Online User Violation
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
You have successfully updated your password
Your Account is Suspended
Your Account is Suspended For Security Reasons
....................
Body: < one of the following >
Dear user [USER NAME],
You have successfully updated the password of your [DOMAIN NAME] account.
If you did not authorize this change or if you need assistance with your
account, please contact [DOMAIN NAME] customer service at: [SPOOFED EMAIL
ADDRESS WITH DOMAIN NAME]
Thank you for using [DOMAIN NAME]!
The [DOMAIN NAME] Support Team
+++ Attachment: No Virus (Clean)
+++ [domain part of email] Antivirus - www.[DOMAIN NAME]
Dear user [USER NAME],
It has come to our attention that your [DOMAIN NAME] User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using [DOMAIN NAME]!
The [DOMAIN NAME] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN NAME] Antivirus - www.[DOMAIN NAME]
......................
Attachment: < one of the following >
[RANDOM FILE NAME]
accepted-password
account-details
account-info
account-password
account-report
approved-password
document
email-details
email-password
...................
Worm@W32.Mytob.33 behaviour:
Note: on Win95/98/ME %System% defaults to C:\Windows\System;
on WinNT/2000 it defaults to C:\WinNT\System32 and on XP/2003 to C:\Windows\System32.
The worm harvests e-mail addresses from the address book and from:
%UserProfile%\Local Settings\Temporary Internet Files
and from files with the following extensions:
.adb
.asp
.cgi
.dbx
.htm
.html
.jsp
.php
.pl
.sht
..........
The worm opens a backdoor that allows an attacker to reach the machine.
When run, the worm copies itself into %System% as:
skype32.exe
When run, it also creates the following file in %System%:
rofl.sys
Modifies the registry to lower security settings. Under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
"AntiVirusDisableNotify" = "1"
"AntiVirusOverride" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
(The *DisableNotify values silence the Security Center balloon warnings that antivirus, firewall or automatic updates are off; the *Override values tell Security Center that the user monitors those components himself, so it stops reporting them as missing.)
Modifies the registry to lower security settings. Under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
"EnableFirewall" = "0"
(Because this is set in the Policies hive, it turns the Windows Firewall off for both the domain and the standard profile as if by group policy, and the Control Panel cannot switch it back on while the value remains.)
Modifies the registry to lower security settings. Under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
"DoNotAllowXPSP2" = "1"
(This stops Windows Update and Automatic Updates from offering Windows XP Service Pack 2, the release that introduced Security Center and turned the firewall on by default.)
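To check a suspect host for the registry changes listed above, one can export the four keys with `reg export` and scan the result. The Python script below is an added example for this post, not code from the original writeup or from any vendor tool. It parses the text of a .reg export (the INFECTED_EXPORT sample is constructed, not captured from a real machine), flags every listed value that carries the "security lowered" data, and builds a .reg file that deletes those values. The names MYTOB33_REGISTRY_IOCS, parse_reg_export, find_mytob33_indicators and build_remediation_reg are this example's own.

```python
import re

# Registry values the Mytob.33 writeup lists, each with the data that means
# "security lowered". Key and value names are compared case-insensitively.
MYTOB33_REGISTRY_IOCS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusDisableNotify": 1, "AntiVirusOverride": 1,
        "FirewallDisableNotify": 1, "FirewallOverride": 1,
        "UpdatesDisableNotify": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {
        "EnableFirewall": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {
        "EnableFirewall": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate": {
        "DoNotAllowXPSP2": 1},
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse .reg text (as written by 'reg export') into {key: {name: value}}
    with keys and names lower-cased. dword:XXXXXXXX becomes an int, a quoted
    string becomes a str, any other data type is kept as its raw text."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2).strip()
            if data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                value = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # unescape \" and \\
            else:
                value = data
            tree[current][name] = value
    return tree


def _as_int(value):
    """Writeups show these values both as REG_DWORD 1 and as the string "1";
    normalise both so the comparison does not depend on the value type."""
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def find_mytob33_indicators(tree):
    """Return [(key, value_name, observed)] for each listed value present with
    the 'security lowered' data. Absent values, or other data, are not hits."""
    hits = []
    for key, expected in MYTOB33_REGISTRY_IOCS.items():
        present = tree.get(key.lower(), {})
        for name, bad in expected.items():
            observed = present.get(name.lower())
            if observed is not None and _as_int(observed) == bad:
                hits.append((key, name, observed))
    return hits


def build_remediation_reg(hits):
    """Emit a .reg file that deletes each flagged value ("Name"=- removes the
    value on import). Deleting the Policies\\... values puts the firewall and
    Windows Update back to 'not configured' instead of forcing them on, so a
    domain GPO re-applies whatever the organisation actually prescribes."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


# Constructed sample export of an infected host (not captured from a real
# machine). FirstRunDisabled is a legitimate Security Center value and must
# not be flagged; DoNotAllowXPSP2 is deliberately given as a string.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"="1"
'''

if __name__ == "__main__":
    hits = find_mytob33_indicators(parse_reg_export(INFECTED_EXPORT))
    for key, name, observed in hits:
        print(f"{key}\\{name} = {observed!r}")
    print(build_remediation_reg(hits))
```

On the suspect host the export is produced with one `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg` per key; the file is written as UTF-16, so read it with encoding="utf-16" before passing the text in. The remediation file is applied with `reg import`, and only after the worm's process and the skype32.exe / rofl.sys files are gone, otherwise the running backdoor simply sets the values again.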