EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2005-1-2 18:58

[Repost] Analysis of the GIFT.C worm

Source: 安全小组 (Security Group)

Description:

This worm propagates via email. It sends copies of itself as attachments to the email messages it sends out. It uses Microsoft Word to compose the email messages.

Users are advised to be wary of email messages with any of the following Subject lines:

* benchmark
* cool mail
* Cracks
* Damn crack...
* Disk tool
* freeIRC beta mail list
* Honey ;)
* IE Plug-in
* IE5 security patch
* Improve your site
* JsvaScript 4 Docs
* My Rom list
* NS Plug-in
* Secure Communications Inc.
* Sex Farm - Adult contents
* Sexy game
* Shield PAK Installation
* VB examples
* y2k fix
* your dlls

For the complete details of the email message that this worm sends, users can check the Technical Details section.

Upon first execution, this worm displays a message box containing the following strings:

Install error
File data corrupt:
probably due to bad data transmission or bad disk access

This worm runs on Windows 98, ME, NT, 2000, and XP.


Technical Details:

Installation and Autostart Technique

Upon execution, this worm drops a copy of itself as RUNDLLW32.EXE in the Windows system folder.

It creates the following registry entries to ensure its automatic execution at every Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
RUN = "%Windows%\Rundllw32.exe"

(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

On systems running Windows 98 and ME, this worm adds the following lines to the WIN.INI file to enable its automatic execution every time Windows starts up:

[windows]
load =
run = %Windows%\Rundllw32.exe
NullPort = None

Upon first execution, this worm displays a message box containing the following strings:

Install error
File data corrupt:
probably due to bad data transmission or bad disk access

It then becomes memory-resident at the next Windows startup.
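A defender-side check for the autostart entries just described, added here as an example and not part of the original post. It parses WIN.INI text for the [windows] load= and run= lines and flags any entry whose file name is the dropped Rundllw32.exe; the registry Run value is only read when the script runs on Windows, and the sample WIN.INI content is constructed.

```python
"""Host-side check for the worm's autostart entries.

Added example, not from the original post. Assumes the WIN.INI text is
passed in as a string; the registry value is only read when run on Windows."""
import configparser
import re
import sys

DROPPED_NAME = "rundllw32.exe"          # file name the worm drops, per the write-up
REG_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"

def winini_autostart_entries(win_ini_text):
    """Return the programs started by the [windows] load= and run= lines.

    WIN.INI allows several programs on one line, separated by spaces or
    commas, so each value is split into individual entries."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(win_ini_text)
    entries = []
    if parser.has_section("windows"):
        for key in ("load", "run"):
            value = parser.get("windows", key, fallback="")
            entries += [p for p in re.split(r"[,\s]+", value) if p]
    return entries

def suspicious_entries(entries):
    """Keep only entries whose file name is the worm's dropped file."""
    return [e for e in entries
            if e.lower().replace("/", "\\").split("\\")[-1] == DROPPED_NAME]

def registry_run_value():
    """Read the Run value under HKCU REG_PATH; None if absent or not on Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
            return winreg.QueryValueEx(key, "Run")[0]
    except OSError:
        return None

# Constructed WIN.INI content mirroring the lines the worm adds.
SAMPLE_WIN_INI = """[windows]
load =
run = C:\\WINDOWS\\Rundllw32.exe
NullPort = None
"""
```

On a live Windows 98/ME host the WIN.INI text would come from reading %Windows%\WIN.INI, and a non-None registry_run_value() naming Rundllw32.exe is the NT/2000/XP side of the same indicator.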

Propagation via Email

This worm propagates via email. It sends copies of itself as attachments to email messages it sends. It uses Microsoft Word to compose the email messages, and MAPI to send them out.

To find addresses to use as the email recipients and sender, this worm searches files with the following extensions:

* .HT*
* .ASP

(Note: * stands for any character.)

The email message it sends has the following details:

· Subject: Improve your site
Message: Your page is nice. Test this js scripts and tell me what do you think.
Attachment: js.exe

· Subject: IE5 security patch
Message: This is the security patch you asked for... i don't know if is the last version but works.
Attachment: Ie5Patch.exe

· Subject: Shield PAK Installation
Message: Take a look at this new archiver! 30 trial version.
Attachment: ISPAK.EXE

· Subject: Secure Communications Inc.
Message: Do you feel secure? Run this small program to see if your communications are safe.
Attachment: SCommSetup.exe

· Subject: Cracks
Message: Take a look at my cracks list. Ask if you want something ;)
Attachment: clist.exe

· Subject: Sex Farm - Adult contents
Message: Sex Farm! Take a look at this little demo for free. Adult content!!!
Attachment: sfarm.exe

· Subject: JsvaScript 4 Docs
Message: This is the information you mean? Let me know if you need something else :)
Attachment: jsdoc4.exe

· Subject: VB examples
Message: 1st notice... moreover there are some examples. VB4 runtime is needed!
Attachment: instEx.exe

· Subject: My Rom list
Message: I love you :* Thanks you for the information. There is my list...
Attachment: myList.exe

· Subject: IE Plug-in
Message: There is the plug-in for IE... ;) send me comments.
Attachment: ie-pin.exe

· Subject: NS Plug-in
Message: There is the plug-in for NS... ;) send me comments.
Attachment: ns-pin.exe

· Subject: Honey ;)
Message: Hi honey! How goes? fine here. There is the little app i told you.
Attachment: SETUP.EXE

· Subject: Quiz
Message: Hello, Take a look to this little app!
Attachment: Setup.exe

· Subject: Damn crack...
Message: Hello, I'm trying to make run this shit but... please test it if ya can.
Attachment: crack.exe

· Subject: Disk tool
Message: Dunno. But try this. May be it works in your system. See you!
Attachment: drDisk.exe

· Subject: Sexy game
Message: Cool pics you send me!!! try this little game... rulez!
Attachment: powerDick.exe

· Subject: your dlls
Message: Here goes the dlls you asked for. It's strange you don't have it yet :?
Attachment: dlls.exe

· Subject: y2k fix
Message: This will fix your problem ;) You're welcome...
Attachment: y2k.exe

· Subject: benchmark
Message: A backdoor?? nah. But if this makes you feel better, there's a benchmark.
Attachment: bdbench.exe

· Subject: why?
Message: What can i do? please reply as soon as posible.
Attachment: doc.exe

· Subject: cool mail
Message: I'm testing my new cool mail client... rockz! and is smallllll ;)
Attachment: smail.exe

· Subject: freeIRC beta mail list
Message: Last Beta 0.6. Reply with subject "un-subscribe" to leave mail list...
Attachment: setupb.exe
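A mail-filter check built from the subject/attachment pairs listed above, added here as an example and not part of the original post. The LURES table holds a subset of those pairs; the sample MIME message is constructed and carries a placeholder attachment body, not a real executable.

```python
"""Mail-side check for the worm's lures. Added example, not from the original
post; lure pairs are from the write-up, the sample message is constructed."""
import email
from email import policy

# Subject -> attachment name (lower-cased), a subset of the pairs listed above.
LURES = {
    "improve your site": "js.exe",
    "ie5 security patch": "ie5patch.exe",
    "cracks": "clist.exe",
    "y2k fix": "y2k.exe",
    "benchmark": "bdbench.exe",
}

def attachment_names(msg):
    """File names of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def classify(raw_message):
    """Return (verdict, reasons): 'lure' when subject and attachment both match
    one of the worm's messages, 'suspicious' when only one side does."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    expected = LURES.get(subject)
    if expected and expected in names:
        return "lure", [f"subject {subject!r} paired with attachment {expected!r}"]
    reasons = []
    if expected:
        reasons.append(f"subject {subject!r} is a known lure subject")
    reasons += [f"attachment {n!r} is a known lure attachment"
                for n in names if n in LURES.values()]
    return ("suspicious" if reasons else "clean"), reasons

# Constructed sample reproducing one lure; the attachment body is placeholder text.
SAMPLE = """Subject: IE5 security patch
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This is the security patch you asked for... i don't know if is the last version but works.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Ie5Patch.exe"

(placeholder)
--b1--
"""
```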

Other Details

This worm is written in Borland C++. The following strings can be found in its body:

This is a I-Worm coded by Bumblebee\29a!

Gretingz to all 29a members ;)

I-Worm.RunDllw32 Activated

© 1999-2008 EvilOctal Security Team