October 12, 2004

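A virus that spreads through MSN

I saw this news item on Taiwan CNET today.

I then went to McAfee's website to look up information about this virus.

Virus name: W32/Funner.worm

Description: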

It sends itself as FUNNY.EXE to addresses found within MSN Messenger.

When executed, this worm will copy itself to the %Sysdir% folder as

EXPLORER.EXE

IEXPLORE.EXE

USERINIT32.EXE

It also copies itself to the %Windir% folder as RUNDLL32.EXE.

The following registry keys are created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon “Userinit” = %SYSDIR%\Userinit32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MMSystem” = %Windir%\RUNDLL32.EXE %SYSDIR%\mmsystem.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “MMSystem” = %Windir%\RUNDLL32.EXE %SYSDIR%\mmsystem.dll

mmsystem.dll is a module containing functions to manage multimedia for 16-bit multimedia applications.

The worm also tries to delete any occurrence of the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce “MMSystem”

It then attempts to invoke MSN Messenger (msmsgs.exe) and creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MSMSGS” = “C:\Program Files\Messenger\msmsgs.exe” /background

A log file BSFIRST2.LOG is created in the %SYSDIR% folder.

In addition, it modifies your HOSTS file.

For details, everyone can refer to McAfee's description.
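The indicators in the McAfee description can be turned into a simple host check. The following is an added example, not part of the original post or of McAfee's write-up: it scans text laid out like `reg query` output and a list of file paths for the registry values and file locations listed above. The function names and sample data are constructed for illustration, and the MSMSGS value is not checked on the assumption that a normal Messenger install can set it too.

```python
import ntpath
import re

# Indicators from the McAfee description above. Registry: (key, value name, data substring).
REG_IOCS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon", "Userinit", "userinit32.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MMSystem", "mmsystem.dll"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MMSystem", "mmsystem.dll"),
]
FILE_IOCS = {"sysdir": ("explorer.exe", "iexplore.exe", "userinit32.exe", "bsfirst2.log"),
             "windir": ("rundll32.exe",)}  # file names grouped by the folder the worm uses

def parse_reg_query(text):
    """Yield (key, value name, data) from text laid out like `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and line.strip():
            parts = re.split(r"\t|\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def registry_hits(text):
    """Return values whose key, name and data all match a listed indicator."""
    iocs = {(k.lower(), n.lower()): s for k, n, s in REG_IOCS}
    return [(key, name, data) for key, name, data in parse_reg_query(text)
            if (key.lower(), name.lower()) in iocs
            and iocs[(key.lower(), name.lower())] in data.lower()]

def file_hits(paths, sysdir, windir):
    """Return paths where a listed file name sits in the folder the worm uses."""
    roots = {sysdir.lower(): FILE_IOCS["sysdir"], windir.lower(): FILE_IOCS["windir"]}
    return [p for p in paths
            if ntpath.basename(p).lower() in roots.get(ntpath.dirname(p).lower(), ())]

# Constructed sample data, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\Userinit32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MMSystem    REG_SZ    C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\system32\mmsystem.dll
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\rundll32.exe",  # normal locations
    r"C:\WINDOWS\system32\EXPLORER.EXE", r"C:\WINDOWS\RUNDLL32.EXE",  # worm copies
    r"C:\WINDOWS\system32\BSFIRST2.LOG"]                              # worm log file
print(registry_hits(SAMPLE_REG), file_hits(SAMPLE_FILES, r"C:\WINDOWS\system32", r"C:\WINDOWS"))
```

The file check relies on location as well as name: explorer.exe normally lives in %Windir% and rundll32.exe in %Sysdir%, so the worm's copies are the ones in the opposite folder.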
