Brief introduction of virus variant Worm.Sobig.B
Alert level: ★★★★★
Attack time: random
Virus type: worm virus
Transmission mode: Internet/mail/LAN
Infected object: The virus began to spread around the world on May 18 and reached China on May 19. When run, it copies itself to the system directory, modifies the registry so that it starts automatically, and sends out large numbers of virus mails, consuming system resources.
In addition to spreading rapidly through e-mail and the LAN, the virus connects in the background to four websites designated by its author, downloads virus files from them and runs them, which greatly increases its reach. If the virus author places an updated version of the virus on these websites, the virus on an infected computer will upgrade itself from time to time and take on a new form that antivirus software cannot recognize; if the author places Trojan programs on these websites instead, the virus on the infected computer becomes an accomplice to them, so the virus can do far more harm to enterprises and institutions. This virus has the following characteristics. If users find these features on their computers, they are most likely infected with this virus:
1. When the virus runs, it copies itself to the system directory under the name msccn32.exe.
2. The virus modifies the registry: under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run it adds a value named System Tray whose data is the path of the virus file, so that the virus runs automatically the next time the computer starts.
3. The virus traverses the LAN and tries to copy itself to the Windows\All Users\Start Menu\Programs\Startup and Documents and Settings\All Users\Start Menu\Programs\Startup directories of other computers; users can inspect these directories.
4. The virus searches all files on the hard disk with the extensions .wab, .txt, .dbx, .htm, .html and .eml, extracts e-mail addresses from them, and sends virus-carrying mails to those addresses. The virus mail uses one of the following subjects:
Your details
Approved (Ref: 38446-263)
Re: Your password
Approved (Ref: 3394-65467)
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application
If users find all or part of the above phenomena on their computers, they are very likely infected with Worm.Sobig.B.
Introduction of virus variant Worm.Sobig.C
In June 2003, Rising's global anti-virus monitoring network intercepted a new variant of the Sobig ("Great Infinite") series of viruses: Worm.Sobig.C. Compared with the previous version (Worm.Sobig.B), this variant not only encrypts the strings in its body but also, remarkably, restricts its own spread.
While analyzing the virus, Rising's anti-virus engineers found a piece of code that checks the date. This is extremely rare among recently discovered viruses. Stranger still, this date check is not a trigger condition for an attack but a limit on the virus's own propagation: when the system date is later than June 8, 2003, the virus automatically stops spreading.
Exploring the reasons for the virus's "self-harm", a senior Rising anti-virus expert said: "From the logic of virus writing, the virus author definitely hopes that the virus he wrote can be widely spread. This abnormal behaviour of the virus is a dangerous signal: the virus is only a test version, and in the near future the virus author will launch a more powerful new version." Generally, virus writers only write viruses and test them in different stages. However, the fact that this Sobig variant automatically lapsed on June 8 shows that virus writing has entered a formal stage of "standardization" and "process", indicating that a new virus era is coming and that the road ahead for anti-virus manufacturers is harder.
The characteristics of Sobig variant C ("Great Infinite Variant C") are as follows:
1. Copies itself
After the virus runs, it copies itself to the Windows directory under the name mscvb32.exe and modifies the self-start entry in the registry so that it starts itself.
2. Encrypts its own data
The virus encrypts the strings in its body, which makes analysis of the virus harder.
3. Infects the LAN
The virus searches the local LAN resources and tries to copy the virus file to the Windows\All Users\Start Menu\Programs\Startup and Documents and Settings\All Users\Start Menu\Programs\Startup directories of LAN computers, increasing the chance that the virus is started.
4. Spreads by mail
The virus searches .wab, .txt, .dbx, .htm, .html and .eml files, extracts e-mail addresses from them and mails itself to those addresses. Subjects seen on these mails include: Re: Submitted (004756-3463); Screensaver; Your application; Submitted; Re: Movie; Re: 45443-343556; Movies; Re: Application 45443. The attachment is a .pif (program information) file named to match the subject, such as movies.pif. Users who have not installed antivirus software should be wary of mails with these subjects and attachments.
In view of the virus's characteristics, Rising suggested that enterprises and institutions use the network edition of its anti-virus software for daily network security maintenance, with monitoring enabled and timely upgrades, to guard against a new version of the virus being launched at any time.
Introduction of virus variant Sobig variant D (Worm.Sobig.D)
Alert level: ★★★★☆
Attack time: random
Virus type: worm virus
Transmission mode: LAN/mail
Infected object: mail
Dependent system: WIN9X/NT/2000/XP
1. Copies itself to the Windows directory
The virus copies itself to the %Windir% directory (by default c:\windows or c:\winnt) under the name dftrn32.dat, and then creates two configuration files, dftrn32.dat and rssp32.dat.
2. Modifies the registry startup entry
When run, the virus modifies the startup entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the registry, adding a value named SFtrb Service with the data %Windir%\cftrb32.exe, so that the virus runs automatically when the system restarts.
3. Infects computers on the LAN
When the computer is connected to the network, the virus copies itself to the Windows\All Users\Start Menu\Programs\Startup and Documents and Settings\All Users\Start Menu\Programs\Startup directories of other computers on the LAN. After such a computer restarts, the virus runs automatically there, and in this way it is activated on one LAN computer after another.
4. Spreads by mail
When run, the virus also searches .wab, .dbx, .htm, .html, .eml and .txt files for valid e-mail addresses on the computer. When it finds them, it generates virus mails and sends them out in large numbers. The subject and attachment of the virus mail are one of the following pairs (subject, then attachment name):
Re: Documents                        Document.pif
Re: App. 00347545-002                App003475.pif
Re: Movies                           Movies.pif
Application Ref: 456003              Ref_456.pif
Re: Your application (Ref: 003844)   Application844.pif
Re: ScreenSaver                      ScreenSaver.scr
Re: Accepted                         Accepted.pif
Your application                     Application.pif
The .pif attachments are program information files.
Introduction of virus variant Sobig variant E (Worm.Sobig.E)
Alert level: ★★★★★
Attack time: random
Virus type: worm virus
Transmission mode: mail/LAN
Infected object: LAN
Dependent system: WIN9X/NT/2000/XP
This virus has the following characteristics. If users find these features on their computers, they are most likely infected with this virus:
1. When the virus runs, it copies itself to the %Windir%\ directory under the name winssk32.exe and then creates a virus configuration file named msrrf.dat in the same directory. Users can locate these two files on the computer and delete them.
Note: %Windir% is a variable that refers to the system installation directory. By default it is "C:\Windows" or "c:\Winnt", but it can be another directory chosen by the user when installing the operating system.
2. When run, the virus modifies the startup entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the registry, adding a value named SSK Service with the data %Windir%\winssk32.exe, so that the virus runs automatically the next time the system starts. Users can delete the virus's value directly with the REGEDIT tool so that the virus can no longer start.
3. When the virus runs, a process named winssk32 appears in memory. Users of NT-class operating systems can kill the process directly with Task Manager, while users of 9X operating systems can only kill the virus process with third-party software such as Procview.
4. The virus searches the computers on the LAN. If it finds the default shares, it copies itself to the Windows\All Users\Start Menu\Programs\Startup and Documents and Settings\All Users\Start Menu\Programs\Startup directories. Users can check these directories for the virus files mentioned above and, if present, delete them directly.
5. The virus searches .wab, .txt, .dbx, .htm, .html and .eml files, extracts e-mail addresses from them and mails itself to those addresses.
The sender of the mail may be: support@yahoo.com
The subject of the mail may be one of:
Re: Application
Re: Movie
Re: Submitted
Re: ScreenSaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
The attachment may be one of: application.pif, applications.pif, movie.pif, screensaver.scr, submitted.pif, new document.pif, document.pif, 00444 8554.pif, referer.pif, or a zip archive named your_details.zip, application.zip, document.zip, screensaver.zip or movie.zip. Users without antivirus software can delete such a mail directly if they receive it.
If users find all or part of the above phenomena on their own computers, they are likely infected with the Sobig variant E (Worm.Sobig.E) virus.
1. Establish good security habits. For example, do not open e-mails and attachments of unknown origin, do not visit websites you do not know well, and do not run software downloaded from the Internet without scanning it for viruses first. These habits will make your computer safer.
2. Shut down or remove unnecessary services. Many operating systems install auxiliary services by default, such as an FTP client, Telnet and a Web server. These services are convenient for attackers but of little use to users; removing them greatly reduces the chance of being attacked.
3. Install security patches promptly. According to statistics, 80% of network viruses spread through system security vulnerabilities, for example Code Red and Nimda, so you should visit the Microsoft website regularly to download the latest security patches and prevent problems before they happen.
4. Use complex passwords. Many network viruses attack systems by guessing simple passwords, so using complex passwords greatly improves the security of computers.
5. Isolate infected computers quickly. When a virus or abnormality is found on your computer, disconnect it from the network immediately to prevent further infection of that computer and to stop it from becoming a source of infection for other computers.
6. Know something about viruses. In this way new viruses can be spotted in time and appropriate measures taken to protect your computer at critical moments: if you understand the registry, you can regularly check whether the self-start entries in the registry contain suspicious values; if you know something about memory, you can check at any time whether suspicious programs are running in memory.
7. It is best to install professional antivirus software for comprehensive monitoring. With more and more viruses today, using anti-virus software is increasingly cost-effective. However, after installing anti-virus software, users should upgrade it often, turn on the major monitors (such as e-mail monitoring) and report problems, so as to truly protect the security of their computers.
Introduction of virus variant Sobig variant F (Worm.Sobig.F)
Alert level: ★★★★★★★
Attack time: random
Virus type: worm virus
Transmission mode: Internet/mail
Dependent system: WIN9X/NT/2000/XP
This virus has the following three characteristics:
First, strong e-mail propagation. Building on the original virus, the author improved it so that Sobig variant F not only searches the address book for e-mail addresses but also finds existing e-mail addresses in web files, and can even find e-mail addresses directly inside e-mails. These characteristics greatly enhance the virus's ability to spread by e-mail, allowing it to flood the network in a short time.
Second, very strong LAN propagation. When the virus runs, it looks for other computers on the LAN and, when it finds them, copies itself into their startup directories. The virus on those computers is automatically activated the next time they restart, forming a chain reaction; at the same time it spreads widely and quickly exhausts the resources of mail servers.
Third, the virus can upgrade itself. Anti-virus engineers also found that while running, the virus communicates directly with external virus makers over the network and upgrades itself directly from the network, so that it can mutate during transmission, form a new variant, and continue to flood the network.
1. When the virus runs, a virus process named "WINPPR32" appears in memory. Users can use Task Manager (CTRL+SHIFT+DELETE) or a third-party memory editing tool to find and kill the virus process.
2. When the virus runs, it copies itself to the system directory under the name %WINDIR%\WINPPR32.EXE. Users can locate the virus file and delete it.
Note: %Windir% is a variable that refers to the operating system installation directory. By default it is "C:\Windows" or "c:\Winnt", but it can be another directory chosen by the user when installing the operating system. %systemdir% is a variable that refers to the system directory inside the installation directory; by default it is "C:\Windows\system" or "c:\Winnt\system32".
3. The virus modifies the HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry in the registry, adding the value "TrayX" = "%windir%\winppr32.exe /sinc". Users can delete the virus's value directly with the REGEDIT tool to prevent the virus from starting.
4. The virus enumerates the local LAN resources over the network and tries to copy the virus file to the Windows\All Users\Start Menu\Programs\Startup and Documents and Settings\All Users\Start Menu\Programs\Startup directories. If your computer is part of a LAN, check whether the virus file is present in these directories; if so, delete it directly.
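The Run-key value names, dropped file names and startup-folder paths listed above for variants B through F are all indicators an administrator can sweep for across many machines. The following Python is an added example, not code from this page or from Rising: it takes an inventory already collected from a host (Run-key values as name/data pairs, a list of file paths, and running process names, as a logon script or agent might export them) and matches it against the indicators this page names. The inventory at the bottom is constructed sample data; the benign SystemTray entry is included to show that matching is on the exact value name the page gives (with a space), and the renamed-value branch is an assumption about how a variant might be repackaged.

```python
import ntpath
import re

# Indicators as this page lists them for Worm.Sobig.B .. F (value names compared case-insensitively).
SOBIG_RUN_VALUES = {
    "system tray": "Worm.Sobig.B",    # HKLM\...\Run, data = path of msccn32.exe
    "sftrb service": "Worm.Sobig.D",  # HKLM\...\Run, data = %Windir%\cftrb32.exe
    "ssk service": "Worm.Sobig.E",    # HKLM\...\Run, data = %Windir%\winssk32.exe
    "trayx": "Worm.Sobig.F",          # HKCU\...\Run, data = %windir%\winppr32.exe /sinc
}
SOBIG_FILES = {
    "msccn32.exe": "Worm.Sobig.B",
    "mscvb32.exe": "Worm.Sobig.C",
    "cftrb32.exe": "Worm.Sobig.D",
    "winssk32.exe": "Worm.Sobig.E",
    "msrrf.dat": "Worm.Sobig.E",      # configuration file dropped next to winssk32.exe
    "winppr32.exe": "Worm.Sobig.F",
}
# Tail of the All Users startup folders the worms write into (local path or via a share).
STARTUP_TAIL = re.compile(r"\\all users\\start menu\\programs\\startup\\[^\\]+$", re.IGNORECASE)


def executable_from_run_data(data):
    """Lowercase basename of the program a Run value launches.

    Handles a quoted path and trailing arguments such as '/sinc'.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def scan_host(run_values, file_paths, processes):
    """Return (indicator_kind, variant, evidence) tuples for everything that matches."""
    findings = []
    for name, data in run_values:
        if name.lower() in SOBIG_RUN_VALUES:
            findings.append(("run-value-name", SOBIG_RUN_VALUES[name.lower()], f"{name} = {data}"))
        else:
            exe = executable_from_run_data(data)
            if exe in SOBIG_FILES:  # assumed case: value renamed but same dropped executable
                findings.append(("run-value-target", SOBIG_FILES[exe], f"{name} = {data}"))
    for path in file_paths:
        base = ntpath.basename(path).lower()
        if base in SOBIG_FILES:
            kind = "startup-folder-drop" if STARTUP_TAIL.search(path) else "dropped-file"
            findings.append((kind, SOBIG_FILES[base], path))
    for proc in processes:
        if proc.lower() in SOBIG_FILES:
            findings.append(("process", SOBIG_FILES[proc.lower()], proc))
    return findings


def variants_present(findings):
    """Set of variant names implicated by a scan result."""
    return {variant for _, variant, _ in findings}


# Constructed sample inventory for one host (not data from a real machine).
SAMPLE_RUN_VALUES = [
    ("SystemTray", "SysTray.Exe"),                 # legitimate Windows 9x entry: no space, must not match
    ("TrayX", r"%windir%\winppr32.exe /sinc"),     # Sobig.F as described above
    ("SSK Service", r"%Windir%\winssk32.exe"),     # Sobig.E as described above
    ("Updater", r'"C:\Program Files\Vendor\update.exe" /quiet'),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\WINPPR32.EXE",
    r"C:\WINDOWS\msrrf.dat",
    r"C:\WINDOWS\notepad.exe",
    r"\\HOST2\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\winppr32.exe",
]
SAMPLE_PROCESSES = ["explorer.exe", "WINPPR32.EXE", "svchost.exe"]

if __name__ == "__main__":
    for kind, variant, evidence in scan_host(SAMPLE_RUN_VALUES, SAMPLE_FILES, SAMPLE_PROCESSES):
        print(f"{kind:20} {variant:14} {evidence}")
```

Run against the sample, the scan reports six findings and implicates variants E and F only; the SystemTray and Updater entries produce nothing. The startup-folder match is deliberately on the path tail so that the same rule covers a local drop and a drop seen through an administrative share.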
5. The virus sends a probe message over UDP port 8998 to its owner. In response, the master server returns a URL from which the virus downloads files. Two hosts are named: a.root-servers.net and b.root-servers.net.
6. The virus has a back door and opens the following ports: 995/udp, 996/udp, 997/udp, 998/udp and 999/udp. It listens for UDP messages on these ports and parses them; if a message is upgrade information sent by the virus's service, the virus updates itself automatically.
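The back-door listeners on 995/udp to 999/udp and the 8998/udp probe just described are observable both on the host and at the perimeter. As an added example (not code from the page or from Rising), the Python below parses two constructed inputs: lines in the layout of Windows `netstat -ano` output, together with a PID-to-image map of the kind `tasklist` gives, to find UDP listeners on the back-door ports and the process that owns them; and lines in the W3C layout of the Windows Firewall log (pfirewall.log) to find outbound UDP datagrams to port 8998. Using the firewall log as the place to see the probe is this example's assumption; the addresses, PIDs and timestamps in the samples are invented.

```python
import re
from collections import defaultdict

BACKDOOR_UDP_PORTS = set(range(995, 1000))   # 995/udp .. 999/udp, as listed above
MASTER_PROBE_PORT = 8998                      # UDP probe to the worm's master servers
WORM_IMAGE = "winppr32.exe"

# One data line of Windows `netstat -ano`: proto, local addr:port, foreign addr:port, [state], pid.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def find_backdoor_listeners(netstat_lines, pid_to_image):
    """Return {pid: (image, sorted ports)} for processes bound to the back-door UDP ports."""
    ports_by_pid = defaultdict(set)
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m or m.group("proto") != "UDP":
            continue  # header lines, blank lines and TCP sockets are skipped
        port = int(m.group("lport"))
        if port in BACKDOOR_UDP_PORTS:
            ports_by_pid[int(m.group("pid"))].add(port)
    return {
        pid: (pid_to_image.get(pid, "<unknown>"), sorted(ports))
        for pid, ports in ports_by_pid.items()
    }


def find_master_probes(firewall_lines):
    """Return (timestamp, src_ip, dst_ip) for UDP datagrams to the probe port.

    Input is the W3C layout of the Windows Firewall log:
    date time action protocol src-ip dst-ip src-port dst-port ...
    """
    probes = []
    for line in firewall_lines:
        if line.startswith("#") or not line.strip():
            continue  # '#Fields:' header and blank lines
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, _action, proto, src, dst, _sport, dport = fields[:8]
        if proto == "UDP" and dport.isdigit() and int(dport) == MASTER_PROBE_PORT:
            probes.append((f"{date} {time}", src, dst))
    return probes


# Constructed samples (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    812
  UDP    0.0.0.0:995            *:*                                    1480
  UDP    0.0.0.0:996            *:*                                    1480
  UDP    0.0.0.0:997            *:*                                    1480
  UDP    0.0.0.0:998            *:*                                    1480
  UDP    0.0.0.0:999            *:*                                    1480
""".splitlines()
SAMPLE_TASKLIST = {4: "System", 812: "lsass.exe", 1044: "svchost.exe", 1480: WORM_IMAGE}

SAMPLE_FIREWALL_LOG = """
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-22 19:05:11 OPEN UDP 192.0.2.10 198.51.100.7 1036 8998 - - - - - - - -
2003-08-22 19:05:12 OPEN UDP 192.0.2.10 192.0.2.1 1037 53 - - - - - - - -
2003-08-22 19:05:13 OPEN TCP 192.0.2.10 198.51.100.20 1038 80 - - - - - - - -
2003-08-22 19:05:15 OPEN UDP 192.0.2.10 198.51.100.9 1039 8998 - - - - - - - -
""".splitlines()

if __name__ == "__main__":
    for pid, (image, ports) in find_backdoor_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        flag = "WORM" if image.lower() == WORM_IMAGE else "check"
        print(f"[{flag}] pid {pid} ({image}) listens on udp/{ports}")
    for when, src, dst in find_master_probes(SAMPLE_FIREWALL_LOG):
        print(f"[probe] {when} {src} -> {dst}:{MASTER_PROBE_PORT}/udp")
```

The listener check keys on the port range rather than the image name, so a renamed copy bound to the same ports is still reported, and the owning image is shown only to speed up confirmation. The firewall-log check is the host-side counterpart of blocking outbound UDP/8998 at the gateway, which is how the update channel described above would be cut.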
7. The virus stops spreading on September 10, 2003.
8. The virus sends the following virus mails, which users can delete directly on sight. The subject of the virus mail is one of:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
The attachment is named one of:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
The body of the mail reads "Please see the attached file for details." or "See the attached file for details."
If users find all or part of the above phenomena on their computers, they are likely infected with the Sobig variant F (Worm.Sobig.F) virus.
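The mail-borne side of all the variants described on this page comes down to a small set of subjects, .pif and .scr attachments and, for variant E, zip archives wrapping such files. The following Python is an added example, not code from the page or from Rising, of how a mail gateway or a mailbox sweep could triage messages against the subjects and attachment types this page lists: an executable attachment (directly or inside a zip) gets the message blocked, while a listed subject on its own only marks it for review, since the subjects are ordinary enough to collide with real mail. The messages are constructed inside the block with the standard library's email package; the sender addresses other than support@yahoo.com (which the page gives for variant E) are placeholders, and the attachment bytes are stand-ins, not executables.

```python
import email
import io
import ntpath
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects this page lists for Worm.Sobig.B .. F (compared case-insensitively, whitespace trimmed).
SOBIG_SUBJECTS = {s.lower() for s in (
    "Your details", "Re: My details", "Re: Movie", "Re: My application", "Cool screensaver",  # B
    "Re: Movies", "Re: Documents", "Re: ScreenSaver", "Re: Accepted", "Your application",      # D
    "Re: Application", "Re: Submitted", "Re: Re: Document",                                     # E
    "Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details", "Re: Approved",
    "Re: Your application", "Re: Wicked screensaver",                                           # F
)}
EXECUTABLE_EXTENSIONS = {".pif", ".scr"}   # the attachment types the page describes


def executable_names(part):
    """Names of executable files carried by one attachment part, looking inside zip archives."""
    name = part.get_filename() or ""
    ext = ntpath.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return [name]
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                return [f"{name}:{n}" for n in zf.namelist()
                        if ntpath.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]
        except zipfile.BadZipFile:
            return [f"{name}:<unreadable zip>"]   # a corrupt archive is treated as suspicious
    return []


def triage(raw):
    """Classify one RFC 822 message as 'block', 'review' or 'pass', with the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    reasons = []
    if subject.lower() in SOBIG_SUBJECTS:
        reasons.append(f"subject on Sobig list: {subject!r}")
    executables = [n for part in msg.iter_attachments() for n in executable_names(part)]
    reasons.extend(f"executable attachment: {n}" for n in executables)
    if executables:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject": subject, "reasons": reasons}


def build_message(subject, sender, body, filename, data):
    """Constructed test message: one text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_zip(inner_name, data):
    """Constructed zip archive holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 30   # stand-in bytes, not an executable
SAMPLES = {
    # Shaped like the variant F mail described above; the sender is a placeholder.
    "sobig_f": build_message("Re: Thank you!", "someone@example.invalid",
                             "Please see the attached file for details.", "your_document.pif", FAKE_PE),
    # Shaped like variant E: listed sender, listed subject, .pif inside a listed zip name.
    "sobig_e": build_message("Re: Movie", "support@yahoo.com", "Movie attached.",
                             "movie.zip", build_zip("movie.pif", FAKE_PE)),
    # Subject collides with the list but the attachment is harmless: review, not block.
    "lookalike": build_message("Re: Movie", "colleague@example.invalid", "Here is the clip list.",
                               "movie.txt", b"clip list"),
    # Ordinary business mail with a zip of text: pass.
    "benign": build_message("Quarterly figures", "finance@example.invalid", "Attached.",
                            "q2.zip", build_zip("q2.csv", b"1,2,3")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:10} {result['verdict']:7} {result['reasons']}")
```

The verdict is driven by the attachment, not the subject, because the subject list changes with every variant while the delivery mechanism (a .pif or .scr, bare or zipped) stayed constant across B through F; the subject match is kept only as supporting evidence and as a reason to look at borderline mail.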