Virus Name: worm.donghe.49152
Virus Characteristics:
The virus arrives as an e-mail attachment named hello.exe. The e-mail subject is in Chinese and may be one of: "your friend sent you a greeting card"; "Happy Birthday to You"; "reunion"; "You won the lottery"; "Festival happy"; "Congratulations"; "Hello!"; "I love you"; "I want to escape from universities". The virus body contains Chinese text giving the author's name, school, e-mail address and other information, and mentioning the need to work.
This virus has no connection with the previously widespread "cover letter" virus and is not a variant of it. Like other recent worms, it uses the IFRAME vulnerability so that it runs when the message is merely previewed (on vulnerable versions of IE). When run, the virus copies itself to the Windows system directory under the name Exporler.exe and modifies the exe file association so that it is activated again the next time.
The virus automatically obtains the addresses in the user's address book and sends messages to them indiscriminately. It also carries a VBS virus, and it sends messages in two forms: one with the virus itself as the attachment, and one with the VBS virus as the attachment (named hello.vbs). The VBS part of the virus modifies registry entries so that it starts on the next run, and also changes IE's default start page.
Destructive effects:
1. Blocks mail servers.
2. Deletes files with the following extensions: exe, dll, dat, mp3, doc. This is done by the VBS virus.
When a message with the attachment Hello.exe is received, the virus automatically exploits a known IE vulnerability. If the patch is not installed, the virus runs automatically and infects the system when the message is previewed. Users are asked to download and install the patch for this vulnerability from the following address: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
After it starts, the virus copies itself to the system directory under the name Exporler.exe and modifies the registry association for EXE files:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
C:\WIN98\SYSTEM\Exporler.exe %1 %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
C:\WIN98\SYSTEM\Exporler.exe %1 %*
As a result, running any EXE file activates the virus. At that point, the virus sends out e-mail carrying the virus.
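A check for the EXE association change described above, as an added example that is not part of the original advisory. It assumes the registry has been exported to text in REGEDIT4 format, and that the stock Windows value for this key is `"%1" %*`; the function names and the sample export are constructed for illustration.

```python
import re

# Stock default value of exefile\shell\open\command (assumption, see lead-in).
EXPECTED = '"%1" %*'

# The two keys the advisory lists, lower-cased for case-insensitive matching.
WATCHED = {
    r"hkey_local_machine\software\classes\exefile\shell\open\command",
    r"hkey_classes_root\exefile\shell\open\command",
}


def unescape(value):
    # .reg exports escape backslashes and double quotes inside string values.
    return re.sub(r"\\(.)", r"\1", value)


def find_hijacks(reg_text):
    """Return (key, command) pairs where the EXE open command is not stock."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: current registry key
        elif (key and key.lower() in WATCHED
              and line.startswith('@="') and line.endswith('"')):
            command = unescape(line[3:-1])  # '@' is the key's default value
            if command != EXPECTED:
                findings.append((key, command))
    return findings


# Constructed sample export: one hijacked key and one untouched key.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\Exporler.exe %1 %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, command in find_hijacks(SAMPLE):
        print("modified EXE association:", key, "->", command)
```

Any command other than the stock value is reported, so the check also catches a copy of the virus stored under a different path or file name.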
When the user receives the e-mail with the attachment Hello.vbs, the virus automatically exploits the IE vulnerability. It creates the file Win32Dll.vbs in the Windows directory and the file MSKernel.vbs in the Windows system directory. The virus then deletes files of the following types on all logical disks: .exe, .dll, .mp3, .dat, .doc. Files of these types in the root directory are not deleted.
In view of the data loss, system failures and serious damage that an attack by this virus causes, users should watch for it, especially mail users of 163.com, 163.net, 263.net, sina.com, china.com and citiz.net. If a message with the features described above is found, delete it immediately and do not open it.