HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wink{random alphabetic characters} ImagePath = "%System%\WINK{random alphabetic characters}.EXE" (if the operating system is Windows NT, 2000, or XP)
The worm adds the following registry value so that its copy runs automatically at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Wink{random alphabetic characters} = "%System%\WINK{random alphabetic characters}.EXE" (if the operating system is Windows 95, 98 or ME)
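As an added, defender-side example that is not part of the original page, the following Python function scans a .reg-style registry export for the two autostart entries described above (a Run value named Wink plus random letters, or a Services key of that name whose ImagePath points at WINK{letters}.EXE). The sample export, the function name, and the assumption that a live export shows %System% expanded to a drive path ending in \System or \System32 are all constructed for this example.

```python
import re

# Value name "Wink" + random letters (Run key) or the service key's last
# component (Services key), with data "%System%\WINK" + letters + ".EXE".
# A live export has %System% expanded, so a drive path ending in \System or
# \System32 is accepted too (assumption, not stated on the page).
WINK_NAME = re.compile(r"^Wink[A-Za-z]+$", re.IGNORECASE)
WINK_DATA = re.compile(
    r"^(?:%System%|[A-Za-z]:\\.*\\System(?:32)?)\\WINK[A-Za-z]+\.EXE$",
    re.IGNORECASE,
)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def find_klez_autostart(reg_export):
    """Return (key, value name, data) triples that match the worm's
    autostart entries in a .reg-style export."""
    hits = []
    key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key header
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")  # undo .reg escaping
        if not WINK_DATA.match(data):
            continue
        parent, _, leaf = key.rpartition("\\")
        if key.lower() == RUN_KEY.lower() and WINK_NAME.match(name):
            hits.append((key, name, data))
        elif (parent.lower() == SERVICES_KEY.lower()
              and name.lower() == "imagepath" and WINK_NAME.match(leaf)):
            hits.append((key, name, data))
    return hits

# Constructed sample export: one benign Run value, one benign service, and
# one worm entry of each kind.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Winkqzrp"="%System%\\WINKqzrp.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winkab]
"ImagePath"="C:\\WINNT\\System32\\WINKab.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"""

if __name__ == "__main__":
    for key, name, data in find_klez_autostart(SAMPLE_EXPORT):
        print(f"{key} -> {name} = {data}")
```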
Sender: Taken from the gathered email addresses
Option 1:
Subject: none
Mail Body: none
Option 2:
Subject: chosen from the following:
congratulations
darling
eager to see you
honey
how are you
introduction on ADSL
japanese girl VS playboy
japanese lass sexy pictures
let's be friends
look,my beautiful girl friend
meeting notice
please try again
questionnaire
so cool a flash,enjoy it
some questions
sos!
spice girls vocal concert
the Garden of Eden
welcome to my hometown
your password
The subject can be preceded by the following:
Hi,{user name},
Hello,{user name},
Re:
Fw:
Mail Body: none
Option 3:
Subject: a {string 1} {string 2} game
Mail Body: A {string 1} {string 2} game
This is a {string 1} {string 2} game This game is my first work. You're the first player. I expect you would enjoy it.
Option 4:
Subject: {string 3} removal tools
Mail Body: {string 4} give you the {string 3} removal tools {string 3} is a dangerous virus that can infect on Win98/Me/2000/XP.
For more information,please visit http://www.{string 4}.com
Option 5:
Subject: could be any of the following:
Undeliverable mail--"{random string}"
Returned mail--"{random string}"
Mail Body: The following mail can't be sent to {spoofed email address}
From: {spoofed email address} To: {spoofed email address} Subject: {random string} The file is the original mail
Option 6:
Subject: Worm Klez.E immunity
Mail Body: Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.
Option 7:
Subject: {string 5} {string 6}
Mail Body: random text
Option 8:
Subject: could be any of the following:
a {string 7} {string 7} tool
a {string 7} {string 7} patch
where {string 7} could be any of the following:
excite
funny
good
humour
IE 6.0
new nice
powful
W32.Elkern
W32.Klez.E
WinXP
Mail Body: random text
Option 9:
Subject: a {string 1} {string 2} website
Mail Body: This is {subject} I {string 8} you would {string 9} it.
where {string 8} can be any of the following:
expect
hope
wish
{string 9} can be any of the following:
enjoy
like
Option 10:
Subject: chosen from existing file and folder names
Mail Body: none
{string 1} is optional or could be any of the following:
very
special
{string 2} is optional or could be one of the following:
Win32 Klez V2.01 & Win32 Foroux V1.0 Copyright 2002,made in Asia About Klez V2.01: 1,Main mission is to release the new baby PE virus,Win32 Foroux 2,No significant change.No bug fixed.No any payload. About Win32 Foroux (plz keep the name,thanx) 1,Full compatible Win32 PE virus on Win9X/2K/NT/XP 2,With very interesting feature.Check it! 3,No any payload.No any optimization 4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing
Solution
Supported scan engine: 9.200
First VSAPI pattern version: 3.946.01
First VSAPI pattern release date: November 22, 2006
VSAPI OPR pattern version: 3.947.00
VSAPI OPR pattern release date: November 22, 2006
Step 1
Windows XP, Windows Vista, and Windows 7 users must disable System Restore before running the virus scan so that the malware or adware can be completely removed from the computer.