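(Translated and compiled by Rising)
Virus name: W32/Parrot@MM
Size: 52,260 bytes
This is a composite virus, a mass-mailing worm, and a worm that spreads via mIRC. It creates an .MP3 file; when an exe file in the Windows directory is run, the system automatically plays that MP3 file.
The e-mail content is as follows: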
Subject: Parrot screensaver
Message: Hehe hey, look at this screensaver :)
Attachment: PARROT.SCR
When the attachment PARROT.SCR is run, the virus creates the following files:
1)C:\PARROT.SCR
2)%WinDir%\PARROT.MP3 (where WinDir denotes the directory in which Windows is installed; this file is an audio file)
"Hi there, I'm Parrot, the talking virus, written by Jigabyte."
3)%WinDir%\HELLO.MP3
"You'd better not f!@# on the table Graham Cluley, you son of a bitch. I
don't even know the lady and she calls me a son of a bitch! Later, I go to eat
at a bigga restaurant. The waitress brings me a spoon and a knife, but no fork.
I tell her, I wanna the fork. The tella me everyone wanna f!@#. I tell her you
no understand, I wanna fork on the table. She say you better no fuck on the
table, you son of a bitch. I don't even know the lady and she calla me a son of
a bitch. I - don't - need - this"
4)%WinDir%\WINSTART.BAT (a batch file containing the following text)
@cls
@echo You're infected with Parrot, the talking virus,
@echo by Gigabyte/Metaphase
5)%WinDir%\MSG.VBS (contains a message)
Title: "VBScript: Parrot" Content:
"You'd better not f!@# on the table Graham Cluley, you son of a bitch. I
don't even know the lady and she calls me a son of a bitch!
Later, I go to eat at a bigga restaurant. The waitress brings me a spoon and a
knife, but no fork. I tell her, I wanna the fork. The tella me everyone wanna
f!@#. I tell her you no understand, I wanna fork on the table. She say you
better no fuck on the table, you son of a bitch. I don't even know the lady and
she calla me a son of a bitch. I - don't - need - this"
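The virus renames every exe file in the Windows directory except EXPLORER.EXE, PTSNOOP.EXE, RUNDLL.EXE, TASKMON.EXE, and WSCRIPT.EXE, giving each the extension .PRT, and copies the virus code into the original exe file (for example, NOTEPAD.EXE is renamed to NOTEPAD.PTR, and NOTEPAD.EXE now contains the code of W32/Parrot@MM). When one of these exe files is run, the audio file PARROT.MP3 is played, and the content of the corresponding ***.PTR file is copied back into the original ***.exe file and executed. If the program is interrupted while running, the ***.exe file is deleted, which means that only one exe file in the Windows directory can be run.
The file C:\MIRC\SCRIPT.INI is overwritten by the file C:\WINDOWS\PARROT.SCR, with the aim of sending the virus code to IRC users, but because the path is incorrect, propagation via IRC fails.
The following registry keys are created so that the audio file hello.mp3 is loaded at every system start-up, after which a message box is displayed: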
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(Default)=hello.mp3
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\(Default)=msg.vbs
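A triage sketch for the file-system indicators listed above, added here as an example and not part of the original write-up: it scans one Windows directory (live or from a mounted image) for the dropped files, the WINSTART.BAT marker text, and exe files that sit beside a .PRT/.PTR copy of the original program. The function names `scan_windir` and `demo` are hypothetical, the sample directory is constructed, and the registry values are not checked.

```python
import os
import tempfile

# File names the write-up says are dropped into the Windows directory.
DROPPED = {"PARROT.MP3", "HELLO.MP3", "MSG.VBS"}
# Marker text from the WINSTART.BAT content quoted in the write-up.
BAT_MARKER = b"infected with parrot"
# The write-up spells the renamed-original extension both .PRT and .PTR.
BACKUP_EXTS = (".PRT", ".PTR")


def scan_windir(windir):
    """Return a sorted list of (kind, file name) findings for one directory."""
    findings = []
    names = {n.upper(): n for n in os.listdir(windir)}
    for upper, real in names.items():
        stem, ext = os.path.splitext(upper)
        if upper in DROPPED:
            findings.append(("dropped-file", real))
        elif upper == "WINSTART.BAT":
            # A legitimate WINSTART.BAT may exist; flag only on the marker text.
            with open(os.path.join(windir, real), "rb") as fh:
                if BAT_MARKER in fh.read(4096).lower():
                    findings.append(("winstart-marker", real))
        elif ext in BACKUP_EXTS and stem + ".EXE" in names:
            # The .EXE beside a backup holds virus code; the backup is the original.
            findings.append(("overwritten-exe", names[stem + ".EXE"]))
            findings.append(("original-backup", real))
    return sorted(findings)


def demo():
    """Build a constructed sample directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "NOTEPAD.EXE": b"MZ", "NOTEPAD.PRT": b"MZ",   # renamed pair
            "EXPLORER.EXE": b"MZ",                         # on the skip list
            "parrot.mp3": b"ID3",
            "WINSTART.BAT": b"@cls\r\n@echo You're infected with Parrot, the talking virus,\r\n",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_windir(d)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:16} {name}")
```

Each `overwritten-exe` / `original-backup` pair identifies a program whose clean copy is in the backup file, which is what a responder needs before restoring anything.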