需要修复电脑?
聘请专家
Alias:VBS/Gorum.a
Type:Worm 
Size:
Origin: 
Date:05-31-2000 
Damage:Sent by email. 
VDF Version:6.20.00.00 
Danger:Medium 
Distribution:Medium 

DistributionThe worm sends itself to all addresses found in Outlook. If Outlook 2000 is installed, the virus sends the following email:

Subject:
You know what it is. ;-P

Body:
Check it out!

Attachment name- formed out of the following text strings:


links
cool
funny
anti-loveletter
guorm
pot
win2k
icq2k
money
funnypic.jpg
quake
Year2K
Mirc2K
Word2001
FunStuff
WindowsMe


extensions:

.vbs
.vbe
.txt.vbs
.jpg.vbs
.avi.vbs
.scr.vbs

Technical DetailsThe VB script multiplies itself as winuser.dll and user32.dll.vbs in Windows system directory.
The virus also ensures that the script is run by every system start. The registry entry for this is:

user32=wscript.exe
%Windows-System-Verzeichnis%\user32.dll.vbs % HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then the virus checks if it has been sent by email using Outlook Address Book. This is marked in the registry:

HKCU\software\Guorm, bookmark mailed.

Then the virus scans all drives for mIRC program. In the directories containing the files

mirc.ini
mirc32.exe
mlink32.exe

it replaces and/or creates the file script.ini.
This only happens if the scanning has not been performed before (the bookmark Mirqued in the registry key HKCU\software\Guorm does not exist). Using this ini file, the virus sends itself through IRC.

说明添加者: Crony Walker 打开 2004年6月15日星期二

反馈 . . . .
https:// 为了你的安全,此窗口已加密。