This post was last edited by zdshsls on 2011-6-24 16:02
If your MSE and Windows Update services have been shut down, be very careful: it may be the Yimfoca family of worms. Below is the announcement published by the MMPC:
http://blogs.technet.com/b/mmpc/archive/2011/06/23/msrt-june-2011-targeting-yimfoca.aspx
This month's MSRT families included Win32/Rorpian (an autorun worm that exploits a vulnerability in shortcut files), Win32/Nuqel (another autorun worm that spreads via network drives, removable drives, and instant messaging programs) and Win32/Yimfoca.
The last, Yimfoca, is a prevalent IM worm that uses common instant messaging applications and social networking websites to spread. It also affects security settings on the infected computer. Aside from stopping the Windows Update service and thus preventing critical updates from being installed, it also stops Microsoft Security Essentials and Forefront Endpoint Protection services. For this reason, it made the list of malware that was added to this month's Malicious Software Removal Tool (MSRT).
Yimfoca, similar to Win32/Slenfbot (added to MSRT in September 2008), can spread via instant messaging programs. For example, the image below shows a screenshot of an MSN Messenger window containing one of the messages used by Win32/Yimfoca to spread.

If the user clicks on the link, he or she is led to a website containing a fake Facebook page. The page shows a "Photo has been moved." message and instructs the user to click on the View Photo button to view the image. Once this button is clicked, a file download is initiated for an executable file masquerading as a photo, just like in the screenshot shown below.

In an attempt to further convince the user of its ruse, Win32/Yimfoca may also use an icon similar to that of an image file. If the unsuspecting user opens the downloaded file, Win32/Yimfoca will then proceed to install itself into the computer.
Just like most IM worms these days, Win32/Yimfoca also has backdoor functionality. It attempts to connect to a remote IRC server through a predefined port, join a channel and wait for commands. It could be a command to set Internet Explorer’s start page, spread via instant messaging and/or social networking sites, or download and execute arbitrary files, among other things.
You can read a more detailed description of Win32/Yimfoca in our encyclopedia.
The following table shows the current top threat families that have been cleaned from users’ computers with MSRT since its release last week. Win32/Yimfoca is #17, with 38,544 machines cleaned so far.
Rank | Family | Machines Cleaned
1 | Sality | 191,689
2 | Taterf | 158,468
3 | Rimecud | 110,550
4 | FakeRean | 94,272
5 | Vobfus | 86,709
6 | Alureon | 80,831
7 | Nuqel | 72,187
… | … | …
15 | Renocide | 43,993
16 | Ramnit | 41,202
17 | Yimfoca | 38,544
… | … | …
31 | FakeXPA | 13,383
32 | Winwebsec | 13,218
33 | Rorpian | 13,632

If you think you have been infected by this threat, or you notice that your Windows Update service is disabled, or your Microsoft Security Essentials or Forefront Endpoint Protection is not running, we recommend that you download and run the Malicious Software Removal Tool.
Stay safe, and don't forget to regularly visit the Microsoft Malware Protection Center to get the latest updates about security and malware.
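As an added example (not code from the MMPC post or from this thread), the check the post recommends, done from PowerShell on the machine in question: look at the state and start type of the services Yimfoca is reported to stop. The service names are assumptions: wuauserv is the Windows Update service, and MsMpSvc (Microsoft Antimalware Service) is the service behind Microsoft Security Essentials; Forefront Endpoint Protection 2010 is assumed here to use the same service name, since it ships the same engine. The script needs PowerShell 3.0 or later for [pscustomobject].

```powershell
# Added example, not part of the MMPC post. Service names are assumptions:
#   wuauserv = Windows Update
#   MsMpSvc  = Microsoft Antimalware Service (MSE; FEP 2010 assumed to use the same name)
$watched = @{
    'wuauserv' = 'Windows Update'
    'MsMpSvc'  = 'Microsoft Antimalware Service (MSE / FEP)'
}

$findings = foreach ($name in $watched.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Not installed is normal on a machine without MSE/FEP; report it, but do not flag it.
        [pscustomobject]@{
            Service     = $name
            Description = $watched[$name]
            State       = 'NotInstalled'
            StartMode   = 'n/a'
            Suspicious  = $false
        }
    }
    else {
        # Get-Service does not expose the start type on older PowerShell; read it from WMI.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        # Flag a service that is stopped, or whose start type has been set to Disabled.
        $suspicious = ($svc.Status -ne 'Running') -or ($wmi.StartMode -eq 'Disabled')
        [pscustomobject]@{
            Service     = $name
            Description = $watched[$name]
            State       = $svc.Status
            StartMode   = $wmi.StartMode
            Suspicious  = $suspicious
        }
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object { $_.Suspicious }) {
    Write-Warning ("A protection service is stopped or disabled. Do not just restart it: " +
                   "the MMPC post recommends downloading and running the Malicious Software " +
                   "Removal Tool (MSRT) on this machine.")
    exit 1
}
```

Run it from an elevated prompt; a non-zero exit code means at least one of the watched services is stopped or disabled. Restarting the service by hand only treats the symptom the post describes, which is why the warning points at MSRT rather than at Start-Service.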