E-mail spoofing
A forged e-mail claiming to come from Microsoft Corporation has recently been circulating. If you receive the message reproduced below, do not run the executable attached to it. The message was not sent by Microsoft; it is a hoax, meaning that someone made it look as though Microsoft had sent it. The attached executable is not the spam filter the e-mail claims it to be.
Microsoft does not distribute files by e-mail. Microsoft's official software distribution policy can be read at: http://www.microsoft.com/security/new/swdistribution.asp
------------------------- Original e-mail message -----------------------------------
From: aspam@microsoft.com
To: ;
Sent: Tuesday, March 21, 2000 5:16 PM
Subject: Microsoft Anti-Spam Policy
Microsoft Anti-Spamming Policy To All Microsoft Users: Microsoft Corporation does not endorse "spamming"! We do not want people to receive unsolicited e-mail. In the strictest sense of the definition, you can not contact anyone via e-mail unless that person has specifically told you that you can contact them or invited contact (i.e. classified ad). This applies to businesses, non-profit organizations, and individuals.
We do support open communications and we feel that 99.9% percent of the Microsoft Users community wants to hear about our new products, critical updates, and be informed about resources that are available on-line.
The best way to let this many people know about the important matters, pertinent information, and resources is via e-mail. Most people do not appreciate receiving junk mail (normally without a valid reply address and a questionable "offer" of some kind). However, there are some people that are offended about receiving legitimate e-mail telling them about similar interest matters.
Participate in the Microsoft Anti Spam Policy and remember YOU CAN STOP IT!
.........
-----------------------------------------------------------------------------------------------
The attached executable, Aspam.exe (173,568 bytes), is a Trojan horse. When it is run it displays a message box reading:
Congratulations Your mail client is now properly configured to use Microsoft Anti Spam Policy?
Behind that message, the Aspam Trojan drops a DLL named Amcis32.dll (145,408 bytes) into the \Windows\System directory and creates or modifies the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815} = "IEClassObject"
HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}\InprocServer32 = "C:\WINDOWS\SYSTEM\AMCIS32.DLL"
HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}\InprocServer32\ThreadingModel = "Apartment"
HKEY_CLASSES_ROOT\AMCIS32.IEClass = "IEClassObject"
HKEY_CLASSES_ROOT\AMCIS32.IEClass\Clsid = "{657B9354-BB3B-4500-A9B0-109B4FA64815}"
HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}\ProgID = "AMCIS32.IEClass"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{657B9354-BB3B-4500-A9B0-109B4FA64815}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{657B9354-BB3B-4500-A9B0-109B4FA64815}\DontDelete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2\MRU\1 = 43 41 56 46 44 5F 39 38
These entries register Amcis32.dll as a COM in-process server and list its CLSID under Browser Helper Objects, so Windows Explorer (and Internet Explorer, which loads the same BHOs) pulls the DLL into its own process every time it starts; that is the Trojan's persistence mechanism. The bytes written to the StuckRects2 MRU value are the ASCII string "CAVFD_98".
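A practitioner checking a machine for this Trojan wants to enumerate every registered Browser Helper Object, resolve each CLSID to the DLL it loads, and compare against the indicators above. The script below is an added example written for this page, not a tool from the advisory or from the KILL product; it parses a registry export in the text format written by `reg export`/regedit, using a constructed sample that contains the advisory's keys plus one benign BHO for contrast. The benign CLSID {00000000-1111-2222-3333-444444444444}, its name and its helper.dll path are placeholders, not real software.

```python
"""Enumerate Browser Helper Objects from a registry export and flag the
Aspam BHO.  Added example for this advisory, not the advisory's own tooling.

Input is the text format written by `reg export` / regedit.  Only REG_SZ
string values are parsed, which is all the BHO registration keys contain.
"""
import re

# Indicators taken from the advisory's registry listing.
ASPAM_CLSID = "{657B9354-BB3B-4500-A9B0-109B4FA64815}"
ASPAM_DLL = "AMCIS32.DLL"

# A BHO is registered by creating a subkey named after its CLSID here.
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})$")

# Constructed sample export covering the advisory's keys plus one benign
# BHO for contrast.  The benign CLSID, name and helper.dll path are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}]
@="IEClassObject"

[HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\AMCIS32.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}\ProgID]
@="AMCIS32.IEClass"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}]
@="Example Helper (placeholder)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{657B9354-BB3B-4500-A9B0-109B4FA64815}]
"DontDelete"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
"""


def parse_reg(text):
    """Return {key_path: {value_name: string}} for a .reg export.

    '@' is the key's default value.  Backslashes inside .reg string values
    are doubled in the file, so they are collapsed back to one here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def enumerate_bhos(keys):
    """Resolve every registered BHO CLSID to its InprocServer32 DLL."""
    index = {k.upper(): v for k, v in keys.items()}  # registry is case-insensitive
    bhos = []
    for key, values in keys.items():
        m = BHO_RE.search(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        clsid_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid
        server = index.get(clsid_key + "\\INPROCSERVER32", {})
        bhos.append({
            "clsid": clsid,
            "name": index.get(clsid_key, {}).get("@"),
            "dll": server.get("@"),
            "dont_delete": "DontDelete" in values,
        })
    return bhos


def is_aspam(bho):
    """Match on the advisory's CLSID or DLL file name (case-insensitive)."""
    dll = (bho["dll"] or "").upper()
    return bho["clsid"] == ASPAM_CLSID or dll.endswith("\\" + ASPAM_DLL)


def scan(reg_text=SAMPLE_REG):
    """Parse an export, enumerate BHOs and mark the suspicious ones."""
    bhos = enumerate_bhos(parse_reg(reg_text))
    for bho in bhos:
        bho["suspicious"] = is_aspam(bho)
    return bhos


if __name__ == "__main__":
    for bho in scan():
        flag = "SUSPICIOUS" if bho["suspicious"] else "ok"
        print(f"{flag:10} {bho['clsid']} {bho['name']!r} -> {bho['dll']}")
```

On a live machine, feed the script the output of `reg export HKCR\CLSID` and `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer` concatenated (and the HKCU Explorer key, since BHOs can be registered per-user as well). Matching on the DLL name as well as the CLSID matters because a variant can re-register the same DLL under a fresh CLSID.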
Detection and removal:
KILL version 10.16 detects Win32/Aspam.Trojan. To clean an infected system, Aspam.exe and Amcis32.dll must be deleted completely. Because Windows Explorer keeps the BHO DLL loaded, Amcis32.dll may not be deletable until Explorer is terminated or the system is started in Safe Mode; removing the registry entries listed above also stops Explorer from trying to load the DLL on every start.
(2000-11-01)