I-Worm.Xanax page

1. Basic characteristics of the virus

Virus type
Ordinary virus
Trojan horse
Worm
Joke program

Platforms on which the virus spreads
DOS
WIN9X
WIN NT/2K

Origin
■ United States

Characteristics
Spreads via e-mail attachments
Spreads via mIRC channels
Spreads via IRC channels
Infects .COM files
Infects .EXE files
Infects boot sectors
Infects network drives
Infects Office documents
Memory resident
Loads at startup
Ordinary

Deliberate destruction
Slows the system down

Covert damage
Complex
Polymorphic
Self-encrypting
Self-modifying
Repeated infection

2. Virus naming comparison (using the I-Worm.Xanax sample from the FF#6 sample library as the example)

Anti-virus product   Name
AVP                  I-Worm.Xanax

3. Detailed virus information (English original and the site's translation)

This is an Internet worm that was found in the wild in the middle of March 2001. The worm spreads via e-mail by sending infected messages from affected computers, and through IRC channels by sending a copy of itself there. The worm also infects EXE files in the Windows directory.
The worm itself is a Win32 application (PE EXE file) written in Microsoft Visual C++. The worm is about 60K in size, but it was found in compressed form: the worm code was compressed with the ASPack utility, so it was only about 34K.
This Internet worm began spreading in mid-March 2001. It sends infected messages from infected machines by e-mail, and passes copies of itself through IRC channels. The worm also infects files in the Windows directory.
The worm itself is a Win32 executable (PE-format file) written in Microsoft VC++.
The worm is 60K long, but a compressed version was found: compressed with ASPack, it is only 34K.
When the worm starts it copies itself to Windows system directory with two names: XANAX.EXE and XANSTART.EXE. The XANSTART.EXE file is then registered in the Registry's auto-run key: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Default = %winsystem%\xanstart.exe
When it starts, the worm copies itself into the Windows system directory under two names: XANAX.EXE and XANSTART.EXE. XANSTART.EXE is added to the Registry so that it is run automatically. The key is
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the default value %winsystem%\xanstart.exe
where %winsystem% is the name of the Windows system directory. As a result the worm is run each time Windows starts up.
%winsystem% is the Windows system directory, so the worm achieves its goal of being loaded every time Windows starts.
"Infecting" Email
The worm then launches its e-mail spreading routine. To spread, the worm creates a temporary file with the name XANAX.VBS (VBS = Visual Basic script), writes a VBS program into it and starts it with the help of WSCRIPT.EXE. The VBS program gets access to Outlook's address book and sends messages to the first 1000 addresses from each of the address lists.
The message looks as follows and contains the file attachment mentioned below:
E-mail spreading
Once loaded, the worm runs its own e-mail spreading routine. To spread, it creates a temporary file named XANAX.VBS (VBS = Visual Basic script),
writes a VBS script into it and runs it with WSCRIPT.EXE.
The VBS program gains access to the Outlook address book and sends mail to the first 1000 addresses of every address list. The message reads as follows and carries the file attachment mentioned below.
Message Subject: Stressed? Try Xanax! 

Message Text: 

Hi there! Are you so stressed that it makes you ill? You're not alone! 
Many people suffer from stress, these days. Maybe you find Prozac too 
strong? Then you NEED to try Xanax, it's milder. Still not convinced? 
Check out the medical details in the attached file. Xanax might change 
your life!

File Attachments: xanax.exe 
Message subject: Stressed? Try Xanax
Message text: Hi there! Are you so stressed that it is making you ill? You are not alone! These days many people suffer from stress. Perhaps you find Prozac too strong? Then you need to try Xanax, it is milder.
Not convinced? Look at the detailed drug information in the attachment; Xanax will change your life!
File attachment: xanax.exe.
Infecting EXE files
The worm then searches for EXE files in the Windows directory and infects them. While infecting, the worm moves the victim file's body down and writes itself to the beginning of the file. The worm does not infect files whose names begin with the letters E, P, R, S, T or W.
IRC channels
Next the worm affects the mIRC client, if it is installed. The worm searches for the mIRC client in the directories: 
\mirc
\Program Files\mirc
on the C:, D:, E: and F: drives. If the mIRC client exists, the worm overwrites the SCRIPT.INI mIRC script file with a program that sends a worm copy to everybody who joins an infected channel.
Infecting EXE files
The worm then searches the Windows directory for EXE files and infects them. While infecting, the worm shifts the victim file's body down and writes itself at the start of the file. The worm does not infect files beginning with E, P, R, S, T or W.
IRC channels
Next the worm affects the mIRC client, if that program is installed. The worm searches for the mIRC client in the directories
\mirc
\Program Files\mirc
on the C:, D:, E: and F: drives.
If the mIRC client exists, the worm overwrites the mIRC script file SCRIPT.INI with a program that sends a copy of itself to everyone who joins the channel the infected user is in.
Further Comments
When the worm is run from a file whose name has the letter 'R' next to last (xxxRx.EXE), it displays the message:
Xanax
8-Chloro-1-methyl-6-phenyl-4H-s-triazolo (4,3-alpha)(1,4) benzodiazepine
Further comments
When the worm is run from a file whose name has R as the second-to-last letter (like xxxRx.EXE), it displays the following message:
Xanax
8-Chloro-1-methyl-6-phenyl-4H-s-triazolo (4,3-alpha)(1,4) benzodiazepine (presumably the chemical composition of Xanax, translator's note)
The worm's filename XANSTART.EXE (which is registered in the system registry's auto-run key) meets this 'R' letter rule. Thus the worm will display this message on each Windows startup.
The worm file name XANSTART.EXE (the file added to the auto-run entry in the system registry) matches this rule, so this message is shown on every Windows startup.
The worm also creates more files in the system: 

In the Windows system directory: HOSTFILE.EXE 

In the Windows directory: WINSTART.BAT, XANAX.SYS 

The HOSTFILE.EXE is left behind after an infected host file is run, and contains the clean (not infected) body of the last infected file that was run.

The XANAX.SYS file contains the text: 

Win32.HLLP.Xanax (c) 2001 Gigabyte

The WINSTART.BAT file contains commands that display the message: 
Do not take this medication with ethanol, Buspar (buspirone), TCA
antidepressants, narcotics, or other CNS depressants.
The worm also creates a number of files on the system:
In the Windows system directory: HOSTFILE.EXE
In the Windows directory: WINSTART.BAT, XANAX.SYS
HOSTFILE.EXE is left behind after an infected host file runs; it holds a clean copy of the last infected file that was run.
XANAX.SYS contains the string:
Win32.HLLP.Xanax (c) 2001 Gigabyte
WINSTART.BAT contains commands that display the following message:
Roughly translated: do not take (Xanax) together with ethanol, Buspar (buspirone), TCA antidepressants, narcotics or other CNS depressants.
This combination can increase CNS depression. Be sure not to take other
sedative, benzodiazepines, or sleeping pills with this drug. The combinations
could be fatal. Do not smoke or drink alcohol when taking Xanax. Alcohol can
lower blood pressure and decrease your breathing rate to the point of
unconsciousness. Tobacco and marijuana smoking can add to the sedative
effects of Xanax.
This combination can increase CNS depression. Be sure not to take other sedatives, benzodiazepines or sleeping pills together with this drug; the combination is fatal. Do not smoke or drink alcohol while taking Xanax. Alcohol can lower blood pressure and breathing rate to the point of unconsciousness. Smoking tobacco or marijuana can add to the sedative effect of Xanax.
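As an added defender-side example (not from the original page, AVP, or virusview.net), the following Python routine checks a constructed host snapshot for the indicators described above: the Run key entry, the dropped files, the XANAX.SYS marker text and the mIRC SCRIPT.INI locations, plus the 'R' file-name rule and the E/P/R/S/T/W skip rule. The snapshot layout, the sample data and the keyword check on script.ini are assumptions of this example.

```python
"""Indicator triage for the I-Worm.Xanax behaviour described on this page (offline, constructed input)."""
import ntpath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SYS_MARKER = "Win32.HLLP.Xanax (c) 2001 Gigabyte"   # text the page says XANAX.SYS holds
DROPPED = ("xanax.exe", "xanstart.exe", "hostfile.exe", "winstart.bat", "xanax.sys")
MIRC_DIRS = (r"\mirc", r"\Program Files\mirc")      # searched on drives C: to F:

SAMPLE_SNAPSHOT = {  # constructed sample, not a real capture
    "registry": {RUN_KEY: {"Default": r"C:\WINDOWS\SYSTEM\xanstart.exe"}},
    "files": {
        r"C:\WINDOWS\SYSTEM\XANAX.EXE": None,
        r"C:\WINDOWS\SYSTEM\XANSTART.EXE": None,
        r"C:\WINDOWS\XANAX.SYS": SYS_MARKER,
        r"C:\Program Files\mirc\script.ini": "; placeholder script mentioning XANAX.EXE",
    },
}

def shows_startup_message(exe_name: str) -> bool:
    """Page rule: the message appears when the name (without extension) has 'R' next to last."""
    stem, _ = ntpath.splitext(ntpath.basename(exe_name))
    return len(stem) >= 2 and stem[-2].upper() == "R"

def is_infection_candidate(exe_name: str) -> bool:
    """Page rule: EXE files are infected unless the name begins with E, P, R, S, T or W."""
    name = ntpath.basename(exe_name).upper()
    return name.endswith(".EXE") and name[:1] not in "EPRSTW"

def triage(snapshot: dict) -> list:
    """Return the page's indicators found in {"registry": {key: {value: data}}, "files": {path: text}}."""
    hits = []
    for value, data in snapshot.get("registry", {}).get(RUN_KEY, {}).items():
        if ntpath.basename(str(data)).lower() == "xanstart.exe":
            hits.append(f"Run key autostart: {value} = {data}")
    files = {p.lower(): c for p, c in snapshot.get("files", {}).items()}
    for path, content in files.items():
        base = ntpath.basename(path)
        if base in DROPPED:
            hits.append(f"dropped file present: {path}")
        if base == "xanax.sys" and content and SYS_MARKER in content:
            hits.append(f"XANAX.SYS marker text: {path}")
    for drive in "CDEF":
        for d in MIRC_DIRS:
            ini = f"{drive}:{d}\\script.ini".lower()
            # the page does not give the script body; matching on the worm's name is an assumption
            if files.get(ini) and "xanax" in files[ini].lower():
                hits.append(f"mIRC script.ini referencing the worm: {ini}")
    return hits
```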

The English material on the left comes from the AVP Virus Encyclopedia and was translated into Chinese by this site. Please give credit when reposting.

Virus Observation outbreak tracking is produced exclusively by www.virusview.net. Please cite the source when reposting.