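The Super Patrol (超级巡警) team has observed that, as users return to their normal work routine, the MSN worm has begun spreading again. It sends attachments whose names contain the word "photo" to contacts on MSN.
The Super Patrol team reminds users not to casually download and run programs that spread via MSN.
I. Virus analysis:
Virus labels:
Virus name: Backdoor.Win32.IRCBot.gen
Alias: MSN worm
Type: Worm
Severity level: 3
Affected platform: Windows
Size: 78,848 bytes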
SHA1 :c69509ab0a8108c2c48eb9589735d4be51ed26d5
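Packer: EXECryptor
Development tool: VC
Virus behaviour:
1. Copies itself to %System%\poolmc.exe
Creates the file: %temp%\photo*.zip
// The file inside the archive is named picture*.JPG-www.myspace.com (* stands for the same random number)
// The file inside the archive is identical to poolmc.exe
2. Connects to the following domains: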
www.timbercreeksoftware.com
www.massiverender.com
01.cybernix.info
Downloads the file:
http://www.massiverender.com/*****/p3.exe // identical to poolmc.exe
3. Adds a registry autostart entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Pool Setup"="poolmc.exe"
4. Downloads the file: http://www.timbercreeksoftware.com/regdata/eng.txt
The file contains the following:
u want to see something really funny? look at this lol
have you seen this new picture of me?
do you like this picture of me?
new party pictures :)
You want to see something very funny? accept this haha
Do you like sexyness? accept this and you will know!
want to see my new pics? accept this
I just found this nasty pic.. you need to see this haha
let me introduce you to my newest friend :) accept the pic
New myspace pics here
New facebook pics accept ;]
this person looks like you
look at my new profile pic
watch out.. this picture im sending you is so nasty!
do I look good with this mix?
Hello! would you like to see my
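
The disguise described in behaviour 1 (a photo*.zip whose member name ends in .com after a .JPG decoy) can be checked before an archive is opened. The following Python is an added example, not part of the original advisory; the sample archive is constructed and holds a harmless stub, and the function names and the size limit are assumptions.

```python
import hashlib
import io
import re
import zipfile

KNOWN_SHA1 = "c69509ab0a8108c2c48eb9589735d4be51ed26d5"  # SHA1 from the advisory
EXEC_EXT = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}  # run directly on Windows
DECOY = re.compile(r"\.(jpe?g|gif|png|bmp)\b", re.IGNORECASE)  # harmless-looking part
MAX_MEMBER = 16 * 1024 * 1024  # assumed cap: do not decompress anything larger


def inspect_archive(data):
    """Return one finding per member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            reasons = []
            # An image extension earlier in the name, an executable one at the end.
            if ext in EXEC_EXT and DECOY.search(name[:dot]):
                reasons.append("decoy-extension")
            # Skip oversized or encrypted members instead of trying to read them.
            readable = info.file_size <= MAX_MEMBER and not info.flag_bits & 0x1
            body = zf.read(info) if readable else b""
            if body[:2] == b"MZ":  # DOS/PE executable header
                reasons.append("pe-header")
            if hashlib.sha1(body).hexdigest() == KNOWN_SHA1:
                reasons.append("known-sha1")
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample():
    """Constructed archive: one disguised stub (not the worm) and one JPEG-like file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture1234.JPG-www.myspace.com", b"MZ" + b"\x00" * 62)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding)
```

A member is reported when any one of the three checks fires, so a renamed copy of the binary is still caught by the hash and a repacked one by the name and header.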