Worm.Mytob.au

Virus name (Chinese):
Virus alias:
Net-Worm.Win32.Mytob.au[AVP]
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
44544
Affected systems:
Win9x WinNT

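Virus behavior:

This is a worm that spreads by email. It uses its own built-in SMTP engine to mass-mail infected messages and lures recipients into opening the attachment. It blocks the user from accessing certain well-known antivirus websites, downloads malware from the Internet to the local machine and runs it, and leaves a backdoor on the infected machine so that an attacker can control it over IRC.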

1) Drops a copy of itself, LIENVANDEKELDER.EXE, into the system directory.

2) Adds registry startup entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"http://www.lienvandekelder.be"="LienVandeKelder.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"http://www.lienvandekelder.be"="LienVandeKelder.exe"

3) Sends email using its own SMTP engine:

Uses one of the following lines as the email subject:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons

Uses one of the following passages as the email body:
Account Information Are Attached!
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
please look at attached document.
Please see the attachement.
To safeguard your email account from possible termination, please see the attached file.
To unblock your email account acces, please see the attachement.
We have suspended some of your email services, to resolve the problem you should read the attached document.

Uses one of the following lines as the attachment name:
document_full
email-doc
email-info
email-text
IMPORTANT
info-text
information
your_details
{random}

Possible attachment extensions:
EXE
PIF
SCR
ZIP

4) Modifies the hosts file to block user access to a list of antivirus vendor websites.
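
A defensive check for the hosts-file tampering in step 4, added here as an example and not part of the original write-up: it parses hosts-file text and reports every entry that pins a watched security-vendor domain or one of its subdomains. The watchlist and the sample file use constructed `.example` placeholders, and treating loopback or 0.0.0.0 targets as sinkholed is an assumption, since the page does not say which address the worm writes.

```python
import ipaddress

# Constructed watchlist: replace with the update/support domains of the
# security products actually deployed. The .example names are placeholders.
WATCHED = {"av-vendor.example", "updates.av-vendor.example"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:                   # one line may carry several names
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(hostname, watched):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return one finding per watched name that the hosts file overrides."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if is_watched(name, watched):
            # Assumption: blocking entries point at loopback or 0.0.0.0.
            sinkholed = addr.is_loopback or addr.is_unspecified
            findings.append({"line": line_no, "host": name,
                             "address": str(addr), "sinkholed": sinkholed})
    return findings

# Constructed sample hosts file (not taken from an infected machine).
SAMPLE = """\
127.0.0.1       localhost
# added by installer
10.0.0.5        intranet.corp.example
127.0.0.1       av-vendor.example WWW.AV-Vendor.Example.
0.0.0.0         liveupdate.av-vendor.example   # trailing comment
127.0.0.1       notav-vendor.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Any hosts-file entry for a security vendor's domain deserves review even when it is not sinkholed, because these names are normally resolved through DNS.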

5) Downloads malware from the Internet onto the infected machine and runs it.




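Special note: The description above is only a factual record of what Kingsoft observed while testing viruses or other malicious or unwanted programs. The specific behavior of such programs may differ across software and hardware environments, and the results shown do not necessarily apply generally.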