| 订阅 | 在线投稿
分享
 
 
 

Win32.Troj.QQPass.aa

2008-08-14 22:52:48  编辑来源:互联网  宽屏版  评论

病毒名称(中文):

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

木马程序

病毒长度:

38126

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这是个盗取用户QQ帐号的蠕虫,可以通过可移动磁盘传播,并对抗安全软件。

1、释放以下文件并设置为隐藏和系统属性。

%WINDIR%\system32\bryato.dll

%WINDIR%\system32\bryato.exe

%WINDIR%\system32\severe.exe

%WINDIR%\system32\drivers\conime.exe

%WINDIR%\system32\drivers\fubcwj.exe

2、在每个分区的根目录下生成文件:Autorun.inf和病毒复制体:OSO.exe,并修改相关注册表项以使用户双击打开该分区时运行病毒体:

修改的注册表项:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun0xB5

Autorun.inf内容如下:

[AutoRun]

open=OSO.exe

shellexecute=OSO.exe

shell\Auto\command=OSO.exe

3、添加或修改注册表项以隐藏病毒文件:

HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue"0"

4、添加以下注册表项以达到自启动的目的。

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj"%WINDIR%\System32\bryato.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato"%WINDIR%\System32\severe.exe"

5、修改以下注册表项以达到随Explorer进程启动的目的:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell"Explorer.exe%WINDIR%\System32\drivers\conime.exe"

6、添加以下注册表项来重定向相关安全软件到病毒文件以达到阻止其运行的目的:

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\MagicSet.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rav.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvDetect.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonXP.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\mmsk.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WoptiClean.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kabaload.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\iparmo.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\adam.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavMon.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREng.EXE\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ras.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFWLiveUpdate.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

7、修改hosts文件以达到阻止用户访问安全网站的目的:

127.0.0.1mmsk.cn

127.0.0.1ikaka.com

127.0.0.1safe.qq.com

127.0.0.1360safe.com

127.0.0.1www.mmsk.cn

127.0.0.1www.ikaka.com

127.0.0.1tool.ikaka.com

127.0.0.1www.360safe.com

127.0.0.1zs.kingsoft.com

127.0.0.1forum.ikaka.com

127.0.0.1up.rising.com.cn

127.0.0.1scan.kingsoft.com

127.0.0.1kvup.jiangmin.com

127.0.0.1reg.rising.com.cn

127.0.0.1update.rising.com.cn

127.0.0.1update7.jiangmin.com

127.0.0.1download.rising.com.cn

127.0.0.1dnl-us1.kaspersky-labs.com

127.0.0.1dnl-us2.kaspersky-labs.com

127.0.0.1dnl-us3.kaspersky-labs.com

127.0.0.1dnl-us4.kaspersky-labs.com

127.0.0.1dnl-us5.kaspersky-labs.com

127.0.0.1dnl-us6.kaspersky-labs.com

127.0.0.1dnl-us7.kaspersky-labs.com

127.0.0.1dnl-us8.kaspersky-labs.com

127.0.0.1dnl-us9.kaspersky-labs.com

127.0.0.1dnl-us10.kaspersky-labs.com

127.0.0.1dnl-eu1.kaspersky-labs.com

127.0.0.1dnl-eu2.kaspersky-labs.com

127.0.0.1dnl-eu3.kaspersky-labs.com

127.0.0.1dnl-eu4.kaspersky-labs.com

127.0.0.1dnl-eu5.kaspersky-labs.com

127.0.0.1dnl-eu6.kaspersky-labs.com

127.0.0.1dnl-eu7.kaspersky-labs.com

127.0.0.1dnl-eu8.kaspersky-labs.com

127.0.0.1dnl-eu9.kaspersky-labs.com

127.0.0.1dnl-eu10.kaspersky-labs.com

8、查找含有以下字符串的窗口,找到则将其关闭:

杀毒、专杀、病毒、木马、注册表

9、停止并禁用以下安全服务:

srservice

sharedaccess

KVWSC

KVSrvXP

kavsvc

RsRavMon

RsCCenter

RsRavMon

10、终止以下安全软件相关进程:

PFW.exe,Kav.exe,KVOL.exe,KVFW.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,CCAPP.exe,KRegEx.exe,kavsvc.exe,VPTray.exe,

RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,MCAGENT.exe,KAVPLUS.exe,RavMonD.exe,Rtvscan.exe,

Nvsvc32.exe,KVMonXP.exe,Kvsrvxp.exe,CCenter.exe,KpopMon.exe,RfwMain.exe,KWATCHUI.exe,MCVSESCN.exe,MSKAGENT.exe,kvolself.exe,KVCenter.kxp,

kavstart.exe,RAVTIMER.exe,RRfwMain.exe,FireTray.exe,UpdaterUI.exe,KVSrvXp_1.exe,RavService.exe

11、删除QQ的以下文件:

QLiveUpdate.exe、BDLiveUpdate.exe、QUpdateCenter.exe

12、创建键盘和鼠标消息钩子,寻找QQ登陆窗口,记录键盘,获得用户密码后通过自身的邮件引擎发送到指定邮箱。

病毒名称(中文): 病毒别名: 威胁级别: ★☆☆☆☆ 病毒类型: 木马程序 病毒长度: 38126 影响系统: Win9xWinMeWinNTWin2000WinXPWin2003 病毒行为: 这是个盗取用户QQ帐号的蠕虫,可以通过可移动磁盘传播,并对抗安全软件。 1、释放以下文件并设置为隐藏和系统属性。 %WINDIR%\system32\bryato.dll %WINDIR%\system32\bryato.exe %WINDIR%\system32\severe.exe %WINDIR%\system32\drivers\conime.exe %WINDIR%\system32\drivers\fubcwj.exe 2、在每个分区的根目录下生成文件:Autorun.inf和病毒复制体:OSO.exe,并修改相关注册表项以使用户双击打开该分区时运行病毒体: 修改的注册表项:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 0xB5 Autorun.inf内容如下: [AutoRun] open=OSO.exe shellexecute=OSO.exe shell\Auto\command=OSO.exe 3、添加或修改注册表项以隐藏病毒文件: HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0" 4、添加以下注册表项以达到自启动的目的。 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\bryato.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato "%WINDIR%\System32\severe.exe" 5、修改以下注册表项以达到随Explorer进程启动的目的: HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell "Explorer.exe%WINDIR%\System32\drivers\conime.exe" 6、添加以下注册表项来重定向相关安全软件到病毒文件以达到阻止其运行的目的: HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" 7、修改hosts文件以达到阻止用户访问安全网站的目的: 127.0.0.1mmsk.cn 127.0.0.1ikaka.com 127.0.0.1safe.qq.com 127.0.0.1360safe.com 127.0.0.1www.mmsk.cn 127.0.0.1www.ikaka.com 127.0.0.1tool.ikaka.com 127.0.0.1www.360safe.com 127.0.0.1zs.kingsoft.com 127.0.0.1forum.ikaka.com 127.0.0.1up.rising.com.cn 127.0.0.1scan.kingsoft.com 127.0.0.1kvup.jiangmin.com 127.0.0.1reg.rising.com.cn 127.0.0.1update.rising.com.cn 127.0.0.1update7.jiangmin.com 127.0.0.1download.rising.com.cn 127.0.0.1dnl-us1.kaspersky-labs.com 127.0.0.1dnl-us2.kaspersky-labs.com 127.0.0.1dnl-us3.kaspersky-labs.com 127.0.0.1dnl-us4.kaspersky-labs.com 127.0.0.1dnl-us5.kaspersky-labs.com 127.0.0.1dnl-us6.kaspersky-labs.com 127.0.0.1dnl-us7.kaspersky-labs.com 127.0.0.1dnl-us8.kaspersky-labs.com 127.0.0.1dnl-us9.kaspersky-labs.com 127.0.0.1dnl-us10.kaspersky-labs.com 127.0.0.1dnl-eu1.kaspersky-labs.com 127.0.0.1dnl-eu2.kaspersky-labs.com 127.0.0.1dnl-eu3.kaspersky-labs.com 127.0.0.1dnl-eu4.kaspersky-labs.com 127.0.0.1dnl-eu5.kaspersky-labs.com 127.0.0.1dnl-eu6.kaspersky-labs.com 127.0.0.1dnl-eu7.kaspersky-labs.com 127.0.0.1dnl-eu8.kaspersky-labs.com 127.0.0.1dnl-eu9.kaspersky-labs.com 127.0.0.1dnl-eu10.kaspersky-labs.com 8、查找含有以下字符串的窗口,找到则将其关闭: 杀毒、专杀、病毒、木马、注册表 9、停止并禁用以下安全服务: srservice sharedaccess KVWSC KVSrvXP kavsvc RsRavMon RsCCenter RsRavMon 10、终止以下安全软件相关进程: PFW.exe,Kav.exe,KVOL.exe,KVFW.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,CCAPP.exe,KRegEx.exe,kavsvc.exe,VPTray.exe, RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,MCAGENT.exe,KAVPLUS.exe,RavMonD.exe,Rtvscan.exe, Nvsvc32.exe,KVMonXP.exe,Kvsrvxp.exe,CCenter.exe,KpopMon.exe,RfwMain.exe,KWATCHUI.exe,MCVSESCN.exe,MSKAGENT.exe,kvolself.exe,KVCenter.kxp, kavstart.exe,RAVTIMER.exe,RRfwMain.exe,FireTray.exe,UpdaterUI.exe,KVSrvXp_1.exe,RavService.exe 11、删除QQ的以下文件: QLiveUpdate.exe、BDLiveUpdate.exe、QUpdateCenter.exe 12、创建键盘和鼠标消息钩子,寻找QQ登陆窗口,记录键盘,获得用户密码后通过自身的邮件引擎发送到指定邮箱。
󰈣󰈤
 
 
 
>>返回首页<<
 
 
 转载本文
 UBB代码 HTML代码
复制到剪贴板...
 
 热帖排行
 
 
王朝网络微信公众号
微信扫码关注本站公众号wangchaonetcn
 
 
静静地坐在废墟上,四周的荒凉一望无际,忽然觉得,凄凉也很美
©2005- 王朝网络 版权所有