Win32.Troj.Agent.jf
Virus name (Chinese):
Aliases:
Threat level: ★☆☆☆☆
Type: Trojan
Length: 96232 bytes
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behaviour:
This is a trojan. It hijacks the Winsock LSP (Layered Service Provider), registers a BHO (Browser Helper Object), downloads files, injects into processes, watches over its own files and registry entries, creates AutoRun.inf, and spreads via USB drives. Its impact is considerable.
1. Files created:
%Windows%\java\java.dll
%Windows%\system32\%MS%HCopy.dkt
%Windows%\system32\kernel32.sys
%Windows%\system32\mfc48.dll
\RECYCLER\RECYCLER\autorun.exe
2. Registry entries added:
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}  @ = "JavaClass"
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32  @ = "C:\WINNT\java\java.dll"
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32  ThreadingModel = "Apartment"
HKLM\SOFTWARE\Microsoft\Internet Explorer  (entries: GUID, DC, UT)
3. Registry entries modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden
  original value: dword:00000001
  new value:      dword:00000000
  (0 hides files carrying the hidden+system attributes in Explorer, so the USB payload stays out of sight)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  AppInit_DLLs
  original value: "userinit.dll"
  new value:      "kernel32.sys"
  (a DLL named in AppInit_DLLs is loaded into every process that loads user32.dll; kernel32.sys here is the trojan's user-mode DLL in system32, not a driver)
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries  (Winsock LSP catalog; this is the LSP hijack)
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\TcpIp_Protocol
4. Mutex created:
"DKFSInitMutex"
5. Event created:
"DKFSFileSpyIsRunEvent"
6. Semaphores created:
DKFSRegDaemonSemaphore
DKFileSpySystemDaemonSemaphore
DKFSUsbFileTransferSemaphore
DKFSHDFileTransferSemaphore1
DKFSUSBFileCopySemaphore
DKFSHDFileCopySemaphore
7. Process terminated:
iparm.exe
8. Network address contacted:
61.128.197.212
9. Processes injected into:
explorer.exe
qq.exe
msmsgs.exe
kavstart.exe
svchost.exe
winlogon.exe
lsass.exe
smss.exe
alg.exe
inetinfo.exe
conime.exe
wuauclt.exe
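
The indicators above, gathered into one host sweep. This is an added example and is not code from the original advisory or from the vendor; it assumes that %Windows% is $env:windir, that the LSP catalog entry points at one of the dropped DLLs, that the BHO is also listed under the usual "Browser Helper Objects" key (the page lists only the CLSID registration), and that an infected removable drive carries autorun.inf at its root. The PackedCatalogItem layout (provider path first, as a NUL-terminated ANSI string) is the well-known undocumented format, not something the page states.

```powershell
# Added example, not from the original advisory: sweep a host for the Win32.Troj.Agent.jf
# indicators listed above. Run from an elevated PowerShell prompt on the suspect machine.
# Assumptions not stated on the page: %Windows% is $env:windir; the Winsock LSP entry
# points at one of the dropped DLLs; the BHO is also listed under the usual
# "Browser Helper Objects" key; infected removable drives carry autorun.inf at the root.

$clsid    = '{EDF0DC30-9393-49DE-9987-C1A4F080CB09}'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. %MS%HCopy.dkt is left unexpanded on the page, so match on the suffix.
foreach ($f in "$env:windir\java\java.dll",
               "$env:windir\system32\kernel32.sys",
               "$env:windir\system32\mfc48.dll") {
    if (Test-Path -LiteralPath $f) { $findings.Add("file: $f") }
}
Get-ChildItem -LiteralPath "$env:windir\system32" -Filter '*HCopy.dkt' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("file: $($_.FullName)") }

# 2. CLSID registration and the (assumed) BHO hook that makes Internet Explorer load it
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path $clsidKey) {
    $srv = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $findings.Add("CLSID $clsid registered, InprocServer32 = $srv")
}
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path $bhoKey) { $findings.Add("BHO entry: $bhoKey") }

# 3. AppInit_DLLs: a DLL named here is loaded into every process that loads user32.dll,
#    which is how a file called kernel32.sys (a user-mode DLL, not a driver) reaches them.
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appInit -match 'kernel32\.sys') { $findings.Add("AppInit_DLLs = '$appInit'") }

# 4. ShowSuperHidden = 0 hides hidden+system files, keeping the USB payload out of sight
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings.Add('ShowSuperHidden = 0') }

# 5. Winsock LSP catalog. PackedCatalogItem begins with the provider DLL path as a
#    NUL-terminated ANSI string (undocumented layout); flag entries naming a dropped file.
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
Get-ChildItem $catalog -ErrorAction SilentlyContinue | ForEach-Object {
    $blob = (Get-ItemProperty $_.PSPath).PackedCatalogItem
    if ($blob) {
        $path = [System.Text.Encoding]::ASCII.GetString($blob).Split([char]0)[0]
        if ($path -match 'mfc48\.dll|kernel32\.sys|java\.dll') {
            $findings.Add("LSP entry $($_.PSChildName) -> $path")
        }
    }
}

# 6. Named synchronization objects the running trojan holds open. OpenExisting throws
#    WaitHandleCannotBeOpenedException when the name is absent; an access-denied error
#    means the object exists in another security context, which still counts as a hit.
function Test-NamedObject([string]$Kind, [string]$Name) {
    try {
        switch ($Kind) {
            'mutex'     { [System.Threading.Mutex]::OpenExisting($Name).Close() }
            'event'     { [System.Threading.EventWaitHandle]::OpenExisting($Name).Close() }
            'semaphore' { [System.Threading.Semaphore]::OpenExisting($Name).Close() }
        }
        return $true
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
    catch [System.UnauthorizedAccessException] { return $true }
}
$objects = @{
    mutex     = @('DKFSInitMutex')
    event     = @('DKFSFileSpyIsRunEvent')
    semaphore = @('DKFSRegDaemonSemaphore', 'DKFileSpySystemDaemonSemaphore',
                  'DKFSUsbFileTransferSemaphore', 'DKFSHDFileTransferSemaphore1',
                  'DKFSUSBFileCopySemaphore', 'DKFSHDFileCopySemaphore')
}
foreach ($kind in $objects.Keys) {
    foreach ($name in $objects[$kind]) {
        if (Test-NamedObject $kind $name) { $findings.Add("${kind}: $name") }
    }
}

# 7. Removable drives (DriveType 2): the autorun.inf plus the RECYCLER\RECYCLER dropper
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    foreach ($rel in 'autorun.inf', 'RECYCLER\RECYCLER\autorun.exe') {
        $p = Join-Path ($_.DeviceID + '\') $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("removable: $p") }
    }
}

# 8. Live connection to the download host; netstat exists on every OS version listed above
netstat -ano | Select-String '61\.128\.197\.212' | ForEach-Object { $findings.Add("net: $($_.Line.Trim())") }

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else                 { Write-Output 'No Win32.Troj.Agent.jf indicators found' }
```

Get-WmiObject is used rather than Get-CimInstance because the affected systems are XP-era hosts running PowerShell 2. Cross-check the LSP finding with `netsh winsock show catalog`; after removing the dropped DLLs, `netsh winsock reset` (XP SP2 and later) rebuilds the catalog, since deleting the LSP file without removing its catalog entry leaves every Winsock application unable to connect. The mutex, event and semaphore names are probed in the caller's session namespace, so run the sweep in the session where the infection is suspected to be active.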