王朝网络
分享
 
 
 

Win32.Troj.QQPass.nw

王朝system·作者佚名  2008-08-14
宽屏版  字体: |||超大  

病毒名称(中文):

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

木马程序

病毒长度:

48436

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这是一个盗取QQ帐号密码的木马病毒。

1、复制自身到如下路径:

%system%\severe.exe

%system%\jusodl.exe

%system%\drivers\pnvifj.exe

%system%\drivers\conime.exe

释放病毒文件到%system%\jusodl.dll

2、在每个磁盘根目录下生成如下病毒文件,当用户双击盘符时会激活病毒

OSO.EXE、autorun.inf

3、改写hosts文件,屏蔽如下安全网站:

127.0.0.1localhost

127.0.0.1mmsk.cn

127.0.0.1ikaka.com

127.0.0.1safe.qq.com

127.0.0.1360safe.com

127.0.0.1www.mmsk.cn

127.0.0.1www.ikaka.com

127.0.0.1tool.ikaka.com

127.0.0.1www.360safe.com

127.0.0.1zs.kingsoft.com

127.0.0.1forum.ikaka.com

127.0.0.1up.rising.com.cn

127.0.0.1scan.kingsoft.com

127.0.0.1kvup.jiangmin.com

127.0.0.1reg.rising.com.cn

127.0.0.1update.rising.com.cn

127.0.0.1update7.jiangmin.com

127.0.0.1download.rising.com.cn

127.0.0.1dnl-us1.kaspersky-labs.com

127.0.0.1dnl-us2.kaspersky-labs.com

127.0.0.1dnl-us3.kaspersky-labs.com

127.0.0.1dnl-us4.kaspersky-labs.com

127.0.0.1dnl-us5.kaspersky-labs.com

127.0.0.1dnl-us6.kaspersky-labs.com

127.0.0.1dnl-us7.kaspersky-labs.com

127.0.0.1dnl-us8.kaspersky-labs.com

127.0.0.1dnl-us9.kaspersky-labs.com

127.0.0.1dnl-us10.kaspersky-labs.com

127.0.0.1dnl-eu1.kaspersky-labs.com

127.0.0.1dnl-eu2.kaspersky-labs.com

127.0.0.1dnl-eu3.kaspersky-labs.com

127.0.0.1dnl-eu4.kaspersky-labs.com

127.0.0.1dnl-eu5.kaspersky-labs.com

127.0.0.1dnl-eu6.kaspersky-labs.com

127.0.0.1dnl-eu7.kaspersky-labs.com

127.0.0.1dnl-eu8.kaspersky-labs.com

127.0.0.1dnl-eu9.kaspersky-labs.com

127.0.0.1dnl-eu10.kaspersky-labs.com

4、修改如下注册表项开机自动启动:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

"pnvifj"="C:\WINDOWS\system32\jusodl.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

"jusodl"="C:\WINDOWS\system32\severe.exe"

[HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]

"Shell"="Explorer.exeC:\WINDOWS\system32\drivers\conime.exe"

修改如下项,隐藏病毒文件:

[HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]

CheckedValue="0"

修改如下键值,使正常文件的运行路径指向病毒文件:

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\MagicSet.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rav.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvDetect.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.kxp\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonXP.kxp\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\mmsk.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WoptiClean.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kabaload.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\iparmo.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\adam.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavMon.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREng.EXE\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ras.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.com\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.com\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFWLiveUpdate.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\EGHOST.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NOD32.exe\Debugger"C:\WINDOWS\system32\drivers\pnvifj.exe"

5、查找含有如下字符串的窗口,找到则将其关闭:

杀毒、专杀、病毒、木马、注册表。

停止并禁用如下安全服务:

srservice

sharedaccess

KVWSC

KVSrvXP

kavsvc

RsRavMon

RsCCenter

RsRavMon

终止如下安全进程:

"cmd.exe"

"net.exe"

"sc1.exe"

"net1.exe"

"PFW.exe"

"Kav.exe"

"KVOL.exe"

"KVFW.exe"

"adam.exe"

"qqav.exe"

"qqkav.exe"

"TBMon.exe"

"kav32.exe"

"kvwsc.exe"

"CCAPP.exe"

"KRegEx.exe"

"kavsvc.exe"

"VPTray.exe"

"RAVMON.exe"

"EGHOST.exe"

"KavPFW.exe"

"SHSTAT.exe"

"RavTask.exe"

"TrojDie.kxp"

"Iparmor.exe"

"MAILMON.exe"

"MCAGENT.exe"

"KAVPLUS.exe"

"RavMonD.exe"

"Rtvscan.exe"

"Nvsvc32.exe"

"KVMonXP.exe"

"Kvsrvxp.exe"

"CCenter.exe"

"KpopMon.exe"

"RfwMain.exe"

"KWATCHUI.exe"

"MCVSESCN.exe"

"MSKAGENT.exe"

"kvolself.exe"

"KVCenter.kxp"

"kavstart.exe"

"RAVTIMER.exe"

"RRfwMain.exe"

"FireTray.exe"

"UpdaterUI.exe"

"KVSrvXp_1.exe"

"RavService.exe"

7、寻找QQ登陆窗口,记录键盘,获得用户密码后通过自身的邮件引擎发送出去。

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
>>返回首页<<
推荐阅读
 
 
频道精选
 
静静地坐在废墟上,四周的荒凉一望无际,忽然觉得,凄凉也很美
© 2005- 王朝网络 版权所有