Worm.Downloader.cx.77824

Source: Internet
2008-08-14 23:02:29

Virus name (Chinese): 下载者病毒77824 (Downloader virus 77824)

Aliases:

Threat level: ★★☆☆☆

Type: Trojan downloader

Length: 77824 bytes

Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003

Behaviour:

This is a downloader. It fetches a large number of Trojans from the Internet and adds them to the system's autostart entries so that they run automatically.

1. After it runs, the virus downloads a Trojan list from http://d**n.hu*ll.com/po**in/update.txt and then downloads a large number of Trojan programs to the local machine. Note that many of the dropped names mimic security products or system components (AVPSrv, Kvsc3, DbgHlp32, lsassj.exe) and that several files are placed in the Fonts directory, which does not normally hold executables or DLLs. Files observed:

C:\Documents and Settings\mainzo\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\mainzo\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\mainzo\Local Settings\Temp\MSDEG32.DLL
C:\Program Files\lsassj.exe
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
C:\Program Files\Internet Explorer\PLUGINS\NvWin_5.Jmp
C:\WINDOWS\192896L.exe
C:\WINDOWS\192896M.exe
C:\WINDOWS\192896MM.DLL
C:\WINDOWS\192896WL.DLL
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\MsIMMs32.exE
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\NVDispDRV.EXE
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\WSockDrv32.exe
C:\WINDOWS\Fonts\avwghinb.dll
C:\WINDOWS\Fonts\avwlhin.dll
C:\WINDOWS\Fonts\gjfeaxw.fon
C:\WINDOWS\Fonts\gjfhass.dll
C:\WINDOWS\Fonts\jshuaxw.fon
C:\WINDOWS\Fonts\jshubxw.fon
C:\WINDOWS\Fonts\jsqxass.dll
C:\WINDOWS\Fonts\jsqxbss.dll
C:\WINDOWS\Fonts\jsqxbyc.dll
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\Fonts\msgubsd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\swjqbcsb.dll
C:\WINDOWS\Fonts\wijibfw.fon
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\mshmsdjs32.dll
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\qjylanamy.dll
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\rlandpczx.dll
................................

2. The downloaded components also modify registry service entries and startup entries, and install hooks through the ShellExecuteHooks key. Values under ShellExecuteHooks are CLSIDs; the DLL Explorer loads for each one is the InprocServer32 registered for that CLSID under HKEY_CLASSES_ROOT\CLSID, so when checking a host the CLSID must be resolved to its DLL rather than relying on the file names listed here. The specific changes are as follows:

HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Services\99D56F10
    Description = "D7598AE0"
    DisplayName = "99D56F10"
    ImagePath   = "C:\WINDOWS\system32\4366ECF0.EXE-d"
    ObjectName  = "LocalSystem"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {8A1247C1-53DA-FF43-ABD3-345F323A48D8}  "avwghmn.dll"
    {8960356A-458E-DE24-BD50-268F589A56A8}  "avwlhmn.dll"
    {24909874-8982-F344-A322-7898787FA742}  "swjqbzc.dll"
    {1D908534-AD45-920F-AC89-4024FA9D26D1}  "gjfhayc.dll"
    {1D098345-9012-8750-8910-9128098134D1}  "jsqxayc.dll"
    {2D098345-9012-8750-8910-9128098134D2}  "jsqxbyc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    upxdnd     = "C:\WINDOWS\upxdnd.exe"
    MsIMMs32   = "C:\WINDOWS\MsIMMs32.exE"
    AVPSrv     = "C:\WINDOWS\AVPSrv.exE"
    MsPrint32D = "C:\WINDOWS\MsPrint32D.exe"
    Kvsc3      = "C:\WINDOWS\Kvsc3.exE"
    cmdbcs     = "C:\WINDOWS\cmdbcs.exe"
    WSockDrv32 = "C:\WINDOWS\WSockDrv32.exe"
    NVDispDrv  = "C:\WINDOWS\NVDispDRV.EXE"
    DbgHlp32   = "C:\WINDOWS\DbgHlp32.exe"
    WinSysM    = "C:\WINDOWS\192896M.exe"
    WinSysW    = "C:\WINDOWS\192896L.exe"
    LotusHlp   = "C:\WINDOWS\LotusHlp.exe"
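The following Python script is an added example, not code from the original page or from the antivirus vendor. It triages the text of a .reg export for the three persistence mechanisms described above: Run values that launch from directories where legitimate autostarts almost never live, ShellExecuteHooks CLSIDs outside a small allowlist (resolved to their InprocServer32 DLL when the export contains that CLSID), and a service whose binary has an all-hex name like 4366ECF0.EXE. The registry text embedded in the script is constructed to mirror the entries on this page; the benign ctfmon.exe entry, the CLSID-to-DLL mapping, the placement of the service under HKLM\SYSTEM and the default-hook allowlist are assumptions made for the demonstration.

```python
"""Triage a .reg export for the persistence used by this downloader family:
Run values, ShellExecuteHooks CLSIDs and an oddly named service."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (category, location, detail)

# Constructed sample modelled on the entries listed on the page. It is not an
# export from an infected host: the ctfmon entry, the CLSID-to-DLL mapping and
# the HKLM\SYSTEM location of the service are assumptions for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upxdnd"="C:\\WINDOWS\\upxdnd.exe"
"AVPSrv"="C:\\WINDOWS\\AVPSrv.exE"
"WinSysM"="C:\\WINDOWS\\192896M.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C0F0E1A701}"=""
"{8A1247C1-53DA-FF43-ABD3-345F323A48D8}"=""
"{1D098345-9012-8750-8910-9128098134D1}"=""

[HKEY_CLASSES_ROOT\CLSID\{8A1247C1-53DA-FF43-ABD3-345F323A48D8}\InprocServer32]
@="C:\\WINDOWS\\system32\\avwghmn.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\99D56F10]
"DisplayName"="99D56F10"
"ImagePath"="C:\\WINDOWS\\system32\\4366ECF0.EXE-d"
"ObjectName"="LocalSystem"
'''

RUN_KEYS = (
    'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
    'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
    'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
)
SEH_KEY = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks'
# Assumption: the URL Exec Hook below is the only ShellExecuteHooks entry on a
# clean Windows XP install; every other CLSID is reported for review.
KNOWN_HOOKS = {'{aeb6717e-7e19-11d0-97ee-00c0f0e1a701}'}
# Heuristic: legitimate autostart binaries almost never sit directly in these.
SUSPECT_DIRS = {'c:\\windows', 'c:\\windows\\fonts', 'c:\\program files'}

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" or @="data"; non-string data (hex:, dword:) lands in group 4.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and string values of a .reg export; other types are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(3) is not None:
            name = '' if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(3))
    return keys


def _values(keys: Dict[str, Dict[str, str]], key_name: str) -> Dict[str, str]:
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    wanted = key_name.lower()
    for key, values in keys.items():
        if key.lower() == wanted:
            return values
    return {}


def exe_path(command: str) -> str:
    """Strip surrounding quotes and trailing arguments from a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ')[0]


def check_autostarts(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for key in RUN_KEYS:
        for name, command in _values(keys, key).items():
            path = exe_path(command)
            if path.rsplit('\\', 1)[0].lower() in SUSPECT_DIRS:
                findings.append(('run', key + '\\' + name, path))
    return findings


def check_shell_execute_hooks(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for clsid in _values(keys, SEH_KEY):
        if clsid.lower() in KNOWN_HOOKS:
            continue
        # The hook DLL is whatever InprocServer32 the CLSID points at.
        server = _values(keys, 'HKEY_CLASSES_ROOT\\CLSID\\' + clsid + '\\InprocServer32')
        findings.append(('shellexecutehook', clsid,
                         server.get('', '<no InprocServer32 in export>')))
    return findings


def check_services(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Heuristic: service binaries named with eight hex digits, as in the page."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if '\\system\\currentcontrolset\\services\\' not in key.lower() or 'ImagePath' not in values:
            continue
        path = exe_path(values['ImagePath'])
        stem = path.rsplit('\\', 1)[-1].split('.')[0]
        if re.fullmatch(r'[0-9A-Fa-f]{8}', stem):
            findings.append(('service', key, path))
    return findings


def scan(text: str) -> List[Finding]:
    keys = parse_reg(text)
    return check_autostarts(keys) + check_shell_execute_hooks(keys) + check_services(keys)


if __name__ == '__main__':
    for category, where, detail in scan(SAMPLE_REG):
        print(f'[{category}] {where} -> {detail}')
```

On a real host, export the keys of interest with reg export (for example `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`), open the file with encoding 'utf-16' since reg export writes UTF-16, and pass its text to scan(). Every finding is a lead to confirm on disk, not a verdict; the Fonts directory DLLs listed on this page would only appear here through the InprocServer32 resolution.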

© 2005- 王朝网络 (Wangchao Network). All rights reserved.