Downloader.Admincash 是一个特洛伊木马程序,它感染Windows系统中安全设置较低的Explorer.exe,同时下载Adware和拨号器。
[被屏蔽广告] 当Downloader.Admincash 运行时,它执行以下操作:
创建如下互斥实例,以确保同时只有一个木马运行:
BeavisMutex
ButtheadMutex
将自身拷贝为 %System%soft.exe 和 %System%[随机生成文件名].exe
提示: %System% 是系统目录变量,默认情况下它是C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32(Windows NT/2000),或 C:WindowsSystem32 (Windows XP).
创建如下注册表项:
HKEY_CURRENT_USERSoftwareMicrosoftActive SetupInstalled Components{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
HKEY_LOCAL_MACHINESoftwareMicrosoftActive SetupInstalled Components{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
将下述键值:
"Web Service" = "%System%[random file name].exe"
添加到如下注册表项:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersion
un
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
un
添加注册表键值
"run" = "%System%soft.exe"
到:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NT
CurrentVersionWindows
HKEY_CURRENT_USERSOFTWAREMicrosoftWindows NT
CurrentVersionWindows
添加注册表键值:
"DisableSR" = "0x00000001"
到:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindows NT
CurrentVersionSystemRestore
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NT
CurrentVersionSystemRestore
添加键值:
"EnableFirewall" = "0x00000001"
到注册表项:
HKEY_CURRENT_USERSOFTWAREPoliciesMicrosoft
WindowsFirewallDomainProfile
HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft
WindowsFirewallDomainProfile
HKEY_CURRENT_USERSOFTWAREPoliciesMicrosoft
WindowsFirewallStandardProfile
HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft
WindowsFirewallStandardProfile
以用于禁用Windows 的Windows Firewall。