Virus alias:
Processed on: 2005-09-27
Threat level: ★
Chinese name:
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behaviour:
This is a Trojan that steals login passwords for online banking and many other services.
1. The virus first copies itself into the %WinDir% directory, then adds a startup entry to the registry so that it runs at every boot:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ole" = "%WinDir%\<virus file name>"
2. It then checks its own path. If it is not running from %WinDir%, it launches the copy it placed in %WinDir% and exits; if it is already running from %WinDir%, it keeps running. In this way the virus ensures that only one virus process is running on the system.
3. First, the virus uses the Protected Storage service to harvest the passwords stored on the local machine, including:
Outlook passwords
Outlook account passwords
passwords IE saved for web sites
MSN login password
IE AutoComplete saved passwords
4. The virus then clears the cookies, so that the next time the user logs in they have to type the password again, which the virus captures by monitoring keystrokes.
5. Next, the virus drops a dynamic link library named MS_DLL.dll and calls the hook function it contains to monitor running windows; when the window title is one of the following names, the virus starts keyboard monitoring:
Citi
Charter
Registered Users
Charter - Home
Welcome to GCI.net, Alaska's Internet
Web Mail Login
COX.net for
Cox High Speed Internet WebMail
Login
Total Access
Screen Name Sign In
AOL.com
SIGN IN - Comcast.net
Member Identification
Welcome To Patriot Media
Patriot Media
TDSMAIL
TDS Internet Services - Manage Your Internet Account
Welcome to TDS: High-Speed DSL, Dial-up and Internet Services
AT&T Worldnet Login
BellSouth - Web E-mail
SusCom Start Page - Home
suscom.net WebMail
PayPal
e-gold Account Access
Account Creation
Sign in to Yahoo!
Sign In
Get a New Password or Search for Your ICQ Number
Get a New Password
Earthlink
Billing
Optimum Online Webmail
bank
account
Bank of America | Online Banking | Enrollment
Bank of America | Please Select Your State
Bank of America | Online Banking | Get Help with Your Online ID | Enter Your ATM PIN
Bank of America | Online Banking | Accounts Overview
Bank of America | Home | Personal
Bank Of America Online Banking
Welcome to Citi
Citi - Sign On
Citi® U.S. Cards
Citibank Lookup User ID
Citibank Reset Password
CitiBusiness Online
AT&T Universal Sign-on
Capital One Online Account Services - Login
Capital One Online Banking
Cardmember Services - Home
Welcome to Cardmember Access
Fleet | Fleet HomeLink Online Banking and Investing: Online Banking: Fleet HomeLink
e-gold Account Access
Sign In
iBill Payment Page
HPshopping.com - sign in
PayPal - Log In
Fethard finance
Wells Fargo Home Page
Barclays IBank
U.S. Bank Internet Banking
RBC Financial Group - Online Banking
LloydsTSB online - Welcome
Key Bank - Online Banking
Welcome to Flagstar Bank's Internet Banking
Fool.com: Login
NatWest OnLine Banking
AIB 24hour-online
Washington Mutual - Log On
Egg Security Login
HSBC Bank plc: Internet Banking Log On
Please sign in
Juniper - Save Time and Money with the Juniper Credit Card
6. The virus also creates a thread that empties the clipboard every 10 milliseconds, so that the user is forced to type passwords on the keyboard instead of pasting them.
7. Once it has collected the passwords, the virus uses its built-in SMTP engine to send them to a designated mailbox.
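The behaviours in steps 1 to 7 above translate directly into a sandbox triage rule: a process that writes a Run-key entry pointing straight into %WinDir%, touches Protected Storage, drops MS_DLL.dll and installs a window hook, reads a monitored window title, hammers the clipboard at roughly 100 calls per second and then opens an SMTP connection is this family or something very like it. The script below is an added example, not code from the original page or from the AV vendor: it scans an API-call trace for those indicators. The trace format `seconds|pid|api|argument`, the sample trace, the API names used in it and the substring matching of window titles (the page lists bare words such as "bank" and "account", which only make sense as substrings) are all assumptions made for the example.

```python
"""Behavioural triage for the password-stealing trojan described above.
Added example, not the page's own code. The trace format, the sample trace
and the indicator names are constructed for illustration."""
import re
from collections import defaultdict

# Subset of the window titles the write-up says switch on keyboard capture.
TRIGGER_TITLES = [
    "Citi", "Web Mail Login", "Login", "Sign In", "PayPal", "bank", "account",
    "Bank of America | Online Banking | Accounts Overview",
    "HSBC Bank plc: Internet Banking Log On",
]

# Constructed sample trace (not real sandbox output): two processes, the
# dropper (pid 1200) and the copy it starts from %WinDir% (pid 1300).
SAMPLE_TRACE = """\
0.001|1200|CopyFileA|C:\\mal\\sample.exe -> C:\\WINDOWS\\sample.exe
0.002|1200|RegSetValueExA|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Ole = C:\\WINDOWS\\sample.exe
0.005|1200|CreateProcessA|C:\\WINDOWS\\sample.exe
0.010|1300|PStoreCreateInstance|
0.015|1300|DeleteFileA|C:\\Documents and Settings\\user\\Cookies\\user@example.invalid.txt
0.020|1300|CreateFileA|C:\\WINDOWS\\MS_DLL.dll
0.021|1300|SetWindowsHookExA|WH_KEYBOARD
0.030|1300|GetWindowTextA|Bank of America | Online Banking | Accounts Overview
0.031|1300|GetWindowTextA|Untitled - Notepad
"""
# A burst of EmptyClipboard calls 10 ms apart, as step 6 describes.
SAMPLE_TRACE += "".join(f"{0.100 + i * 0.010:.3f}|1300|EmptyClipboard|\n" for i in range(100))
SAMPLE_TRACE += "1.500|1300|connect|mail.example.invalid:25\n"

# Run-key write whose data is a file directly under %WinDir% (no subfolder).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^=]+?)\s*=\s*(?P<data>.+)$", re.I)
WINDIR_ROOT_FILE = re.compile(r"(?:%windir%|[a-z]:\\windows)\\[^\\]+", re.I)


def parse_trace(text):
    """Turn 'seconds|pid|api|argument' lines into (ts, pid, api, arg) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, api, arg = line.split("|", 3)  # arg may itself contain '|'
            events.append((float(ts), int(pid), api, arg))
    return events


def matching_triggers(title, triggers=TRIGGER_TITLES):
    """Trigger strings contained in a window title (case-insensitive substring;
    an assumption, since the page only says the title 'is' one of the names)."""
    low = title.lower()
    return [s for s in triggers if s.lower() in low]


def clipboard_wipe_rate(events, pid):
    """Peak number of EmptyClipboard calls by one process inside any 1 s window."""
    times = sorted(ts for ts, p, api, _ in events if p == pid and api == "EmptyClipboard")
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - 1.0:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(text, clipboard_threshold=50):
    """Map each pid to the sorted list of indicators it exhibits."""
    events = parse_trace(text)
    hits = defaultdict(set)
    for _, pid, api, arg in events:
        if api.startswith("RegSetValueEx"):
            m = RUN_KEY.search(arg)
            if m and WINDIR_ROOT_FILE.fullmatch(m.group("data").strip()):
                hits[pid].add("run_key_windir")
        elif api.startswith("PStore"):
            hits[pid].add("protected_storage")
        elif api.startswith("CreateFile") and arg.lower().endswith("\\ms_dll.dll"):
            hits[pid].add("hook_dll_drop")
        elif api.startswith("SetWindowsHookEx"):
            hits[pid].add("window_hook")
        elif api.startswith("GetWindowText") and matching_triggers(arg):
            hits[pid].add("monitored_title")
        elif api == "connect" and arg.endswith(":25"):
            hits[pid].add("smtp")
    for pid in {p for _, p, _, _ in events}:
        if clipboard_wipe_rate(events, pid) >= clipboard_threshold:
            hits[pid].add("clipboard_wiper")
    return {pid: sorted(v) for pid, v in hits.items()}


def suspect_pids(hits, minimum=4):
    """Pids showing at least `minimum` of the indicators (one alone is weak)."""
    return sorted(pid for pid, v in hits.items() if len(v) >= minimum)


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for pid, indicators in sorted(result.items()):
        print(pid, ", ".join(indicators))
    print("suspect:", suspect_pids(result))
```

The clipboard threshold is deliberately set well below the roughly 100 calls per second that a 10 ms loop produces, so a sandbox with coarse timestamps still catches it, and the Run-key check only fires for a file sitting directly in the Windows directory, which is where this sample places itself and where legitimate startup entries rarely live.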