Threat level: ★
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behaviour:
This virus is a variant of the "QQ thief" (QQ大盗) trojan. It sends the QQ numbers and passwords it steals to a designated e-mail address and also submits them to a designated URL. Users are advised not to run unknown programs, so as to avoid infection.
1. Copies itself into the system directory and sets the hidden attribute on the copy:
%SystemRoot%\system32\NTdHcP.exe
2. Deletes the QQ protection file npkcrypt.sys and saves it as npkcrypt.bak:
D:\Program Files\Tencent\QQ\npkcrypt.sys
3. Adds a registry autorun entry:
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run
"NTdhcp" = "%SystemRoot%\system32\NTdhcp.exe"
4. Installs a message hook of type WH_JOURNALRECORD, which records consecutive mouse and keyboard events.
The process that installs the hook is: %SystemRoot%\system32\NTdHcP.exe
5. Sets the Start value of all of the following services to "disabled" and terminates their processes:
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon\Start
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter\Start
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP\Start
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy\Start
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr\Start
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr\Start
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC\Start
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor\Start
HKLM\SYSTEM\CurrentControlSet\Services\MskService\Start
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\McShield\Start
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager\Start
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework\Start
HKLM\SYSTEM\CurrentControlSet\Services\RfwService\Start
7. Attempts to delete the following autorun entries and terminates their processes:
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP NOTFOUND
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvPpWall_autorun
8. Creates and runs a batch file named Deleteme.bat to delete itself.
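The dropped file, the renamed QQ driver, the "NTdhcp" Run value and the disabled security services listed above are all host artifacts an administrator can check for directly. The following PowerShell script is an added example written for this page, not code from the original advisory or from the antivirus vendor; the file paths, registry value names and service names are taken from the advisory text, the QQ install path is assumed to be the one the advisory gives (it may differ per machine), and the interpretation of Start = 4 as "disabled" is standard Windows service semantics. Run it in an elevated PowerShell session on a host suspected of infection.

```powershell
# Added example (not part of the original advisory): checks a Windows host for
# the indicators described in the advisory above and reports what it finds.
$findings = @()

# Step 1: the trojan's hidden copy in the system directory
$dropped = Join-Path $env:SystemRoot 'system32\NTdHcP.exe'
if (Test-Path -LiteralPath $dropped) {
    # -Force is needed so Get-Item returns hidden files
    $attr = (Get-Item -LiteralPath $dropped -Force).Attributes
    $findings += "Dropped file present: $dropped (attributes: $attr)"
}

# Step 2: QQ protection driver replaced by its .bak copy
# (install path assumed from the advisory; adjust for the local QQ installation)
$qqDir = 'D:\Program Files\Tencent\QQ'
$bakPresent = Test-Path -LiteralPath (Join-Path $qqDir 'npkcrypt.bak')
$sysMissing = -not (Test-Path -LiteralPath (Join-Path $qqDir 'npkcrypt.sys'))
if ($bakPresent -and $sysMissing) {
    $findings += "npkcrypt.sys missing and npkcrypt.bak present in $qqDir"
}

# Step 3: the autorun value the trojan adds under HKLM ...\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'NTdhcp' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Autorun value NTdhcp = $($runVal.NTdhcp)"
}

# Step 5: security services whose Start value the trojan sets to disabled (4)
$services = @(
    'navapsvc', 'RsRavMon', 'RsCCenter', 'kavsvc', 'KVSrvXP', 'KVWSC', 'wscsvc',
    'KPfwSvc', 'KWatchSvc', 'SNDSrvc', 'ccProxy', 'ccEvtMgr', 'ccSetMgr', 'SPBBCSvc',
    'Symantec Core LC', 'NPFMntor', 'MskService', 'FireSvc', 'McShield',
    'McTaskManager', 'McAfeeFramework', 'RfwService'
)
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $p = Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue
    # Only services that actually exist on this host and are now disabled are reported;
    # a missing key simply means that product is not installed here.
    if ($p -and $p.Start -eq 4) {
        $findings += "Service '$svc' is disabled (Start = 4)"
    }
}

if ($findings.Count -gt 0) {
    Write-Warning "Indicators matching the NTdhcp QQ-thief variant were found:"
    $findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "No indicators from the advisory were found on this host."
}
```

A disabled security service on its own is not proof of infection, since an administrator may have disabled it deliberately; the combination of the dropped file, the "NTdhcp" autorun value and several disabled vendor services at once is the pattern the advisory describes. The WH_JOURNALRECORD hook from step 4 is not visible through the registry or file system; it lives only in the running session, so confirming it requires inspecting the live process rather than this static check.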