Win32.Troj.Downloader.fr

王朝百科 · Author: unknown  2010-01-26

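Threat level: ★

Virus type: Trojan

Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Virus behavior:

This virus is a downloader Trojan. It downloads and installs adware. Users are advised to update their virus definitions to detect and remove it, to avoid infection.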

1. Files created

C:\Documents and Settings\All Users\Templates\emp.exe

C:\Program Files\Common Files\System\Update.dat

C:\Program Files\Common Files\System\Update.exe

C:\WINNT\system32\rundllfromwin2000.exe

C:\WINNT\system32\wbem\ocmor.dll

C:\WINNT\system32\wbem\mnevno40.dll

C:\WINNT\system32\Score.txt

C:\WINNT\system32\advport.dll

C:\WINNT\system32\bcaqm26.dll

C:\Documents and Settings\administrator\Favorites\多特软件站-最安全放心的软件站.url

2. Adds a registry startup entry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"System" = "C:\Program Files\Common Files\System\Update.exe"

3. Adds fake system services and drivers

HKLM\System\CurrentControlSet\Services\DATEING

"Type" = "0x10"

HKLM\System\CurrentControlSet\Services\DATEING

"Start" = "0x2"

HKLM\System\CurrentControlSet\Services\DATEING

"ImagePath" = "C:\WINNT\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINNT\SYSTEM32\WBEM\MNEVNO40.DLL,Export 1087"

HKLM\System\CurrentControlSet\Services\paraudio

"Type" = "0x1"

HKLM\System\CurrentControlSet\Services\paraudio

"Start" = "0x2"

HKLM\System\CurrentControlSet\Services\paraudio

"ImagePath" = "\??\C:\WINNT\system32\drivers\paraudio.sys"

HKLM\System\CurrentControlSet\Services\paraudio

"DisplayName" = "paraudio"

HKLM\System\CurrentControlSet\Services\License

"Type" = "0x20"

HKLM\System\CurrentControlSet\Services\License

"Start" = "0x2"

HKLM\System\CurrentControlSet\Services\License

"ImagePath" = "%SystemRoot%\System32\svchost.exe -k netsvcs"

HKLM\SYSTEM\CurrentControlSet\Services\License

"DisplayName" = "Windows Gateway"

HKLM\SYSTEM\CurrentControlSet\Services\License

"Description" = "防火墙保护机制,为 Internet 连接共享和 Windows 防火墙提供高效的保护支持。无法终止此服务。"

HKLM\SYSTEM\CurrentControlSet\Services\License\Parameters

"ServiceDll" = "C:\WINNT\system32\bcaqm26.dll"

5. Adds registry information

HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedUrls

"url5" = "http://www.3839.com/index.html"

6. Adds an uninstall entry, although no uninstaller actually exists

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\coolsign

"DisplayName" = "CoolSign"

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\coolsign

"UninstallString" = "C:\Program Files\coolsign\uninst.exe"
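
A read-only PowerShell triage for the service keys and the uninstall entry listed above, added here as an example and not part of the original entry. It generalizes item 6 to any uninstall entry whose uninstaller is missing on disk; the helper name Get-ExePath and the output column names are assumptions made for illustration.

```powershell
# Added example: read-only triage of the persistence entries listed on this page.
# Service and uninstall key names come from the page; nothing is changed or deleted.
$servicesRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$serviceNames  = 'DATEING', 'paraudio', 'License'

function Get-ExePath([string]$CommandLine) {   # hypothetical helper
    # Quoted path first; otherwise take everything up to the first ".exe".
    if ($CommandLine -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

# 1) Report the service keys named on the page, with the values an analyst
#    compares against the listing (Type, Start, ImagePath, ServiceDll).
$serviceHits = @(foreach ($name in $serviceNames) {
    $key = Join-Path $servicesRoot $name
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $svc = Get-ItemProperty -LiteralPath $key
    $dll = $null
    $paramKey = Join-Path $key 'Parameters'   # svchost-hosted services keep ServiceDll here
    if (Test-Path -LiteralPath $paramKey) {
        $dll = (Get-ItemProperty -LiteralPath $paramKey).ServiceDll
    }
    [pscustomobject]@{
        Check  = 'Service key present'
        Name   = $name
        Detail = 'Type=0x{0:x} Start=0x{1:x} ImagePath={2} ServiceDll={3}' -f $svc.Type, $svc.Start, $svc.ImagePath, $dll
    }
})

# 2) Flag uninstall entries whose uninstaller does not exist on disk (item 6).
$uninstallHits = @(foreach ($entry in Get-ChildItem -LiteralPath $uninstallRoot) {
    $cmd = (Get-ItemProperty -LiteralPath $entry.PSPath).UninstallString
    if (-not $cmd) { continue }
    $exe = Get-ExePath ([Environment]::ExpandEnvironmentVariables($cmd))
    # Skip bare commands such as "MsiExec.exe /X{...}" that resolve via PATH.
    if (-not $exe -or -not [IO.Path]::IsPathRooted($exe)) { continue }
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        [pscustomobject]@{ Check = 'Uninstaller missing'; Name = $entry.PSChildName; Detail = $cmd }
    }
})

$serviceHits + $uninstallHits | Format-Table -AutoSize -Wrap
```

A hit is a lead to compare against the values listed above, not a verdict: legitimate software can also leave behind an uninstall entry after its files are removed.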

 
 
 