威胁级别:★
病毒类型:木马
影响系统:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行为:
这是一个发送QQ消息的木马病毒,病毒运行后会释放病毒文件,修改注册表,并在后台寻找QQ聊天窗口,找到后自动向好友发送消息。
1、释放病毒文件到如下路径:
%system32%1A783BD2.EXE
%system32%1A783BD2T.EXE
%system32%1A783BD2.dll
%system%为可变路径,一般为c:windowssystem32
2、释放.bat文件到%system32%delme.bat删除病毒体自身。
3、修改注册表项,添加服务1A783BD2:
HKLMSystemCurrentControlSetServices1A783BD2
HKLMSystemCurrentControlSetServices1A783BD2Type 0x10
HKLMSystemCurrentControlSetServices1A783BD2Start 0x2
HKLMSystemCurrentControlSetServices1A783BD2ErrorControl 0x1
HKLMSystemCurrentControlSetServices1A783BD2ImagePath "C:WINDOWSsystem321A783BD2.EXE -service"
HKLMSystemCurrentControlSetServices1A783BD2DisplayName "1A783BD2"
HKLMSystemCurrentControlSetServices1A783BD2ObjectName "LocalSystem"
HKLMSYSTEMCurrentControlSetServices1A783BD2Description "为系统提供加速启动功能。"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2NextInstance 0x1
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000Control*NewlyCreated* 0x0
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000Service "1A783BD2"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000Legacy 0x1
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000ConfigFlags SUCCESS 0x0
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000Class "LegacyDriver"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000ClassGUID "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_1A783BD2�000DeviceDesc "1A783BD2"
HKLMSYSTEMCURRENTCONTROLSETSERVICES1A783BD2Enum� "RootLEGACY_1A783BD2�000"
HKLMSYSTEMCURRENTCONTROLSETSERVICES1A783BD2EnumCount 0x1
HKLMSYSTEMCURRENTCONTROLSETSERVICES1A783BD2EnumNextInstance 0x1
HKLMSystemCurrentControlSetEnumRootLEGACY_1A783BD2�000ControlActiveService "1A783BD2"
4、插入Winlogon.exe和Explorer.exe进程,下载配置文件,根据配置文件修改用户主页。
5、遍历当前所有窗口,当找到QQ聊天窗口时,自动向好友发送消息。