Trojan/PopMonster
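Virus length: variable
Virus type: Trojan
Severity level: *
Affected platforms: Win9X/2000/XP/NT/Me
Trojan/PopMonster is a program that cannot activate itself automatically; when run, it first installs itself.
Propagation process and characteristics:
1. Modifies the registry:
Adds the following keys and values: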
HKEY_CURRENT_USER\Software\180solutions\msbb
HKEY_LOCAL_MACHINE\Software\iefeatures "lastdate"
HKEY_LOCAL_MACHINE\Software\iefeatures "popstate"
HKEY_LOCAL_MACHINE\Software\iefeatures "sys"
HKEY_LOCAL_MACHINE\Software\iefeatures "userid"
HKEY_LOCAL_MACHINE\Software\iefeatures "version"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"iefeatures" = "%Windir%\IEFEATURES.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"msbb" = "%Windir%MSBBMSBB.EXE"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSVersion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
"DisplayName" = "PAD Lookups by n-CASE "
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
"default" = "UninstallString"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
CASE
"DisplayName" = "Interstitial Ad Delivery by n-CASE"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://popnav.com"
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://popnav.com"
2. Creates files:
%Windir%\Desktop\Eliminate Popups.url
%Windir%\Desktop\Internet Privacy Software.url
%Windir%\Desktop\Yahoo.url
%Windir%\Favorites\Ebay.url
%Windir%\Favorites\Search Now.url
%Windir%\Favorites\Stop Popups.url
%Windir%\Favorites\Internet Tools\Internet Privacy Software.url
%Windir%\Favorites\Internet Tools\Online Virus Scan.url
%Windir%\Favorites\Internet Tools\Popup Blocker.url
%Windir%\Favorites\Search\Search Casinos.url
%Windir%\Favorites\Search\Search Dating.url
%Windir%\Favorites\Search\Search Now.url
%Windir%\Favorites\Search\Search Sports.url
%Windir%\Favorites\Shopping\Best Buy.url
%Windir%\Favorites\Shopping\Buy.com.url
%Windir%\Favorites\Shopping\Ebay.url
%Windir%\Favorites\Shopping\WalMart.url
%System%\iefeatures.exe
%System%MSrdk.xml
%System%msbbkyf.dat
%System%msbbmsbb.exe