Win32.Troj.WinShow.p.6656

Wangchao System · Author: Anonymous  2008-08-14

Virus name (Chinese):

Virus alias:

TrojanDownLoader.Win32.WinShow.p <AVP>

Threat level:

★☆☆☆☆

Virus type:

Trojan

Virus length:

6656

Affected systems:

Win9x / WinNT / Win2000 / WinXP / Win2003

Virus behavior:

Compiler:

Microsoft Visual C++ 6.0

Infection conditions:

Trigger conditions:

System modifications:

A. Adds the following files:

%SystemRoot%\image.dll

%SystemRoot%\mshp.dll

%SystemRoot%\winxf <new directory>

%SystemRoot%\winxf\dict.dat

%SystemRoot%\winxf\keywords.dat

%SystemRoot%\winxf\msiesh.dll

%SystemRoot%\winxf\mssearch.dll

%SystemRoot%\winxf\winxf32.dll

B. Adds the following items to Favorites:

eXtreme Sex

Only sex website

Search the web

Seven days of free porn

C. Creates the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

D. Adds the following registry values:

Key: HKEY_CLASSES_ROOT\iefeatsl.ViewSource
@="ViewSourceClass"

Key: HKEY_CLASSES_ROOT\iefeatsl.ViewSource\CLSID
@="{587DBF2D-9145-4c9e-92C2-1F953DA73773}"

Key: HKEY_CLASSES_ROOT\iefeatsl.ViewSource\CurVer
@="iefeatsl.ViewSource.1"

Key: HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1
@="ViewSourceClass"

Key: HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1\CLSID
@="{587DBF2D-9145-4c9e-92C2-1F953DA73773}"

Key: HKEY_CLASSES_ROOT\Image.Image
@="ImageClass"

Key: HKEY_CLASSES_ROOT\Image.Image\CLSID
@="{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}"

Key: HKEY_CLASSES_ROOT\Image.Image\CurVer
@="Image.Image.1"

Key: HKEY_CLASSES_ROOT\Image.Image.1
@="ImageClass"

Key: HKEY_CLASSES_ROOT\Image.Image.1\CLSID
@="{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}"

Key: HKEY_CLASSES_ROOT\SearchHook.SearchHookObject
@="SearchHookObjectClass"

Key: HKEY_CLASSES_ROOT\SearchHook.SearchHookObject\CLSID
@="{FD9BC004-8331-4457-B830-4759FF704C22}"

Key: HKEY_CLASSES_ROOT\SearchHook.SearchHookObject\CurVer
@="SearchHook.SearchHookObject.1"

Key: HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1
@="SearchHookObjectClass"

Key: HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1\CLSID
@="{FD9BC004-8331-4457-B830-4759FF704C22}"

Key: HKEY_CLASSES_ROOT\ShowSearch.ViewSource
@="ViewSourceClass"

Key: HKEY_CLASSES_ROOT\ShowSearch.ViewSource\CLSID
@="{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}"

Key: HKEY_CLASSES_ROOT\ShowSearch.ViewSource\CurVer
@="ShowSearch.ViewSource.1"

Key: HKEY_CLASSES_ROOT\ShowSearch.ViewSource.1
@="ViewSourceClass"

Key: HKEY_CLASSES_ROOT\ShowSearch.ViewSource.1\CLSID
@="{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}"

Key: HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}
@="ImageClass"

Key: HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\InprocServer32
@="C:\WINNT\image.dll"
"ThreadingModel"="Apartment"

Key: HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\ProgID
@="Image.Image.1"

Key: HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\Programmable

Key: HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\VersionIndependentProgID
@="Image.Image"

Key: HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}
@="ViewSourceClass"

Key: HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\InprocServer32
@="C:\WINNT\winxf\winxf32.dll"
"ThreadingModel"="Apartment"

Key: HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\ProgID
@="iefeatsl.ViewSource.1"

Key: HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\Programmable

Key: HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\TypeLib
@="{58510DE5-7C2E-45fc-ADBC-5EF6BCEA5ACB}"

Key: HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\VersionIndependentProgID
@="iefeatsl.ViewSource"

Key: HKEY_CLASSES_ROOT\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}
@="ViewSourceClass"

Key: HKEY_CLASSES_ROOT\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\InprocServer32
@="C:\WINNT\winxf\mssearch.dll"
"ThreadingModel"="Apartment"

Key: HKEY_CLASSES_ROOT\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\ProgID
@="ShowSearch.ViewSource.1"

Key: HKEY_CLASSES_ROOT\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\Programmable

Key: HKEY_CLASSES_ROOT\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\TypeLib
@="{CA3F4CA8-735D-4339-9EC2-BC0EDB077829}"

Key: HKEY_CLASSES_ROOT\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\VersionIndependentProgID
@="ShowSearch.ViewSource"

Key: HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}
@="SearchHookObjectClass"

Key: HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\InprocServer32
@="C:\WINNT\winxf\msiesh.dll"
"ThreadingModel"="Apartment"

Key: HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\ProgID
@="SearchHook.SearchHookObject.1"

Key: HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\Programmable

Key: HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\TypeLib
@="{2C671705-77A7-4592-A484-545087ED9EE8}"

Key: HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\VersionIndependentProgID
@="SearchHook.SearchHookObject"

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"UseSearchAsst"="no"

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
"Image"="rundll32 C:\WINNT\image.dll,Install"

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}
"SponsorID"=dword:00000000
"Counter"=dword:00000000
"LastDay"=dword:00000000
"LastUpdate"=dword:00003102
"UpdateHour"=dword:00000017
"ModuleVersion"=dword:00000013
"DictVersion"=dword:0000001b
"Dict2Version"=dword:0000001b
"LastHPDay"=dword:00000000
"InstallDay"=dword:00000000
"SHVersion"=dword:0000000d
"HPDllVersion"=dword:00000009
"InstallFlag"=dword:0000000c
"SSVersion"=dword:00000004
"LRD"=dword:00000000
"UpdaterVersion"=dword:00000009

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}\URLSearchHooks
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iefeatsl.ViewSource
@="ViewSourceClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iefeatsl.ViewSource\CLSID
@="{587DBF2D-9145-4c9e-92C2-1F953DA73773}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iefeatsl.ViewSource\CurVer
@="iefeatsl.ViewSource.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iefeatsl.ViewSource.1
@="ViewSourceClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iefeatsl.ViewSource.1\CLSID
@="{587DBF2D-9145-4c9e-92C2-1F953DA73773}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image
@="ImageClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image\CLSID
@="{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image\CurVer
@="Image.Image.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image.1
@="ImageClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image.1\CLSID
@="{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SearchHookObject
@="SearchHookObjectClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SearchHookObject\CLSID
@="{FD9BC004-8331-4457-B830-4759FF704C22}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SearchHookObject\CurVer
@="SearchHook.SearchHookObject.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SearchHookObject.1
@="SearchHookObjectClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SearchHookObject.1\CLSID
@="{FD9BC004-8331-4457-B830-4759FF704C22}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShowSearch.ViewSource
@="ViewSourceClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShowSearch.ViewSource\CLSID
@="{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShowSearch.ViewSource\CurVer
@="ShowSearch.ViewSource.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShowSearch.ViewSource.1
@="ViewSourceClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShowSearch.ViewSource.1\CLSID
@="{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}
@="ImageClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\InprocServer32
@="C:\WINNT\image.dll"
"ThreadingModel"="Apartment"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\ProgID
@="Image.Image.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\Programmable

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}\VersionIndependentProgID
@="Image.Image"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}
@="ViewSourceClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\InprocServer32
@="C:\WINNT\winxf\winxf32.dll"
"ThreadingModel"="Apartment"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\ProgID
@="iefeatsl.ViewSource.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\Programmable

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\TypeLib
@="{58510DE5-7C2E-45fc-ADBC-5EF6BCEA5ACB}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}\VersionIndependentProgID
@="iefeatsl.ViewSource"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}
@="ViewSourceClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\InprocServer32
@="C:\WINNT\winxf\mssearch.dll"
"ThreadingModel"="Apartment"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\ProgID
@="ShowSearch.ViewSource.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\Programmable

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\TypeLib
@="{CA3F4CA8-735D-4339-9EC2-BC0EDB077829}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}\VersionIndependentProgID
@="ShowSearch.ViewSource"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}
@="SearchHookObjectClass"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\InprocServer32
@="C:\WINNT\winxf\msiesh.dll"
"ThreadingModel"="Apartment"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\ProgID
@="SearchHook.SearchHookObject.1"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\Programmable

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\TypeLib
@="{2C671705-77A7-4592-A484-545087ED9EE8}"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}\VersionIndependentProgID
@="SearchHook.SearchHookObject"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
"{FD9BC004-8331-4457-B830-4759FF704C22}"=""

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587DBF2D-9145-4c9e-92C2-1F953DA73773}
@="."

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}
@="ShowSearch module"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD9BC004-8331-4457-B830-4759FF704C22}
@=""

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"Image"="rundll32 C:\WINNT\image.dll,Install"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Image"="rundll32 C:\WINNT\image.dll,Install"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEFeatSL_Uninstall
"DisplayName"="IEFeatSL Uninstall"
"UninstallString"="rundll32.exe C:\WINNT\image.dll,Uninstall"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchHook
"DisplayName"="MSIESH"
"UninstallString"="rundll32.exe C:\WINNT\winxf\msiesh.dll,Uninstall"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShowSearch
"DisplayName"="MSSearch"
"UninstallString"="rundll32.exe C:\WINNT\winxf\mssearch.dll,Uninstall"

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Internet Explorer\Main
"UseSearchAsst"="no"

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\RunServices
"Image"="rundll32 C:\WINNT\image.dll,Install"

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}
"SponsorID"=dword:00000000
"Counter"=dword:00000000
"LastDay"=dword:00000000
"LastUpdate"=dword:00003102
"UpdateHour"=dword:00000017
"ModuleVersion"=dword:00000013
"DictVersion"=dword:0000001b
"Dict2Version"=dword:0000001b
"LastHPDay"=dword:00000000
"InstallDay"=dword:00000000
"SHVersion"=dword:0000000d
"HPDllVersion"=dword:00000009
"InstallFlag"=dword:0000000c
"SSVersion"=dword:00000004
"LRD"=dword:00000000
"UpdaterVersion"=dword:00000009

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}\URLSearchHooks
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

E. Modifies the following registry entries (changes the default home page and search page); each entry lists the value before the change and the value it was changed to:

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"StartPage"="http://www.microsoft.com/windows/ie_intl/cn/start/"
Changed to: "res://mshp.dll/index.html#10213"

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"SearchPage"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Changed to: "res://mshp.dll/sp.html#10213"

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHAJZPZQ"=hex:02,00,00,00,45,00,00,00,10,f0,b7,24,f6,34,c4,01
Changed to: hex:02,00,00,00,46,00,00,00,40,7f,74,f8,f6,34,c4,01

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHAJZPZQ:0k1,1n4"=hex:02,00,00,00,0c,00,00,00,d0,1e,5d,be,b2,31,c4,01
Changed to: hex:02,00,00,00,0d,00,00,00,40,7f,74,f8,f6,34,c4,01

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
"SavedLegacySettings"=hex:3c,00,00,00,09,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
Changed to: hex:3c,00,00,00,0a,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
"Seed"=hex:14,a0,bb,55,41,89,58,7c,68,a2,35,66,df,5e,77,28,70,66,ab,d2,36,04,40,38,ad,31,dd,a0,1e,76,13,0c,68,1f,04,86,95,1d,7d,49,90,1d,e8,c4,2d,57,c5,c3,27,75,e9,84,2e,b5,96,0f,ce,08,2a,95,23,40,3b,f2,c1,c2,a6,35,59,34,cb,b8,c7,d5,59,28,91,ec,de,1b
Changed to: hex:1e,2a,0f,e8,9c,7f,8b,2f,dd,e5,e1,2e,fd,4f,1a,4d,44,f9,69,f4,0d,03,1d,d9,1b,16,28,f6,2e,91,60,a8,52,99,f2,3b,32,44,62,cf,6b,92,d3,13,8a,1e,2f,65,3b,7e,57,8a,ed,28,d2,bb,92,aa,fa,63,98,67,ce,f4,85,bd,25,30,b4,60,df,3f,da,55,7c,0f,ef,7d,74,52

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Default_Page_URL"="http://www.microsoft.com/windows/ie_intl/cn/start/"
Changed to: "res://mshp.dll/index.html#10213"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Changed to: "res://mshp.dll/sp.html#10213"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"SearchPage"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Changed to: "res://mshp.dll/sp.html#10213"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"StartPage"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
Changed to: "res://mshp.dll/index.html#10213"

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Internet Explorer\Main
"StartPage"="http://www.microsoft.com/windows/ie_intl/cn/start/"
Changed to: "res://mshp.dll/index.html#10213"

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Internet Explorer\Main
"SearchPage"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Changed to: "res://mshp.dll/sp.html#10213"

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHAJZPZQ"=hex:02,00,00,00,45,00,00,00,10,f0,b7,24,f6,34,c4,01
Changed to: hex:02,00,00,00,46,00,00,00,40,7f,74,f8,f6,34,c4,01

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHAJZPZQ:0k1,1n4"=hex:02,00,00,00,0c,00,00,00,d0,1e,5d,be,b2,31,c4,01
Changed to: hex:02,00,00,00,0d,00,00,00,40,7f,74,f8,f6,34,c4,01

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
"SavedLegacySettings"=hex:3c,00,00,00,09,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
Changed to: hex:3c,00,00,00,0a,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

F. Deletes the following values:

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\智能ABC
"双打键盘类型"=dword:00000000

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Internet Explorer\URLSearchHooks
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Key: HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\Software\Microsoft\Windows\CurrentVersion\智能ABC
"双打键盘类型"=dword:00000000

Symptoms:

A. After the trojan runs, it attempts to download a file (89600 bytes) from the following URLs:

http://75tz.com/feat/image.dll

http://iefeadsl.com/feat/image.dll

B. Extra items appear in Favorites (see the Favorites list under System modifications, item B)

C. The default home page is changed to: "res://mshp.dll/index.html#10213"

D. The default search page is changed to: "res://mshp.dll/index.html#10213"

E. Two entries, MSIESH and MSSearch, are added to Add/Remove Programs.

Special notes:

 
 
 