Virus name (Chinese):
烈火凤凰
Alias:
Threat level:
★★☆☆☆
Virus type:
Trojan
Virus length:
443392
Affected systems:
Win9x, Win2000, WinXP
Virus behavior:
Written with:
VC
Infection condition:
The user is tricked into running it, or it is installed manually
Trigger condition:
Triggers when run
System modifications:
A. Copies itself into the C:\windows\system32 directory as:
NetBios.exe
NetServer.exe
WinNote.exe
WinLoadfile.exe
WinAuto.exe
WinServer.exe
WinProfile.exe
Copies itself into the C:\windows\system directory as:
WinConfig.exe
B. Creates the following files in the root of drive C:
Autoexec.bat (if the file already exists, the virus overwrites it)
Config.bat
The contents of these files are commands that point to the virus copies.
C. Modifies the Win9x system configuration file Win.ini:
[files]
Run=C:\windows\system32\WinProfile.exe
Load=C:\windows\system32\WinLoadFile.exe
so that the virus starts with the system.
D. Adds the following registry keys and values so that the virus starts with the system:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinServer.exe="C:\Windows\system32\WinServer.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinBios.exe="C:\Windows\system32\WinBios.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
NetBios.exe="C:\Windows\system32\NetBios.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeCaption="烈火凤凰"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeText="欢迎进入魔域之界"
E. Adds the following values to change the txt, inf and reg file associations, so that opening a file of any of these types activates the virus:
HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command
(Default)="C:\Windows\system32\WinNote.exe"
HKEY_LOCAL_MACHINE\Software\CLASSES\.reg
(Default)="txtfile"
HKEY_LOCAL_MACHINE\Software\CLASSES\.inf
(Default)="txtfile"
F. Adds the following registry entries to disable system functions:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools=dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun=dword:00000000
NoDrives=dword:00000008
NoRealMode=dword:00000000
NoLogOff=dword:00000000
NoSetTaskBar=dword:00000000
NoChangeStartMenu=dword:00000000
NoStartMenu=dword:00000000
NoSetFolders=dword:00000000
NoFolderOptions=dword:00000000
NoFind=dword:00000000
NoRecentDocsMenu=dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WinOldApp
Disabled=dword:00000001
This disables the Registry Editor and removes the "Run", "Documents", "Log Off" and similar options from the Start menu.
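The following read-only PowerShell check looks for the artifacts listed in sections A, D and E above. It is an added example, not a tool from the vendor that published this description; it assumes the files were dropped under %SystemRoot% and checks the Winlogon key exactly as listed above together with the standard `Windows NT\CurrentVersion\Winlogon` location.

```powershell
# Added example: report the persistence artifacts described above. Read-only;
# run from an elevated prompt. Assumes the drop directory is %SystemRoot%.
$sys32 = Join-Path $env:SystemRoot 'system32'

# Section A: names the malware copies itself to.
$droppedFiles = @('NetBios.exe', 'NetServer.exe', 'WinNote.exe', 'WinLoadfile.exe',
                  'WinAuto.exe', 'WinServer.exe', 'WinProfile.exe') |
    ForEach-Object { Join-Path $sys32 $_ }
$droppedFiles += Join-Path $env:SystemRoot 'system\WinConfig.exe'

# Section D: autostart values under Run and RunOnce.
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$onceKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autostart = @(
    @{ Key = $runKey;  Name = 'WinServer.exe' },
    @{ Key = $runKey;  Name = 'WinBios.exe'   },
    @{ Key = $onceKey; Name = 'NetBios.exe'   }
)

$findings = @()
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "dropped file present: $f" }
}
foreach ($a in $autostart) {
    $v = Get-ItemProperty -Path $a.Key -Name $a.Name -ErrorAction SilentlyContinue
    if ($v) { $findings += "autostart value $($a.Key)\$($a.Name) = $($v.($a.Name))" }
}

# Section E: .reg/.inf rerouted to txtfile, and txtfile's open command hijacked.
foreach ($ext in '.reg', '.inf') {
    $cls = Get-ItemProperty -Path "HKLM:\Software\Classes\$ext" -ErrorAction SilentlyContinue
    if ($cls -and $cls.'(default)' -eq 'txtfile') { $findings += "association $ext rerouted to txtfile" }
}
$cmd = Get-ItemProperty -Path 'HKLM:\Software\Classes\txtfile\shell\open\command' -ErrorAction SilentlyContinue
if ($cmd -and $cmd.'(default)' -match 'WinNote\.exe') {
    $findings += "txtfile open command hijacked: $($cmd.'(default)')"
}

# Section D: logon banner. The page lists the key under Windows\CurrentVersion;
# the standard Winlogon key lives under Windows NT\CurrentVersion, so check both.
foreach ($wlKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Winlogon',
                   'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
    if ($wl -and $wl.LegalNoticeCaption -eq '烈火凤凰') { $findings += "logon banner set at $wlKey" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No artifacts from this description were found.' }
```

A hit on the txtfile command or the .reg/.inf rerouting should be restored from a known-good association before the dropped files are removed, otherwise opening a .txt file re-launches the copy.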
Symptoms:
On every startup a prompt box appears showing:
"欢迎进入魔域之界" (roughly, "Welcome to the realm of demons")
The virus's malicious behavior causes the system to hang or crash.
Special notes: