Win32.Troj.Gamania.y

病毒名称(中文):

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

木马程序

病毒长度:

54784

影响系统:

Win9xWinNT

病毒行为:

这是一个盗取橘子公司所有游戏(如天堂1,天堂2)帐户密码的木马,该木马通过监视用户登陆游戏橘子的网站,用户输入的帐户和密码,来窃取用户重要信息.改病毒会终止大量的安全类软件,来延长自己的生命周期,进一步加大了用户的损失.

1.文件增加:

%systemroot%\Java\winlogin.exe

%systemroot%\inf\ie00.inf

%systemroot%\inf\deomen.exe

2.修改的文件:

防火墙规则,逃避防火墙的监控.

hosts:

127.0.0.1localhost

127.0.0.1avp.com

127.0.0.1ca.com

127.0.0.1customer.symantec.com

127.0.0.1dispatch.mcafee.com

127.0.0.1download.mcafee.com

127.0.0.1f-secure.com

127.0.0.1kaspersky.com

127.0.0.1www.kasperksy-labs.com

127.0.0.1liveupdate.symantec.com

127.0.0.1liveupdate.symantecliveupdate.com

127.0.0.1mast.mcafee.com

127.0.0.1mcafee.com

127.0.0.1my-etrust.com

127.0.0.1nai.com

127.0.0.1networkassociates.com

127.0.0.1rads.mcafee.com

127.0.0.1secure.nai.com

127.0.0.1securityresponse.symantec.com

127.0.0.1sophos.com

127.0.0.1symantec.com

127.0.0.1trendmicro.com

127.0.0.1update.symantec.com

127.0.0.1updates.symantec.com

127.0.0.1us.mcafee.com

127.0.0.1viruslist.com

127.0.0.1www.avp.com

127.0.0.1www.ca.com

127.0.0.1www.f-secure.com

127.0.0.1www.kaspersky.com

127.0.0.1www.mcafee.com

127.0.0.1www.my-etrust.com

127.0.0.1www.symantec.com

127.0.0.1www.viruslist.com

127.0.0.1kaspersky-labs.com

127.0.0.1downloads-eu1.kaspersky-labs.com

127.0.0.1downloads-us1.kaspersky-labs.com

127.0.0.1downloads1.kaspersky-labs.com

127.0.0.1downloads2.kaspersky-labs.com

127.0.0.1downloads3.kaspersky-labs.com

127.0.0.1downloads4.kaspersky-labs.com

127.0.0.1windowsupdate.microsoft.com

127.0.0.1downloads5.kaspersky-labs.com

127.0.0.1ftp.avp.ru

127.0.0.1updates3.kaspersky-labs.com

127.0.0.1updates2.kaspersky-labs.com

127.0.0.1updates1.kaspersky-labs.com

127.0.0.1ftp.kaspersky.com

127.0.0.1downloads-us22.kaspersky-labs.com

127.0.0.1downloads-us1.kaspersky-labs.com

127.0.0.1downloads-us2l.kaspersky-labs.com

127.0.0.1downloads-eu2l.kaspersky-labs.com

127.0.0.1v4.windowsupdate.microsoft.com

127.0.0.1v5.windowsupdate.microsoft.com

127.0.0.1windowsupdate.microsoft.com

127.0.0.1221.215.84.2

127.0.0.1210.51.23.7

127.0.0.1www.szadk.com

127.0.0.1asp3.6to23.com

127.0.0.1www.akoak.com

127.0.0.1www.ky173.com

127.0.0.1www.999sj.com

3.增加注册表起始项,使病毒开机运行

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BossIdea

C:\WINNT\java\winlogin.exe

4.结束以下进程和窗口:

KVMonXP.KXP

KVXP.KXP

噬菌体

svch0st.EXE

test.EXE

ghost.EXE

svchost.EXE

KAVSVC.EXE

KAV.EXE

MAILMON.EXE

EGHOST.EXE

IPARMOR.EXE

KAVPFW.EXE

ZAFrameWnd

ZoneAlarm

TfLockDownMain

PwrMonitorRunDllWin

KVXP_Monitor

江民杀毒软件：实时监控

KasperskyAnti-VirusPersonal

卡巴斯基反病毒单机版

任务治理器

运行窗口

天网防火墙企业版

天网防火墙个人版

Tapplication

RavMon.exe

RavMonClass

5.通过发送邮件的方式把所窃取的用户信息发送出去:

发信人为:guanzhujiaodian@163.com

收信人为:gzh0cudizhuo@126.com

标题为:"HELOimBamBooX"