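Virus name (Chinese):
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Worm
Virus length:
15356
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a worm that spreads by e-mail. It arrives on the user's machine as an e-mail attachment and tricks the user into running it. The virus file winlog.exe drops winlog.dll, then loads and runs it. The DLL can terminate a large number of security products and commonly used programs, and can disable many security products by modifying the registry. It also modifies the hosts file so that the user cannot reach specific websites, which has a significant impact on the user. The virus also adds itself to the auto-start entries so that it runs at boot. Its most distinctive feature is its ability to shut down a large number of security products; it can fairly be called a "security software killer".
1. Creates the following virus files: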
%system%\winlog.exe
%system%\winlog.dll
2. Terminates the following security software and common programs:
3. Modifies the hosts file to block access to the following websites:
4. Adds itself to the following registry key:
HKLM\Software\Microsoft\Windos\CurrentVersion\Run
Key3=winlog.exe
key2=
5. Modifies the following registry entries in order to disable security software:
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SymantececNetDriverMonitor"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAVCfgWiz"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ZoneLabsClient"
"HKLM\SOFTWARE\Symantec"
"HKLM\SOFTWARE\McAfee"
"HKLM\SOFTWARE\KasperskyLab"
"HKLM\SOFTWARE\Agnitum"
"HKLM\SOFTWARE\PandaSoftware"
"HKLM\SOFTWARE\ZoneLabs"
"HKLM\SOFTWARE\TrendMicro"
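
The hosts-file change in step 3 can be checked by parsing the file and flagging any mapping for a security-vendor or update domain, since a clean hosts file normally has none. The following is an added example, not code from the original page; the watchlist domains and the sample hosts content are constructed placeholders, and on NT-family Windows the file to read is assumed to be `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed watchlist (placeholder domains, not taken from the page).
WATCHLIST = {"av-vendor.example", "os-updates.example"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address field
        for name in fields[1:]:                  # one line may map several names
            yield line_no, addr, name.lower().rstrip(".")

def on_watchlist(host, watchlist):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, host, address, kind) for each watched name in the file."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if on_watchlist(host, watchlist):
            blocked = addr.is_loopback or addr.is_unspecified
            findings.append((line_no, host, str(addr),
                             "sinkholed" if blocked else "redirected"))
    return findings

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   LiveUpdate.AV-Vendor.example  downloads.os-updates.example
0.0.0.0     av-vendor.example.   # trailing dot
10.0.0.5    intranet.corp.example
203.0.113.7 www.av-vendor.example
127.0.0.1   notav-vendor.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```
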