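Virus name (Chinese):
Virus alias:
Threat level:
★☆☆☆☆
Virus type:
Trojan
Virus length:
6144
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This virus is a Trojan that changes the user's home page. When run, it copies itself to %windows%\syschk.exe, drops a web page onto the local disk, and adds startup entries so that it takes control of the machine at boot and prevents the user from changing the browser home page. The Trojan also disables the Registry Editor and some items in the Control Panel.
1. Files created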
%windows%\syschk.exe
%windows%\blank.htm
2. Registry changes
HKLM\SOFTWARE\Microsoft\InternetExplorer\AboutURLs
"Search"="file://%windows%\blank.htm"
HKLM\SOFTWARE\Microsoft\InternetExplorer\Main
"StartPage"="about:search"
"SearchPage"="about:search"
"Default_Page_URL"="about:search"
"Default_Search_URL"="about:search"
HKLM\SOFTWARE\Microsoft\InternetExplorer\Search
"SearchAssistant"="about:search"
"CustomizeSearch"="about:search"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"syschk"="syschk.exe/fastcheck"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"syschk"="syschk.exe/fastcheck"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchItcomponent
HKCU\SOFTWARE\Microsoft\InternetExplorer\Main
"StartPage"="about:search"
"SearchPage"="about:search"
"DisableScriptDebugger"="yes"
"ErrorDlgDisplayedOnEveryError"="no"
"ErrorDlgDetailsPaneOpen"="no"
"Show_URLinStatusBar"="no"
HKCU\Software\Policies\Microsoft\InternetExplorer\ControlPanel
"HomePage"=0x1
"ResetWebSettings"=0x1
HKCU\Software\Policies\Microsoft\InternetExplorer\Restrictions
"NoViewSource"=0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"=0x1