Virus name (Chinese):
Aliases:
Threat level:
★☆☆☆☆
Virus type:
Hacker program (backdoor)
Virus length:
743669
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a hacker backdoor. Its main harm is that it leaves a backdoor on the user's host for the attacker to connect to and control remotely, and it downloads other malware to infect the computer. The file carries a picture icon and, when run, really does open a picture to fool the user while it infects the host in the background. It also terminates a large number of anti-virus processes, lowering the system's security level.
1. Files created
%windows%\SYN.exe
%system%\drivers\npf.sys
%system%\MyPic.jpg
%system%\Packet.dll
%system%\WanPacket.dll
%system%\wpcap.dll
%windows%\HLP.exe
C:\Program Files\Windows NT\svchost.exe
C:\Program Files\Windows NT\lsass.exe
C:\Program Files\Windows NT\ICWUT.DLL
2. Startup entry added (a service named "Internet" whose ImagePath points at the dropped lsass.exe)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet
"ImagePath"="\"C:\Program Files\Windows NT\lsass.exe\" ServiceStart"
3. Registry values set under the following keys (each CLSID receives the same CompatibilityFlags value, which sets the ActiveX kill bit for that control)
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EF6205C1-3F17-4829-BCB5-1336ED89E356}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E689D735-1487-420D-9049-16ED198FE411}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E4F500BF-C1A3-11D6-9697-0090961B771E}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DA984A6D-508E-11D6-AA49-0050FF3C628D}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BA52B914-B692-46C4-B683-905236F6F655}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B5A34A93-D538-43A7-8371-864CB6148D12}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9BDBC41E-C335-4263-83C0-ECE78EE28A33}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{74D05D43-3236-11D4-BDCD-00C04F9A3B61}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5A37BF-FD42-463A-877C-4EB7002E68AE}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{644E432F-49D3-41A1-8DD5-E099162EEEC5}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6414512B-B978-451D-A0D8-FCFDF33E833C}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2359626E-7524-4F87-B04E-22CD38A0C88C}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17492023-C23A-453E-A040-C7C580BBF700}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C568603-D79D-11D2-87A7-00C04FF158BB}
"CompatibilityFlags"=0x400
4. Anti-virus startup entries deleted from the following key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SKYNETPersonalFireWall
RavTask
RavMon
RavTimer
RfwMain
URLLSTCK.exe
ccApp
KAVPersonal50
Kavrun
KavPFW
KavStart
iDubaPersonalFireWall
KVFW
KvXP
KvMonXP
5. Services deleted (the last five are built-in Windows services: System Restore, BITS, Automatic Updates, the Windows Firewall/ICS service and the Security Center)
SYSTEM\CurrentControlSet\Services\RsCCenter
SYSTEM\CurrentControlSet\Services\RsRavMon
SYSTEM\CurrentControlSet\Services\RfwProxySrv
SYSTEM\CurrentControlSet\Services\RfwService
SYSTEM\CurrentControlSet\Services\SymantecCoreLC
SYSTEM\CurrentControlSet\Services\SPBBCSvc
SYSTEM\CurrentControlSet\Services\SNDSrvc
SYSTEM\CurrentControlSet\Services\SAVScan
SYSTEM\CurrentControlSet\Services\NSCService
SYSTEM\CurrentControlSet\Services\navapsvc
SYSTEM\CurrentControlSet\Services\comHost
SYSTEM\CurrentControlSet\Services\ccSetMgr
SYSTEM\CurrentControlSet\Services\ccProxy
SYSTEM\CurrentControlSet\Services\ccISPwdSvc
SYSTEM\CurrentControlSet\Services\ccEvtMgr
SYSTEM\CurrentControlSet\Services\kavsvc
SYSTEM\CurrentControlSet\Services\KWatchSvc
SYSTEM\CurrentControlSet\Services\KPfwSvc
SYSTEM\CurrentControlSet\Services\IDriverT
SYSTEM\CurrentControlSet\Services\KVWSC
SYSTEM\CurrentControlSet\Services\KVSrvXP
SYSTEM\CurrentControlSet\Services\srservice
SYSTEM\CurrentControlSet\Services\BITS
SYSTEM\CurrentControlSet\Services\wuauserv
SYSTEM\CurrentControlSet\Services\SharedAccess
SYSTEM\CurrentControlSet\Services\wscsvc
6. Processes terminated
UpdateAssist.exe
PFWLiveUpdate.exe
PFW.exe
RavQuick.exe
RavCopy.exe
RavUSB.exe
rfwcfg.exe
RavHDBak.exe
ScanBD.exe
MakeBoot.exe
RegClean.exe
RavStore.exe
SmartUp.exe
RsConfig.exe
RsAgent.exe
Rav.exe
RegGuide.exe
RavTask.exe
RavTimer.exe
RavStub.exe
rfwmain.exe
RavMon.exe
rfwproxy.exe
CCenter.exe
RavMonD.exe
rfwsrv.exe
LUCOMS~1.EXE
LUALL.EXE
NMain.exe
ccApp.exe
SPBBCSvc.exe
ccSetMgr.exe
ccProxy.exe
SNDSrvc.exe
ccEvtMgr.exe
symlcsvc.exe
navapsvc.exe
ccPwdSvc.exe
SAVScan.exe
NSCSRVCE.EXE
comHost.exe
kav.exe
kavsvc.exe
KAVLog2.EXE
Rescue.EXE
KRecycle.EXE
Update.EXE
KSAMain.EXE
KATMain.EXE
KASMain.EXE
KAVPFW.EXE
KAV32.EXE
KMailMon.EXE
KPFW32.EXE
KAVStart.EXE
KWatch.EXE
KPFWSvc.EXE
VirusBox.kxp
kvupload.exe
KVStub.kxp
KVScan.kxp
KvReport.kxp
KVLSUI.kxp
KVHiStory.kxp
kvdisk.kxp
KvDetect.exe
KVOL.exe
KVCenter.kxp
KRegEx.exe
kvinit.exe
kvfw.exe
KvXP.kxp
TrojDie.kxp
KvMailMag.kxp
KVMonXP.kxp
UIHost.exe
IDriverT.exe
kvwsc.exe
KVSrvXP.exe
agentsvr.exe
SymantecCoreLC
SPBBCSvc
SNDSrvc
SAVScan
NSCService
navapsvc
comHost
ccSetMgr
ccProxy
ccISPwdSvc
ccEvtMgr
kavsvc
KWatchSvc
KPfwSvc
IDriverT
KVWSC
KVSrvXP
srservice
BITS
wuauserv
SharedAccess
wscsvc
8. Other
%system%\drivers\npf.sys, %system%\Packet.dll, %system%\WanPacket.dll and %system%\wpcap.dll are a set of network tool components, not malware; the user can delete them manually.
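The artifact lists above (sections 1, 2, 5 and 8) can be turned into a host triage check. The following is an added example written for this entry, not code from the original page or from any vendor; it matches a host snapshot against the listed files, the "Internet" persistence service and the deleted services. The snapshot is constructed inline so the check runs offline; on a real Windows host the `HostSnapshot` fields would be populated from the file system, the service list and the Run key (the `HostSnapshot`, `triage` and `expand` names are this example's own). Two caveats from the entry are built in: the four network tool files of section 8 are reported as supporting evidence only, never as an infection by themselves, and a missing third-party anti-virus service is treated as a weak signal (it may never have been installed) while a missing built-in Windows service from section 5 is treated as a strong one.

```python
"""Host triage check for the artifacts listed in this entry (added example)."""
from dataclasses import dataclass, field

# Dropped files from section 1; %windows% and %system% are expanded per host.
DROPPED_FILES = [
    r"%windows%\SYN.exe",
    r"%windows%\HLP.exe",
    r"%system%\MyPic.jpg",
    r"C:\Program Files\Windows NT\svchost.exe",
    r"C:\Program Files\Windows NT\lsass.exe",
    r"C:\Program Files\Windows NT\ICWUT.DLL",
]
# Section 8: legitimate network tool components dropped alongside the backdoor.
SUPPORT_FILES = [
    r"%system%\drivers\npf.sys",
    r"%system%\Packet.dll",
    r"%system%\WanPacket.dll",
    r"%system%\wpcap.dll",
]
# Section 2: persistence service and the image it points at.
PERSISTENCE_SERVICE = "Internet"
PERSISTENCE_IMAGE = r"C:\Program Files\Windows NT\lsass.exe"
# Section 5, split by how much their absence means.
BUILTIN_SERVICES = ["srservice", "BITS", "wuauserv", "SharedAccess", "wscsvc"]
AV_SERVICES = [
    "RsCCenter", "RsRavMon", "RfwProxySrv", "RfwService", "SymantecCoreLC",
    "SPBBCSvc", "SNDSrvc", "SAVScan", "NSCService", "navapsvc", "comHost",
    "ccSetMgr", "ccProxy", "ccISPwdSvc", "ccEvtMgr", "kavsvc", "KWatchSvc",
    "KPfwSvc", "IDriverT", "KVWSC", "KVSrvXP",
]


@dataclass
class HostSnapshot:
    """What a collector gathers from one host (constructed here, not live data)."""
    windows_dir: str = r"C:\WINDOWS"
    system_dir: str = r"C:\WINDOWS\system32"
    files: set = field(default_factory=set)      # existing file paths
    services: dict = field(default_factory=dict)  # service name -> ImagePath


def expand(path, snap):
    """Expand the entry's placeholders and normalise case (NTFS is case-insensitive)."""
    return path.replace("%windows%", snap.windows_dir) \
               .replace("%system%", snap.system_dir).lower()


def triage(snap):
    """Return findings plus a verdict: infected / suspicious / clean."""
    present = {p.lower() for p in snap.files}
    dropped = [p for p in DROPPED_FILES if expand(p, snap) in present]
    support = [p for p in SUPPORT_FILES if expand(p, snap) in present]

    # Persistence: a service called "Internet" whose ImagePath is the dropped lsass.exe.
    image = snap.services.get(PERSISTENCE_SERVICE, "")
    persistence = PERSISTENCE_IMAGE.lower() in image.lower()

    names = {n.lower() for n in snap.services}
    builtin_missing = sorted(n for n in BUILTIN_SERVICES if n.lower() not in names)
    av_missing = sorted(n for n in AV_SERVICES if n.lower() not in names)

    if dropped or persistence:
        verdict = "infected"          # the backdoor's own artifacts are present
    elif builtin_missing:
        verdict = "suspicious"        # built-in services do not vanish on their own
    else:
        verdict = "clean"             # support files and absent AV alone prove nothing
    return {
        "verdict": verdict,
        "dropped_files": dropped,
        "support_files": support,
        "persistence": persistence,
        "builtin_services_missing": builtin_missing,
        "av_services_missing": av_missing,
    }


# Constructed snapshots for demonstration.
INFECTED = HostSnapshot(
    files={
        r"C:\WINDOWS\SYN.exe",
        r"C:\WINDOWS\system32\MyPic.jpg",
        r"C:\WINDOWS\system32\wpcap.dll",
        r"C:\WINDOWS\system32\drivers\npf.sys",
        r"C:\Program Files\Windows NT\lsass.exe",
    },
    services={
        "Internet": r'"C:\Program Files\Windows NT\lsass.exe" ServiceStart',
        "Eventlog": r"C:\WINDOWS\system32\services.exe",
    },
)
CLEAN = HostSnapshot(
    files={r"C:\WINDOWS\system32\wpcap.dll"},  # a legitimate WinPcap-style install
    services={n: "svchost.exe" for n in BUILTIN_SERVICES},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(snap))
```

The verdict deliberately ignores absent anti-virus services and present network tool files on their own: they are listed in the findings so an analyst can weigh them, but the host is only called infected when a dropped file or the "Internet" service image is found.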