订阅病毒名稱(中文):
病毒別名:
威脅級別:
★☆☆☆☆
病毒類型:
黑客程序
病毒長度:
743669
影響系統:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行爲:
這是一個黑客後門病毒。該病毒的主要危害是在用戶主機留下後門,供黑客的遠程連接控制,並下載其它病毒感染計算機。該病毒爲圖片圖標,發作時會真的打開一個圖片來迷惑用戶,而在後台進行感染用戶主機。該病毒還會結束大量殺軟進程,降低系統的安全等級。
1,生成文件
%widndows%\SYN.exe
%system%\drivers\npf.sys
%system%\MyPic.jpg
%system%\Packet.dll
%system%\WanPacket.dll
%system%\wpcap.dll
%widndows%\HLP.exe
C:\ProgramFiles\WindowsNT\svchost.exe
C:\ProgramFiles\WindowsNT\lsass.exe
C:\ProgramFiles\WindowsNT\ICWUT.DLL
2,添加啓動項
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet
"ImagePath"=""C:\ProgramFiles\WindowsNT\lsass.exe"ServiceStart"
3,設置下列項的注冊表值
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{EF6205C1-3F17-4829-BCB5-1336ED89E356}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{E689D735-1487-420D-9049-16ED198FE411}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{E4F500BF-C1A3-11D6-9697-0090961B771E}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{DA984A6D-508E-11D6-AA49-0050FF3C628D}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{BA52B914-B692-46C4-B683-905236F6F655}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{B5A34A93-D538-43A7-8371-864CB6148D12}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{9BDBC41E-C335-4263-83C0-ECE78EE28A33}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{74D05D43-3236-11D4-BDCD-00C04F9A3B61}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{6E5A37BF-FD42-463A-877C-4EB7002E68AE}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{644E432F-49D3-41A1-8DD5-E099162EEEC5}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{6414512B-B978-451D-A0D8-FCFDF33E833C}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{2359626E-7524-4F87-B04E-22CD38A0C88C}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{17492023-C23A-453E-A040-C7C580BBF700}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
HKLM\SOFTWARE\Microsoft\InternetExplorer\ActiveXCompatibility\{0C568603-D79D-11D2-87A7-00C04FF158BB}
"CompatibilityFlags"=0x400
4,刪除下列殺軟啓動項
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SKYNETPersonalFireWall
RavTask
RavMon
RavTimer
RfwMain
URLLSTCK.exe
ccApp
KAVPersonal50
Kavrun
KavPFW
KavStart
iDubaPersonalFireWall
KVFW
KvXP
KvMonXP
5,刪除下列服務
SYSTEM\CurrentControlSet\Services\RsCCenter
SYSTEM\CurrentControlSet\Services\RsRavMon
SYSTEM\CurrentControlSet\Services\RfwProxySrv
SYSTEM\CurrentControlSet\Services\RfwService
SYSTEM\CurrentControlSet\Services\SymantecCoreLC
SYSTEM\CurrentControlSet\Services\SPBBCSvc
SYSTEM\CurrentControlSet\Services\SNDSrvc
SYSTEM\CurrentControlSet\Services\SAVScan
SYSTEM\CurrentControlSet\Services\NSCService
SYSTEM\CurrentControlSet\Services\navapsvc
SYSTEM\CurrentControlSet\Services\comHost
SYSTEM\CurrentControlSet\Services\ccSetMgr
SYSTEM\CurrentControlSet\Services\ccProxy
SYSTEM\CurrentControlSet\Services\ccISPwdSvc
SYSTEM\CurrentControlSet\Services\ccEvtMgr
SYSTEM\CurrentControlSet\Services\kavsvc
SYSTEM\CurrentControlSet\Services\KWatchSvc
SYSTEM\CurrentControlSet\Services\KPfwSvc
SYSTEM\CurrentControlSet\Services\IDriverT
SYSTEM\CurrentControlSet\Services\KVWSC
SYSTEM\CurrentControlSet\Services\KVSrvXP
SYSTEM\CurrentControlSet\Services\srservice
SYSTEM\CurrentControlSet\Services\BITS
SYSTEM\CurrentControlSet\Services\wuauserv
SYSTEM\CurrentControlSet\Services\SharedAccess
SYSTEM\CurrentControlSet\Services\wscsvc
6,結束下列進程
UpdateAssist.exe
PFWLiveUpdate.exe
PFW.exe
RavQuick.exe
RavCopy.exe
RavUSB.exe
rfwcfg.exe
RavHDBak.exe
ScanBD.exe
MakeBoot.exe
RegClean.exe
RavStore.exe
SmartUp.exe
RsConfig.exe
RsAgent.exe
Rav.exe
RegGuide.exe
RavTask.exe
RavTimer.exe
RavStub.exe
rfwmain.exe
RavMon.exe
rfwproxy.exe
CCenter.exe
RavMonD.exe
rfwsrv.exe
LUCOMS~1.EXE
LUALL.EXE
NMain.exe
ccApp.exe
SPBBCSvc.exe
ccSetMgr.exe
ccProxy.exe
SNDSrvc.exe
ccEvtMgr.exe
symlcsvc.exe
navapsvc.exe
ccPwdSvc.exe
SAVScan.exe
NSCSRVCE.EXE
comHost.exe
kav.exe
kavsvc.exe
KAVLog2.EXE
Rescue.EXE
KRecycle.EXE
Update.EXE
KSAMain.EXE
KATMain.EXE
KASMain.EXE
KAVPFW.EXE
KAV32.EXE
KMailMon.EXE
KPFW32.EXE
KAVStart.EXE
KWatch.EXE
KPFWSvc.EXE
VirusBox.kxp
kvupload.exe
KVStub.kxp
KVScan.kxp
KvReport.kxp
KVLSUI.kxp
KVHiStory.kxp
kvdisk.kxp
KvDetect.exe
KVOL.exe
KVCenter.kxp
KRegEx.exe
kvinit.exe
kvfw.exe
KvXP.kxp
TrojDie.kxp
KvMailMag.kxp
KVMonXP.kxp
UIHost.exe
IDriverT.exe
kvwsc.exe
KVSrvXP.exe
agentsvr.exe
SymantecCoreLC
SPBBCSvc
SNDSrvc
SAVScan
NSCService
navapsvc
comHost
ccSetMgr
ccProxy
ccISPwdSvc
ccEvtMgr
kavsvc
KWatchSvc
KPfwSvc
IDriverT
KVWSC
KVSrvXP
srservice
BITS
wuauserv
SharedAccess
wscsvc
8,其它
%system%\drivers\npf.sys、%system%\Packet.dll、%system%\WanPacket.dll、%system%\wpcap.dll爲一組網絡工具程序,非病毒,用戶可以自己刪除。
