Virus name (Chinese):
Alias:
Threat level:
★☆☆☆☆
Virus type:
Trojan
Virus length:
41472
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a Trojan that steals passwords for several online games.
1. The virus copies itself multiple times under names that resemble system files:
%SYSTEM%\WINLOGON.exe
%SYSTEM%\rundll32.com
%SYSTEM%\finder.com
%WINDIR%\finder.com
%SYSTEM%\command.pif
%PROGRAMFILES%\Internet Explorer\iexplore.com
%COMMONPROGRAMFILES%\iexplore.pif
%WINDIR%\explorer.com
%WINDIR%\1.com
%WINDIR%\ExERouter.exe
It also copies itself to the root of drive D: as pagefile.pif and creates an
autorun.inf file that points to pagefile.pif.
2. It modifies the registry Run key and a number of file-association entries:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\TorjanProgram
"%WINDIR%\WINLOGON.EXE"
HKCR\.lnk\ShellNew\command
"rundll32.com appwiz.cpl,NewLinkHere %1"
HKCR\.bfc\shellnew\command
"%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
HKCR\cplfile\shell\cplopen\command\(Default)
"rundll32.com shell32.dll,Control_RunDLL %1,%*"
HKCR\dunfile\shell\open\command\(Default)
"%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
HKCR\file\shell\open\command\(Default)
"rundll32.com url.dll,FileProtocolHandler %l"
HKCR\htmlfile\shell\print\command\(Default)
"rundll32.com %SystemRoot%\System32\mshtml.dll,PrintHTML "%1""
HKCR\inffile\shell\Install\command\(Default)
"%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
HKCR\InternetShortcut\shell\open\command\(Default)
"finder.com shdocvw.dll,OpenURL %l"
HKCR\scrfile\shell\install\command\(Default)
"finder.com desk.cpl,InstallScreenSaver %l"
HKCR\scriptletfile\Shell\GenerateTypelib\command\(Default)
""%SYSTEM%\finder.com" C:\WINNT\System32\scrobj.dll,GenerateTypeLib "%1""
HKCR\telnet\shell\open\command\(Default)
"finder.com url.dll,TelnetProtocolHandler %l"
HKCR\Unknown\shell\openas\command\(Default)
"%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\(Default)
"%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\(Default)
"finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\(Default)
"finder.com desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\(Default)
"%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
HKLM\SOFTWARE\Microsoft\Shared Tools\MSInfo\ToolSets\MSInfohdwwiz\command
"%SYSTEM%\command.pif"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\(Default)
""%ProgramFiles%\Internet Explorer\iexplore.com" -nohome"
HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
"No"
HKCR\Applications\iexplore.exe\shell\open\command\(Default)
""%ProgramFiles%\Internet Explorer\iexplore.com" %1"
HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePageCommand\(Default)
""%ProgramFiles%\Internet Explorer\iexplore.com""
HKCR\ftp\shell\open\command\(Default)
""%ProgramFiles%\Internet Explorer\iexplore.com" %1"
HKCR\htmlfile\shell\open\command\(Default)
""%ProgramFiles%\Internet Explorer\iexplore.com" -nohome"
HKCR\htmlfile\shell\opennew\command\(Default)
""%CommonProgramFiles%\iexplore.pif" %1"
HKCR\http\shell\open\command\(Default)
""%CommonProgramFiles%\iexplore.pif" -nohome"
HKLM\SOFTWARE\Classes\http\shell\open\command\(Default)
""%CommonProgramFiles%\iexplore.pif" -nohome"
HKCR\Drive\shell\find\command\(Default)
"%SystemRoot%\explorer.com"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
"Explorer.exe 1"
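The following is an added example, not code from the original report: a read-only PowerShell check for the association and startup hijacks listed in item 2. It assumes a Windows host with PowerShell and an elevated session; it flags any command value under the listed keys that names one of the Trojan's look-alike binaries, plus a Winlogon Shell value that is not plain "Explorer.exe".

```powershell
# Added example, not part of the original report. Read-only: it only reads
# the registry keys named in item 2 and reports suspicious command values.
# Run as Administrator so every key is readable.

# Look-alike file names the report says the Trojan drops (matched case-insensitively).
$suspectNames = @('winlogon.exe', 'rundll32.com', 'finder.com', 'command.pif',
                  'iexplore.com', 'iexplore.pif', 'explorer.com', '1.com',
                  'exerouter.exe')

# Class subkeys from the report; checked under both HKCR and HKLM\SOFTWARE\Classes.
$classKeys = @('.lnk\ShellNew', '.bfc\shellnew', 'cplfile\shell\cplopen\command',
    'dunfile\shell\open\command', 'file\shell\open\command',
    'htmlfile\shell\print\command', 'htmlfile\shell\open\command',
    'htmlfile\shell\opennew\command', 'inffile\shell\Install\command',
    'InternetShortcut\shell\open\command', 'scrfile\shell\install\command',
    'scriptletfile\Shell\GenerateTypelib\command', 'telnet\shell\open\command',
    'Unknown\shell\openas\command', 'Applications\iexplore.exe\shell\open\command',
    'ftp\shell\open\command', 'http\shell\open\command', 'Drive\shell\find\command',
    'CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePageCommand')
$keys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$keys += @($classKeys | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_" })
$keys += @($classKeys | ForEach-Object { "HKLM:\SOFTWARE\Classes\$_" })

function Find-HijackedCommands {
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip provider metadata (PSPath etc.)
            $data = [string]$p.Value
            foreach ($n in $suspectNames) {
                # Escaped so 'explorer.com' does not also match the genuine explorer.exe
                if ($data -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Key = $key; Value = $p.Name; Data = $data }
                    break
                }
            }
        }
    }
}

function Test-WinlogonShell {
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -LiteralPath $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    # The genuine value is just "Explorer.exe"; the report shows it changed to "Explorer.exe 1".
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        [pscustomobject]@{ Key = $wl; Value = 'Shell'; Data = $shell }
    }
}

$results = @(Find-HijackedCommands) + @(Test-WinlogonShell)
if ($results.Count) { $results | Format-Table -AutoSize } else { 'No hijacked commands found.' }
```

A hit means the value should be restored to the genuine rundll32.exe, iexplore.exe or Explorer.exe command before the dropped files are removed, otherwise the associated file types stop opening.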
3. The Trojan terminates a variety of security processes.
4. The Trojan steals passwords for games such as World of Warcraft (魔兽) and Legend of Mir (传奇) and submits them to a designated URL.