Virus name (Chinese):
Virus alias:
Threat level:
★☆☆☆☆
Virus type:
Trojan
Virus length:
58539
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a Trojan that steals QQ account numbers. It disguises itself as a jpg image to trick the user into clicking and running it. It records the user's QQ number and password and sends them to the Trojan's operator.
1. After running, the virus copies itself to %system%\ntdhcp.exe and executes the copy.
2. Adds the following registry entry so that it starts automatically at boot:
[HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run]
"NTdhcp"="C:\WINDOWS\system32\NTdhcp.exe"
3. Modifies the registry to disable antivirus software services by setting the Start value of the following keys to 0x04:
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
HKLM\SYSTEM\CurrentControlSet\Services\SymantecCoreLC
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor
HKLM\SYSTEM\CurrentControlSet\Services\MskService
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc
HKLM\SYSTEM\CurrentControlSet\Services\McShield
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
HKLM\SYSTEM\CurrentControlSet\Services\RfwService
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC
4. Deletes the following registry entries so that antivirus processes can no longer start automatically at boot:
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDubaPersonalFireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDubaPersonalFireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAVCfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScanOnline
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NetworkAssociatesErrorReportingService
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
5. While running, the virus searches for antivirus software windows and, if it finds one, sends it a WM_QUIT message to make it exit.
6. The virus searches for QQ and TM login windows, logs keystrokes, and connects to the network to send the captured data to the Trojan's operator.
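The behaviors in steps 2 to 4 leave three registry artifacts an analyst can check for: the NTdhcp autorun value, targeted antivirus services with Start set to 0x04, and antivirus autorun entries that are missing compared with a known-good export. The script below is an added example written for this description; it is not code from the original page or from any antivirus vendor. It assumes a registry snapshot represented as a dictionary of key path to value-name/data pairs (for instance, built from a .reg export or a live read on Windows), and the BASELINE and INFECTED snapshots are constructed sample data whose file paths are placeholders.

```python
"""Detection checks for the registry indicators described above (added example)."""
from __future__ import annotations

# Indicators taken from the description above.
RUN_KEY = r"HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
DROPPER_VALUE = "NTdhcp"          # autorun value name added by the Trojan
DROPPER_IMAGE = "ntdhcp.exe"      # image the autorun value points at
SERVICE_DISABLED = 0x04           # Start value the Trojan writes

TARGETED_SERVICES = {
    "navapsvc", "RsRavMon", "RsCCenter", "kavsvc", "KVSrvXP", "wscsvc",
    "KPfwSvc", "KWatchSvc", "SNDSrvc", "ccProxy", "ccEvtMgr", "ccSetMgr",
    "SPBBCSvc", "SymantecCoreLC", "NPFMntor", "MskService", "FireSvc",
    "McShield", "McTaskManager", "McAfeeFramework", "RfwService", "KVWSC",
}
TARGETED_RUN_VALUES = {
    "RavMon", "KAVPersonal50", "RavTimer", "RavTask", "KvMonXP",
    "iDubaPersonalFireWall", "KAVRun", "KpopMon", "Kulansyn", "KavPFW",
    "KvXP", "ccApp", "SSC_UserPrompt", "NAVCfgWiz", "MCAgentExe", "McRegWiz",
    "MCUpdateExe", "MSKAGENTEXE", "MSKDetectorExe", "VirusScanOnline",
    "VSOCheckTask", "McAfeeUpdaterUI", "NetworkAssociatesErrorReportingService",
    "ShStatEXE", "RfwMain", "SonudMan", "KavStart",
}


def _normalize(snapshot: dict) -> dict:
    """Lower-case key paths and value names; the registry is case-insensitive."""
    return {k.lower(): {n.lower(): d for n, d in vals.items()}
            for k, vals in snapshot.items()}


def find_dropper_autorun(snapshot: dict):
    """Return the autorun data pointing at the dropper, or None (step 2)."""
    values = _normalize(snapshot).get(RUN_KEY.lower(), {})
    for name, data in values.items():
        if name == DROPPER_VALUE.lower() or \
                str(data).lower().rstrip('"').endswith(DROPPER_IMAGE):
            return data
    return None


def disabled_targeted_services(snapshot: dict) -> list:
    """Targeted services present in the snapshot with Start == 0x04 (step 3)."""
    snap = _normalize(snapshot)
    hits = []
    for svc in sorted(TARGETED_SERVICES, key=str.lower):
        values = snap.get(f"{SERVICES_KEY}\\{svc}".lower())
        if values is not None and values.get("start") == SERVICE_DISABLED:
            hits.append(svc)
    return hits


def missing_av_autoruns(baseline: dict, current: dict) -> list:
    """Targeted Run values present in a known-good baseline but gone now (step 4)."""
    base = _normalize(baseline).get(RUN_KEY.lower(), {})
    cur = _normalize(current).get(RUN_KEY.lower(), {})
    targeted = {n.lower(): n for n in TARGETED_RUN_VALUES}
    return sorted(targeted[n] for n in base if n in targeted and n not in cur)


def assess(baseline: dict, current: dict) -> dict:
    """Combine the three checks; two or more independent hits is treated as a match."""
    dropper = find_dropper_autorun(current)
    services = disabled_targeted_services(current)
    removed = missing_av_autoruns(baseline, current)
    hits = int(dropper is not None) + int(bool(services)) + int(bool(removed))
    return {"dropper_autorun": dropper, "disabled_services": services,
            "removed_autoruns": removed, "match": hits >= 2}


# Constructed sample snapshots; the program paths are placeholders, not real products' paths.
BASELINE = {
    RUN_KEY: {"RavMon": r"C:\constructed\RavMon.exe",
              "ccApp": r"C:\constructed\ccApp.exe"},
    SERVICES_KEY + r"\RsRavMon": {"Start": 0x02},
    SERVICES_KEY + r"\wscsvc": {"Start": 0x02},
}
INFECTED = {
    RUN_KEY: {"ccApp": r"C:\constructed\ccApp.exe",
              "NTdhcp": r"C:\WINDOWS\system32\NTdhcp.exe"},
    SERVICES_KEY + r"\RsRavMon": {"Start": 0x04},
    SERVICES_KEY + r"\wscsvc": {"Start": 0x04},
}

if __name__ == "__main__":
    print(assess(BASELINE, INFECTED))
```

The baseline comparison in missing_av_autoruns matters because an absent Run value on its own proves nothing (the product may never have been installed); only a value that existed in an earlier export and has disappeared is evidence of step 4. Requiring two of the three checks to fire keeps a single coincidental disabled service from raising a match on its own.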