Virus name (Chinese):
Alias:
Threat level:
★☆☆☆☆
Virus type:
Trojan
Virus length:
12937
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behaviour:
This is a Trojan that sends QQ messages. Once run, it drops its files, modifies the registry, and searches in the background for QQ chat windows; when it finds one it automatically sends messages to the contact.
1. Drops its files to the following paths:
%system32%\1A783BD2.EXE
%system32%\1A783BD2T.EXE
%system32%\1A783BD2.dll
%system32% is a variable path, usually c:\windows\system32
2. Drops a .bat file at %system32%\delme.bat that deletes the original virus body.
3. Modifies the registry, adding the service 1A783BD2 (values are shown as Name = data):
HKLM\System\CurrentControlSet\Services\1A783BD2
HKLM\System\CurrentControlSet\Services\1A783BD2\Type = 0x10
HKLM\System\CurrentControlSet\Services\1A783BD2\Start = 0x2
HKLM\System\CurrentControlSet\Services\1A783BD2\ErrorControl = 0x1
HKLM\System\CurrentControlSet\Services\1A783BD2\ImagePath = "C:\WINDOWS\system32\1A783BD2.EXE-service"
HKLM\System\CurrentControlSet\Services\1A783BD2\DisplayName = "1A783BD2"
HKLM\System\CurrentControlSet\Services\1A783BD2\ObjectName = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\1A783BD2\Description = "为系统提供加速启动功能。"
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\NextInstance = 0x1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Control\*NewlyCreated* = 0x0
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Service = "1A783BD2"
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Legacy = 0x1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\ConfigFlags = 0x0
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Class = "LegacyDriver"
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\DeviceDesc = "1A783BD2"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A783BD2\Enum\0 = "Root\LEGACY_1A783BD2\0000"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A783BD2\Enum\Count = 0x1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A783BD2\Enum\NextInstance = 0x1
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_1A783BD2\0000\Control\ActiveService = "1A783BD2"
4. Injects into the Winlogon.exe and Explorer.exe processes, downloads a configuration file, and changes the user's browser home page according to that file.
5. Enumerates all open windows; when it finds a QQ chat window, it automatically sends messages to the contact.
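The persistence in step 3 leaves a clear trace: an auto-start service running as LocalSystem whose binary, key name and DisplayName are all the same eight-hex-digit string. The following is an added example (not code from the report or from the antivirus vendor) showing how a responder could check an exported list of service values for that pattern. The `key\valuename = value` line format, the parser, the helper names and the heuristic thresholds are all assumptions of this example; the indicator file names come from the report, the Print Spooler lines are a constructed benign baseline, and the service `A1B2C3D4` is a constructed look-alike that is not on the page and exists only to show the naming heuristic generalizing beyond the listed indicators.

```python
import re
from collections import defaultdict

# File names the report lists as dropped under %system32% (indicators from the page).
DROPPED_FILES = {"1A783BD2.EXE", "1A783BD2T.EXE", "1A783BD2.DLL"}

# Constructed sample input: the service values from the report, written as
# `key\valuename = value` lines (hex for REG_DWORD, double quotes for REG_SZ),
# plus two constructed entries: a benign Print Spooler baseline and a hypothetical
# look-alike service "A1B2C3D4" that is NOT on the page and exists only to show
# the naming heuristic firing on a name the indicator list does not contain.
# (The Description value is the page's Chinese string: "Provides accelerated
# startup for the system.")
SAMPLE_REG_LINES = r"""
HKLM\System\CurrentControlSet\Services\1A783BD2\Type = 0x10
HKLM\System\CurrentControlSet\Services\1A783BD2\Start = 0x2
HKLM\System\CurrentControlSet\Services\1A783BD2\ErrorControl = 0x1
HKLM\System\CurrentControlSet\Services\1A783BD2\ImagePath = "C:\WINDOWS\system32\1A783BD2.EXE-service"
HKLM\System\CurrentControlSet\Services\1A783BD2\DisplayName = "1A783BD2"
HKLM\System\CurrentControlSet\Services\1A783BD2\ObjectName = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\1A783BD2\Description = "为系统提供加速启动功能。"
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Type = 0x110
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start = 0x2
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath = "C:\WINDOWS\system32\spoolsv.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ObjectName = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\DisplayName = "Print Spooler"
HKLM\SYSTEM\CurrentControlSet\Services\A1B2C3D4\Start = 0x2
HKLM\SYSTEM\CurrentControlSet\Services\A1B2C3D4\ImagePath = "C:\WINDOWS\system32\A1B2C3D4.EXE"
HKLM\SYSTEM\CurrentControlSet\Services\A1B2C3D4\ObjectName = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\A1B2C3D4\DisplayName = "A1B2C3D4"
"""

# One value directly under a service key: <hive...>\Services\<svc>\<valuename> = <value>
LINE_RE = re.compile(
    r"^.+?\\Services\\(?P<svc>[^\\]+)\\(?P<name>[^\\=]+?)\s*=\s*(?P<val>.+)$",
    re.IGNORECASE,
)
SERVICE_AUTO_START = 0x2  # Start = 0x2: the service control manager launches it at boot
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}T?\.EXE$", re.IGNORECASE)  # 1A783BD2.EXE / 1A783BD2T.EXE shape


def parse_value(raw):
    """Turn the textual data into a Python value: quoted -> str, 0x.. -> int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]  # REG_SZ
    if raw.lower().startswith("0x"):
        return int(raw, 16)  # REG_DWORD
    return raw


def parse_services(text):
    """Group value lines by service key name; value names are lower-cased for lookup."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # key-creation lines and Enum sub-keys carry no value of interest here
        services[m["svc"].upper()][m["name"].lower()] = parse_value(m["val"])
    return dict(services)


def image_basename(image_path):
    """Extract the executable file name from an ImagePath, ignoring any trailing arguments."""
    m = re.search(r'[^\\"]+\.exe', image_path, re.IGNORECASE)
    return m.group(0).upper() if m else ""


def suspicious_services(services):
    """Return {service: [reasons]}; services with nothing to report are omitted."""
    findings = {}
    for svc, vals in services.items():
        reasons = []
        exe = image_basename(str(vals.get("imagepath", "")))
        # Primary signals: a file the report names, or the bare-hex naming the report shows.
        if exe in DROPPED_FILES:
            reasons.append(f"ImagePath is a file the report lists as dropped: {exe}")
        elif HEX_NAME_RE.match(exe):
            reasons.append(f"binary name is a bare hex identifier: {exe}")
        if not reasons:
            continue
        # Context that raises severity: boot-time start as LocalSystem, and a
        # DisplayName that merely repeats the key name.
        if vals.get("start") == SERVICE_AUTO_START and str(vals.get("objectname", "")).lower() == "localsystem":
            reasons.append("auto-start service running as LocalSystem")
        if str(vals.get("displayname", "")).upper() == svc:
            reasons.append("DisplayName is identical to the service key name")
        findings[svc] = reasons
    return findings


def scan_sample():
    """Run the checks over the constructed sample above."""
    return suspicious_services(parse_services(SAMPLE_REG_LINES))


if __name__ == "__main__":
    for svc, reasons in scan_sample().items():
        print(svc)
        for reason in reasons:
            print("  -", reason)
```

On a real host the same rules would be fed from an export of `HKLM\SYSTEM\CurrentControlSet\Services` rather than the inline sample; the point of the exact-match branch is to confirm the report's indicators, and of the hex-name branch to catch a renamed variant that keeps the same habit of using a random hex string for the service, the binary and the DisplayName at once.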