Virus name (Chinese):
Alias:
Threat level:
★☆☆☆☆
Type:
Trojan
Length:
41127
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behavior:
This is a trojan that steals users' QQ account credentials.
1. Copies itself to:
%WINDOWS%\Help\wshmcepts.chm
%ProgramFiles%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dat
2. Drops the file:
%ProgramFiles%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll
3. Every three seconds, re-adds the following registry entries so that it is loaded automatically (the ShellExecuteHooks entry makes Explorer load the registered DLL at startup):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2} = ""
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\(Default) = ""
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\InProcServer32\(Default) = "%ProgramFiles%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll"
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\InProcServer32\ThreadingModel = "Apartment"
4. Attempts to disable the following security-software services:
navapsvc、RsRavMon、RsRavMon、kavsvc、KVWSC、KVSrvXP、wscsvc、KPfwSvc、KWatchSvc、SNDSrvc、ccProxy、ccEvtMgr、ccSetMgr、SPBBCSvc、
SymantecCoreLC、NPFMntor、MskService、FireSvc、McShield、McTaskManager、McAfeeFramework、RfwService、SKNFW、SkyProcs、AVP
5. Attempts to delete the following security-software registry entries (autostart values under the Run keys):
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDubaPersonalFireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAVCfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScanOnline
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NetworkAssociatesErrorReportingService
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvPpWall_autorun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SKYNETPersonalFireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\JiangminKVFW
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Rapdateiyr
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDubaPersonalFireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
6. Attempts to uninstall the following security software:
KV2006
KVFW
rising
KINGSOFT\ANTIVIRUS
Kaspersky Anti-Virus Personal
rising\Rfw
绿鹰PC万能精灵
VIRUSCAN8000
7. Checks whether 还原精灵 (a system-restore utility) is installed on the user's computer; if it is found, the trojan performs a 还原精灵 save/commit (转存) so that the restore protection no longer takes effect.
8. Installs a Windows message hook.
9. When it detects that QQ is running, renames the following files by changing their extension to .bak: QQLiveUpdate.exe, npkcrypt.sys, BDLiveUpdate.exe.
10. Locates the QQ login window, captures the user's account information, and sends it to a preset website and e-mail address.
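The persistence mechanism in step 3 is the most useful thing to check for on a suspect host: any CLSID listed under ShellExecuteHooks causes Explorer to load the DLL registered for it, and legitimate software rarely uses this extension point. The following PowerShell script is an added example, not part of the original record or any vendor tool. It lists every ShellExecuteHooks entry with its InProcServer32 DLL, flags the CLSID from this record, and tests for the files listed in steps 1 and 2. The CLSID and file paths come from the record above; the function names ($KnownBadClsid, Get-ShellExecuteHook, Test-DroppedFile) are this example's own.

```powershell
# Added example (not from the original record): enumerate ShellExecuteHooks
# persistence and check for the dropped files named in this entry.
# CLSID and paths are taken from the record; function names are hypothetical.
$KnownBadClsid = '{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}'
$HookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$DroppedFiles = @(
    (Join-Path $env:WINDIR 'Help\wshmcepts.chm'),
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\MSINFO\F80D61C2.dat'),
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\MSINFO\F80D61C2.dll')
)

function Get-ShellExecuteHook {
    # Each value name under ShellExecuteHooks is a CLSID; resolve it to the
    # DLL Explorer will load via HKCR\CLSID\<clsid>\InProcServer32.
    if (-not (Test-Path -Path $HookKey)) { return }
    $props = Get-ItemProperty -Path $HookKey
    foreach ($prop in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds.
        if ($prop.Name -notlike '{*}') { continue }
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($prop.Name)\InProcServer32"
        $dll = $null
        if (Test-Path -Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
        }
        [PSCustomObject]@{
            Clsid    = $prop.Name
            Dll      = $dll
            DllExists = if ($dll) { Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
            KnownBad = ($prop.Name -eq $KnownBadClsid)
        }
    }
}

function Test-DroppedFile {
    # Report which of the record's dropped files are present on this host.
    foreach ($path in $DroppedFiles) {
        [PSCustomObject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

# Every hook deserves a look; KnownBad = True is a direct match for this record.
Get-ShellExecuteHook | Format-Table -AutoSize
Test-DroppedFile | Where-Object { $_.Present } |
    ForEach-Object { Write-Warning "Dropped file present: $($_.Path)" }
```

Run it from an elevated PowerShell session, since HKLM and the Program Files tree may not be readable otherwise. Because the trojan re-creates the registry entries every three seconds (step 3), deleting the ShellExecuteHooks value alone will not hold: the DLL already loaded into Explorer has to be unloaded (end the Explorer process or boot into a clean environment) before the value and the dropped files are removed, after which the script can be re-run to confirm nothing was re-added.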