Virus name (Chinese):
Virus alias:
Threat level:
★☆☆☆☆
Virus type:
Trojan
Virus length:
52988
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
This is a trojan that steals the user's account credentials for multiple online games.
1. Copies itself to the following files:
%WINDOWS%\WINLOGON.EXE
%WINDOWS%\explorer.com
%WINDOWS%\1.com
%WINDOWS%\ExERoute.exe
%WINDOWS%\Debug\DebugProgram.exe
%system%\rundll32.com
%system%\finder.com
%system%\command.pif
%system%\MSCONFIG.COM
%system%\dxdiag.com
%ProgramFiles%\Internet Explorer\iexplore.com
%ProgramFiles%\Common Files\iexplore.pif
2. Modifies the following registry entries to change file associations so that they point to the virus files (the dropped .com/.pif files carry the names of genuine Windows programs and are resolved in their place):
HKCR\.lnk\ShellNew\command "rundll32.com appwiz.cpl,NewLinkHere %1"
HKCR\.bfc\shellnew\command "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
HKCR\cplfile\shell\cplopen\command\(Default) "rundll32.com shell32.dll,Control_RunDLL "%1",%*"
HKCR\htmlfile\shell\print\command\(Default) "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
HKCR\inffile\shell\Install\command\(Default) "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
HKCR\InternetShortcut\shell\open\command\(Default) "finder.com shdocvw.dll,OpenURL %l"
HKCR\scrfile\shell\install\command\(Default) "finder.com desk.cpl,InstallScreenSaver %l"
HKCR\scriptletfile\Shell\GenerateTypelib\command\(Default) ""%system%\finder.com" %system%\scrobj.dll,GenerateTypeLib "%1""
HKCR\telnet\shell\open\command\(Default) "finder.com url.dll,TelnetProtocolHandler %l"
HKCR\Unknown\shell\openas\command\(Default) "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\(Default) "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\(Default) "finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\(Default) "finder.com desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\(Default) "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\(Default) ""%ProgramFiles%\Internet Explorer\iexplore.com" -nohome"
HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations "No"
HKCR\Applications\iexplore.exe\shell\open\command\(Default) ""%ProgramFiles%\Internet Explorer\iexplore.com" %1"
HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\(Default) ""%ProgramFiles%\Internet Explorer\iexplore.com""
HKCR\ftp\shell\open\command\(Default) ""%ProgramFiles%\Internet Explorer\iexplore.com" %1"
HKCR\htmlfile\shell\open\command\(Default) ""%ProgramFiles%\Internet Explorer\iexplore.com" -nohome"
HKCR\htmlfile\shell\opennew\command\(Default) ""%ProgramFiles%\Common Files\iexplore.pif" %1"
HKCR\http\shell\open\command\(Default) ""%ProgramFiles%\Common Files\iexplore.pif" -nohome"
HKLM\SOFTWARE\Classes\http\shell\open\command\(Default) ""%ProgramFiles%\Common Files\iexplore.pif" -nohome"
HKCR\Drive\shell\find\command\(Default) "%SystemRoot%\explorer.com"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe 1"
HKCR\winfiles\defaulticon\(Default) "%1"
HKCR\winfiles\shell\open\command\(Default) "%WINDOWS%\ExERoute.exe "%1" %*"
HKCR\.exe\(Default) "winfiles"
3. Adds the following startup entry:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\TorjanProgram "%WINDOWS%\WINLOGON.EXE"
4. Terminates any process whose name matches one of the following patterns, and overwrites the 20 bytes starting at file offset 284 of that process's executable so that the executable may fail the next time it is run:
RAVMON*
TROJDIE*
KPOP*
CCENTER*
*ASSISTSE*
KPFW*
AGENTSVR*
KV*
KREG*
IEFIND*
IPARMOR*
SVI.EXE
UPHC*
RULEWIZE*
FYGT*
RFWSRV*
MMSK*
5. Installs two message hooks to intercept keyboard and window messages.
6. When it detects the user running QQ, renames QQ's keyboard-protection file npkcrypt.vxd to qqpnpp.sys.
7. Steals the user's accounts for several online games, including 霸王大陆 (Bawang Dalu), 征途 (ZT Online), 魔兽世界 (World of Warcraft) and 传奇世界 (The World of Legend), as well as the user's QQ account, and sends them to whoever planted the trojan.
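The following script is an added triage example, not the vendor's tool, covering steps 1 to 3 above: it parses a .reg export and a file listing (both constructed inline) and reports the handler commands that resolve to one of the dropped .com/.pif lookalikes, the redirected .exe class, the altered Winlogon Shell value, the disabled Check_Associations flag, the Run entry launching WINLOGON.EXE from %WINDOWS%, and any dropped file that is present. The expansion of %WINDOWS%, %system% and %ProgramFiles% to a default C: install and the sample data are assumptions made for the example.

```python
"""Offline triage helper for this advisory's indicators (an added example, not the
vendor's tool): parses a .reg export and a file listing, both constructed below."""
import re

# Program names the trojan drops: real Windows tool names given a .com/.pif
# extension (resolved ahead of the genuine .exe), plus its own loaders.
LOOKALIKES = {"rundll32.com", "finder.com", "explorer.com", "1.com", "command.pif",
              "msconfig.com", "dxdiag.com", "iexplore.com", "iexplore.pif",
              "exeroute.exe", "debugprogram.exe"}
DROPPED_FILES = [
    r"%WINDOWS%\WINLOGON.EXE", r"%WINDOWS%\explorer.com", r"%WINDOWS%\1.com",
    r"%WINDOWS%\ExERoute.exe", r"%WINDOWS%\Debug\DebugProgram.exe",
    r"%system%\rundll32.com", r"%system%\finder.com", r"%system%\command.pif",
    r"%system%\MSCONFIG.COM", r"%system%\dxdiag.com",
    r"%ProgramFiles%\Internet Explorer\iexplore.com",
    r"%ProgramFiles%\Common Files\iexplore.pif"]
# Assumed expansion of the advisory's placeholders for a default C: install.
EXPANSIONS = {"%WINDOWS%": r"C:\WINDOWS", "%system%": r"C:\WINDOWS\system32",
              "%ProgramFiles%": r"C:\Program Files"}
HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CURRENT_USER": "HKCU"}
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
IE_MAIN = r"hkcu\software\microsoft\internet explorer\main"


def parse_reg(text):
    """Parse the string values of a .reg export into {key: {name: data}}; keys
    and value names are lower-cased and the default value is named '(default)'."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = (HIVES.get(hive, hive) + "\\" + rest).lower()
            reg.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslash and double quote with a backslash
                reg[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return reg


def first_program(command):
    """Lower-cased basename of the program a shell command value launches."""
    command = command.strip()
    prog = command[1:].split('"', 1)[0] if command[:1] == '"' else command.split(" ", 1)[0]
    return prog.rsplit("\\", 1)[-1].lower()


def find_indicators(reg, present_files):
    """Human-readable findings for the advisory's registry and file indicators."""
    findings = []
    for key, values in reg.items():
        if key.endswith("\\command"):
            findings += [f"hijacked handler {key} -> {d}" for d in values.values()
                         if first_program(d) in LOOKALIKES]
    exe_class = reg.get(r"hkcr\.exe", {}).get("(default)")
    if exe_class is not None and exe_class.lower() != "exefile":
        findings.append(f".exe class redirected to {exe_class!r}")
    shell = reg.get(WINLOGON, {}).get("shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered: {shell!r}")
    if reg.get(IE_MAIN, {}).get("check_associations", "").lower() == "no":
        findings.append("IE Check_Associations disabled (hides the hijack)")
    for name, data in reg.get(RUN_KEY, {}).items():
        if first_program(data) == "winlogon.exe":  # the real one needs no Run entry
            findings.append(f"Run entry {name!r} launches {data}")
    expanded = set()
    for path in DROPPED_FILES:
        for var, val in EXPANSIONS.items():
            path = path.replace(var, val)
        expanded.add(path.lower())
    findings += [f"dropped file present: {p}" for p in present_files if p.lower() in expanded]
    return findings


# Constructed sample: fragments of a .reg export and a file listing from an
# infected host; the txtfile entry is a benign control that must not be flagged.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\.exe]
@="winfiles"
[HKEY_CLASSES_ROOT\winfiles\shell\open\command]
@="C:\\WINDOWS\\ExERoute.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="finder.com shdocvw.dll,OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Check_Associations"="No"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TorjanProgram"="C:\\WINDOWS\\WINLOGON.EXE"
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\rundll32.exe", r"C:\WINDOWS\system32\rundll32.com",
                r"C:\WINDOWS\ExERoute.exe", r"C:\Program Files\Common Files\iexplore.pif"]

if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG), SAMPLE_FILES):
        print(finding)
```

On a real host the .reg input would come from `reg export` of HKCR, the Winlogon, Run and Internet Explorer\Main keys, and the file listing from a directory walk of the expanded paths; the checks deliberately key on the resolved program name rather than on exact value strings, so a variant that changes the handler arguments but keeps the lookalike file names is still reported.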