病毒名称(中文):
病毒别名:
威胁级别:
★☆☆☆☆
病毒类型:
广告软件
病毒长度:
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这是一个广告软件。功能是用户在使用google等搜索引擎时,会在桌面右下角弹出与搜索的内容相关的广告。该广告使用的文件名类似系统文件名,迷惑用户;该广告会注册SPI服务,并不提供卸载,所以,当该文件出现故障时,可能会导致机器无法上网。
1,生成文件到系统目录,文件名为下列中的一种
quartz32.dll
wshcon32.dll
secur.dll
raspapi.dll
winipsec32.dll
2,添加注册表
HKEY_CLASSES_ROOT\Adplus.XLink
HKEY_CLASSES_ROOT\Adplus.XLink.1
HKEY_CLASSES_ROOT\CLSID\{18F57D30-EF36-4C0E-9343-7BFA6DF79B4A}
"InprocServer32"="C:\WINNT\System32\quartz32.dll"
HKEY_CLASSES_ROOT\Interface\{2805A558-1E98-48FB-8BA5-49A3AD78B129}
"IXLink"
HKEY_CLASSES_ROOT\TypeLib\{57F7A59D-8F7F-41B2-98B8-A095456716E9}\1.0\0\win32
"C:\WINNT\System32\quartz32.dll"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
hex:49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,57,00,61,00,74,00,63,00,68,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,61,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,5c,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,
HKEY_LOCAL_MACHINE\SOFTWARE\Roogoo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
FROMID="roogoo"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
PackedCatalogItem
hex:25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,6d,73,61,66,64,2e,64,6c,6c,00,00,00,3a,00,35,00,36,00,20,00,33,00,32,00,34,00,2e,00,31,00,39,00,30,00,32,00,5d,00,00,00,00,00,00,00,00,00,00,00,00,00,04,02,00,00,00,00,00,00,00,00,00,00,00,00,ed,55,d8,41,bf,01,00,00,00,00,01,00,93,08,00,00,05,00,19,00,0e,00,00,01,0c,00,00,00,00,00,00,00,00,00,e0,1a,00,00,60,9e,fc,36,65,c4,cf,11,80,56,44,45,53,54,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,09,02,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,30,18,5f,8d,73,c2,cf,11,95,c8,00,80,5f,48,a1,92,f3,03,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,11,00,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
PackedCatalogItem
hex:43,3a,5c,57,49,4e,4e,54,5c,53,79,73,74,65,6d,33,32,5c,71,75,61,72,74,7a,33,32,2e,64,6c,6c,00,00,00,00,3a,00,35,00,36,00,20,00,33,00,32,00,34,00,2e,00,31,00,39,00,30,00,32,00,5d,00,00,00,00,00,00,00,00,00,00,00,00,00,04,02,00,00,00,00,00,00,00,00,00,00,00,00,ed,55,d8,41,bf,01,00,00,00,00,01,00,93,08,00,00,05,00,19,00,0e,00,00,01,0c,00,00,00,00,00,00,00,00,00,e0,1a,00,00,60,9e,fc,36,65,c4,cf,11,80,56,44,45,53,54,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,0c,00,00,00,fd,91,1e,4d,6a,11,aa,44,8f,d4,1d,2c,f2,7b,d9,a9,f4,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,00,
