| 導購 | 订阅 | 在线投稿
分享
 
 
 

Win32.Troj.QQPass.aa

2008-08-14 22:52:48  編輯來源:互聯網  简体版  手機版  移動版  評論  字體: ||
 

病毒名稱(中文):

病毒別名:

威脅級別:

★☆☆☆☆

病毒類型:

木馬程序

病毒長度:

38126

影響系統:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行爲:

這是個盜取用戶QQ帳號的蠕蟲,可以通過可移動磁盤傳播,並對抗安全軟件。

1、釋放以下文件並設置爲隱藏和系統屬性。

%WINDIR%\system32\bryato.dll

%WINDIR%\system32\bryato.exe

%WINDIR%\system32\severe.exe

%WINDIR%\system32\drivers\conime.exe

%WINDIR%\system32\drivers\fubcwj.exe

2、在每個分區的根目錄下生成文件:Autorun.inf和病毒複制體:OSO.exe,並修改相關注冊表項以使用戶雙擊打開該分區時運行病毒體:

修改的注冊表項:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun0xB5

Autorun.inf內容如下:

[AutoRun]

open=OSO.exe

shellexecute=OSO.exe

shell\Auto\command=OSO.exe

3、添加或修改注冊表項以隱藏病毒文件:

HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue"0"

4、添加以下注冊表項以達到自啓動的目的。

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj"%WINDIR%\System32\bryato.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato"%WINDIR%\System32\severe.exe"

5、修改以下注冊表項以達到隨Explorer進程啓動的目的:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell"Explorer.exe%WINDIR%\System32\drivers\conime.exe"

6、添加以下注冊表項來重定向相關安全軟件到病毒文件以達到阻止其運行的目的:

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\MagicSet.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rav.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvDetect.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonXP.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\mmsk.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WoptiClean.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kabaload.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\iparmo.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\adam.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavMon.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREng.EXE\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ras.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFWLiveUpdate.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"

7、修改hosts文件以達到阻止用戶訪問安全網站的目的:

127.0.0.1mmsk.cn

127.0.0.1ikaka.com

127.0.0.1safe.qq.com

127.0.0.1360safe.com

127.0.0.1www.mmsk.cn

127.0.0.1www.ikaka.com

127.0.0.1tool.ikaka.com

127.0.0.1www.360safe.com

127.0.0.1zs.kingsoft.com

127.0.0.1forum.ikaka.com

127.0.0.1up.rising.com.cn

127.0.0.1scan.kingsoft.com

127.0.0.1kvup.jiangmin.com

127.0.0.1reg.rising.com.cn

127.0.0.1update.rising.com.cn

127.0.0.1update7.jiangmin.com

127.0.0.1download.rising.com.cn

127.0.0.1dnl-us1.kaspersky-labs.com

127.0.0.1dnl-us2.kaspersky-labs.com

127.0.0.1dnl-us3.kaspersky-labs.com

127.0.0.1dnl-us4.kaspersky-labs.com

127.0.0.1dnl-us5.kaspersky-labs.com

127.0.0.1dnl-us6.kaspersky-labs.com

127.0.0.1dnl-us7.kaspersky-labs.com

127.0.0.1dnl-us8.kaspersky-labs.com

127.0.0.1dnl-us9.kaspersky-labs.com

127.0.0.1dnl-us10.kaspersky-labs.com

127.0.0.1dnl-eu1.kaspersky-labs.com

127.0.0.1dnl-eu2.kaspersky-labs.com

127.0.0.1dnl-eu3.kaspersky-labs.com

127.0.0.1dnl-eu4.kaspersky-labs.com

127.0.0.1dnl-eu5.kaspersky-labs.com

127.0.0.1dnl-eu6.kaspersky-labs.com

127.0.0.1dnl-eu7.kaspersky-labs.com

127.0.0.1dnl-eu8.kaspersky-labs.com

127.0.0.1dnl-eu9.kaspersky-labs.com

127.0.0.1dnl-eu10.kaspersky-labs.com

8、查找含有以下字符串的窗口,找到則將其關閉:

殺毒、專殺、病毒、木馬、注冊表

9、停止並禁用以下安全服務:

srservice

sharedaccess

KVWSC

KVSrvXP

kavsvc

RsRavMon

RsCCenter

RsRavMon

10、終止以下安全軟件相關進程:

PFW.exe,Kav.exe,KVOL.exe,KVFW.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,CCAPP.exe,KRegEx.exe,kavsvc.exe,VPTray.exe,

RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,MCAGENT.exe,KAVPLUS.exe,RavMonD.exe,Rtvscan.exe,

Nvsvc32.exe,KVMonXP.exe,Kvsrvxp.exe,CCenter.exe,KpopMon.exe,RfwMain.exe,KWATCHUI.exe,MCVSESCN.exe,MSKAGENT.exe,kvolself.exe,KVCenter.kxp,

kavstart.exe,RAVTIMER.exe,RRfwMain.exe,FireTray.exe,UpdaterUI.exe,KVSrvXp_1.exe,RavService.exe

11、刪除QQ的以下文件:

QLiveUpdate.exe、BDLiveUpdate.exe、QUpdateCenter.exe

12、創建鍵盤和鼠標消息鈎子,尋找QQ登陸窗口,記錄鍵盤,獲得用戶密碼後通過自身的郵件引擎發送到指定郵箱。

 
病毒名稱(中文): 病毒別名: 威脅級別: ★☆☆☆☆ 病毒類型: 木馬程序 病毒長度: 38126 影響系統: Win9xWinMeWinNTWin2000WinXPWin2003 病毒行爲: 這是個盜取用戶QQ帳號的蠕蟲,可以通過可移動磁盤傳播,並對抗安全軟件。 1、釋放以下文件並設置爲隱藏和系統屬性。 %WINDIR%\system32\bryato.dll %WINDIR%\system32\bryato.exe %WINDIR%\system32\severe.exe %WINDIR%\system32\drivers\conime.exe %WINDIR%\system32\drivers\fubcwj.exe 2、在每個分區的根目錄下生成文件:Autorun.inf和病毒複制體:OSO.exe,並修改相關注冊表項以使用戶雙擊打開該分區時運行病毒體: 修改的注冊表項:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 0xB5 Autorun.inf內容如下: [AutoRun] open=OSO.exe shellexecute=OSO.exe shell\Auto\command=OSO.exe 3、添加或修改注冊表項以隱藏病毒文件: HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0" 4、添加以下注冊表項以達到自啓動的目的。 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\bryato.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato "%WINDIR%\System32\severe.exe" 5、修改以下注冊表項以達到隨Explorer進程啓動的目的: HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell "Explorer.exe%WINDIR%\System32\drivers\conime.exe" 6、添加以下注冊表項來重定向相關安全軟件到病毒文件以達到阻止其運行的目的: HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe" 7、修改hosts文件以達到阻止用戶訪問安全網站的目的: 127.0.0.1mmsk.cn 127.0.0.1ikaka.com 127.0.0.1safe.qq.com 127.0.0.1360safe.com 127.0.0.1www.mmsk.cn 127.0.0.1www.ikaka.com 127.0.0.1tool.ikaka.com 127.0.0.1www.360safe.com 127.0.0.1zs.kingsoft.com 127.0.0.1forum.ikaka.com 127.0.0.1up.rising.com.cn 127.0.0.1scan.kingsoft.com 127.0.0.1kvup.jiangmin.com 127.0.0.1reg.rising.com.cn 127.0.0.1update.rising.com.cn 127.0.0.1update7.jiangmin.com 127.0.0.1download.rising.com.cn 127.0.0.1dnl-us1.kaspersky-labs.com 127.0.0.1dnl-us2.kaspersky-labs.com 127.0.0.1dnl-us3.kaspersky-labs.com 127.0.0.1dnl-us4.kaspersky-labs.com 127.0.0.1dnl-us5.kaspersky-labs.com 127.0.0.1dnl-us6.kaspersky-labs.com 127.0.0.1dnl-us7.kaspersky-labs.com 127.0.0.1dnl-us8.kaspersky-labs.com 127.0.0.1dnl-us9.kaspersky-labs.com 127.0.0.1dnl-us10.kaspersky-labs.com 127.0.0.1dnl-eu1.kaspersky-labs.com 127.0.0.1dnl-eu2.kaspersky-labs.com 127.0.0.1dnl-eu3.kaspersky-labs.com 127.0.0.1dnl-eu4.kaspersky-labs.com 127.0.0.1dnl-eu5.kaspersky-labs.com 127.0.0.1dnl-eu6.kaspersky-labs.com 127.0.0.1dnl-eu7.kaspersky-labs.com 127.0.0.1dnl-eu8.kaspersky-labs.com 127.0.0.1dnl-eu9.kaspersky-labs.com 127.0.0.1dnl-eu10.kaspersky-labs.com 8、查找含有以下字符串的窗口,找到則將其關閉: 殺毒、專殺、病毒、木馬、注冊表 9、停止並禁用以下安全服務: srservice sharedaccess KVWSC KVSrvXP kavsvc RsRavMon RsCCenter RsRavMon 10、終止以下安全軟件相關進程: PFW.exe,Kav.exe,KVOL.exe,KVFW.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,CCAPP.exe,KRegEx.exe,kavsvc.exe,VPTray.exe, RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,MCAGENT.exe,KAVPLUS.exe,RavMonD.exe,Rtvscan.exe, Nvsvc32.exe,KVMonXP.exe,Kvsrvxp.exe,CCenter.exe,KpopMon.exe,RfwMain.exe,KWATCHUI.exe,MCVSESCN.exe,MSKAGENT.exe,kvolself.exe,KVCenter.kxp, kavstart.exe,RAVTIMER.exe,RRfwMain.exe,FireTray.exe,UpdaterUI.exe,KVSrvXp_1.exe,RavService.exe 11、刪除QQ的以下文件: QLiveUpdate.exe、BDLiveUpdate.exe、QUpdateCenter.exe 12、創建鍵盤和鼠標消息鈎子,尋找QQ登陸窗口,記錄鍵盤,獲得用戶密碼後通過自身的郵件引擎發送到指定郵箱。
󰈣󰈤
 
 
 
>>返回首頁<<
 
 
 
 
 熱帖排行
 
王朝網路微信公眾號
微信掃碼關註本站公眾號 wangchaonetcn
 
  免責聲明:本文僅代表作者個人觀點,與王朝網絡無關。王朝網絡登載此文出於傳遞更多信息之目的,並不意味著贊同其觀點或證實其描述,其原創性以及文中陳述文字和內容未經本站證實,對本文以及其中全部或者部分內容、文字的真實性、完整性、及時性本站不作任何保證或承諾,請讀者僅作參考,並請自行核實相關內容。
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有