Win32.Troj.QQPass.nw

Source: Internet  2008-08-14 22:55:39

Virus name (Chinese):

Virus alias:

Threat level:

★☆☆☆☆

Virus type:

Trojan

Virus length:

48436 (bytes)

Affected systems:

Win9x, WinMe, WinNT, Win2000, WinXP, Win2003

Virus behaviour:

This is a Trojan that steals QQ account passwords.

1. Copies itself to the following paths:

%system%\severe.exe

%system%\jusodl.exe

%system%\drivers\pnvifj.exe

%system%\drivers\conime.exe

(Note that the legitimate conime.exe, the console IME, lives directly in %system%; a copy under %system%\drivers\ is the Trojan's.)

It also drops a virus file at %system%\jusodl.dll.

2. Creates the following files in the root directory of every drive; the Trojan is activated when the user double-clicks the drive letter, because autorun.inf points Explorer at the dropper:

OSO.EXE, autorun.inf
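The drive-root infection works through the [AutoRun] section of autorun.inf: the `open`, `shellexecute` and `shell\<verb>\command` keys name a program that Explorer runs on double-click or from the drive's context menu. The following parser, added here as an example and not taken from the write-up or from the sample, extracts those launch targets; the autorun.inf text inside it is constructed to resemble what the OSO.EXE dropper would write, since the page does not reproduce the real file.

```python
"""Parse an autorun.inf and report the programs it would launch.

Added example, not code from the original write-up. SAMPLE_AUTORUN_INF is
constructed to resemble the OSO.EXE dropper described above; the sample's
actual file contents are not given on the page.
"""
import re

# [AutoRun] keys whose value is a program: 'open' runs on AutoPlay/double-click,
# 'shellexecute' is its ShellExecute variant, and shell\<verb>\command adds a
# context-menu verb (which 'shell=<verb>' can make the default action).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample: the three usual launch hooks all point at the dropper.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=OSO.EXE
shellexecute=OSO.EXE
shell\\Auto\\command=OSO.EXE
shell=Auto
"""


def _first_token(value):
    """Program name from a command string: a quoted path or the first word."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    return v.split()[0] if v else ""


def launched_programs(text):
    """Return the distinct programs an autorun.inf would run, in file order.

    Hand-rolled rather than configparser-based because malicious autorun.inf
    files routinely carry junk lines, odd casing and duplicate keys that make
    a strict INI parser bail out.
    """
    found = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # padding or garbage outside key=value form
        key, _, value = line.partition("=")
        key = key.strip()
        if key.lower() in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            prog = _first_token(value)
            if prog and prog not in found:
                found.append(prog)
    return found


if __name__ == "__main__":
    print("launch targets:", launched_programs(SAMPLE_AUTORUN_INF))
```

Run it over the autorun.inf from each drive root of a suspect machine; any target that is a bare executable sitting next to the autorun.inf is the file to pull for analysis. The lasting fix on the host side is to disable AutoRun for all drive types (the `NoDriveTypeAutoRun` value under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` set to 0xFF), not just to delete the two files.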

3. Rewrites the hosts file so that the following security sites resolve to 127.0.0.1, which blocks access to vendor update and scanning servers. The first entry (localhost) is the normal default line; the rest are added by the Trojan. Each entry is written as `127.0.0.1` followed by whitespace and the name:

127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
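A hosts-file sinkhole like the one above is easy to check for mechanically: any public name mapped to a loopback (or 0.0.0.0) address is suspect, and only a handful of names legitimately resolve there. The script below is an added example, not the write-up's own tooling; the hosts content inside it is constructed to look like the file after this Trojan has edited it, and the check also treats 0.0.0.0 as a sinkhole address, which goes beyond the 127.0.0.1 entries this particular sample writes.

```python
"""Find and remove hosts-file entries that sinkhole public names to loopback.

Added example, not part of the original write-up. SAMPLE_HOSTS is constructed
to look like a file after this Trojan has rewritten it. The check also treats
0.0.0.0 as a sinkhole address, which generalises beyond the 127.0.0.1 entries
this sample writes.
"""
import ipaddress

# Names that legitimately resolve to loopback in a default hosts file.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample; "\t" below is a literal tab, as regedit-era files often use.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 mmsk.cn
127.0.0.1\tikaka.com
127.0.0.1 safe.qq.com 360safe.com
127.0.0.1 update.rising.com.cn   # appended by the trojan
0.0.0.0 dnl-us1.kaspersky-labs.com
192.168.1.10 intranet.example
"""


def _entries(text):
    """Yield (line_number, address, [names]) for each parseable hosts line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore malformed lines
        yield lineno, addr, fields[1:]


def _is_sinkhole(addr):
    return addr.is_loopback or addr.is_unspecified


def loopback_hijacks(text):
    """Return [(line_number, name)] for names pointed at loopback or 0.0.0.0
    that have no business resolving there."""
    hits = []
    for lineno, addr, names in _entries(text):
        if _is_sinkhole(addr):
            hits.extend((lineno, n) for n in names if n.lower() not in LEGIT_LOOPBACK_NAMES)
    return hits


def clean_hosts(text):
    """Rewrite the file with the hijacked names removed, keeping comments,
    non-loopback lines and any legitimate loopback names on the same line."""
    out = []
    for raw in text.splitlines():
        body, hash_, comment = raw.partition("#")
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0]) if fields else None
        except ValueError:
            addr = None
        if addr is not None and _is_sinkhole(addr):
            keep = [n for n in fields[1:] if n.lower() in LEGIT_LOOPBACK_NAMES]
            if not keep:
                continue  # every name on the line was a sinkhole entry
            if len(keep) != len(fields) - 1:
                raw = f"{fields[0]} {' '.join(keep)}" + (f" #{comment}" if hash_ else "")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, name in loopback_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is sinkholed")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live Windows host the file is `%SystemRoot%\system32\drivers\etc\hosts`; take a copy before rewriting it, and remember that the Trojan's Run entries will simply put the lines back at next boot unless persistence is removed in the same pass.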

4. Sets the following registry entries so that it starts automatically at boot:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"pnvifj"="C:\WINDOWS\system32\jusodl.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"jusodl"="C:\WINDOWS\system32\severe.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\drivers\conime.exe"

(Shell is normally just Explorer.exe; appending a second program makes Winlogon launch it alongside Explorer at every logon.)

It modifies the following value to keep its files hidden, so that selecting "Show hidden files and folders" in Folder Options has no effect (the normal value is 1):

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=0

It also sets Image File Execution Options so that launching a legitimate security tool runs the Trojan instead. When an image has a Debugger value under IFEO, the loader starts that "debugger" in place of the image, so each of the following image names gets the value

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>\Debugger = "C:\WINDOWS\system32\drivers\pnvifj.exe"

for <image> in:

MagicSet.exe
Rav.exe
avp.com
avp.exe
KRegEx.exe
KvDetect.exe
KvXP.kxp
TrojDie.kxp
KVMonXP.kxp
IceSword.exe
mmsk.exe
WoptiClean.exe
kabaload.exe
360Safe.exe
runiep.exe
iparmo.exe
adam.exe
RavMon.exe
QQDoctor.exe
SREng.EXE
Ras.exe
msconfig.exe
regedit.exe
regedit.com
msconfig.com
PFWLiveUpdate.exe
EGHOST.exe
NOD32.exe

5. Searches for windows whose titles contain any of the following strings and closes them:

殺毒 (antivirus), 專殺 (dedicated removal tool), 病毒 (virus), 木馬 (Trojan), 注冊表 (registry)

6. Stops and disables the following services (srservice is System Restore and sharedaccess is Windows Firewall/Internet Connection Sharing; the rest belong to Jiangmin, Kaspersky and Rising products):

srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter

It then terminates the following security-related processes (cmd.exe, net.exe, net1.exe and sc1.exe are included to stop the user restarting services by hand):

cmd.exe
net.exe
sc1.exe
net1.exe
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
EGHOST.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe

7. Looks for the QQ login window, logs keystrokes, and once it has captured the user's password sends it out through its own built-in mail engine.
