Virus name (Chinese):
下载者病毒77824 (Downloader virus 77824)
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Trojan downloader
Virus length:
77824
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
This is a downloader Trojan. It downloads a large number of Trojan programs from the Internet and adds them to the autostart entries of the user's system so that they run automatically.
1. After running, the virus downloads a Trojan list from http://d**n.hu*ll.com/po**in/update.txt and then downloads a large number of Trojan programs to the local machine.
2. The virus also modifies registry service entries and startup (Run) entries, and adds ShellExecuteHooks entries to install a shell-execute hook. The specific modifications are as follows:
HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Services\99D56F10
  Description = "D7598AE0"
  DisplayName = "99D56F10"
  ImagePath = "C:\WINDOWS\system32\4366ECF0.EXE -d"
  ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  {8A1247C1-53DA-FF43-ABD3-345F323A48D8} = "avwghmn.dll"
  {8960356A-458E-DE24-BD50-268F589A56A8} = "avwlhmn.dll"
  {24909874-8982-F344-A322-7898787FA742} = "swjqbzc.dll"
  {1D908534-AD45-920F-AC89-4024FA9D26D1} = "gjfhayc.dll"
  {1D098345-9012-8750-8910-9128098134D1} = "jsqxayc.dll"
  {2D098345-9012-8750-8910-9128098134D2} = "jsqxbyc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  upxdnd = "C:\WINDOWS\upxdnd.exe"
  MsIMMs32 = "C:\WINDOWS\MsIMMs32.exE"
  AVPSrv = "C:\WINDOWS\AVPSrv.exE"
  MsPrint32D = "C:\WINDOWS\MsPrint32D.exe"
  Kvsc3 = "C:\WINDOWS\Kvsc3.exE"
  cmdbcs = "C:\WINDOWS\cmdbcs.exe"
  WSockDrv32 = "C:\WINDOWS\WSockDrv32.exe"
  NVDispDrv = "C:\WINDOWS\NVDispDRV.EXE"
  DbgHlp32 = "C:\WINDOWS\DbgHlp32.exe"
  WinSysM = "C:\WINDOWS\192896M.exe"
  WinSysW = "C:\WINDOWS\192896L.exe"
  LotusHlp = "C:\WINDOWS\LotusHlp.exe"