Worm.Downloader.cx.77824

病毒名称(中文):

下载者病毒77824

病毒别名:

威胁级别:

★★☆☆☆

病毒类型:

木马下载器

病毒长度:

77824

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这是一个下载者病毒，它会从网上下载大量的木马程序，并将这些木马加入用户系统的自动启动项，使它们能够自动运行起来。

1.病毒运行后从http://d**n.hu*ll.com/po**in/update.txt下载木马列表,然后大量的木马程序到本地

C:\DocumentsandSettings\mainzo\LocalSettings\Temp\LYLOADER.EXE

C:\DocumentsandSettings\mainzo\LocalSettings\Temp\LYMANGR.DLL

C:\DocumentsandSettings\mainzo\LocalSettings\Temp\MSDEG32.DLL

C:\ProgramFiles\lsassj.exe

C:\ProgramFiles\InternetExplorer\PLUGINS\NvSys_55.Sys

C:\ProgramFiles\InternetExplorer\PLUGINS\NvWin_5.Jmp

C:\WINDOWS\192896L.exe

C:\WINDOWS\192896M.exe

C:\WINDOWS\192896MM.DLL

C:\WINDOWS\192896WL.DLL

C:\WINDOWS\AVPSrv.exE

C:\WINDOWS\cmdbcs.exe

C:\WINDOWS\DbgHlp32.exe

C:\WINDOWS\Kvsc3.exE

C:\WINDOWS\LotusHlp.exe

C:\WINDOWS\MsIMMs32.exE

C:\WINDOWS\MsPrint32D.exe

C:\WINDOWS\NVDispDRV.EXE

C:\WINDOWS\upxdnd.exe

C:\WINDOWS\WSockDrv32.exe

C:\WINDOWS\Fonts\avwghinb.dll

C:\WINDOWS\Fonts\avwlhin.dll

C:\WINDOWS\Fonts\gjfeaxw.fon

C:\WINDOWS\Fonts\gjfhass.dll

C:\WINDOWS\Fonts\jshuaxw.fon

C:\WINDOWS\Fonts\jshubxw.fon

C:\WINDOWS\Fonts\jsqxass.dll

C:\WINDOWS\Fonts\jsqxbss.dll

C:\WINDOWS\Fonts\jsqxbyc.dll

C:\WINDOWS\Fonts\jsqxbzc.exe

C:\WINDOWS\Fonts\msgubsd.fon

C:\WINDOWS\Fonts\mswuasd.fon

C:\WINDOWS\Fonts\swjqbcsb.dll

C:\WINDOWS\Fonts\wijibfw.fon

C:\WINDOWS\system32\AVPSrv.dll

C:\WINDOWS\system32\LYLOADER.EXE

C:\WINDOWS\system32\LYMANGR.DLL

C:\WINDOWS\system32\MSDEG32.DLL

C:\WINDOWS\system32\mshmsdjs32.dll

C:\WINDOWS\system32\NVDispDrv.dll

C:\WINDOWS\system32\qjylanamy.dll

C:\WINDOWS\system32\REGKEY.hiv

C:\WINDOWS\system32\rlandpczx.dll

................................

2.病毒下载还会修改注册表服务项和启动项,以及ShellExecuteHooks项实现钩子的安装

具体修改如下

HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Services\99D56F10

Description"D7598AE0"

DisplayName"99D56F10"

ImagePath"C:\WINDOWS\system32\4366ECF0.EXE-d"

ObjectName"LocalSystem"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks{8A1247C1-53DA-FF43-ABD3-345F323A48D8}

"avwghmn.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks{8960356A-458E-DE24-BD50-268F589A56A8}

"avwlhmn.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks{24909874-8982-F344-A322-7898787FA742}

"swjqbzc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks{1D908534-AD45-920F-AC89-4024FA9D26D1}

"gjfhayc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks{1D098345-9012-8750-8910-9128098134D1}

"jsqxayc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks{2D098345-9012-8750-8910-9128098134D2}

"jsqxbyc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

upxdnd"C:\WINDOWS\upxdnd.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunMsIMMs32"C:\WINDOWS\MsIMMs32.exE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

AVPSrv"C:\WINDOWS\AVPSrv.exE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunMsPrint32D"C:\WINDOWS\MsPrint32D.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Kvsc3"C:\WINDOWS\Kvsc3.exE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

cmdbcs"C:\WINDOWS\cmdbcs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWSockDrv32"C:\WINDOWS\WSockDrv32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunNVDispDrv"C:\WINDOWS\NVDispDRV.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunDbgHlp32"C:\WINDOWS\DbgHlp32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinSysM"C:\WINDOWS\192896M.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinSysW"C:\WINDOWS\192896L.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunLotusHlp"C:\WINDOWS\LotusHlp.exe"