病毒名称(中文):
色情伪装下载器208896
病毒别名:
威胁级别:
★☆☆☆☆
病毒类型:
木马下载器
病毒长度:
208896
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这是一个木马下载器程序。它会自动调用IE浏览器,下载大量病毒到用户机器上,同时还会擅自登录Google页面搜索色情视频,让用户以为它是个色情广告软件。
1.程序运行后,生成文件
C:\smp.bat
C:\DocumentsandSettings\fish\Cookies\fish@google[1].txt
C:\DocumentsandSettings\fish\Cookies\fish@google[2].txt
C:\DocumentsandSettings\fish\LocalSettings\History\History.IE5\MSHist012008050620080507
C:\DocumentsandSettings\fish\LocalSettings\History\History.IE5\MSHist012008050620080507\index.dat
C:\DocumentsandSettings\fish\LocalSettings\Temp\A10-tmpaoi.exe
C:\DocumentsandSettings\fish\LocalSettings\Temp\Perflib_Perfdata_6e8.dat
C:\DocumentsandSettings\fish\LocalSettings\TemporaryInternetFiles\Content.IE5\2PF3QNZE\sU0He6l7Lhs[1].js
C:\DocumentsandSettings\fish\LocalSettings\TemporaryInternetFiles\Content.IE5\C4DGV5NI\drv32[1].data
C:\DocumentsandSettings\fish\LocalSettings\TemporaryInternetFiles\Content.IE5\C4DGV5NI\nav_logo3[1].png
C:\DocumentsandSettings\fish\LocalSettings\TemporaryInternetFiles\Content.IE5\R146ZVU7\search[1]
C:\DocumentsandSettings\fish\LocalSettings\TemporaryInternetFiles\Content.IE5\R146ZVU7\search[1].htm
C:\DocumentsandSettings\fish\LocalSettings\TemporaryInternetFiles\Content.IE5\TIH5F1C8\gcn[1].png
C:\WINDOWS\tokry.dll
2.病毒修改注册表的系统设置
HKEY_CURRENT_USER\Software\Microsoft\Bindcomment"3913170"
HKEY_CURRENT_USER\Software\Microsoft\Bindcomment2"f"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects\{95E1D855-9232-48F7-80D9-1ADB65B7939C}@""
3.病毒会生成文件C:\smp.bat,去运行下载病毒。
4.病毒首次运行时,会自动联网去网上下载x**@google[1].txt,x**@google[2].txt病毒列表,然后去下载病毒.