Virus name (Chinese):
劫持者远程控制器57344 (roughly "Hijacker Remote Controller 57344")
Virus alias:
Threat level:
★★☆☆☆
Virus type:
Trojan
Virus length:
8192
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behaviour:
This is a remote-control trojan. It drops files onto the disk, modifies the registry to create a system service, and then uses image hijacking (Image File Execution Options) against a large number of antivirus and security-assistance products, as well as other security tools that pose a threat to it. Once the hijacking is complete, it connects to a remote address chosen by the virus author, waits for the hacker's commands, and helps the hacker control the infected computer. The virus also spreads automatically using the AutoRun technique.
Drops the following files onto the disk:
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
C:\AutoRun.inf
C:\rejoice101.exe
Creates the following registry keys:
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe"
Sets the following registry values (value name "Debugger", data "ntsd -d"):
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe" "Debugger" "ntsd -d"
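The registry entries above are the artefact a responder can check for directly. The following is an added example, not part of this report and not the vendor's tooling: it parses a `reg export` of the Image File Execution Options key and reports every subkey whose "Debugger" value is the "ntsd -d" pattern listed here, or that targets one of the security-tool image names this report lists. The `.reg` text in the block is constructed for the example; the `notepad.exe` and `app.exe` entries are constructed too, to show values that should not be flagged by the "ntsd -d" test.

```python
import re

# Constructed sample of a `reg export` of the IFEO key, mimicking the entries
# this report lists (one subkey per hijacked image, Debugger = "ntsd -d").
# The app.exe and notepad.exe entries are constructed as well, to show values
# that are NOT the hijack pattern.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
'''

# Image names this report lists as hijacked; used as a watchlist so that any
# Debugger value set on one of them is reported even if it is not "ntsd -d".
SECURITY_TOOL_IMAGES = {name.lower() for name in (
    "DrvAnti.exe", "avp.com", "avp.exe", "runiep.exe", "PFW.exe",
    "FYFireWall.exe", "rfwmain.exe", "rfwsrv.exe", "KAVPF.exe", "KPFW32.exe",
    "nod32kui.exe", "nod32.exe", "Navapsvc.exe", "Navapw32.exe",
    "avconsol.exe", "webscanx.exe", "NPFMntor.exe")}

IFEO_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
    r'Image File Execution Options\\([^\\\]]+)\]\s*$', re.IGNORECASE)
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def parse_ifeo_debuggers(reg_text):
    """Map image name -> Debugger value for every IFEO subkey that sets one."""
    found = {}
    current = None
    for line in reg_text.splitlines():
        key = IFEO_KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith('['):
            current = None          # a key outside IFEO; skip its values
            continue
        val = DEBUGGER_RE.match(line)
        if val and current is not None:
            # .reg files escape backslashes and quotes inside string values
            found[current] = val.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return found


def is_ntsd_kill(debugger_value):
    """True for the "ntsd -d" value this report describes: the real image is
    started under ntsd instead of running normally, so the tool never comes up."""
    parts = debugger_value.strip().lower().split()
    return bool(parts) and parts[0] in ('ntsd', 'ntsd.exe') and '-d' in parts[1:]


def find_hijacks(reg_text):
    """Return (image, debugger_value, reason) for entries worth an analyst's look."""
    findings = []
    for image, dbg in parse_ifeo_debuggers(reg_text).items():
        reasons = []
        if is_ntsd_kill(dbg):
            reasons.append('Debugger is "ntsd -d"')
        if image.lower() in SECURITY_TOOL_IMAGES:
            reasons.append('image is a security tool listed in this report')
        if reasons:
            findings.append((image, dbg, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for image, dbg, reason in find_hijacks(SAMPLE_REG_EXPORT):
        print(f'{image}: Debugger={dbg!r} ({reason})')
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; reg.exe writes that file as UTF-16, so open it with `encoding='utf-16'` before passing the text to `find_hijacks`. A "Debugger" value is not malicious by itself (developers and some compatibility setups use it, as the constructed `notepad.exe` entry shows), which is why the example combines the "ntsd -d" value check with the watchlist of image names rather than flagging every entry; remediation is to delete the "Debugger" value under each hijacked image name so the security tool starts normally again.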
The virus connects to a URL specified by its author, downloads the latest configuration file to update itself, and waits for the hacker's commands:
http://update.1***22.cn/product/ppsvodnet/update.ini
Domain: "update.1***22.cn"  Port: 80 (TCP)
update.1***22.cn/product/ppsvodnet/update.ini