病毒名称(中文):
冒牌Skype131212
病毒别名:
威胁级别:
★☆☆☆☆
病毒类型:
木马程序
病毒长度:
91136
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这个盗号木马会伪装成SkypeClient通讯软件,骗取用户下载,进入系统后建立监视,记录用户输入的信息。并连接指定的远程地址。它还会映像劫持大量的安全软件。
在磁盘中释放出以下文件:
C:\sys_32.ini
C:\WINDOWS\TEMP\SkypeClient.exe
在注册表中创建了以下信息:
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\FYFireWall.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwmain.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwsrv.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPF.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KPFW32.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32kui.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avconsol.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\webscanx.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NPFMntor.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\vsstat.exe"
在注册表中设置了以下信息:
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\FYFireWall.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwmain.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwsrv.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPF.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KPFW32.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32kui.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avconsol.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\webscanx.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NPFMntor.exe""Debugger""ntsd-d"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\vsstat.exe""Debugger""ntsd-d"
病毒会连接作者指定的网址:
域名:"****"端口:80(TCP)
在系统中创建了以下进程:
"SkypeClient.exe"
病毒会连接网络进行数据与指令的传播