Worm.Delf.cc.131212

王朝other·作者佚名  2008-08-14
窄屏简体版  字體: |||超大  

病毒名称(中文):

冒牌Skype131212

病毒别名:

威胁级别:

★☆☆☆☆

病毒类型:

木马程序

病毒长度:

91136

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

这个盗号木马会伪装成SkypeClient通讯软件,骗取用户下载,进入系统后建立监视,记录用户输入的信息。并连接指定的远程地址。它还会映像劫持大量的安全软件。

在磁盘中释放出以下文件:

C:\sys_32.ini

C:\WINDOWS\TEMP\SkypeClient.exe

在注册表中创建了以下信息:

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\FYFireWall.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwmain.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwsrv.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPF.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KPFW32.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32kui.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avconsol.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\webscanx.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NPFMntor.exe"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\vsstat.exe"

在注册表中设置了以下信息:

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\FYFireWall.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwmain.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwsrv.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPF.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KPFW32.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32kui.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avconsol.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\webscanx.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NPFMntor.exe""Debugger""ntsd-d"

"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\vsstat.exe""Debugger""ntsd-d"

病毒会连接作者指定的网址:

域名:"****"端口:80(TCP)

在系统中创建了以下进程:

"SkypeClient.exe"

病毒会连接网络进行数据与指令的传播

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航