病毒名称(中文):
艾妮变种17920
病毒别名:
威胁级别:
★★☆☆☆
病毒类型:
木马程序
病毒长度:
28000
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这是一个远程控制木马。它会映像劫持许多主流安全软件的进程,令它们瘫痪,然后连接到病毒作者指定的远程地址。此毒还可利用AUTO技术进行迅速传播。
在磁盘中释放出以下文件:
C:\WINDOWS\system\36Otray.exe
C:\autorun.inf
C:\ntldr.exe
N:\autorun.inf
N:\ntldr.exe
在注册表中创建了以下信息:
"HKLM\Software\logogo"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Logo_1.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NMain.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\navw32.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVFW.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVSvcUI.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPFW.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVSrvXP.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVwsc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVsvc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KWatchUI.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360rpt.exe"
在注册表中设置了以下信息:
"HKLM\Software\logogo""setup""yes"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Logo_1.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NMain.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\navw32.EXE""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVFW.EXE""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVSvcUI.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPFW.EXE""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVSrvXP.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVwsc.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVsvc.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KWatchUI.EXE""Debugger""C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
在注册表中修改了以下信息:
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAV32.exe""Debugger""C:\WINDOWS\system\36Otray.exe"
病毒会连接作者指定的网址:
域名:"**tp.m**l.ru"端口:25(TCP)
在系统中创建了以下进程:
"EXPLORER"
病毒尝试使用[SeDebugPrivilege]权限枚举进程
病毒尝试枚举系统进程,可能会对一些安全进程进行关闭操作
"36Otray.exe"
