病毒名称(中文):
病毒别名:
威胁级别:
★☆☆☆☆
病毒类型:
木马程序
病毒长度:
38126
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这是个盗取用户QQ帐号的蠕虫,可以通过可移动磁盘传播,并对抗安全软件。
1、释放以下文件并设置为隐藏和系统属性。
%WINDIR%\system32\bryato.dll
%WINDIR%\system32\bryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe
2、在每个分区的根目录下生成文件:Autorun.inf和病毒复制体:OSO.exe,并修改相关注册表项以使用户双击打开该分区时运行病毒体:
修改的注册表项:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun0xB5
Autorun.inf内容如下:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
3、添加或修改注册表项以隐藏病毒文件:
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue"0"
4、添加以下注册表项以达到自启动的目的。
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj"%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato"%WINDIR%\System32\severe.exe"
5、修改以下注册表项以达到随Explorer进程启动的目的:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell"Explorer.exe%WINDIR%\System32\drivers\conime.exe"
6、添加以下注册表项来重定向相关安全软件到病毒文件以达到阻止其运行的目的:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\MagicSet.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rav.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\avp.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvDetect.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonXP.kxp\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\mmsk.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WoptiClean.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kabaload.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\runiep.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\iparmo.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\adam.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavMon.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREng.EXE\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ras.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\regedit.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.com\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFWLiveUpdate.exe\Debugger"%WINDIR%\System32\drivers\fubcwj.exe"
7、修改hosts文件以达到阻止用户访问安全网站的目的:
127.0.0.1mmsk.cn
127.0.0.1ikaka.com
127.0.0.1safe.qq.com
127.0.0.1360safe.com
127.0.0.1www.mmsk.cn
127.0.0.1www.ikaka.com
127.0.0.1tool.ikaka.com
127.0.0.1www.360safe.com
127.0.0.1zs.kingsoft.com
127.0.0.1forum.ikaka.com
127.0.0.1up.rising.com.cn
127.0.0.1scan.kingsoft.com
127.0.0.1kvup.jiangmin.com
127.0.0.1reg.rising.com.cn
127.0.0.1update.rising.com.cn
127.0.0.1update7.jiangmin.com
127.0.0.1download.rising.com.cn
127.0.0.1dnl-us1.kaspersky-labs.com
127.0.0.1dnl-us2.kaspersky-labs.com
127.0.0.1dnl-us3.kaspersky-labs.com
127.0.0.1dnl-us4.kaspersky-labs.com
127.0.0.1dnl-us5.kaspersky-labs.com
127.0.0.1dnl-us6.kaspersky-labs.com
127.0.0.1dnl-us7.kaspersky-labs.com
127.0.0.1dnl-us8.kaspersky-labs.com
127.0.0.1dnl-us9.kaspersky-labs.com
127.0.0.1dnl-us10.kaspersky-labs.com
127.0.0.1dnl-eu1.kaspersky-labs.com
127.0.0.1dnl-eu2.kaspersky-labs.com
127.0.0.1dnl-eu3.kaspersky-labs.com
127.0.0.1dnl-eu4.kaspersky-labs.com
127.0.0.1dnl-eu5.kaspersky-labs.com
127.0.0.1dnl-eu6.kaspersky-labs.com
127.0.0.1dnl-eu7.kaspersky-labs.com
127.0.0.1dnl-eu8.kaspersky-labs.com
127.0.0.1dnl-eu9.kaspersky-labs.com
127.0.0.1dnl-eu10.kaspersky-labs.com
8、查找含有以下字符串的窗口,找到则将其关闭:
杀毒、专杀、病毒、木马、注册表
9、停止并禁用以下安全服务:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
10、终止以下安全软件相关进程:
PFW.exe,Kav.exe,KVOL.exe,KVFW.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,CCAPP.exe,KRegEx.exe,kavsvc.exe,VPTray.exe,
RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,MCAGENT.exe,KAVPLUS.exe,RavMonD.exe,Rtvscan.exe,
Nvsvc32.exe,KVMonXP.exe,Kvsrvxp.exe,CCenter.exe,KpopMon.exe,RfwMain.exe,KWATCHUI.exe,MCVSESCN.exe,MSKAGENT.exe,kvolself.exe,KVCenter.kxp,
kavstart.exe,RAVTIMER.exe,RRfwMain.exe,FireTray.exe,UpdaterUI.exe,KVSrvXp_1.exe,RavService.exe
11、删除QQ的以下文件:
QLiveUpdate.exe、BDLiveUpdate.exe、QUpdateCenter.exe
12、创建键盘和鼠标消息钩子,寻找QQ登陆窗口,记录键盘,获得用户密码后通过自身的邮件引擎发送到指定邮箱。
