Trojan/PopMonster

Description

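Virus length: variable
Virus type: Trojan
Risk level: *
Affected platforms: Win9X/2000/XP/NT/Me
Trojan/PopMonster is a program that cannot activate itself automatically; when it is run, it first installs itself.

Propagation process and characteristics:

1. Modifies the registry:
Adds the following keys and values: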
HKEY_CURRENT_USER\Software\180solutions\msbb
HKEY_LOCAL_MACHINE\Software\iefeatures\"lastdate"
HKEY_LOCAL_MACHINE\Software\iefeatures\"popstate"
HKEY_LOCAL_MACHINE\Software\iefeatures\"sys"
HKEY_LOCAL_MACHINE\Software\iefeatures\"userid"
HKEY_LOCAL_MACHINE\Software\iefeatures\"version"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"iefeatures" = "%Windir%\IEFEATURES.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"msbb" = "%Windir%\MSBB\MSBB.EXE"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSVersion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
"DisplayName" = "PAD Lookups by n-CASE "
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
"default" = "UninstallString"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
"DisplayName" = "Interstitial Ad Delivery by n-CASE"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://popnav.com"
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://popnav.com"
2. Creates the following files:
%Windir%\Desktop\Eliminate Popups.url
%Windir%\Desktop\Internet Privacy Software.url
%Windir%\Desktop\Yahoo.url
%Windir%\Favorites\Ebay.url
%Windir%\Favorites\Search Now.url
%Windir%\Favorites\Stop Popups.url
%Windir%\Favorites\Internet Tools\Internet Privacy Software.url
%Windir%\Favorites\Internet Tools\Online Virus Scan.url
%Windir%\Favorites\Internet Tools\Popup Blocker.url
%Windir%\Favorites\Search\Search Casinos.url
%Windir%\Favorites\Search\Search Dating.url
%Windir%\Favorites\Search\Search Now.url
%Windir%\Favorites\Search\Search Sports.url
%Windir%\Favorites\Shopping\Best Buy.url
%Windir%\Favorites\Shopping\Buy.com.url
%Windir%\Favorites\Shopping\Ebay.url
%Windir%\Favorites\Shopping\WalMart.url
%System%\iefeatures.exe
%System%\MSrdk.xml
%System%\msbb\kyf.dat
%System%\msbb\msbb.exe
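
A check for the registry changes listed in step 1, as an added example that is not part of the original entry: it parses the text of a `reg export` file and reports the Run values, Start Page value and keys named above. The sample export is constructed, and C:\WINDOWS stands in for %Windir% as an assumption.

```python
import re

# Indicators from the registry list above, lower-cased, hive stripped: (subkey, value name, data substring or None).
RUN = r"software\microsoft\windows\currentversion\run"
VALUE_IOCS = [(RUN, "iefeatures", "iefeatures.exe"), (RUN, "msbb", r"msbb\msbb.exe"),
              (RUN, "msversion", None),
              (r"software\microsoft\internet explorer\main", "start page", "popnav.com")]
KEY_IOCS = {r"software\180solutions\msbb", r"software\iefeatures",  # presence alone counts
            r"software\microsoft\windows\currentversion\uninstall\msbb",
            r"software\microsoft\windows\currentversion\uninstall\ncase"}

unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Parse `reg export` text into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(HKEY_[^\]]+)\]", line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])  # REG_SZ; dword:/hex: data stays raw
            current[name] = data
    return keys

def find_hits(keys):
    """Return (key, value name) pairs matching the indicators; name is None for key-level hits."""
    hits = []
    for key, values in keys.items():
        sub = key.partition("\\")[2].lower()  # drop the hive, compare case-insensitively
        if sub in KEY_IOCS:
            hits.append((key, None))
        for name, data in values.items():
            if any(sub == k and name.lower() == n and (s is None or s in data.lower()) for k, n, s in VALUE_IOCS):
                hits.append((key, name))
    return hits

# Constructed sample export: one benign Run entry plus entries matching the list above.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"iefeatures"="C:\\WINDOWS\\IEFEATURES.exe"
"msbb"="C:\\WINDOWS\\MSBB\\MSBB.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://popnav.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nCASE]'''

if __name__ == "__main__":
    print(find_hits(parse_reg(SAMPLE)))
```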