Win32.PSWTroj.QQ.lt.88064

Win32.PSWTroj.QQ.lt.88064 is a Trojan that steals users' QQ account credentials.

Overview

Alias: | Processed: 2006-12-06 | Threat level: ★
Chinese name: | Type: Trojan | Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Behavior

This is a Trojan that steals users' QQ accounts!
1. Copies itself to:
%WINDOWS%\Help\wshmcepts.chm
%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dat
2. Drops the file:
%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll
3. Every three seconds, re-adds the following registry entries so that it is loaded automatically (the CLSID is not given in the entry):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ ""
HKCR\CLSID\\(Default) ""
HKCR\CLSID\\InProcServer32\(Default) "%\Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll"
HKCR\CLSID\\InProcServer32\ThreadingModel "Apartment"
4. Attempts to disable the following security-related services:
navapsvc, RsRavMon, RsRavMon, kavsvc, KVWSC, kvsrvxp, wscsvc, kpfwsvc, KWatchSvc, SNDSrvc, ccProxy, ccEvtMgr, CCSETMGR, SPBBCSvc,
Symantec Core LC, NPFMntor, MskService, FireSvc, mcshield, McTaskManager, McAfeeFramework, RfwService, SKNFW, SkyProcs, AVP
5. Attempts to delete the following security-related registry entries:
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccapp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvPpWall_autorun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SKYNET Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Jiangmin KVFW
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Rapdateiyr
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
6. Attempts to uninstall the following security software:
KV2006
KVFW
rising
KINGSOFT\ANTIVIRUS
Kaspersky Anti-Virus Personal
rising\Rfw
綠鷹PC萬能精靈
VIRUSCAN8000
7. Checks whether 還原精靈 (a disk-restore tool) is installed on the user's computer; if it is found, the Trojan performs a 還原精靈 dump so that the restore tool no longer works.
8. Installs a message hook.
9. When it detects that QQ is running, renames the following files by changing their extension to .bak: QQLiveUpdate.exe, npkcrypt.sys, BDLiveUpdate.exe.
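As an added triage example (not part of the original entry), the Python check below matches a registry snapshot and a file listing against the artefacts listed above: the dropped files, a ShellExecuteHooks entry whose InProcServer32 resolves to F80D61C2.dll, and helper files renamed to .bak. The snapshot, environment map and the two CLSID values are constructed placeholders, since the entry does not give the real CLSID.

```python
import re
from typing import Dict, Iterable, List

# Artefacts named in the entry, in the %VAR% form the page uses.
DROPPED_FILES = [
    r"%WINDOWS%\Help\wshmcepts.chm",
    r"%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dat",
    r"%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll",
]
HOOK_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
RENAMED = {"qqliveupdate.exe", "npkcrypt.sys", "bdliveupdate.exe"}

def expand(path: str, env: Dict[str, str]) -> str:
    """Substitute %VAR% placeholders from the supplied environment map."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)

def scan(registry: Dict[str, Dict[str, str]], files: Iterable[str], env: Dict[str, str]) -> List[str]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings = []
    present = {f.lower() for f in files}
    for p in DROPPED_FILES:
        if expand(p, env).lower() in present:
            findings.append(f"dropped file present: {p}")
    dll = expand(DROPPED_FILES[2], env).lower()
    # Each value name under ShellExecuteHooks is a CLSID; resolve it and flag hooks loading the dropped DLL.
    for clsid in registry.get(HOOK_KEY, {}):
        server = registry.get(rf"HKCR\CLSID\{clsid}\InProcServer32", {}).get("(Default)", "")
        if server.lower() == dll:
            findings.append(f"ShellExecuteHooks {clsid} loads {server}")
    # The trojan renames these helper files to .bak while QQ is running.
    for f in sorted(present):
        name = f.rsplit("\\", 1)[-1]
        if name.endswith(".bak") and name[:-4] in RENAMED:
            findings.append(f"renamed helper: {name}")
    return findings

# Constructed sample snapshot (placeholder CLSIDs, not real telemetry) for a self-check.
ENV = {"WINDOWS": r"C:\WINDOWS", "Program Files": r"C:\Program Files"}
GOOD, BAD = "{11111111-0000-0000-0000-000000000000}", "{22222222-0000-0000-0000-000000000000}"
SAMPLE_REG = {
    HOOK_KEY: {GOOD: "", BAD: ""},
    rf"HKCR\CLSID\{GOOD}\InProcServer32": {"(Default)": r"C:\WINDOWS\system32\shell32.dll"},
    rf"HKCR\CLSID\{BAD}\InProcServer32": {"(Default)": expand(DROPPED_FILES[2], ENV)},
}
SAMPLE_FILES = [expand(DROPPED_FILES[2], ENV), r"C:\Program Files\Tencent\QQ\npkcrypt.sys.bak"]

if __name__ == "__main__":
    for line in scan(SAMPLE_REG, SAMPLE_FILES, ENV):
        print(line)
```

On a live host the same logic applies to a `.reg` export of the two keys and a directory listing; a hook CLSID whose server path sits outside the system directory is worth a look even when the filename differs.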
