Win32.Troj.QQPass.aa

Win32.Troj.QQPass.aa | Alias: | Processed: 2007-04-06 | Threat level: ★ | Chinese name: | Virus type: Trojan

Virus type: Trojan | Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behavior:
This is a worm that steals users' QQ accounts. It spreads through removable disks and actively fights security software.

Behavior details

1. Drops the following files and sets the hidden and system attributes on them:
%WINDIR%\system32\bryato.dll
%WINDIR%\system32\bryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe
2. Creates an Autorun.inf and a copy of the virus, OSO.exe, in the root directory of every partition, and modifies the registry so that the virus body runs when the user double-clicks the partition:
Modified registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = 0xB5
Autorun.inf contents:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
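For incident-response triage of the drive-root infection in step 2, the following Python script is an added example (it is not part of the original advisory). It parses an Autorun.inf collected from a drive root, lists every directive that would launch a program, and decodes a NoDriveTypeAutoRun DWORD into the drive types for which AutoRun is disabled and still enabled. The sample Autorun.inf is constructed from the contents listed above; the decoder generalizes beyond 0xB5 to any value.

```python
# Added example, not part of the original advisory: triage an Autorun.inf and
# decode the NoDriveTypeAutoRun policy value.
import configparser

# Constructed sample matching the Autorun.inf content listed in the advisory.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\\Auto\\command=OSO.exe
"""

# NoDriveTypeAutoRun bit flags: a set bit disables AutoRun for that drive type.
NO_DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}


def parse_autorun(text):
    """Return [(key, target)] for every Autorun.inf directive that launches a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so shell\Auto\command is reported verbatim
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    launches = []
    for key, value in cp.items(section):
        k = key.lower()
        # open= and shellexecute= run directly; shell\<verb>\command= runs when that
        # verb is chosen from the drive's context menu or used as the default action.
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            launches.append((key, value.strip()))
    return launches


def decode_no_drive_type_autorun(value):
    """Split a NoDriveTypeAutoRun DWORD into (disabled drive types, still-enabled drive types)."""
    disabled = [name for bit, name in NO_DRIVE_TYPE_BITS.items() if value & bit]
    enabled = [name for bit, name in NO_DRIVE_TYPE_BITS.items() if not value & bit]
    return disabled, enabled


def triage(autorun_text, no_drive_type_autorun):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"Autorun.inf {key} -> {target}" for key, target in parse_autorun(autorun_text)]
    disabled, enabled = decode_no_drive_type_autorun(no_drive_type_autorun)
    findings.append(f"NoDriveTypeAutoRun=0x{no_drive_type_autorun:02X} disables: {', '.join(disabled)}")
    if enabled:
        findings.append(f"AutoRun still enabled for: {', '.join(enabled)}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_AUTORUN_INF, 0xB5):
        print(line)
```

Run against the value from the advisory, the decoder shows that 0xB5 leaves the fixed-drive bit (0x08) clear, which is consistent with the infection relying on the partition itself being double-clicked; a hardened baseline is 0xFF, which disables AutoRun on every drive type.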
3. Adds or modifies the following registry value to keep the virus files hidden:
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0"
4. Adds the following registry values so that it starts automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato "%WINDIR%\System32\severe.exe"
5. Modifies the following registry value so that it starts together with the Explorer process:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe %WINDIR%\System32\drivers\conime.exe"
6. Adds the following Image File Execution Options entries to redirect security tools to the virus file, preventing them from running:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kregex.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvmonxp.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfw.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
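The registry changes in steps 3 to 6 can all be checked from an offline `reg export` of the affected hives. The following Python script is an added example, not part of the original advisory: it parses a .reg export and reports IFEO Debugger hijacks, a Winlogon Shell that is not plain explorer.exe, Run entries launching from System32 (a heuristic, since user software rarely installs there), and the SHOWALL CheckedValue=0 trick. The sample export is constructed to mirror the advisory's entries; the `example_app.exe` IFEO key with a `GlobalFlag` value is a constructed benign entry that must not be flagged.

```python
# Added example, not part of the original advisory: audit a .reg export for the
# persistence and tool-blocking changes described in steps 3 to 6.
import re

# Constructed sample in "reg export" format; paths mirror the advisory's entries,
# plus one benign IFEO key (example_app.exe, hypothetical) that must not be flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\fubcwj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_app.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fubcwj"="C:\\WINDOWS\\System32\\bryato.exe"
"bryato"="C:\\WINDOWS\\System32\\severe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
IFEO_KEY = HKLM + r" NT\CurrentVersion\Image File Execution Options"
WINLOGON_KEY = HKLM + r" NT\CurrentVersion\Winlogon"
SHOWALL_KEY = HKLM + r"\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
RUN_KEYS = {
    (HKLM + r"\CurrentVersion\Run").lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string and dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        raw_value = m.group(2).strip()
        if raw_value.startswith('"') and raw_value.endswith('"'):
            value = raw_value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif raw_value.lower().startswith("dword:"):
            value = int(raw_value[len("dword:"):], 16)
        else:
            value = raw_value  # hex(...) and other types are kept raw
        keys[current][name] = value
    return keys


def audit(keys):
    """Return (check, subject, detail) findings for the techniques in the advisory."""
    findings = []
    for path, values in keys.items():
        lp = path.lower()
        # Step 6: any IFEO Debugger value deserves review, not only known-bad paths.
        if lp.startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            findings.append(("ifeo_debugger", path[len(IFEO_KEY) + 1:], values["Debugger"]))
        # Step 5: Winlogon Shell should be exactly explorer.exe.
        elif lp == WINLOGON_KEY.lower():
            shell = str(values.get("Shell", "explorer.exe")).strip()
            if shell.lower() != "explorer.exe":
                findings.append(("winlogon_shell", "Shell", shell))
        # Step 4: Run entries launching from System32 are unusual for user software (heuristic).
        elif lp in RUN_KEYS:
            for name, target in values.items():
                if isinstance(target, str) and "\\system32\\" in target.lower():
                    findings.append(("run_from_system32", name, target))
        # Step 3: CheckedValue=0 under SHOWALL breaks the "Show hidden files" option.
        elif lp == SHOWALL_KEY.lower() and values.get("CheckedValue") == 0:
            findings.append(("hidden_files_forced", "CheckedValue", 0))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding, sep="\t")
```

The IFEO check deliberately reports every Debugger value rather than matching the path from this advisory, because the hijack works with any filename; an analyst then confirms whether each target is a real debugger installed on purpose.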
7. Modifies the hosts file to block access to security websites:
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-Us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
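A hosts-file audit for step 7, added here as an example that is not part of the original advisory: it parses a hosts file, ignores comments and the normal localhost aliases, and reports every hostname mapped to a loopback or unspecified address, rating the hit "high" when the name belongs to one of the security-vendor domains listed above and "review" otherwise. The sample hosts file is constructed; the `intranet.example` and `devbox.example` entries are made up to show a legitimate mapping and a non-vendor sinkhole.

```python
# Added example, not part of the original advisory: find hosts-file entries that
# sinkhole security-vendor domains, as in step 7.
import ipaddress

# Constructed sample hosts file; vendor names are taken from the advisory's list.
SAMPLE_HOSTS = """# constructed for this example
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example   # legitimate local entry, must not be flagged
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 360safe.com
0.0.0.0 scan.kingsoft.com
127.0.0.1 devbox.example
"""

# Names that legitimately map to loopback.
LOCAL_ALIASES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Domain suffixes of the security products named in the advisory's hosts list.
VENDOR_SUFFIXES = ("kaspersky-labs.com", "rising.com.cn", "jiangmin.com", "kingsoft.com",
                   "360safe.com", "ikaka.com", "mmsk.cn", "qq.com")


def parse_hosts(text):
    """Return (line_no, ip_address, hostname) for each mapping, ignoring comments and junk."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping line
        for name in parts[1:]:
            entries.append((line_no, addr, name.lower()))
    return entries


def is_vendor(name):
    """True when the name is, or is a subdomain of, a listed security-vendor domain."""
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def sinkholed(text):
    """Return (line_no, name, address, severity) for names pointed at loopback/unspecified addresses."""
    hits = []
    for line_no, addr, name in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified) or name in LOCAL_ALIASES:
            continue
        severity = "high" if is_vendor(name) else "review"
        hits.append((line_no, name, str(addr), severity))
    return hits


if __name__ == "__main__":
    for hit in sinkholed(SAMPLE_HOSTS):
        print(*hit, sep="\t")
```

Mappings to 0.0.0.0 are treated the same as 127.0.0.1 because both prevent the real server from being reached; the line number is kept so the entry can be removed from the file after confirmation.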
8. Searches for windows whose titles contain any of the following strings and closes them:
防毒 (antivirus), 專殺 (dedicated removal tool), 病毒 (virus), 木馬 (Trojan), 註冊表 (registry)
9. Stops and disables the following security services:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
10. Terminates the following security-software processes:
PFW.exe, kav.exe, KVOL.exe, kvfw.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, ccapp.exe, KRegEx.exe, kavsvc.exe, VPTray.exe,
RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, mcagent.exe, KAVPLUS.exe, RavMonD.exe, rtvscan.exe,
nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, rfwmain.exe, KWATCHUI.exe, mcvsescn.exe, mskagent.exe, kvolself.exe, KVCenter.kxp,
kavstart.exe, ravtimer.exe, RRfwMain.exe, FireTray.exe, updaterui.exe, KVSrvXp_1.exe, RavService.exe
11. Deletes the following QQ files:
QLiveUpdate.exe, BDLiveUpdate.exe, QUpdateCenter.exe
12. Installs keyboard and mouse message hooks, looks for the QQ login window, logs keystrokes, and once it has obtained the user's password sends it to a designated mailbox through its own mail engine.
