Virus alias:
Processed: 2007-02-06
Threat level: ★
Chinese name:
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behaviour:
This is a Trojan that steals QQ account passwords.
1. Copies itself to the following paths:
%system%\severe.exe
%system%\jusodl.exe
%system%\drivers\pnvifj.exe
%system%\drivers\conime.exe
Drops a virus file at %system%\jusodl.dll
2. Creates the following virus files in the root directory of every drive: OSO.exe and autorun.inf. The autorun.inf launches the virus when the user double-clicks the drive letter.
3. Rewrites the hosts file so that the following security-vendor sites resolve to 127.0.0.1 and cannot be reached (the first entry, localhost, is the normal default line; the remaining entries block the update, registration and online-scan hosts of Chinese antivirus vendors and Kaspersky's download mirrors):
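The drive-root launcher described in step 2 depends on what autorun.inf tells Explorer to run. The page does not show the Trojan's autorun.inf, so the sample below is constructed; it uses the standard [AutoRun] keys (open=, shellexecute=, shell=verb and shell\verb\command=) that Explorer honoured on the affected Windows versions. This is an added example, not code from the original analysis: it parses an autorun.inf, lists every command that a double-click or AutoPlay may execute, and checks whether the referenced file is actually sitting in the drive root.

```python
"""Inspect autorun.inf files for the drive-root launcher pattern described above.

Added example, not code from the original analysis. SAMPLE_AUTORUN is a
constructed stand-in for the Trojan's file; only the OSO.exe name comes from
the page. The parser and scanner are generic.
"""
import os
import tempfile
from typing import Dict, List


def parse_autorun(text: str) -> Dict[str, str]:
    """Return lower-cased key -> value pairs from the [AutoRun] section only."""
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def launch_commands(keys: Dict[str, str]) -> List[str]:
    """Every command Explorer may run when the drive is opened or auto-played."""
    cmds: List[str] = []
    for k in ("open", "shellexecute"):
        if k in keys:
            cmds.append(keys[k])
    # shell=<verb> makes that verb the default action for a double-click on the
    # drive icon; shell\<verb>\command= supplies the command line for the verb.
    for k, v in keys.items():
        if k.startswith("shell\\") and k.endswith("\\command"):
            cmds.append(v)
    return cmds


def scan_drive_root(root: str) -> List[str]:
    """Report launch commands in <root>\\autorun.inf whose target exists in the root."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        keys = parse_autorun(fh.read())
    present = {n.lower() for n in os.listdir(root)}
    hits: List[str] = []
    for cmd in launch_commands(keys):
        # first token of the command line, directory stripped, e.g. OSO.exe -> oso.exe
        exe = cmd.strip('"').split()[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in present:
            hits.append(f"{cmd}  (file {exe} exists in {root})")
    return hits


SAMPLE_AUTORUN = """\
[AutoRun]
; constructed sample, not the Trojan's actual file
open=OSO.exe
shellexecute=OSO.exe
shell\\Auto\\command=OSO.exe
shell=Auto
"""


def demo() -> List[str]:
    """Build a fake drive root in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "OSO.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
        return scan_drive_root(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live machine, call scan_drive_root on each drive root (for example "C:\\", "D:\\", and any removable media); because the Trojan rewrites the SHOWALL registry value, the files will not be visible in Explorer, which is why the check lists the directory itself rather than relying on what the user can see.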
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-Us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
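A hosts-file block like the one above makes antivirus updates and online scans fail silently, so an "up to date" status on an infected box cannot be trusted until the file has been checked. The following scanner is an added example and not part of the original write-up: it parses a hosts file and reports every name other than the standard loopback names that is mapped to 127.0.0.1, 0.0.0.0 or ::1. SAMPLE_HOSTS is constructed from entries in the list above plus two ordinary lines; the vendor suffix list is only used to label hits and the detection does not depend on it.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains.

Added example, not part of the original write-up. SAMPLE_HOSTS below is
constructed from entries listed in the analysis above plus two ordinary
lines; the scanner itself is generic.
"""
from typing import Dict, List, Tuple

# Addresses malware uses to null-route a name.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}

# Domains this Trojan is documented to block (taken from the list above);
# used only to label hits, the detection does not depend on this list.
KNOWN_BLOCKED_SUFFIXES = ("mmsk.cn", "ikaka.com", "safe.qq.com", "360safe.com",
                          "kingsoft.com", "rising.com.cn", "jiangmin.com",
                          "kaspersky-labs.com")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping, comments stripped."""
    entries: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank, comment-only or malformed
        ip, names = parts[0], parts[1:]
        for name in names:                        # one line may alias several names
            entries.append((line_no, ip, name.lower()))
    return entries


def find_sinkholed_names(text: str) -> List[Dict[str, object]]:
    """Every non-loopback name that the file maps to a sinkhole address."""
    hits: List[Dict[str, object]] = []
    for line_no, ip, name in parse_hosts(text):
        if ip not in SINKHOLE_IPS or name in LEGIT_LOOPBACK_NAMES:
            continue
        known = any(name == s or name.endswith("." + s) for s in KNOWN_BLOCKED_SUFFIXES)
        hits.append({"line": line_no, "ip": ip, "host": name, "known_target": known})
    return hits


SAMPLE_HOSTS = """\
# Constructed sample mirroring the infected hosts file described above
127.0.0.1 localhost
127.0.0.1 mmsk.cn www.mmsk.cn
127.0.0.1 safe.qq.com
127.0.0.1 www.360safe.com
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-Us3.kaspersky-labs.com   # mixed case, as in the sample above
0.0.0.0   update7.jiangmin.com
127.0.0.1 intranet.example.test        # not on the vendor list, still suspicious
192.168.1.10 fileserver.example.test   # ordinary static mapping, ignored
"""

if __name__ == "__main__":
    for hit in find_sinkholed_names(SAMPLE_HOSTS):
        tag = "KNOWN AV TARGET" if hit["known_target"] else "unlisted"
        print(f"line {hit['line']:>3}: {hit['host']} -> {hit['ip']}  [{tag}]")
```

On the affected Windows versions the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it and pass the contents to find_sinkholed_names. Restoring it means deleting every reported line and keeping the localhost entry.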
4. Modifies the following registry entries so that it starts automatically at boot:
【HKLM\Software\Microsoft\Windows\CurrentVersion\Run】
"pnvifj"="C:\WINDOWS\system32\jusodl.exe"
【HKLM\Software\Microsoft\Windows\CurrentVersion\Run】
"jusodl"="C:\WINDOWS\system32\severe.exe"
【HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon】
"Shell"="Explorer.exe C:\WINDOWS\system32\drivers\conime.exe"
Modifies the following entry to hide the virus files (with CheckedValue set to 0, Explorer's "Show hidden files and folders" option no longer takes effect):
【HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall】
CheckedValue="0"
Modifies the following values so that launching any of these legitimate programs (antivirus and firewall tools, IceSword, SREng, msconfig, regedit and others) runs the virus file instead. A "Debugger" value under Image File Execution Options tells Windows to start the named program as the debugger for that image; the virus registers pnvifj.exe as the debugger for each tool it wants to block:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
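Steps 4 and the IFEO list above are the persistence and hijack footprint an analyst would look for in a registry export. The triage script below is an added example, not code from the original analysis: it parses a .reg export and reports every Image File Execution Options Debugger value, a Winlogon Shell that is anything other than explorer.exe, CheckedValue=0 under SHOWALL, any Run entry that launches an .exe out of a \drivers\ directory (which should only hold .sys files), and any Run entry whose value name re-uses the file name of another hijack file (the page's "pnvifj"=jusodl.exe and "jusodl"=severe.exe pattern). SAMPLE_EXPORT is constructed to mirror the entries documented on this page plus one benign Run entry; the checks themselves do not depend on the file names this Trojan happens to use.

```python
"""Triage a .reg export for the persistence and hijack entries listed above.

Added example, not code from the original analysis. SAMPLE_EXPORT is
constructed from the registry changes documented on this page; the
checks are generic.
"""
import re
from typing import Dict, List, Set, Tuple

RegTree = Dict[str, Dict[str, str]]      # normalized key path -> {value name -> data}
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user",
                "hku": "hkey_users", "hkcr": "hkey_classes_root"}


def normalize_key(key: str) -> str:
    """Lower-case a key path and expand HKLM/HKCU-style hive abbreviations."""
    hive, _, rest = key.strip("[]").partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    return hive + ("\\" + rest.lower() if rest else "")


def parse_reg_export(text: str) -> RegTree:
    """Minimal REG4/REG5 parser: quoted string and dword: data only."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line)
            tree.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else m.group(1)
        rhs = m.group(2).strip()
        if rhs.startswith('"') and rhs.endswith('"'):
            data = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")  # un-escape .reg string
        elif rhs.lower().startswith("dword:"):
            data = str(int(rhs[6:], 16))
        else:
            data = rhs                         # hex:/binary data is not needed here
        tree[current][name.lower()] = data
    return tree


IFEO = normalize_key(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options") + "\\"
WINLOGON = normalize_key(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
SHOWALL = normalize_key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL")
RUN_KEYS = {normalize_key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            normalize_key(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")}


def _stem(path: str) -> str:
    """File name without directory or extension, lower-cased: C:\\x\\Foo.exe -> foo."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def find_persistence_iocs(tree: RegTree) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for every suspicious entry."""
    findings: List[Tuple[str, str]] = []
    hostile_stems: Set[str] = set()          # files launched by IFEO / Shell hijacks
    for key, values in tree.items():
        if key.startswith(IFEO) and "debugger" in values:
            findings.append(("ifeo_hijack", f"{key[len(IFEO):]} -> {values['debugger']}"))
            hostile_stems.add(_stem(values["debugger"]))
        elif key == WINLOGON and "shell" in values:
            # Shell is a space-separated list; anything beyond explorer.exe is extra
            extra = [p for p in values["shell"].split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon_shell", values["shell"]))
                hostile_stems.update(_stem(p) for p in extra)
        elif key == SHOWALL and values.get("checkedvalue") == "0":
            findings.append(("hidden_files_forced_off", "SHOWALL\\CheckedValue = 0"))
    for key in tree:
        if key not in RUN_KEYS:
            continue
        run_stems = {n: _stem(c) for n, c in tree[key].items()}
        for name, cmd in tree[key].items():
            if re.search(r"\\drivers\\[^\\]+\.exe\b", cmd, re.IGNORECASE):
                findings.append(("run_exe_in_drivers_dir", f"{name} = {cmd}"))
            elif name in hostile_stems or name in {s for n, s in run_stems.items() if n != name}:
                findings.append(("run_name_reuses_hijack_file", f"{name} = {cmd}"))
    return findings


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
; Constructed export mirroring the entries documented on this page
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pnvifj"="C:\\WINDOWS\\system32\\jusodl.exe"
"jusodl"="C:\\WINDOWS\\system32\\severe.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\drivers\\conime.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\pnvifj.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\pnvifj.exe"
"""

if __name__ == "__main__":
    for category, detail in find_persistence_iocs(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{category:28} {detail}")
```

To obtain a real export, run reg export on each key of interest (for example reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg); reg.exe writes UTF-16 with a BOM, so open the file with encoding="utf-16" before passing the text to parse_reg_export. Note that an IFEO Debugger value also has legitimate uses (attaching a real debugger to a process), so each hit is something to review rather than automatically delete, though a debugger set on regedit.exe, msconfig.exe and a dozen antivirus tools pointing at one file in system32\drivers is not a legitimate configuration.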
5. Searches for windows whose title contains any of the following strings and closes them (the strings are Chinese and match the windows of typical antivirus, dedicated removal-tool and registry utilities):
防毒 (antivirus), 專殺 (dedicated removal tool), 病毒 (virus), 木馬 (Trojan), 註冊表 (registry).
Stops and disables the following services (srservice is System Restore and sharedaccess is Windows Firewall/Internet Connection Sharing; the rest belong to Jiangmin KV, Kaspersky and Rising products):
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
Terminates the following processes (mostly antivirus and firewall components, but also cmd.exe, net.exe, net1.exe and sc1.exe, which obstructs manual cleanup from the command line):
"cmd.exe"
"net.exe"
"sc1.exe"
"net1.exe"
"pfw.exe"
"kav.exe"
"KVOL.exe"
"kvfw.exe"
"adam.exe"
"qqav.exe"
"qqkav.exe"
"TBMon.exe"
"kav32.exe"
"kvwsc.exe"
"ccapp.exe"
"KRegEx.exe"
"kavsvc.exe"
"VPTray.exe"
"RAVMON.exe"
"EGHOST.exe"
"KavPFW.exe"
"SHSTAT.exe"
"RavTask.exe"
"TrojDie.kxp"
"Iparmor.exe"
"MAILMON.exe"
"mcagent.exe"
"KAVPLUS.exe"
"RavMonD.exe"
"rtvscan.exe"
"nvsvc32.exe"
"KVMonXP.exe"
"Kvsrvxp.exe"
"CCenter.exe"
"KpopMon.exe"
"rfwmain.exe"
"KWATCHUI.exe"
"mcvsescn.exe"
"mskagent.exe"
"kvolself.exe"
"KVCenter.kxp"
"kavstart.exe"
"ravtimer.exe"
"RRfwMain.exe"
"FireTray.exe"
"updaterui.exe"
"KVSrvXp_1.exe"
"RavService.exe"
7. Looks for the QQ login window, logs keystrokes, and once it has captured the user's password sends it out through its own built-in mail engine.