Win32.Troj.QQPass.nw

Virus name: "QQ Thief" variant NW (Win32.Troj.QQPass.nw). Threat level: one star. It is a Trojan-type virus and affects Win 9x/ME, Win 2000/NT, Win XP and Win 2003. To cover itself, the virus shuts down the monitoring processes of a large number of antivirus products; it also captures the QQ user's login window and sends the stolen information by e-mail to whoever planted the Trojan. Once run, it drops several virus files such as severe.exe and modifies the registry; it further searches for and closes windows whose titles contain strings such as "antivirus", "removal tool" or "Trojan", and terminates the protection processes of several antivirus products.

Virus overview

Virus alias:
Processed: 2007-02-06
Threat level: ★
Chinese name:
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Virus behaviour

This is a Trojan that steals QQ account passwords.
1. Copies itself to the following paths:
%system%\severe.exe
%system%\jusodl.exe
%system%\drivers\pnvifj.exe
%system%\drivers\conime.exe
and drops a virus file to %system%\jusodl.dll
2. Creates the following virus files in the root directory of every drive; the virus is activated when the user double-clicks the drive letter:
OSO.exe, autorun.inf
3. Rewrites the hosts file to block the following security websites:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-Us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
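As an added defender-side example (not part of this entry and not any vendor's tool), the following Python script parses a hosts file and flags lines that point a security-vendor domain at a loopback or unspecified address, which is exactly the effect of the rewrite in step 3. The sample hosts text, the vendor suffix list and all function names are constructed for this example; a real check would read %SystemRoot%\System32\drivers\etc\hosts and extend the suffix list with the vendors actually in use.

```python
"""Audit a Windows hosts file for entries that sinkhole security-vendor
update and download domains to loopback.

Hypothetical checker written for this page, not a vendor tool. The hosts
text below is a constructed sample that mirrors the entries in step 3."""
import ipaddress
import re

# Constructed sample: one legitimate localhost line followed by lines an
# infected machine would carry, plus an unrelated ad-block line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 safe.qq.com
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
0.0.0.0   ad.example.invalid   # unrelated block, not a vendor domain
"""

# Names that legitimately resolve to loopback and must not be flagged.
LEGITIMATE_LOOPBACK = {"localhost", "localhost.localdomain"}

# Domain suffixes taken from the sinkhole list in step 3 (constructed
# subset); a defender would extend this with the vendors on their estate.
VENDOR_SUFFIXES = (
    "kaspersky-labs.com", "rising.com.cn", "jiangmin.com", "kingsoft.com",
    "360safe.com", "ikaka.com", "mmsk.cn", "safe.qq.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (# ...) are stripped; one line may map several names."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            yield ip, name.lower(), line_no


def is_vendor_domain(name):
    """True when the name is, or is a subdomain of, a listed vendor domain."""
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def find_sinkholed_entries(text):
    """Return hosts lines that point a security-vendor domain at a loopback
    or unspecified address, i.e. entries that would block AV updates."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in LEGITIMATE_LOOPBACK:
            continue
        if (addr.is_loopback or addr.is_unspecified) and is_vendor_domain(name):
            findings.append({"line": line_no, "ip": ip, "host": name})
    return findings


if __name__ == "__main__":
    for f in find_sinkholed_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

Matching on domain suffixes rather than on the exact list above means the checker also catches mirrors the entry does not list (dnl-eu10 and any future dnl-xx host), while the explicit loopback allow-list keeps the normal localhost line from being reported.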
4. Modifies the following registry entries so that it starts automatically at boot:
【HKLM\Software\Microsoft\Windows\CurrentVersion\Run】
"pnvifj"="C:\WINDOWS\system32\jusodl.exe"
【HKLM\Software\Microsoft\Windows\CurrentVersion\Run】
"jusodl"="C:\WINDOWS\system32\severe.exe"
【HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon】
"Shell"="Explorer.exe C:\WINDOWS\system32\drivers\conime.exe"
Modifies the following entry to hide the virus files:
【HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall】
CheckedValue="0"
Modifies the following values so that the execution path of legitimate programs points to the virus file:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvmonxp.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
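As an added example, not code from this entry or from any vendor, the following Python script audits a registry export (.reg text) of the keys named in step 4 and reports the four patterns described there: a Debugger value under Image File Execution Options, Run entries pointing at the dropped file names or at an .exe under a drivers directory, a Winlogon Shell value that is anything other than Explorer.exe, and SHOWALL CheckedValue set to 0. The sample export, the constant names and the function names are constructed for this example; on a live system the same keys would be exported with reg export and decoded from UTF-16 before being passed in.

```python
"""Audit a .reg export for the persistence and hijack patterns in step 4.

Hypothetical helper written for this page, not a vendor tool. It parses
the text form of a registry export and reports IFEO Debugger hijacks,
suspicious Run entries, a tampered Winlogon Shell and the SHOWALL flag."""

# Constructed sample export. A real `reg export` file is UTF-16LE with a
# BOM and must be decoded to str before being passed to parse_reg_export().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"pnvifj"="C:\\WINDOWS\\system32\\jusodl.exe"
"jusodl"="C:\\WINDOWS\\system32\\severe.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\pnvifj.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
"""

HKLM = "HKEY_LOCAL_MACHINE\\"
IFEO = HKLM + "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
RUN_KEYS = {(HKLM + "Software\\Microsoft\\Windows\\CurrentVersion\\Run").lower()}
WINLOGON = (HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon").lower()
SHOWALL = (HKLM + "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
           "\\Advanced\\Folder\\Hidden\\SHOWALL").lower()

# File names this variant drops, taken from the entry above. conime.exe is
# left out because a legitimate conime.exe lives in system32; the copy in
# the drivers directory is caught by the "exe under drivers" rule instead.
DROPPED_NAMES = {"severe.exe", "jusodl.exe", "pnvifj.exe"}


def _decode_value(raw):
    """Decode a .reg value: quoted strings (backslash and quote escapes
    unescaped) and dword:XXXXXXXX; anything else is returned untouched."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a decoded .reg export."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode_value(value)
    return keys


def _get(values, wanted):
    """Case-insensitive lookup; registry value names are not case-sensitive."""
    return next((v for n, v in values.items() if n.lower() == wanted.lower()), None)


def suspicious_path(path):
    """True for a known dropped name or for any .exe under a drivers
    directory, where only .sys files are expected."""
    p = path.lower().replace("/", "\\")
    base = p.rsplit("\\", 1)[-1]
    return base in DROPPED_NAMES or ("\\drivers\\" in p and base.endswith(".exe"))


def audit_persistence(keys):
    """Return (kind, subject, value) findings for the patterns in step 4."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(IFEO.lower()):
            # Any Debugger under IFEO redirects that program; review each one.
            debugger = _get(values, "Debugger")
            if debugger is not None:
                findings.append(("ifeo-debugger", key.rsplit("\\", 1)[-1], debugger))
        elif k in RUN_KEYS:
            for name, path in values.items():
                if isinstance(path, str) and suspicious_path(path):
                    findings.append(("run-key", name, path))
        elif k == WINLOGON:
            shell = _get(values, "Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", "Shell", shell))
        elif k == SHOWALL and _get(values, "CheckedValue") in (0, "0"):
            findings.append(("hidden-files", "CheckedValue", 0))
    return findings


if __name__ == "__main__":
    for kind, subject, value in audit_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:15} {subject:12} {value}")
```

The IFEO rule reports every Debugger value rather than only the names listed in the entry, because the hijack works against any program name and legitimate Debugger entries (developer tooling) are rare enough to review by hand; the Winlogon check likewise compares the whole Shell value against the single expected token instead of looking for a specific appended path.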
5. Searches for windows whose titles contain the following strings and closes any it finds:
antivirus, removal tool, virus, Trojan, registry.
Stops and disables the following security services:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
Terminates the following security processes:
"cmd.exe"
"net.exe"
"sc1.exe"
"net1.exe"
"pfw.exe"
"kav.exe"
"KVOL.exe"
"kvfw.exe"
"adam.exe"
"qqav.exe"
"qqkav.exe"
"TBMon.exe"
"kav32.exe"
"kvwsc.exe"
"ccapp.exe"
"KRegEx.exe"
"kavsvc.exe"
"VPTray.exe"
"RAVMON.exe"
"EGHOST.exe"
"KavPFW.exe"
"SHSTAT.exe"
"RavTask.exe"
"TrojDie.kxp"
"Iparmor.exe"
"MAILMON.exe"
"mcagent.exe"
"KAVPLUS.exe"
"RavMonD.exe"
"rtvscan.exe"
"nvsvc32.exe"
"KVMonXP.exe"
"Kvsrvxp.exe"
"CCenter.exe"
"KpopMon.exe"
"rfwmain.exe"
"KWATCHUI.exe"
"mcvsescn.exe"
"mskagent.exe"
"kvolself.exe"
"KVCenter.kxp"
"kavstart.exe"
"ravtimer.exe"
"RRfwMain.exe"
"FireTray.exe"
"updaterui.exe"
"KVSrvXp_1.exe"
"RavService.exe"
7. Looks for the QQ login window, logs keystrokes, and once it has obtained the user's password sends it out through its own mail engine.
