Adware/Slagent is a Trojan written in VC++ and packed with UPX. It attempts to kill a range of anti-virus processes and can download an updated copy of itself from a specific URL.
Basic information
- Chinese name: Adware/Slagent
- Virus type: Trojan
- Virus length: 17,408 bytes
- Affected platforms: Win9X/2000/XP/NT/Me/2003
Propagation process and characteristics:
1. Drops the following files:
%Windir%\Navpmc\Uninstall.exe
%Windir%\Navpmc\Navpmc.exe
%Windir%\Navpmc\2_info_persist
%Windir%\Navpmc\2_navpmc.dll
2. Modifies the registry:
Adds the following values:
"cpntmgc" = "%windows%\navpmc\navpmc.exe"
"MC" = ""
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds the following values:
"UninstallString" = "%windows%\navpmc\navpmc.exe"
"DisplayName" = "navpmc"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\UnInstall
Adds the following subkeys:
HKEY_CLASSES_ROOT\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MagicControl.MagicComponent.1
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MagicControl.MagicComponent
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{D7A82A12-05F5-42D8-B30D-6EF995075D2D}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{6D3F48F4-B40A-4C3F-A95C-85E23C3A8A91}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}
3. Checks whether it can connect to a specified site and download content from it.
4. Attempts to terminate the following processes:
Symproxysvc.exe
Smc.exe
Persfw.exe
Agentw.exe
Zonealarm.exe
Blackice.exe
Note: %Windir% is a variable, usually C:\Windows or C:\Winnt;
%System% is a variable, usually C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), or
C:\Windows\System32 (Windows XP).
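The following PowerShell script is an added example and is not part of the original entry. It performs a read-only check of a host for the indicators listed above (dropped files, Run values, the fake uninstall entry, the COM/TypeLib subkeys, a live navpmc.exe process) and reports what it finds without deleting anything. All file paths, registry names, GUIDs and process names are taken from the entry; the script layout, variable names and report format are assumptions of this example. Run it from an elevated PowerShell prompt on the machine being inspected.

```powershell
# Added example, not part of the original entry: read-only check for the
# Adware/Slagent indicators listed above. Indicator values come from the entry;
# the script structure and report wording are this example's own assumptions.

$windir = $env:windir   # resolves the %Windir% / %windows% variable used in the entry

# 1. Files the Trojan drops
$droppedFiles = @(
    "$windir\Navpmc\Uninstall.exe",
    "$windir\Navpmc\Navpmc.exe",
    "$windir\Navpmc\2_info_persist",
    "$windir\Navpmc\2_navpmc.dll"
)

# 2. Registry persistence: Run values, uninstall entry, COM/TypeLib subkeys
$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues    = @('cpntmgc', 'MC')
$uninstallKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\UnInstall'
$subKeys = @(
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MagicControl.MagicComponent.1',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MagicControl.MagicComponent',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{D7A82A12-05F5-42D8-B30D-6EF995075D2D}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{6D3F48F4-B40A-4C3F-A95C-85E23C3A8A91}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}'
)

# 4. Security processes the Trojan tries to terminate (process names without .exe)
$protectedProcs = @('Symproxysvc', 'Smc', 'Persfw', 'Agentw', 'Zonealarm', 'Blackice')

$findings = New-Object System.Collections.Generic.List[string]

# Dropped files
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings.Add("Dropped file present: $path")
    }
}

# Run key values
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues) {
    if ($run -and ($run.PSObject.Properties.Name -contains $name)) {
        $findings.Add("Run value '$name' = '$($run.$name)'")
    }
}

# Uninstall entry pointing back at navpmc.exe
$uninst = Get-ItemProperty -LiteralPath $uninstallKey -ErrorAction SilentlyContinue
if ($uninst -and ($uninst.PSObject.Properties.Name -contains 'DisplayName') -and ($uninst.DisplayName -eq 'navpmc')) {
    $findings.Add("Uninstall entry 'navpmc' -> '$($uninst.UninstallString)'")
}

# COM / TypeLib subkeys
foreach ($key in $subKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("Registry subkey present: $key")
    }
}

# A live navpmc.exe process is the strongest sign of an active infection
if (Get-Process -Name 'navpmc' -ErrorAction SilentlyContinue) {
    $findings.Add('Process navpmc.exe is running')
}

# Security tools that are not running are only informational: they may not be installed
$notRunning = $protectedProcs | Where-Object { -not (Get-Process -Name $_ -ErrorAction SilentlyContinue) }

if ($findings.Count -eq 0) {
    Write-Output 'No Adware/Slagent indicators found.'
} else {
    Write-Output 'Adware/Slagent indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
if ($notRunning) {
    Write-Output ('Targeted security processes not running (verify whether they should be): ' + ($notRunning -join ', '))
}
```

The script only reads: it uses Test-Path and Get-ItemProperty rather than removing files or values, so it can be run as a triage step before any cleanup, and its output can be kept as a record of what was present on the host. Registry paths use the Registry:: provider prefix so the HKEY_CLASSES_ROOT keys can be checked without first creating an HKCR: drive.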