Overview
Behavior
When Downloader.Admincash runs, it performs the following actions:
Creates the following mutexes so that only one copy of the trojan runs at a time:
BeavisMutex
ButtheadMutex
Copies itself to %System%\soft.exe and %System%\[random file name].exe
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
Adds the value:
"Web Service" = "%System%\[random file name].exe"
to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run
so that the randomly named copy is started each time Windows starts.
Adds the value:
"run" = "%System%\soft.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
The "run" value under this key is a legacy autostart location (the registry mapping of the run= line of win.ini) that is processed at user logon, so it gives the trojan a second startup path in addition to the Run key above.
Adds the value:
"DisableSR" = "0x00000001"
to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
which disables System Restore, so the infection cannot be undone by rolling the system back to an earlier restore point.
Adds the value:
"EnableFirewall" = "0x00000001"
to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
in an attempt to disable the Windows Firewall.
Note: in these policy keys, EnableFirewall = 1 turns the firewall on and EnableFirewall = 0 turns it off, so the value quoted above does not match the stated effect. When triaging a host, record whatever data is actually present under these keys rather than assuming either value.
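The indicators above (mutex names, dropped file, registry values and keys) can be checked on a live host in one pass. The following PowerShell script is an added example written for this page; it is not part of the original writeup or any vendor tool. It assumes PowerShell 5.1 or later and an elevated prompt (so that the HKLM policy keys and the System folder are readable), resolves %System% through the .NET Environment class, and probes the mutexes with the .NET Mutex class rather than a dedicated tool. The registry checks deliberately report whatever value is present for EnableFirewall instead of assuming the value quoted in the writeup.

```powershell
# Added triage script (editor-supplied example, not from the original writeup or
# any vendor tool): checks a live Windows host for the Downloader.Admincash
# indicators listed above. Assumes PowerShell 5.1 or later; run from an elevated
# prompt so the HKLM policy keys and %System% are readable.

$hits = New-Object 'System.Collections.Generic.List[string]'
$systemDir = [Environment]::GetFolderPath('System')   # resolves %System% on this host

# 1. Mutexes. OpenExisting succeeds only if some process currently holds a mutex
#    with that name; an access-denied error also proves the name exists.
foreach ($name in 'BeavisMutex', 'ButtheadMutex') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $hits.Add("mutex present: $name")
    } catch [System.UnauthorizedAccessException] {
        $hits.Add("mutex present (access denied): $name")
    } catch {
        # WaitHandleCannotBeOpenedException: no such mutex, which is the clean case
    }
}

# 2. Dropped file. The second copy has a random name, so it is located through the
#    registry values that point at it (step 3) rather than by file name.
$softExe = Join-Path $systemDir 'soft.exe'
if (Test-Path -LiteralPath $softExe) { $hits.Add("file present: $softExe") }

# 3. Registry values. Each entry names the subkey (checked under both HKLM and
#    HKCU), the value name, and a test on the data that decides whether to flag it.
$checks = @(
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Web Service';
       Test = { param($d) $true };           Why = 'Run-key persistence' }
    @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'run';
       Test = { param($d) "$d" -ne '' };    Why = 'legacy win.ini-style run value' }
    @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'DisableSR';
       Test = { param($d) $d -eq 1 };       Why = 'System Restore disabled' }
    @{ Key = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'; Name = 'EnableFirewall';
       Test = { param($d) $true };           Why = 'firewall policy set (0 = off, 1 = on)' }
    @{ Key = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';
       Test = { param($d) $true };           Why = 'firewall policy set (0 = off, 1 = on)' }
)
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($c in $checks) {
        $path = "${hive}:\$($c.Key)"
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # registry value names are case-insensitive, so match them that way
        $prop = $props.PSObject.Properties | Where-Object { $_.Name -ieq $c.Name } | Select-Object -First 1
        if ($null -ne $prop -and (& $c.Test $prop.Value)) {
            $hits.Add("$path\$($c.Name) = $($prop.Value)  [$($c.Why)]")
        }
    }
}

# 4. Active Setup component. Windows records a per-user entry under HKCU for any
#    component whose StubPath has already run, so existence alone is not conclusive;
#    the StubPath (if any) is printed so an analyst can judge what it launches.
$asKey = 'SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}'
foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\$asKey"
    if (Test-Path -LiteralPath $path) {
        $stub = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).StubPath
        $hits.Add("Active Setup key present: $path (StubPath='$stub') - review")
    }
}

if ($hits.Count -eq 0) { 'No Downloader.Admincash indicators found.' } else { $hits }
```

A mutex hit means a copy is running right now; the registry and Active Setup hits mean a copy will be started again at the next logon. Stop the process that holds the mutex before deleting the values and files, since a running copy may simply recreate them, and re-run the script after a reboot to confirm that none of the startup paths brought it back.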