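Trojan/Startpage.fi modifies the registry and overwrites the Hosts file, and is usually downloaded and executed by another trojan. It is in fact a DLL file registered with regsvr32.exe, rundll32.exe, or another program.
Basic introduction
- Software name: Trojan/Startpage.fi
- Software size: 90,112 bytes
- Virus type: Trojan
- Affected platforms: Win9X/2000/XP/NT/Me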
Basic information
Trojan/Startpage.fi
Severity level: *
Propagation process
1. Using the text content:
127.0.0.1 localhost
it overwrites the Hosts files:
%Windir%\Hosts
%Windir%System\Drivers\Etc\Hosts
2. Modifies the registry:
/Adds the value: "Host"=""
to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/Adds the subkeys:
HKEY_CLASSES_ROOT\DP.MIMEFilter
HKEY_CLASSES_ROOT\DP.MIMEFilter.1
HKEY_CLASSES_ROOT\CLSID\{657F70CB-580A-412A-B71F-AA29DBEAC0C3}
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\TypeLib\{5B71F990-53CD-4832-8CA2-36EA2D70B871}
/Deletes the subkeys:
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVErsion\Explorer\Browser Helper Objects
/Modifies the values under: HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
"(Default)"="DP.MIMEFilter"
"CLSID"="{657F70CB-580A-412A-B71F-AA29DBEAC0C3}"
/Modifies the values under: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"SearchAssistant" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"CustomizeSearch" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/Modifies the values under: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Default_Search_URL" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Search Bar" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Start Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/"
"Search Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/Modifies the values under: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/Modifies the values under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/Modifies the values under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/Modifies the values under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Bar" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Default_Search_URL" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Search Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Start Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/"
/Modifies the values under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"SearchAssistant" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"CustomizeSearch" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/Modifies the values under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"(Default)" = "http://%65%68%74%74%70%2E%63%63/?"
/Modifies the values under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
"www" = "http://%65%68%74%74%70%2E%63%63/?"
Note: %Windir% is a variable, usually C:\Windows or C:\Winnt;
%System% is a variable, usually C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), or
C:\Windows\System32 (Windows XP).
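
The URL values listed under the Internet Explorer and URL prefix keys above are percent-encoded, and most carry a decoy name before the `@`, which URL syntax treats as userinfo rather than as the host. The following added example (not part of the original write-up) decodes such a value and reports the host it really points to; the function name `analyze_url_value`, its result keys and the `www.example.com` comparison value are assumptions introduced here.

```python
import re
from urllib.parse import unquote

# Values copied from the registry listing on this page.
START_PAGE = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/"
DEFAULT_PREFIX = "http://%65%68%74%74%70%2E%63%63/?"
# Constructed benign value for comparison (assumption, not from the page).
BENIGN = "http://www.example.com/"


def analyze_url_value(value):
    """Decode a URL registry value and report the host it really points to."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        raise ValueError("not an absolute URL: %r" % value)
    # The authority ends at the first '/', '?' or '#'.
    authority, tail = re.match(r"([^/?#]*)(.*)", rest, re.S).groups()
    # Text before the last '@' is userinfo (a decoy here), never the host.
    userinfo, at, hostport = authority.rpartition("@")
    decoy = unquote(userinfo)
    findings = []
    if "%" in hostport:
        findings.append("percent-encoded host")
    if at:
        findings.append("userinfo before '@'")
    if "\x00" in decoy:
        findings.append("NUL byte in userinfo")
    return {
        "scheme": scheme.lower(),
        "decoy": decoy,
        "host": unquote(hostport).lower(),
        "tail": unquote(tail),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, value in [("Start Page", START_PAGE),
                        ("DefaultPrefix", DEFAULT_PREFIX),
                        ("benign", BENIGN)]:
        r = analyze_url_value(value)
        print("%-13s host=%s decoy=%r flags=%s"
              % (name, r["host"], r["decoy"], r["findings"]))
```
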