Once run, this trojan drops copies of itself into several directories, adds multiple registry autostart entries, and modifies Image File Execution Options (IFEO) mappings so that the trojan body is launched in place of other programs. The body then connects to the network and downloads further malware to run on the machine, mostly online-game credential stealers. Because so many IFEO mappings are changed, the affected applications (chiefly security tools) may no longer start. The trojan can also spread through removable storage.
Basic information
- Chinese name: 盜竊者 ("Thief")
- Detection name: Trojan-PSW.Win32.OnLineGames.uw
- Type: Trojan (password stealer)
- File MD5: 48dfe0f0633d321670dfdecb144673e7
- Disclosure: fully public
- Threat level: 4
- File size: 41,343 bytes packed, 200,704 bytes unpacked
- Affected systems: Windows 9x and later
- Compiler: Microsoft Visual C++ 6.0
- Packer: NsPacK V3.7 -> LiuXingPing [Overlay]
Behavior analysis
1. Drops the following copies and files:
%Program Files%\bxiedby.inf
%Program Files%\meex.exe
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\mppds.exe
%WinDir%\upxdnd.exe
%System32%\5E15.dll
%System32%\10J20.dll
%System32%\cmdbcs.dll
%System32%\Kvsc3.dll
%System32%\mppds.dll
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\nwizwmgjs.dll
%System32%\nwizwmgjs.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%Program Files%\Common Files\Microsoft Shared\irijjmn.exe
%Program Files%\Common Files\System\ccqwyxt.exe
2. Creates the following Image File Execution Options (IFEO) Debugger values. When a program whose image name matches one of these subkeys is started, Windows launches the Debugger image instead and hands it the original command line, so the security tool never runs and the trojan body is executed in its place:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360Safe.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360tray.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\adam.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AgentSvr.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AppSvc32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\ArSwp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AST.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\autoruns.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avconsol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avgrssvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AvMonitor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\CCenter.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\ccSvcHst.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\EGHOST.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FileDsty.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FTCleanerShell.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FYFireWall.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\HijackThis.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\IceSword.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\iparmo.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Iparmor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\isPwdSvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kabaload.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KaScrScn.SCR\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KASMain.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KASTask.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAV32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVDX.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVPF.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVPFW.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVSetup.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVStart.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KISLnchr.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KMailMon.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KMFilter.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFW32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFW32X.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPfwSvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRegEx.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRepair\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KsLoader.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVCenter.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvDetect.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvfwMcl.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP_1.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvolself.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvReport.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVScan.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVSrvXP.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVStub.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvupload.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvwsc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP_1.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatch.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatch9x.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatchX.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\loaddll.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MagicSet.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mcconsol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmqczj.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmsk.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Navapsvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Navapw32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32krn.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32kui.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\NPFMntor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFW.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFWLiveUpdate.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QHSET.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QQDoctor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QQKav.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Ras.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rav.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMon.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMonD.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavStub.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavTask.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RegClean.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwcfg.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwmain.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwsrv.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RsAgent.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rsaupd.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\runiep.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\safelive.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\scan32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\shcfg32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SmartUp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SREng.EXE\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\symlcsvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SysSafe.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojanDetector.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Trojanwall.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojDie.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UIHost.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxAgent.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxAttachment.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxCfg.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxFwHlp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxPol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\upiea.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UpLive.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\USBCleaner.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\vsstat.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\webscanx.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\WoptiClean.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
3. Creates the following autostart entries (a service whose DLL is hosted by rundll32.exe, plus Run values):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\Description
Value: String: " 允許 Administrators 組的成員進行遠程調試。 " (i.e. "Allows members of the Administrators group to debug remotely", imitating a legitimate service description)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe RemoteDbg.dll,input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bxiedby
Value: String: "%Program Files%\Common Files\System\ccqwyxt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "%WinDir%\cmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc3
Value: String: "%WinDir%\Kvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mppds
Value: String: "%WinDir%\mppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oatrfhf
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd
Value: String: "%WinDir%\upxdnd.exe"
4. Modifies the following registry values. The Prefetcher counters change simply because programs were executed; the remaining changes disable the Help and Support service (helpsvc), the Windows Firewall/Internet Connection Sharing service (SharedAccess) and Automatic Updates (wuauserv) by setting Start to 4 (Disabled), and clear SHOWALL\CheckedValue so that Explorer's "Show hidden files and folders" option cannot reveal the dropped files:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\LastTraceFailure
New: DWORD: 4 (0x4)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesProcessed
New: DWORD: 50 (0x32)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesSuccessful
New: DWORD: 49 (0x31)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
5. Deletes the following registry keys. {4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive device class; removing it from the SafeBoot\Minimal and SafeBoot\Network lists stops the system from booting into Safe Mode, so the machine cannot be cleaned from there:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
6. Connects to the following server addresses to download further malware and run it on the machine:
(5*.5*.5*.9*)qq.5*0*f/81/11.exe
qq.5*0*f/*j/yj*6*9.txt (read to obtain the address of the virus update)
www.5*60*.cn/xzz/xxxxxxxx.exe
Note: %System% is a variable path. The virus determines the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me and C:\Windows\System32 on Windows XP.
Removal
1. Use 安天木馬防線 (Antiy's anti-trojan tool) to remove this virus completely (recommended).
2. For manual removal, delete the files and restore the system settings listed in the behavior analysis. Because the IFEO entries match on the image file name, any security or diagnostic tool whose name appears in item 2 (including HijackThis, IceSword, SREng and autoruns) will be redirected to the trojan; rename the tool's executable before running it.
(1) Disconnect from the network and use 安天木馬防線 to terminate the virus processes:
ccqwyxt.exe
irijjmn.exe
(2) Delete the dropped files:
%Program Files%\bxiedby.inf
%Program Files%\meex.exe
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\mppds.exe
%WinDir%\upxdnd.exe
%System32%\5E15.dll
%System32%\10J20.dll
%System32%\cmdbcs.dll
%System32%\Kvsc3.dll
%System32%\mppds.dll
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\nwizwmgjs.dll
%System32%\nwizwmgjs.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%Program Files%\Common Files\Microsoft Shared\irijjmn.exe
%Program Files%\Common Files\System\ccqwyxt.exe
(3) Delete the following registry values (stop the RemoteDbg service before removing its key, or the rundll32.exe host will keep running):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\Description
Value: String: " 允許 Administrators 組的成員進行遠程調試。 " ("Allows members of the Administrators group to debug remotely")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe RemoteDbg.dll,input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\bxiedby
Value: String: "%Program Files%\Common Files\System\ccqwyxt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\cmdbcs
Value: String: "%WinDir%\cmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Kvsc3
Value: String: "%WinDir%\Kvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\mppds
Value: String: "%WinDir%\mppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\oatrfhf
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\upxdnd
Value: String: "%WinDir%\upxdnd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\<program name>\Debugger
(the Debugger value under each of the subkeys listed in item 2 of the behavior analysis; delete only those values, not the Image File Execution Options key itself, since legitimate entries may exist under it)
(4) Restore the modified registry values to their original ("Old") settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\LastTraceFailure
New: DWORD: 4 (0x4)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesProcessed
New: DWORD: 50 (0x32)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesSuccessful
New: DWORD: 49 (0x31)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\
Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
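The following Python script is an added example and not part of the Antiy analysis. It automates the triage behind items 2 to 5 of the behavior analysis and the registry part of manual removal steps (3) and (4): it reads a regedit export (.reg), so the SOFTWARE and SYSTEM hives can be exported from the infected machine (or a mounted image) and examined offline, reports IFEO Debugger values that do not point at a real debugger, Run entries that share the hijacker's image or sit directly under the Windows directory, services hosted by rundll32.exe, the disabled services and missing SafeBoot DiskDrive keys, and writes a .reg undo file that reverses each finding. The export embedded at the bottom is constructed for illustration; the list of known debuggers, the "dropped directly under %WinDir%" heuristic for Run entries and the default Start values (taken from the "Old" values above) are the script's own assumptions.

```python
"""Offline triage of a regedit export for what this sample does to the registry (IFEO Debugger
hijacks, Run entries, a rundll32 service, disabled services, deleted SafeBoot DiskDrive keys)
plus an undo .reg. Added example, not Antiy's tool; the export at the bottom is constructed."""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"                    # DiskDrive device class
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "vsjitdebugger"}              # assumption: any other Debugger is reported
SERVICE_DEFAULTS = {"wuauserv": 2, "sharedaccess": 3, "helpsvc": 2}      # the "Old" Start values above

def parse_reg(text):
    """{key: {value_name: (type, value)}} from .reg text (real exports: open(path, encoding="utf-16")).
    Handles "string", dword: and hex(2) (REG_EXPAND_SZ as UTF-16LE); other value types are skipped."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)              # join hex continuation lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line[:1] in '"@' and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if raw.startswith('"'):
                keys[cur][name] = ("REG_SZ", raw[1:-1].replace("\\\\", "\\"))
            elif raw.startswith("dword:"):
                keys[cur][name] = ("REG_DWORD", int(raw[6:], 16))
            elif raw.startswith("hex(2):"):
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
                keys[cur][name] = ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
    return keys

def exe_parts(cmd):
    """Lower-cased path parts of the executable: quoted path, else shortest prefix ending in .exe, else first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)(?=\s|$)', cmd, re.I)
    exe = (m.group(1) or m.group(2)) if m else (cmd.split() or [""])[0]
    return [p.lower() for p in re.split(r"[\\/]", exe)]

def triage(keys):
    """(category, key, value_name, fix) per finding; fix is what undo_reg writes back (None: delete)."""
    low = {k.lower(): k for k in keys}
    found, hijackers = [], set()
    for key, vals in keys.items():                           # IFEO Debugger that is not a real debugger
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in vals:
            img = exe_parts(vals["Debugger"][1])[-1]
            if re.sub(r"\.exe$", "", img) not in KNOWN_DEBUGGERS:
                found.append(("ifeo_hijack", key, "Debugger", None))
                hijackers.add(img)
    for name, (_, cmd) in keys.get(low.get(RUN.lower()), {}).items():   # Run: hijacker image or %WinDir% root
        parts = exe_parts(cmd)
        if parts[-1] in hijackers or (len(parts) > 1 and parts[-2] in ("windows", "winnt")):
            found.append(("run_suspect", low[RUN.lower()], name, None))
    for key, vals in keys.items():                           # services: disabled, or hosted by rundll32
        svc = key[len(SERVICES) + 1:]
        if key.lower().startswith(SERVICES.lower() + "\\") and "\\" not in svc:
            if vals.get("Start", (0, 0))[1] == 4 and svc.lower() in SERVICE_DEFAULTS:
                found.append(("service_disabled", key, "Start", SERVICE_DEFAULTS[svc.lower()]))
            if exe_parts(vals.get("ImagePath", (0, ""))[1])[-1] == "rundll32.exe":
                found.append(("rundll32_service", key, None, None))
    for mode in ("Minimal", "Network"):                      # without the DiskDrive class, safe mode cannot boot
        key = f"{SAFEBOOT}\\{mode}\\{DISK_CLASS}"
        if key.lower() not in low:
            found.append(("safeboot_missing", key, "", "DiskDrive"))
    return found

def undo_reg(findings):
    """A .reg file reversing the findings; kill the dropped processes first, review, then import."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for cat, key, name, fix in findings:
        if cat == "rundll32_service":
            out += [f"[-{key}]", ""]                              # leading '-' deletes the key
        elif fix is None:
            out += [f"[{key}]", f'"{name}"=-', ""]                # '=-' deletes the value
        elif isinstance(fix, int):
            out += [f"[{key}]", f'"{name}"=dword:{fix:08x}', ""]
        else:
            out += [f"[{key}]", ("@" if name == "" else f'"{name}"') + f'="{fix}"', ""]
    return "\n".join(out) + "\n"

def hex2(s):                                                 # REG_EXPAND_SZ as regedit exports it
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))

# Constructed export (not a capture): one hijack, this sample's Run entries, its service, one SafeBoot key left.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\irijjmn.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oatrfhf"="C:\\Program Files\\Common Files\\Microsoft Shared\\irijjmn.exe"
"cmdbcs"="C:\\WINDOWS\\cmdbcs.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg]
"ImagePath"=__IMAGEPATH__
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
'''.replace("__IMAGEPATH__", hex2(r"%WinDir%\System32\rundll32.exe RemoteDbg.dll,input"))

if __name__ == "__main__":
    print(undo_reg(triage(parse_reg(SAMPLE_REG))))
```

Against a real export, call parse_reg(open(path, encoding="utf-16").read()), since regedit writes .reg files as UTF-16 with a BOM. Terminate ccqwyxt.exe and irijjmn.exe and stop the RemoteDbg service before importing the undo file, otherwise the values are re-created; review the generated file first. Only Debugger values whose image is not a known debugger are removed, so a legitimate "ntsd -d" entry is left alone, and the dropped files still have to be deleted by hand as in step (2).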