Basic information
- Chinese name: QQ account and password stealer
- Foreign name: Trojan-PSW.Win32.QQPass.uw
- Virus type: Trojan
- Disclosure scope: fully public
Name
Virus name: Trojan-PSW.Win32.QQPass.uw
Chinese name: QQ account and password stealer
Overview
Virus type: Trojan
File MD5: B1558FBAA833D098C84553D4986660B2
Disclosure scope: fully public
Severity level: 5
File size: 31,979 bytes packed, 186,880 bytes unpacked
Affected systems: Windows 9x and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s -> Dwing
Aliases: BitDefender Generic.PWStealer.F82FE48A
         McAfee PWS-QQRob
Behaviour analysis
Dropped copies and files
%System32%\severe.exe
%System32%\xwwume.dll
%System32%\xwwume.exe
%System32%\drivers\jyoapg.com
%RemovableDevice%\servet.exe
%RemovableDevice%\autorun.inf
Registry values created
For each of the 29 image names below, the trojan creates an Image File Execution Options subkey carrying a Debugger value. Windows consults this key whenever a process with that image name is started and, if Debugger is set, launches the named program instead, with the original command line appended. The effect is that the listed antivirus, anti-rootkit and system tools silently start jyoapg.com rather than themselves.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>\Debugger
Value: String: "%WINDOWS%\System32\drivers\jyoapg.com"
Image names: 360Safe.exe, adam.exe, avp.com, avp.exe, EGHOST.exe, IceSword.exe, iparmo.exe, kabaload.exe, KRegEx.exe, KvDetect.exe, KVMonXP.kxp, KvXP.kxp, MagicSet.exe, mmsk.exe, msconfig.com, msconfig.exe, NOD32.exe, PFW.exe, PFWLiveUpdate.exe, QQDoctor.exe, Ras.exe, Rav.exe, RavMon.exe, regedit.com, regedit.exe, runiep.exe, SREng.EXE, TrojDie.kxp, WoptiClean.exe
The match is on the image file name only, so a renamed copy of any of these tools is unaffected.
Startup entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyoapg
Value: String: "%WINDOWS%\System32\xwwume.exe"
Registry values modified
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
New: String: "Explorer.exe %WINDOWS%\System32\severe.exe"
Old: String: "Explorer.exe"
Winlogon starts every program listed in Shell at interactive logon, so severe.exe is launched alongside Explorer each time a user logs on.
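How the Image File Execution Options, Run and Winlogon\Shell entries above are audited in practice, as an added example that is not part of this entry or of any vendor tool: the Python script below parses the text of a reg export of those three keys (taken on the infected host with reg.exe, which is not among the hijacked image names, then copied to an analysis machine), lists every direct IFEO subkey whose Debugger value is not a known debugger, every entry in Winlogon\Shell other than Explorer.exe and every Run value that starts one of the dropped files, and returns the reg.exe commands that undo them. The sample export, the vsjitdebugger entry in it and the KNOWN_DEBUGGERS allow-list are constructed for the example; the file and value names come from the behaviour analysis above. Real .reg exports are UTF-16LE text, so open them with encoding="utf-16".

```python
import re

# Registry paths from the behaviour analysis above.
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# File names this sample drops (from the list above); other Run entries are left alone.
DROPPED = {"severe.exe", "xwwume.exe", "xwwume.dll", "jyoapg.com"}
# Debugger programs that legitimately sit under IFEO on developer machines (assumption; extend per estate).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "procdump.exe"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)  # .reg files escape backslash and quote with a backslash

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.
    String data is unescaped; dword:/hex: data is kept raw so nothing is dropped silently."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def _basename(cmdline):
    """Lower-case file name of the program in a command line ('"C:\\x\\y.exe" -p 1' -> 'y.exe')."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        prog = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        prog = cmdline.split()[0] if cmdline else ""
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ifeo_hijacks(keys):
    """[(image, debugger)] for each direct IFEO subkey whose Debugger is not a known debugger.
    Windows starts that program with the original command line appended, so the tool the
    user launched (regedit.exe, msconfig.exe, the AV scanners) never runs at all."""
    prefix = IFEO.lower() + "\\"
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image or "Debugger" not in values:  # skips ...\foo.exe\PerfOptions and the like
            continue
        if _basename(values["Debugger"]) not in KNOWN_DEBUGGERS:
            hits.append((image, values["Debugger"]))
    return hits

def winlogon_shell_extras(keys):
    """Entries in Winlogon\\Shell other than Explorer.exe; each one runs at every interactive logon."""
    shell = keys.get(WINLOGON, {}).get("Shell", "Explorer.exe")
    return [p for p in re.split(r"[,\s]+", shell.strip()) if p and _basename(p) != "explorer.exe"]

def suspicious_run_entries(keys):
    """Run values whose program is one of the dropped files."""
    return {n: c for n, c in keys.get(RUN, {}).items() if _basename(c) in DROPPED}

def remediation_commands(keys):
    """reg.exe commands that undo the findings; review them, then run from an elevated prompt."""
    h = lambda p: "HKLM" + p[len("HKEY_LOCAL_MACHINE"):]  # reg.exe accepts the HKLM short form
    cmds = [f'reg delete "{h(IFEO)}\\{image}" /v Debugger /f' for image, _ in ifeo_hijacks(keys)]
    if winlogon_shell_extras(keys):
        cmds.append(f'reg add "{h(WINLOGON)}" /v Shell /t REG_SZ /d Explorer.exe /f')
    cmds += [f'reg delete "{h(RUN)}" /v {name} /f' for name in suspicious_run_entries(keys)]
    return cmds

# Constructed sample export (not taken from a real host): keys from the entry above, plus one
# legitimate Debugger entry and one non-string value to show that neither is flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\jyoapg.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\jyoapg.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\severe.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jyoapg"="C:\\WINDOWS\\System32\\xwwume.exe"
'''
```

Collect the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the same for the Winlogon and Run keys, concatenate the exports and pass the text to parse_reg_export. On the sample, ifeo_hijacks flags regedit.exe and msconfig.exe but not the notepad.exe entry, and remediation_commands yields two reg delete lines for the IFEO values, one reg add restoring Shell to Explorer.exe and one reg delete for the jyoapg Run value.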
Modifies the hosts file
The following lines are appended to %SystemRoot%\System32\drivers\etc\hosts. Each name belongs to an antivirus vendor's update, scan or support site (Kaspersky, Rising, Jiangmin, Kingsoft, 360safe, mmsk.cn, ikaka, and Tencent's safe.qq.com); resolving them to 127.0.0.1 stops installed products from updating their signatures and blocks the online scanners.
127.0.0.1 mmsk.cn
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
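Checking a hosts file for this kind of sinkholing, as an added example that is not part of this entry: the Python script below parses the file (on Windows it lives at %SystemRoot%\System32\drivers\etc\hosts), reports every hostname mapped to a loopback or unspecified address other than localhost, marks the ones under the vendor domains listed above, and produces a cleaned copy with those lines commented out. The sample hosts content is constructed for the example; the vendor domain suffixes come from the list above.

```python
import ipaddress

# Where Windows keeps the file the trojan edits; copy it off the host or read it in place.
HOSTS_PATH = r"%SystemRoot%\System32\drivers\etc\hosts"
# Domain suffixes of the vendors sinkholed in the list above.
VENDOR_SUFFIXES = ("kaspersky-labs.com", "rising.com.cn", "jiangmin.com", "kingsoft.com",
                   "360safe.com", "mmsk.cn", "qq.com", "ikaka.com")
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """[(line_no, ip, [names])] for every active mapping; comments, blanks and junk are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; treated as junk here
        entries.append((n, ip, [p.lower() for p in parts[1:]]))
    return entries

def sinkholed(text):
    """[(line_no, name, is_vendor)] for names pointed at loopback or 0.0.0.0/:: that are not localhost.
    is_vendor marks names under the suffixes above; the rest still deserve a look (ad-block
    lists use 0.0.0.0 legitimately, but nothing benign sends an AV update server there)."""
    hits = []
    for n, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue
            is_vendor = any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)
            hits.append((n, name, is_vendor))
    return hits

def clean_hosts(text):
    """Return the file with every sinkholed line commented out, keeping a record of what was there."""
    bad_lines = {n for n, _, _ in sinkholed(text)}
    out = [("# removed during cleanup: " + raw) if n in bad_lines else raw
           for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(out) + "\n"

# Constructed sample (not copied from a real host): a stock header, entries this trojan
# writes, one legitimate loopback line, one routable intranet entry and one ad-block line.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 mmsk.cn
127.0.0.1 safe.qq.com
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-eu1.kaspersky-labs.com   # appended by the trojan
127.0.0.1 localhost
10.0.0.5  intranet.example.test
0.0.0.0   ads.example.test
"""
```

On the sample, sinkholed returns the four vendor names as vendor hits and ads.example.test as a non-vendor hit, while the commented header, the genuine localhost line and the routable intranet entry are left alone; running sinkholed over the output of clean_hosts yields nothing.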
--------------------------------------------------------------------------------
Removal
1. Use Antiy Trojan Defense Line (安天木馬防線) to remove this virus completely (recommended).
2. To remove it manually, delete the files and restore the system settings listed in the behaviour analysis:
(1) Use the Process Manager in Antiy Trojan Defense Line to terminate the virus processes:
severe.exe
xwwume.exe
jyoapg.com
(2) Delete or restore the registry values the virus added or modified. regedit.exe, regedit.com, msconfig.exe and msconfig.com are themselves hijacked, so until the Debugger values are gone use reg.exe from a command prompt, or a renamed copy of regedit.exe, to make these changes.
Delete the Debugger value under each of the following Image File Execution Options subkeys: 360Safe.exe, adam.exe, avp.com, avp.exe, EGHOST.exe, IceSword.exe, iparmo.exe, kabaload.exe, KRegEx.exe, KvDetect.exe, KVMonXP.kxp, KvXP.kxp, MagicSet.exe, mmsk.exe, msconfig.com, msconfig.exe, NOD32.exe, PFW.exe, PFWLiveUpdate.exe, QQDoctor.exe, Ras.exe, Rav.exe, RavMon.exe, regedit.com, regedit.exe, runiep.exe, SREng.EXE, TrojDie.kxp, WoptiClean.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>\Debugger
Value: String: "%WINDOWS%\System32\drivers\jyoapg.com"
Delete the startup value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyoapg
Value: String: "%WINDOWS%\System32\xwwume.exe"
Restore the Winlogon shell value to its original content:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Restore to: String: "Explorer.exe"
(3) Remove the lines listed under "Modifies the hosts file" from %SystemRoot%\System32\drivers\etc\hosts so that antivirus updates and online scans work again.
(4) Delete the files dropped by the virus:
%System32%\severe.exe
%System32%\xwwume.dll
%System32%\xwwume.exe
%System32%\drivers\jyoapg.com
%RemovableDevice%\servet.exe
%RemovableDevice%\autorun.inf
Check every removable drive that has been connected to the infected machine for the last two files; a drive still carrying them re-infects any system that honours autorun.inf.