Trojan.Win32.Qhost.it is a Trojan. When run it drops its files into the Windows and System directories, adds registry auto-run entries so that it is loaded at every boot, downloads a compressed archive from a remote server and extracts and runs its contents, and edits the hosts file so the user cannot reach sites that would tell them about the infection.
Basic information
- Name: Trojan.Win32.Qhost.it
- Type: Trojan
- File size: 212,992 bytes
- Affected systems: Windows 9x and later
Summary
Chinese name: MHost
File MD5: 21FE5BDA68A6D95AF49ACBCD2877D2D6
Disclosure: fully public
Threat level: 3
Development tool: Microsoft Visual C++ 6.0
Behaviour analysis
1. Drops the following copies and files:
%System32%\ltcyvsj.dll
%System32%\abcdefgh.dll
%WinDir%\msdrvctrl.exe
%WinDir%\msdrv.exe
%WinDir%\iedrives.dll
%System32%\msdrivers\driverpp.sys
%System32%\msdrivers\iedrives.dll
%System32%\msdrivers\msdrv.exe
%System32%\msdrivers\msdrvctrl.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\di.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\driverpp.sys
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\iedrives.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install2.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\maindll.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\msdrv.exe
2. Creates the following registry keys and values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\msdrvctrl
Value: String: "C:\WINDOWS\msdrvctrl.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svcs: Dnscache
Value: String: "C:\DOCUME~1\<current user name>\LOCALS~1\Temp\17292\explorer.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
Value: String: "Windows Socket 2.0 Non-IFS Service Provider Support Environment"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes
\SystemRoot\System32\drivers\ws2ifsl.sys
(WS2IFSL and ws2ifsl.sys are the standard Windows Winsock 2 IFS-layer service, not files dropped by the Trojan; leave this service alone during clean-up.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverpp\DisplayName
Value: String: "Plug and Play Support Driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverpp\ImagePath
Value: Type: REG_EXPAND_SZ Length: 46 (0x2e) bytes
C:\WINDOWS\system32\msdrives\driverpp.sys
(This registers the dropped driverpp.sys as a driver service under a misleading display name. The directory is spelled "msdrives" in this value and "msdrivers" in the file list above; check both when cleaning up.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32\@
Value: String: "C:\WINDOWS\System32\oqjje.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32\ThreadingModel
Value: String: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
Value: String: "DCOM Server 60787"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DCOM Server 60787
Value: String: "{2C1CD3D7-86AC-4068-93BC-A02304B60787}"
(Both SharedTaskScheduler and ShellServiceObjectDelayLoad are loaded by Explorer at logon, so the COM object's DLL runs inside explorer.exe without needing a Run entry of its own.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\<entry>\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes, one value per entry below. The dump shows only the provider-path prefix of each binary blob, with "." standing for a non-printable byte:
000000000012  %SystemRoot%\system32\mswsock.dll
000000000013  %SystemRoot%\system32\mswsock.dll
000000000014  %SystemRoot%\system32\mswsock.dll
000000000015  %SystemRoot%\system32\rsvpsp.dll
000000000016  %SystemRoot%\system32\rsvpsp.dll
000000000017  %SystemRoot%\system32\mswsock.dll
000000000018  %SystemRoot%\system32\mswsock.dll
000000000019  %SystemRoot%\system32\mswsock.dll
000000000020  %SystemRoot%\system32\mswsock.dll
000000000021  %SystemRoot%\system32\mswsock.dll
000000000022  %SystemRoot%\system32\mswsock.dll
000000000023  abcdefgh.dll.system32\mswsock.dll.
3. Modifies the following LSP (Winsock Layered Service Provider) registry entries. Each is the PackedCatalogItem value, REG_BINARY, 888 (0x378) bytes, under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\<entry>\PackedCatalogItem
("." again stands for a non-printable byte):
000000000001  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000002  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000003  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000004  Old: %SystemRoot%\system32\rsvpsp.dll    New: abcdefgh.dll.system32\mswsock.dll.
000000000005  Old: %SystemRoot%\system32\rsvpsp.dll    New: abcdefgh.dll.system32\mswsock.dll.
000000000006  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000007  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000008  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000009  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000010  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
000000000011  Old: %SystemRoot%\system32\mswsock.dll   New: abcdefgh.dll.system32\mswsock.dll.
The first 260 bytes of a PackedCatalogItem hold the provider's DLL path as a NUL-terminated ANSI string, and Winsock only reads up to the first NUL. The new values are consistent with "abcdefgh.dll" plus a terminator (13 bytes) having been written over the first 13 characters ("%SystemRoot%\") of a buffer that previously held the mswsock.dll path, which is why the tail "system32\mswsock.dll" is still visible after the terminator. The effective path is therefore the bare name abcdefgh.dll, which the loader resolves through the DLL search path to the copy dropped in %System32%.
Taken together, sections 2 and 3 show the usual layered-provider installation layout: entries 12 to 22 are copies of the original base providers 1 to 11 (same order: three mswsock.dll, two rsvpsp.dll, six mswsock.dll), entry 23 is the Trojan's own provider, and the original IDs 1 to 11 are repointed at abcdefgh.dll. Every process that opens a socket through those entries loads the Trojan's DLL, which gives it a view of, and a hook into, all of the machine's network traffic.
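To examine these entries without reading a hex dump by eye, here is a parser for PackedCatalogItem values, an added example for this page and not code from the original write-up or from any vendor tool. It relies on the documented Winsock 2 catalog layout (a 260-byte ANSI provider path followed by the 628-byte WSAPROTOCOL_INFOW structure, 888 bytes in all, matching the lengths above). The sample catalog, its GUIDs, protocol names and the chain 1 -> 23 -> 12 are constructed for the example; the chain contents in particular are an assumption, since the write-up shows only the path prefix of each value. On a live system the blobs come from reg.exe or an exported hive rather than from sample_catalog().

```python
"""Parse Winsock2 PackedCatalogItem blobs and flag LSP hijacks.

Added example for this page, not code from the original write-up. Layout per the
Winsock 2 SPI: 260-byte ANSI provider path (MAX_PATH) followed by WSAPROTOCOL_INFOW
(628 bytes), 888 bytes in total. The sample catalog below is constructed.
"""
import struct
import uuid

PATH_LEN = 260                          # MAX_PATH: provider DLL path, NUL-terminated ANSI
INFO_LEN = 628                          # sizeof(WSAPROTOCOL_INFOW) on 32-bit Windows
PACKED_ITEM_LEN = PATH_LEN + INFO_LEN   # 888 = 0x378, the length in the registry dump
SZPROTOCOL_OFF = 116                    # offset of szProtocol[256] (WCHAR) in WSAPROTOCOL_INFOW

# Base providers on a clean XP-era catalog (the "Old" values in the write-up).
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll"}


def build_packed_item(path, entry_id, chain, protocol_name):
    """Assemble one PackedCatalogItem (sample data; the GUID is derived from the path)."""
    path_field = path.encode("ascii").ljust(PATH_LEN, b"\x00")
    chain_entries = (list(chain) + [0] * 7)[:7]
    info = struct.pack("<5I", 0, 0, 0, 0, 0)                        # dwServiceFlags1-4, dwProviderFlags
    info += uuid.uuid5(uuid.NAMESPACE_URL, path).bytes_le           # ProviderId
    info += struct.pack("<I", entry_id)                             # dwCatalogEntryId
    info += struct.pack("<i7I", len(chain), *chain_entries)         # ProtocolChain: 0=layer, 1=base, >1=chain
    info += struct.pack("<9i", 2, 2, 16, 16, 1, 6, 0, 0, 0)         # iVersion .. iSecurityScheme (AF_INET/TCP)
    info += struct.pack("<2I", 0, 0)                                # dwMessageSize, dwProviderReserved
    info += protocol_name.encode("utf-16-le").ljust(512, b"\x00")   # szProtocol
    return path_field + info


def parse_packed_item(blob):
    """Decode the fields a responder needs from a PackedCatalogItem value."""
    if len(blob) != PACKED_ITEM_LEN:
        raise ValueError(f"expected {PACKED_ITEM_LEN} bytes, got {len(blob)}")
    path_field, info = blob[:PATH_LEN], blob[PATH_LEN:]
    path, _, rest = path_field.partition(b"\x00")
    # Winsock reads the path up to the first NUL; non-zero bytes after it are leftovers of
    # whatever the field held before, which is what "abcdefgh.dll.system32\mswsock.dll." shows.
    residue = rest.strip(b"\x00")
    entry_id, chain_len = struct.unpack_from("<Ii", info, 36)
    chain = list(struct.unpack_from("<7I", info, 44))[:max(chain_len, 0)]
    protocol = info[SZPROTOCOL_OFF:].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {
        "entry_id": entry_id,
        "path": path.decode("latin-1"),
        "residue": residue.decode("latin-1"),
        "provider_id": str(uuid.UUID(bytes_le=info[20:36])),
        "chain_len": chain_len,
        "chain": chain,
        "protocol": protocol,
    }


def audit_catalog(entries):
    """entries: {catalog entry id: PackedCatalogItem bytes}. Returns (entry_id, reason) findings."""
    findings = []
    for entry_id, blob in sorted(entries.items()):
        item = parse_packed_item(blob)
        dll = item["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_PROVIDER_DLLS:
            findings.append((entry_id, f"provider DLL {item['path']!r} is not a stock Winsock provider"))
        if "\\" not in item["path"]:
            findings.append((entry_id, "bare file name: resolved through the DLL search path"))
        if item["residue"]:
            findings.append((entry_id, f"path overwritten in place, old tail {item['residue']!r}"))
        if item["chain_len"] > 1:
            findings.append((entry_id, f"protocol chain through entries {item['chain']}"))
    return findings


def sample_catalog():
    """Constructed sample: entry 1 hijacked, 12 the copied base provider, 23 the Trojan's layer."""
    mswsock = r"%SystemRoot%\system32\mswsock.dll"
    hijacked = bytearray(build_packed_item(mswsock, 1, [1], "MSAFD Tcpip [TCP/IP]"))
    # "abcdefgh.dll" + NUL is 13 bytes, the same length as "%SystemRoot%\", so writing it over
    # the start of the old path leaves "system32\mswsock.dll" behind after the terminator.
    hijacked[:13] = b"abcdefgh.dll\x00"
    # Assumed chain layout: entry 1 now routes through layer 23 to base 12.
    struct.pack_into("<i7I", hijacked, PATH_LEN + 40, 2, 23, 12, 0, 0, 0, 0, 0)
    return {
        1: bytes(hijacked),
        12: build_packed_item(mswsock, 12, [12], "MSAFD Tcpip [TCP/IP]"),
        23: build_packed_item("abcdefgh.dll", 23, [], "Layered Service Provider"),
    }


if __name__ == "__main__":
    for entry_id, reason in audit_catalog(sample_catalog()):
        print(f"Catalog_Entries\\{entry_id:012d}: {reason}")
```

Any entry whose path is not a known provider, is a bare file name, carries residue after the terminator, or is a chain rather than a base provider deserves a look; a clean XP-era catalog has none of those. The same parser applies to the Catalog_Entries values of the 64-bit catalog (Catalog_Entries64) on later Windows versions, where the path field is unchanged.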
4. Modifies the hosts file (%System32%\drivers\etc\hosts on Windows NT/2000/XP, %WinDir%\hosts on Windows 9x/Me) in an attempt to stop the user from reaching anti-virus vendor websites. This hosts-file hijacking is the behaviour the family name Qhost refers to.
5. Downloads a compressed archive from the following server:
6*.1*1.1*5.1*9/data15.tgz HTTP:80
Note: %System% is a variable path; the virus queries the operating system for the location of the current System folder. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me and C:\Windows\System32 on Windows XP.
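A hosts-file audit and clean-up for the behaviour in point 4, written as an added example for this page rather than taken from the original write-up or from any vendor tool. SAMPLE_HOSTS is constructed (the names sit under the reserved .invalid domain), and HIDDEN_PADDING is an assumed threshold for the padding trick in which a long run of blank lines pushes the added entries below the visible window of an editor.

```python
"""Audit and neutralise hosts-file hijacking of the kind Qhost performs.

Added example for this page, not code from the original write-up. SAMPLE_HOSTS is
constructed (names under the reserved .invalid domain); HIDDEN_PADDING is an assumed
threshold for the blank-line padding trick that hides added entries from a casual look.
"""
import ipaddress

# Names that legitimately map to loopback/unspecified addresses in a stock hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet",
                "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}
HIDDEN_PADDING = 20  # assumed: this many blank lines before an entry hides it below the editor window

SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "\n"
    "127.0.0.1       localhost\n"
    + "\n" * 25 +                                   # padding so the additions sit off-screen
    "127.0.0.1 www.example-av.invalid\n"            # constructed: vendor site sinkholed to loopback
    "127.0.0.1 update.example-av.invalid download.example-av.invalid\n"
    "10.0.0.5  www.example-bank.invalid   # constructed: redirected to an attacker-chosen address\n"
)


def parse_hosts(text):
    """Return active entries as (line_no, address, [names], blank_lines_before)."""
    entries, blank_run = [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            blank_run += 1
            continue
        body = raw.split("#", 1)[0].strip()
        if not body:                      # comment-only line: neither an entry nor padding
            continue
        fields = body.split()
        entries.append((line_no, fields[0], fields[1:], blank_run))
        blank_run = 0
    return entries


def audit_hosts(text):
    """Flag every mapping that is not a stock localhost line: (line_no, name, reason)."""
    findings = []
    for line_no, address, names, blank_run in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, f"unparseable address {address!r}"))
            continue
        for name in names:
            if name.lower() in BENIGN_NAMES:
                continue
            # Loopback or 0.0.0.0 makes the site unreachable (what Qhost does to vendor
            # sites); any other address silently redirects the name.
            verb = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
            reason = f"{name} {verb} to {address}"
            if blank_run >= HIDDEN_PADDING:
                reason += f" (after {blank_run} blank lines)"
            findings.append((line_no, name, reason))
    return findings


def neutralise(text):
    """Comment out every flagged line so the file can be written back and re-audited."""
    bad_lines = {line_no for line_no, _, _ in audit_hosts(text)}
    out = [("# removed by hosts audit: " + raw) if n in bad_lines else raw
           for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, _, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}")
```

When writing the cleaned file back on a real machine, clear the read-only and hidden attributes that hosts hijackers commonly set on the file first, and restore them afterwards only if your own policy wants them. Anything that is not a stock localhost line is reported; on a workstation with no deliberate hosts entries, every finding is something to explain.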
--------------------------------------------------------------------------------
Removal
1. Use Antiy Ghostbusters (安天木馬防線) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the system settings listed in the behaviour analysis, in the order below. The order matters: the Winsock catalog must be repaired before abcdefgh.dll is deleted, because a catalog that still references a missing LSP DLL breaks networking for every Winsock application.
(1) Delete the registry entries added by the virus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\msdrvctrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svcs: Dnscache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DCOM Server 60787
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverpp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
……
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
Then restore the following entries to their original values as listed under "3. Modifies the following LSP registry entries":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
……
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
On Windows XP SP2 and later, running "netsh winsock reset" from an administrator command prompt rebuilds the whole Protocol_Catalog9 from the default providers. That is the safer way to do this step: the PackedCatalogItem values are binary structures, and a hand-edited entry of the wrong length or layout leaves Winsock unusable. Do not delete the WS2IFSL service listed in section 2; it is a standard Windows component.
(2) Restart the computer
(3) Delete the files dropped by the virus
%System32%\ltcyvsj.dll
%System32%\abcdefgh.dll
%System32%\oqjje.dll (the in-process server registered under the CLSID above)
%WinDir%\msdrvctrl.exe
%WinDir%\msdrv.exe
%WinDir%\iedrives.dll
%System32%\msdrivers\driverpp.sys
%System32%\msdrivers\iedrives.dll
%System32%\msdrivers\msdrv.exe
%System32%\msdrivers\msdrvctrl.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\di.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\driverpp.sys
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\iedrives.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install2.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\maindll.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\msdrv.exe
(4) Restore the hosts file
Remove the entries the virus added to the hosts file (%System32%\drivers\etc\hosts on Windows NT/2000/XP, %WinDir%\hosts on Windows 9x/Me). A clean file needs only the "127.0.0.1 localhost" line; clear the read-only and hidden attributes if they have been set on the file.