這是個盜取用戶QQ帳號的木馬
基本介紹
- 中文名:Win32.PSWTroj.QQ.lt.88064
- 處理時間::2006-12-06
- 威脅級別::★
- 病毒類型::木馬
病毒簡介,病毒行為,
病毒簡介
影響系統:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行為
這是個盜取用戶QQ帳號的木馬!
1、將自身複製為:
%WINDOWS%\Help\wshmcepts.chm
%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dat
2、釋放檔案:
%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll
3、每個三秒就添加以下註冊表項來自啟動:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2} ""
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\(Default) ""
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\InProcServer32\(Default) "%\Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll"
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\InProcServer32\ThreadingModel "Apartment"
4、嘗試禁用以下與安全軟體相關的服務:
navapsvc、RsRavMon、RsRavMon、kavsvc、KVWSC、KVSrvXP、wscsvc、KPfwSvc、KWatchSvc、SNDSrvc、ccProxy、ccEvtMgr、ccSetMgr、SPBBCSvc、
Symantec Core LC、NPFMntor、MskService、FireSvc、McShield、McTaskManager、McAfeeFramework、RfwService、SKNFW、SkyProcs、AVP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvPpWall_autorun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SKYNET Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Jiangmin KVFW
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Rapdateiyr
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
6、嘗試卸載以下安全軟體:
KV2006
KVFW
rising
KINGSOFT\ANTIVIRUS
Kaspersky Anti-Virus Personal
rising\Rfw
綠鷹PC萬能精靈
VIRUSCAN8000
7、檢測用戶計算機上是否安裝還原精靈,如果發現安裝則進行還原精靈轉存使還原精靈失效。
8、創建訊息鉤子。
9、當檢測到QQ運行時將以下檔案的後綴改為.bak: QQLiveUpdate.exe、npkcrypt.sys、BDLiveUpdate.exe。
