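Win32.PSWTroj.QQPass, named "QQ偽裝盜號者" (QQ Disguised Account Stealer), is a QQ account-stealing trojan. It injects itself into system processes on the user's computer and steals the accounts and passwords targeted by the virus author, along with other information associated with those accounts.
Basic information
- Foreign-language name: Win32.PSWTroj.QQPass
- Processing date: 2007-03-30
- Virus type: Trojan
- Affected systems: Win 9x/ME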
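Virus label
Win32.PSWTroj.QQPass
Virus alias:
Processing date: 2007-03-30
Threat level: ★
Chinese name:
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus description
This virus is a QQ account-stealing trojan.
Behavior analysis
1. Files created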
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\mmlucj.exe
%SystemRoot%\system32\drivers\avipit.exe
%SystemRoot%\system32\drivers\conime.exe
%SystemRoot%\system32\mmlucj.dll
2. Adds startup entries
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"mmlucj" = "%SystemRoot%\system32\severe.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"avipit" = "%SystemRoot%\system32\mmlucj.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "%SystemRoot%\system32\drivers\conime.exe"
3. Terminates the following processes
PFW.exe,Kav.exe,KVOL.exe,KVFW.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,CCAPP.exe,KRegEx.exe,kavsvc.exe,VPTray.exe,RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,MCAGENT.exe,KAVPLUS.exe,RavMonD.exe,Rtvscan.exe,Nvsvc32.exe,KVMonXP.exe,Kvsrvxp.exe,CCenter.exe,KpopMon.exe,RfwMain.exe,KWATCHUI.exe,MCVSESCN.exe,MSKAGENT.exe,kvolself.exe,KVCenter.kxp,kavstart.exe,RAVTIMER.exe,RRfwMain.exe,FireTray.exe,UpdaterUI.exe,KVSrvXp_1.exe,RavService.exe
4. Modifies the registry so that the system never shows hidden files.
software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
"CheckedValue" = "0"
5. The virus creates autorun.inf and OSO.exe on drives d, e, f, g, h and i so that it is launched through autorun.
--------------------------------
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
---------------------------------
6. Uses mutexes to prevent the following processes from running
A}cNqqc{[TWQkgdfv7(3 = ExeMutex_QQRobber2.0
@ijNqqc{[TWQkgdfv7(3 = DllMutex_QQRobber2.0
AntiTrojan3721
ASSISTSHELLMUTEX
SKYNET_PERSONAL_FIREWALL
KingsoftAntivirusScanProgram7Mutex
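The first two mutex entries above are listed in both obfuscated and clear form. The following added example (not part of the original analysis) recovers the string encoding from that pair by known-plaintext comparison and checks it against the second entry. The repeating XOR key is inferred here from the page's own pairs and is not stated by the page; the function names `recover_key` and `xor_decode` are introduced for illustration.

```python
from itertools import cycle

# Obfuscated/clear pairs exactly as listed in item 6 of the analysis.
EXE_OBF, EXE_CLEAR = "A}cNqqc{[TWQkgdfv7(3", "ExeMutex_QQRobber2.0"
DLL_OBF = "@ijNqqc{[TWQkgdfv7(3"


def recover_key(obfuscated: str, clear: str) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    XOR of the two forms yields the keystream; the key is its shortest period.
    """
    if not obfuscated or len(obfuscated) != len(clear):
        raise ValueError("need a non-empty pair of equal length")
    stream = bytes(a ^ b for a, b in zip(obfuscated.encode("latin-1"),
                                         clear.encode("latin-1")))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    raise AssertionError("unreachable: period == len(stream) always matches")


def xor_decode(obfuscated: str, key: bytes) -> str:
    """Apply the repeating key; XOR is symmetric, so this also encodes."""
    data = obfuscated.encode("latin-1")
    return bytes(b ^ k for b, k in zip(data, cycle(key))).decode("latin-1")


if __name__ == "__main__":
    key = recover_key(EXE_OBF, EXE_CLEAR)
    print("key bytes:", key.hex(" "))
    print(xor_decode(DLL_OBF, key))
```

Because the key recovered from the first pair also decodes the second, an analyst can apply the same routine to other encoded strings pulled from a sample of this family.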
7. Accesses the following URLs and attempts to download files such as @#$#.htm, 30w.txt, dqhx1.txt, down.txt and dqhx3.txt.
lqrs>*)tsr(``642*fin = http://***.cd321.com
lqrs>*)tsr(``642*kcw = http://***.cd321.net
lqrs>*)tsr(532?43+eli = http://***.677977.com
lqrs>*)tsr(`ps757+eli = http://***.ctv163.com
lqrs>*)tsr(``642*kcw+66t*q~w = http://***.cd321.net/30w.txt
lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w = http://***.cd321.com/admin/down.txt
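8. Creates and runs the batch file hx1.bat, which sets the system date to 2004-1-22.
9. Calls sc.exe to stop the services of related antivirus software and disable them from starting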
-----------------------------------------
stop KVWSC
config KVWSC start= disabled
stop KVSrvXP
config KVSrvXP start= disabled
stop kavsvc
config kavsvc start= disabled
stop RsCCenter
config RsCCenter start= disabled
stop RsRavMon
------------------------------------------
10. Image hijacking (Image File Execution Options), which makes the following software unusable
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
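A defensive check for the Image File Execution Options hijack listed in item 10, added here as an example and not part of the original analysis: it parses the text output of `reg query ... /s` and reports any Debugger binary attached to several different image names. The sample output, the `C:\WINDOWS` path, the function names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

IFEO = "\\image file execution options\\"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Constructed sample in the layout printed by `reg query <key> /s`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger    REG_SZ    C:\WINDOWS\system32\drivers\avipit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger    REG_SZ    C:\WINDOWS\system32\drivers\avipit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
    Debugger    REG_SZ    C:\WINDOWS\system32\drivers\avipit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    GlobalFlag    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe
    Debugger    REG_SZ    "C:\Program Files\Debugging Tools\windbg.exe" -g
"""

def parse_debuggers(text):
    """Return {image_name: debugger_command} for IFEO subkeys with a Debugger value."""
    found, image = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            idx = line.lower().rfind(IFEO)
            image = line[idx + len(IFEO):].strip() if idx != -1 else None
            if image and "\\" in image:   # deeper subkey, not an image name
                image = None
        elif image and (m := VALUE_RE.match(line)) and m.group(1).lower() == "debugger":
            found[image] = m.group(3).strip()
    return found

def debugger_binary(cmd):
    """Executable part of a Debugger command (unquoted paths with spaces are not handled)."""
    cmd = cmd.strip()
    return (cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]).lower()

def mass_hijacks(text, threshold=3):
    """Debugger binaries attached to at least `threshold` different image names."""
    by_binary = defaultdict(set)
    for image, cmd in parse_debuggers(text).items():
        by_binary[debugger_binary(cmd)].add(image.lower())
    return {b: sorted(i) for b, i in by_binary.items() if len(i) >= threshold}
```

A single Debugger value can be a legitimate developer setting; one binary registered as the debugger for many security and system tools is the pattern this analysis describes.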
11. Modifies the hosts file to block the following addresses
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com