Win32.Troj.Agent.jf

病毒別名：

這是一個木馬程式，該病毒會劫持LSP，註冊BHO，下載檔案，注入進程，並且會監控病毒本身的檔案和註冊表項，創建AutoRun.inf,並且會通過隨身碟傳播，危害比較大.

1.生成檔案：

%Windows%\java\java.dll

%Windows%\system32\%MS%HCopy.dkt

%Windows%\system32\kernel32.sys

%Windows%\system32\mfc48.dll

\RECYCLER\RECYCLER\autorun.exe

2.添加註冊表:

HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09} @ "Java Class"

HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32 @ "C:\WINNT\java\java.dll"

HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32ThreadingModel "Apartment"

HKLM\SOFTWARE\Microsoft\Internet Explorer

GUID

DC

UT

3.修改註冊表:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

ShowSuperHidden

原值:dword:00000001

dword:00000000

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs

原值:"userinit.dll"

"kernel32.sys"

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\TcpIp_Protocol

4.設定互斥量:

"DKFSInitMutex"

5.創建事件:

“DKFSFileSpyIsRunEvent”

6.創建信號量:

DKFSRegDaemonSemaphore

DKFileSpySystemDaemonSemaphore

DKFSUsbFileTransferSemaphore

DKFSHDFileTransferSemaphore1

DKFSUSBFileCopySemaphore

DKFSHDFileCopySemaphore

7.結束進程

iparm.exe

8.連線網址

'61.128.197.212

9.注入進程:

explorer.exe

qq.exe

msmsgs.exe

kavstart.exe

svchost.exe

winlogon.exe

lsass.exe

smss.exe

alg.exe

inetinfo.exe

conime.exe

wuauclt.exe