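This is a Trojan that changes the browser home page. Once running, it continually re-adds its startup entries and rewrites the browser home page, which seriously degrades system performance; it also blocks a large number of websites, causing considerable inconvenience to users.
Basic information
- Chinese name: Win32.Troj.Goweh.a
- Processing date: 2005-10-11
- Threat level: ★
- Virus type: Trojan
- Affected systems: Win 9x/ME, Win 2000/NT, Win XP, etc.
- Generated file: %Current%\network.sys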
Virus description
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behavior
Adds startup entries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"UserSystem" = "%CurrentFile%"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"UserSystem" = "%CurrentFile%"
Modifies the home page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://smartsearch.ws"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Default_Page_URL" = "http://smartsearch.ws"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Start Page" = "http://smartsearch.ws"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Default_Page_URL" = "http://smartsearch.ws"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Page" = "http://smartsearch.ws/?q="
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Bar" = "http://smartsearch.ws/?q="
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Default_Search_URL" = "http://smartsearch.ws/?q="
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
"SearchURL" = "http://smartsearch.ws/?q="
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
"Search" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Page" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Bar" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Default_Search_URL" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
"SearchURL" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
"Search" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"default" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
"www" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"SearchAssistant" = "http://smartsearch.ws/?q="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"CustomizeSearch"= "http://smartsearch.ws/?q="
Blocks a list of websites by rewriting the hosts file so that each blocked hostname points to 127.0.0.1
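Prevention
Under %Current%\, create a folder with the same name as the generated file, then inside that folder use the DOS command md n..\ to create a folder; this ensures the virus file cannot be created.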
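A triage check for the changes listed under Virus behavior, as an added example that is not part of the original entry: it scans hosts-file text for hostnames pinned to loopback, and `reg export` text for the UserSystem Run value and for browser settings pointing at smartsearch.ws. The sample inputs, the .example hostnames and the C:\example path are constructed, and both functions assume the files have already been decoded to text.

```python
import re

# Indicators named in the write-up above.
HIJACK_DOMAIN = "smartsearch.ws"
RUN_VALUE = "UserSystem"
LOOPBACK = {"127.0.0.1", "::1"}
BENIGN = {"localhost", "localhost.localdomain"}

def scan_hosts(text):
    """Return hostnames a hosts file pins to loopback (localhost excluded)."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            hits += [h.lower() for h in fields[1:] if h.lower() not in BENIGN]
    return hits

def scan_reg_export(text):
    """Return (key, value_name, reason) for matching string values in .reg text."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                    # current registry key header
            continue
        m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if key.lower().endswith(r"\currentversion\run") and name == RUN_VALUE:
            hits.append((key, name, "run-key persistence"))
        elif HIJACK_DOMAIN in data.lower():
            hits.append((key, name, "browser setting hijack"))
    return hits

# Constructed sample input (not captured from an infected machine).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.security-forum.example   # constructed blocked hostname
127.0.0.1 antispyware.example
10.0.0.5 fileserver
"""
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserSystem"="C:\\example\\network.sys"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://smartsearch.ws"
"Search Page" = "http://smartsearch.ws/?q="
'''
```

Any non-localhost name mapped to loopback is reported, so legitimate ad-blocking hosts entries will also appear and need review.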