Win32.Troj.QQPass.aa virus alias:
Basic information
- Foreign name: Win32.Troj.QQPass.aa
- Processed on: 2007-04-06
- Threat level: ★
- Virus type: Trojan
Affected systems
Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus description
Behaviour analysis
1. Drops the following files and sets their attributes to hidden and system:
%WINDIR%\system32\bryato.dll
%WINDIR%\system32\bryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe
Modified registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 0xB5
The Autorun.inf contents are as follows:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
3. Adds or modifies the following registry value to keep the virus files hidden:
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0"
4. Adds the following registry values so that it starts automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato "%WINDIR%\System32\severe.exe"
5. Modifies the following registry value so that it is launched together with the Explorer process:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe %WINDIR%\System32\drivers\conime.exe"
6. Adds the following registry values to redirect the listed security software to the virus file, preventing them from running:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
7. Modifies the hosts file to block the user from reaching security websites:
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
8. Searches for windows whose title contains any of the following strings and closes those it finds:
防毒 (antivirus), 專殺 (removal tool), 病毒 (virus), 木馬 (Trojan), 註冊表 (registry)
9. Stops and disables the following security services:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
10. Terminates the following security-software processes:
PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe,
RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe,
Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp,
kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe
11. Deletes the following QQ files:
QLiveUpdate.exe, BDLiveUpdate.exe, QUpdateCenter.exe
12. Installs keyboard and mouse message hooks, looks for the QQ login window, logs keystrokes, and once it has captured the user's password sends it to a designated mailbox through its own mail engine.
Removal
1. Use Antiy Trojan Defense Line (安天木馬防線) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as listed in the behaviour analysis.
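For responders checking a host against the indicators above, the following Python script is an added example (not code from the original page or from any vendor tool). It reads three artefacts a responder would export from a suspect machine, here constructed inline as sample strings, and reports which of the page's indicators are present: the IFEO "Debugger" redirections, the Run and Winlogon\Shell persistence values, the loopback entries added to the hosts file, and the Autorun.inf launch directives. The registry dump format (one `key\value = data` line per entry) is an assumption of this example, not the output of a real tool; it also decodes the NoDriveTypeAutoRun bitmask 0xB5 into the drive types on which AutoRun remains enabled.

```python
"""Offline indicator checker for the Win32.Troj.QQPass.aa behaviour listed above.

Added example, not code from the original page. The registry dump format
("key\\value = data", one entry per line) is an assumption of this example.
"""
import re

# --- indicators copied from the page's behaviour analysis -------------------
HIJACK_DEBUGGER = r"%WINDIR%\System32\drivers\fubcwj.exe"   # IFEO redirect target
DROPPED_FILES = {
    r"%WINDIR%\system32\bryato.dll", r"%WINDIR%\system32\bryato.exe",
    r"%WINDIR%\system32\severe.exe", r"%WINDIR%\system32\drivers\conime.exe",
    r"%WINDIR%\system32\drivers\fubcwj.exe",
}
VENDOR_DOMAINS = ("mmsk.cn", "ikaka.com", "safe.qq.com", "360safe.com",
                  "kingsoft.com", "rising.com.cn", "jiangmin.com",
                  "kaspersky-labs.com")
# NoDriveTypeAutoRun bits as documented by Microsoft; a SET bit disables AutoRun.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown2"}

_IFEO_RE = re.compile(
    r'Image File Execution Options\\([^\\\n]+)\\Debugger\s*=\s*"?([^"\n]+?)"?\s*$',
    re.I | re.M)
_RUN_RE = re.compile(r'CurrentVersion\\Run\\([^\\\n=]+?)\s*=\s*"?([^"\n]+?)"?\s*$',
                     re.I | re.M)
_SHELL_RE = re.compile(r'Winlogon\\Shell\s*=\s*"?([^"\n]+?)"?\s*$', re.I | re.M)


def find_ifeo_hijacks(reg_dump):
    """Map each program with an IFEO Debugger value to (debugger, is_page_ioc).

    Any Debugger value deserves a look on a workstation (it is a developer
    feature); one equal to the Trojan's drivers\\fubcwj.exe path is this page's IOC.
    """
    return {prog: (dbg, dbg.lower() == HIJACK_DEBUGGER.lower())
            for prog, dbg in _IFEO_RE.findall(reg_dump)}


def find_persistence(reg_dump):
    """Return Run values pointing at dropped files plus any non-default Winlogon Shell."""
    dropped = {p.lower() for p in DROPPED_FILES}
    hits = [f"Run\\{name}" for name, data in _RUN_RE.findall(reg_dump)
            if data.lower() in dropped]
    for shell in _SHELL_RE.findall(reg_dump):
        # A clean Shell value is exactly "Explorer.exe"; anything appended is a launch hook.
        if shell.strip().lower() != "explorer.exe":
            hits.append(f"Winlogon\\Shell={shell}")
    return hits


def find_hosts_poisoning(hosts_text):
    """Return vendor hostnames that the hosts file pins to a loopback/blackhole address."""
    poisoned = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for name in fields[1:]:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in VENDOR_DOMAINS):
                poisoned.append(name)
    return poisoned


def parse_autorun_inf(text):
    """Return the launch directives of the [AutoRun] section as {key: value}."""
    launch, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            # open/shellexecute fire on AutoPlay; shell\...\command replaces the
            # drive's double-click action, so it works even with AutoPlay off.
            k = key.strip().lower()
            if k in ("open", "shellexecute") or k.startswith("shell\\"):
                launch[key.strip()] = val.strip()
    return launch


def decode_nodrivetypeautorun(value):
    """Return the drive types on which AutoRun stays ENABLED for a NoDriveTypeAutoRun value."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit)


# --- constructed sample artefacts (not captured from a real host) ------------
SAMPLE_REG_DUMP = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger = "C:\Tools\JitDebugger.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj = "%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Program Files\Vendor\updater.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %WINDIR%\System32\drivers\conime.exe"
"""
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 intranet.example   # harmless local override
"""
SAMPLE_AUTORUN = "[AutoRun]\nopen=OSO.exe\nshellexecute=OSO.exe\nshell\\Auto\\command=OSO.exe\n"

if __name__ == "__main__":
    print("IFEO Debugger values:", find_ifeo_hijacks(SAMPLE_REG_DUMP))
    print("Persistence:", find_persistence(SAMPLE_REG_DUMP))
    print("Poisoned hosts entries:", find_hosts_poisoning(SAMPLE_HOSTS))
    print("Autorun.inf launch keys:", parse_autorun_inf(SAMPLE_AUTORUN))
    print("AutoRun still enabled on:", decode_nodrivetypeautorun(0xB5))
```

On the sample dump the script flags regedit.exe and msconfig.exe as redirected to the Trojan's path while leaving the unrelated myapp.exe entry marked as merely worth review, reports the Run\fubcwj value and the appended Winlogon Shell hook, lists the two vendor hostnames pinned to loopback, and shows that 0xB5 leaves AutoRun enabled only on fixed disks and RAM disks.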