Win32.Troj.QQPass.doD_中文百科全書

病毒別名：處理時間：2007-02-06 威脅級別：★

中文名稱：病毒類型：木馬影響系統：Win 9x/ME,Win 2000/NT,Win XP,Win 2003

基本介紹

中文名：Win32.Troj.QQPass.doD
處理時間：2007-02-06
病毒類型：木馬
影響系統：Win 9x/ME,Win 2000/NT,Win XP等

病毒行為

這是一個盜取QQ賬號密碼的木馬病毒。

1、複製自身到如下路徑：

%system%\severe.exe

%system%\jusodl.exe

%system%\drivers\pnvifj.exe

%system%\drivers\conime.exe

釋放病毒檔案到%system%\jusodl.dll

2、在每個磁碟根目錄下生成如下病毒檔案，當用戶雙擊盤符時會激活病毒

OSO.EXE、autorun.inf

3、改寫hosts檔案，禁止如下安全網站：

127.0.0.1 localhost

127.0.0.1 mmsk.cn

127.0.0.1 ikaka.com

127.0.0.1 safe.qq.com

127.0.0.1 360safe.com

127.0.0.1 www.mmsk.cn

127.0.0.1 www.ikaka.com

127.0.0.1 tool.ikaka.com

127.0.0.1 www.360safe.com

127.0.0.1 zs.kingsoft.com

127.0.0.1 forum.ikaka.com

127.0.0.1 up.rising.com.cn

127.0.0.1 scan.kingsoft.com

127.0.0.1 kvup.jiangmin.com

127.0.0.1 reg.rising.com.cn

127.0.0.1 update.rising.com.cn

127.0.0.1 update7.jiangmin.com

127.0.0.1 download.rising.com.cn

127.0.0.1 dnl-us1.kaspersky-labs.com

127.0.0.1 dnl-us2.kaspersky-labs.com

127.0.0.1 dnl-us3.kaspersky-labs.com

127.0.0.1 dnl-us4.kaspersky-labs.com

127.0.0.1 dnl-us5.kaspersky-labs.com

127.0.0.1 dnl-us6.kaspersky-labs.com

127.0.0.1 dnl-us7.kaspersky-labs.com

127.0.0.1 dnl-us8.kaspersky-labs.com

127.0.0.1 dnl-us9.kaspersky-labs.com

127.0.0.1 dnl-us10.kaspersky-labs.com

127.0.0.1 dnl-eu1.kaspersky-labs.com

127.0.0.1 dnl-eu2.kaspersky-labs.com

127.0.0.1 dnl-eu3.kaspersky-labs.com

127.0.0.1 dnl-eu4.kaspersky-labs.com

127.0.0.1 dnl-eu5.kaspersky-labs.com

127.0.0.1 dnl-eu6.kaspersky-labs.com

127.0.0.1 dnl-eu7.kaspersky-labs.com

127.0.0.1 dnl-eu8.kaspersky-labs.com

127.0.0.1 dnl-eu9.kaspersky-labs.com

127.0.0.1 dnl-eu10.kaspersky-labs.com

4、修改如下註冊表項開機自動啟動：

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

"pnvifj"="C:\WINDOWS\system32\jusodl.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

"jusodl"="C:\WINDOWS\system32\severe.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe C:\WINDOWS\system32\drivers\conime.exe"

修改如下項，隱藏病毒檔案：

[HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]

CheckedValue="0"

修改如下鍵值，使正常檔案的運行路徑指向病毒檔案：

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"

5、查找含有如下字元串的視窗，找到則將其關閉：

防毒、專殺、病毒、木馬、註冊表。

停止並禁用如下安全服務：

srservice

sharedaccess

KVWSC

KVSrvXP

kavsvc

RsRavMon

RsCCenter

RsRavMon

終止如下安全進程：

"cmd.exe"

"net.exe"

"sc1.exe"

"net1.exe"

"PFW.exe"

"Kav.exe"

"KVOL.exe"

"KVFW.exe"

"adam.exe"

"qqav.exe"

"qqkav.exe"

"TBMon.exe"

"kav32.exe"

"kvwsc.exe"

"CCAPP.exe"

"KRegEx.exe"

"kavsvc.exe"

"VPTray.exe"

"RAVMON.exe"

"EGHOST.exe"

"KavPFW.exe"

"SHSTAT.exe"

"RavTask.exe"

"TrojDie.kxp"

"Iparmor.exe"

"MAILMON.exe"

"MCAGENT.exe"

"KAVPLUS.exe"

"RavMonD.exe"

"Rtvscan.exe"

"Nvsvc32.exe"

"KVMonXP.exe"

"Kvsrvxp.exe"

"CCenter.exe"

"KpopMon.exe"

"RfwMain.exe"

"KWATCHUI.exe"

"MCVSESCN.exe"

"MSKAGENT.exe"

"kvolself.exe"

"KVCenter.kxp"

"kavstart.exe"

"RAVTIMER.exe"

"RRfwMain.exe"

"FireTray.exe"

"UpdaterUI.exe"

"KVSrvXp_1.exe"

"RavService.exe"

7、尋找QQ登入視窗，記錄鍵盤，獲得用戶密碼後通過自身的郵件引擎傳送出去。

Win32.Troj.QQPass.doD

基本介紹

相關詞條

熱門詞條