Win32.Troj.QQPass.sd is a Trojan with a threat level of one star. It steals QQ account passwords.
Basic information
- Chinese name: Win32.Troj.QQPass.sd
- Threat level: ★
- Type: Trojan
- Affected systems: Win 9x/ME, Win 2000/NT, Win XP
Overview
- Alias: (not given)
- Processed on: 2007-02-06
- Threat level: ★
- Chinese name: (not given)
- Type: Trojan
- Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Behaviour
This is a Trojan that steals QQ account passwords.
1. Copies itself to the following paths:
%system%\severe.exe
%system%\jusodl.exe
%system%\drivers\pnvifj.exe
%system%\drivers\conime.exe
Drops a virus file to %system%\jusodl.dll
2. Creates the following files in the root directory of every drive; the virus is activated when the user double-clicks the drive letter:
OSO.EXE, autorun.inf
3. Overwrites the hosts file to block the following security sites:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
4. Modifies the following registry entries so that it starts automatically at boot:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"pnvifj"="C:\WINDOWS\system32\jusodl.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"jusodl"="C:\WINDOWS\system32\severe.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\drivers\conime.exe"
Modifies the following entry to hide the virus files (disables "show hidden files"):
[HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
CheckedValue="0"
Modifies the following values so that the execution path of legitimate programs is redirected to the virus file (IFEO Debugger hijack):
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe\Debugger "C:\WINDOWS\system32\drivers\pnvifj.exe"
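As an added example covering steps 3 and 4 above (not tooling from the page's analysis vendor): a Python script that scans a collected hosts file and a .reg export for the loopback sinkholing of security-vendor names and for Run, Winlogon Shell or IFEO Debugger values that point at the dropped binaries. The sample inputs are constructed; the domain check matches by registered domain, so it also catches hostnames under the listed vendors that the exact entries above do not name.

```python
import re
# Constructed sample input: a hosts file and a .reg export collected from a
# suspect machine (not real captures from this malware).
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 safe.qq.com
127.0.0.1 update.rising.com.cn
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\pnvifj.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"jusodl"="C:\\WINDOWS\\system32\\severe.exe"
"OneDrive"="C:\\Users\\u\\OneDrive.exe"
"""
# Registered domains of the security sites listed in step 3 of the write-up.
SINKHOLED = {"safe.qq.com", "360safe.com", "ikaka.com", "mmsk.cn",
             "kingsoft.com", "rising.com.cn", "jiangmin.com", "kaspersky-labs.com"}
# File names the Trojan drops (step 1) and registers in step 4.
DROPPED = {"severe.exe", "jusodl.exe", "pnvifj.exe", "conime.exe"}

def hosts_sinkholes(text):
    """Hosts entries that map a listed security-vendor name to loopback."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "127.0.0.1":
            continue
        name = parts[1].lower()
        if any(name == d or name.endswith("." + d) for d in SINKHOLED):
            hits.append(name)
    return hits

def reg_hijacks(text):
    """(key, value name, data) for .reg values whose data names a dropped file:
    Run entries, an extended Winlogon Shell, or an IFEO Debugger redirect."""
    hits, key = [], None
    for line in text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key:
            data = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if data.split("\\")[-1].lower() in DROPPED:
                hits.append((key, m.group(1), data))
    return hits
```

Run it against a real hosts file and a `reg export` of the Run, Winlogon and Image File Execution Options keys; any hit is grounds to check the named binary against the paths in step 1.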
5. Searches for windows whose titles contain the following strings and closes any it finds:
防毒 (antivirus), 專殺 (removal tool), 病毒 (virus), 木馬 (Trojan), 註冊表 (registry).
Stops and disables the following security services:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
Terminates the following security processes:
"cmd.exe"
"net.exe"
"sc1.exe"
"net1.exe"
"PFW.exe"
"Kav.exe"
"KVOL.exe"
"KVFW.exe"
"adam.exe"
"qqav.exe"
"qqkav.exe"
"TBMon.exe"
"kav32.exe"
"kvwsc.exe"
"CCAPP.exe"
"KRegEx.exe"
"kavsvc.exe"
"VPTray.exe"
"RAVMON.exe"
"EGHOST.exe"
"KavPFW.exe"
"SHSTAT.exe"
"RavTask.exe"
"TrojDie.kxp"
"Iparmor.exe"
"MAILMON.exe"
"MCAGENT.exe"
"KAVPLUS.exe"
"RavMonD.exe"
"Rtvscan.exe"
"Nvsvc32.exe"
"KVMonXP.exe"
"Kvsrvxp.exe"
"CCenter.exe"
"KpopMon.exe"
"RfwMain.exe"
"KWATCHUI.exe"
"MCVSESCN.exe"
"MSKAGENT.exe"
"kvolself.exe"
"KVCenter.kxp"
"kavstart.exe"
"RAVTIMER.exe"
"RRfwMain.exe"
"FireTray.exe"
"UpdaterUI.exe"
"KVSrvXp_1.exe"
"RavService.exe"
7. Looks for the QQ login window, logs keystrokes, and once it has captured the user's password sends it out through its own mail engine.