Win32.TrojDownloader.Agent.105984

影響系統:Win9xWin2000WinXP

病毒運行後會衍生病毒檔案至系統目錄下,並將生成的DLL檔案注入到進程當中.

該病毒運行後會通過網際網路下載其他的病毒檔案至客戶的機器上.

1.生成檔案

C:\WINDOWS\system32\lyzm7prr.dll

C:\WINDOWS\system32\drivers\8vnag.sys

C:\WINDOWS\system32\drivers\hbbmjb2l4.sys

C:\DocumentsandSettings\lok\Favorites\收藏.url

2.修改註冊表

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4

Main="c328bcbf-38ba-481188456994"

3.修改註冊表,添加服務

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

Type=dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

Start=dword:00000002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

ErrorControl=dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

ImagePath=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,64,72,69,76,65,72,73,5c,38,76,6e,61,67,2e,73,79,73,00,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

DisplayName="8vnag"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8vnag

setonce

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

Type=dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

Start=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

ErrorControl=dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

ImagePath=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,68,62,62,6d,6a,62,32,6c,34,2e,73,79,73,00,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

DisplayName="hbbmjb2l4"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbbmjb2l4

Group="SystemBusExtender"

4.病毒運行後會把DLL檔案注入到進程當中.

5.病毒會通過網際網路從以下的網站下載其他的病毒檔案至客戶的機器上