Win32.TrojDownloader.Agent.139383

木馬下載器病毒長凳抹嬸度:139383

影響系統:Win9xWin2000WinXP

利用了IFEO重定向劫持技術，使大量的防毒軟體和安全相關工具無法運行；簽夜姜會破壞籃催剃協安全模式，使中毒用戶無法在安全模式下查殺病毒；

會下載大量病毒到用戶計算機來盜取用戶有價值的信息和某些帳號.

1.生成檔案

c:\ProgramFiles\meex.exe

c:\ProgramFiles\CommonFile\System\.exe

c:\ProgramFiles\CommonFiles\MicrosoftShared\.exe

2.修改注拳符辨冊表，添加啟動項，以達到隨機啟動的目的

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Default="C:\ProgramFiles\CommonFiles\System\.exe"

3.刪除註冊表安全模式的有關信息，當開機時不能啟動安全模式

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

Defualt="DiskDrive"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

Defualt="DiskDrive"

4.改變注愚雅冊表值使隱藏檔案不可見，循狼白榜達到病毒體隱藏目的

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

CheckedValue=dword:00000000

5.禁用此計算機上的幫助與支持中心服務：殃全煮

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc

Start=dword:00000004

6.禁用網路地址轉換、定址、名稱解析、和入侵保護服務：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

Start=dword:00000004

7.禁用監視系統安全設定和配置服務：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

Start=dword:00000004

8.禁用下載和安裝Windows更新服務：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

Start=dword:00000004

9.映像劫持

通過在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions下添加註冊表項來進行檔案映像劫持，可阻止大量安全軟體及系統管理軟體運行，並執行病毒體。

被劫持的軟體包括：

360rpt.exe;

360Safe.exe;

360tray.exe;

adam.exe;

AgentSvr.exe;

AppSvc32.exe;

autoruns.exe;

avgrssvc.exe;

AvMonitor.exe;

avp.exe;

CCenter.exe;

ccSvcHst.exe;

FileDsty.exe;

FTCleanerShell.exe;

HijackThis.exe;

IceSword.exe;

iparmo.exe;

Iparmor.exe;

isPwdSvc.exe;

kabaload.exe;

KaScrScn.SCR;

KASMain.exe;

KASTask.exe;

KAV32.exe;

KAVDX.exe;

KAVPFW.exe;

KAVSetup.exe;

KAVStart.exe;

KISLnchr.exe;

KMailMon.exe;

KMFilter.exe;

KPFW32.exe;

KPFW32X.exe;

KPFWSvc.exe;

KRegEx.exe;

KsLoader.exe;

KVCenter.kxp;

KvDetect.exe;

KvfwMcl.exe;

KVMonXP.kxp;

KVMonXP_1.kxp;

kvol.exe;

kvolself.exe;

KvReport.kxp;

KVScan.kxp;

KVSrvXP.exe;

KVStub.kxp;

kvupload.exe;

kvwsc.exe;

KvXP.kxp;

KvXP_1.kxp;

KWatch.exe;

KWatch9x.exe;

KWatchX.exe;

loaddll.exe;

MagicSet.exe;

mcconsol.exe;

mmqczj.exe;

mmsk.exe;

NAVSetup.exe;

nod32krn.exe;

nod32kui.exe;

PFW.exe;

PFWLiveUpdate.exe;

QHSET.exe;

Ras.exe;

Rav.exe;

RavMon.exe;

RavMonD.exe;

RavStub.exe;

RavTask.exe;

RegClean.exe;

rfwcfg.exe;

RfwMain.exe;

rfwProxy.exe;

rfwsrv.exe;

RsAgent.exe;

Rsaupd.exe;

runiep.exe;

safelive.exe;

scan32.exe;

shcfg32.exe;

SmartUp.exe;

SREng.exe;

symlcsvc.exe;

SysSafe.exe;

TrojanDetector.exe;

Trojanwall.exe;

TrojDie.kxp;

UIHost.exe;

UmxAgent.exe;

UmxAttachment.exe;

UmxCfg.exe;

UmxFwHlp.exe;

UmxPol.exe;

UpLive.EXE.exe;

WoptiClean.exe;

zxsweep.exe;

10.該病毒在各個驅動器下創建.exe前，首先判斷驅動器的根目錄下是否存在.exe檔案或資料夾，如果存在則先嘗試刪除，

然後創建autorun.inf檔案和對應可執行病毒檔案。

11.從其他網址下載其他病毒檔案至客戶機器.

Start=dword:00000004

6.禁用網路地址轉換、定址、名稱解析、和入侵保護服務：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

Start=dword:00000004

7.禁用監視系統安全設定和配置服務：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

Start=dword:00000004

8.禁用下載和安裝Windows更新服務：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

Start=dword:00000004

9.映像劫持

通過在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions下添加註冊表項來進行檔案映像劫持，可阻止大量安全軟體及系統管理軟體運行，並執行病毒體。

被劫持的軟體包括：

360rpt.exe;

360Safe.exe;

360tray.exe;

adam.exe;

AgentSvr.exe;

AppSvc32.exe;

autoruns.exe;

avgrssvc.exe;

AvMonitor.exe;

avp.exe;

CCenter.exe;

ccSvcHst.exe;

FileDsty.exe;

FTCleanerShell.exe;

HijackThis.exe;

IceSword.exe;

iparmo.exe;

Iparmor.exe;

isPwdSvc.exe;

kabaload.exe;

KaScrScn.SCR;

KASMain.exe;

KASTask.exe;

KAV32.exe;

KAVDX.exe;

KAVPFW.exe;

KAVSetup.exe;

KAVStart.exe;

KISLnchr.exe;

KMailMon.exe;

KMFilter.exe;

KPFW32.exe;

KPFW32X.exe;

KPFWSvc.exe;

KRegEx.exe;

KsLoader.exe;

KVCenter.kxp;

KvDetect.exe;

KvfwMcl.exe;

KVMonXP.kxp;

KVMonXP_1.kxp;

kvol.exe;

kvolself.exe;

KvReport.kxp;

KVScan.kxp;

KVSrvXP.exe;

KVStub.kxp;

kvupload.exe;

kvwsc.exe;

KvXP.kxp;

KvXP_1.kxp;

KWatch.exe;

KWatch9x.exe;

KWatchX.exe;

loaddll.exe;

MagicSet.exe;

mcconsol.exe;

mmqczj.exe;

mmsk.exe;

NAVSetup.exe;

nod32krn.exe;

nod32kui.exe;

PFW.exe;

PFWLiveUpdate.exe;

QHSET.exe;

Ras.exe;

Rav.exe;

RavMon.exe;

RavMonD.exe;

RavStub.exe;

RavTask.exe;

RegClean.exe;

rfwcfg.exe;

RfwMain.exe;

rfwProxy.exe;

rfwsrv.exe;

RsAgent.exe;

Rsaupd.exe;

runiep.exe;

safelive.exe;

scan32.exe;

shcfg32.exe;

SmartUp.exe;

SREng.exe;

symlcsvc.exe;

SysSafe.exe;

TrojanDetector.exe;

Trojanwall.exe;

TrojDie.kxp;

UIHost.exe;

UmxAgent.exe;

UmxAttachment.exe;

UmxCfg.exe;

UmxFwHlp.exe;

UmxPol.exe;

UpLive.EXE.exe;

WoptiClean.exe;

zxsweep.exe;

10.該病毒在各個驅動器下創建.exe前，首先判斷驅動器的根目錄下是否存在.exe檔案或資料夾，如果存在則先嘗試刪除，

然後創建autorun.inf檔案和對應可執行病毒檔案。

11.從其他網址下載其他病毒檔案至客戶機器.