Basic Introduction
Virus Behaviour
After the virus runs:
It creates winshost.exe and wiwshost.exe in the system's System32 directory.
wiwshost.exe is injected into the Explorer.exe process.
It also adds the following entry to the registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" - "C:\WINNT\System32\winshost.exe"
It enumerates the processes running on the system and forcibly terminates the following:
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
It deletes the following file:
mysuperprog.exe
It renames the following files (so that the security products can no longer find them):
CCSETMGR.EXE renamed to C1CSETMGR.EXE
CCEVTMGR.EXE renamed to CC1EVTMGR.EXE
NAVAPSVC.EXE renamed to NAV1APSVC.EXE
NPFMNTOR.EXE renamed to NPFM1NTOR.EXE
symlcsvc.exe renamed to s1ymlcsvc.exe
SPBBCSvc.exe renamed to SP1BBCSvc.exe
SNDSrvc.exe renamed to SND1Srvc.exe
ccApp.exe renamed to ccA1pp.exe
ccl30.dll renamed to cc1l30.dll
ccvrtrst.dll renamed to ccv1rtrst.dll
LUALL.EXE renamed to LUAL1L.EXE
AUPDATE.EXE renamed to AUPD1ATE.EXE
Luupdate.exe renamed to Luup1date.exe
LUINSDLL.DLL renamed to LUI1NSDLL.DLL
RuLaunch.exe renamed to RuLa1unch.exe
CMGrdian.exe renamed to CM1Grdian.exe
Mcshield.exe renamed to Mcsh1ield.exe
outpost.exe renamed to outp1ost.exe
Avconsol.exe renamed to Avc1onsol.exe
Vshwin32.exe renamed to Vshw1in32.exe
VsStat.exe renamed to Vs1Stat.exe
Avsynmgr.exe renamed to Av1synmgr.exe
kavmm.exe renamed to kav12mm.exe
Up2Date.exe renamed to Up222Date.exe
KAV.exe renamed to K2A2V.exe
avgcc.exe renamed to avgc3c.exe
avgemc.exe renamed to avg23emc.exe
zonealarm.exe renamed to zo3nealarm.exe
zatutor.exe renamed to zatu6tor.exe
zlavscan.dll renamed to zl5avscan.dll
zlclient.exe renamed to zlcli6ent.exe
isafe.exe renamed to is5a6fe.exe
cafix.exe renamed to c6a5fix.exe
vsvault.dll renamed to vs6va5ult.dll
av.dll renamed to a5v.dll
vetredir.dll renamed to ve6tre5dir.dll
It deletes the following registry values and keys (the Run values of the security products and the vendors' software keys):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV CfgWiz"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Guardian"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee.InstantUpdate.Monitor"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAV50"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avg7_cc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avg7_emc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Zone Labs]
It stops the following services (including Windows Update, wuauserv, and the Windows Firewall / Internet Connection Sharing service, SharedAccess):
wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD
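A host check for the indicators described above, written as an added example (it is not part of the original page). The detection logic is a pure function so it can be exercised offline on constructed input; collect_windows() gathers the real inputs on a Windows host. Only a subset of the renamed-file pairs is reproduced, and the directories scanned are an assumption: the renamed security-product files live in each product's own folder, so pass those folders as extra_dirs.

```python
import os
import platform

# Indicators quoted from the description above. Only a subset of the renamed
# files is reproduced; extend RENAMED_AV_FILES from the full list as needed.
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}
RUN_VALUE_NAME = "winshost.exe"
RENAMED_AV_FILES = {
    "CCSETMGR.EXE": "C1CSETMGR.EXE",
    "CCEVTMGR.EXE": "CC1EVTMGR.EXE",
    "NAVAPSVC.EXE": "NAV1APSVC.EXE",
    "ccApp.exe": "ccA1pp.exe",
    "Mcshield.exe": "Mcsh1ield.exe",
    "zlclient.exe": "zlcli6ent.exe",
}

def check_host(seen_files, run_values):
    """Evaluate the indicators against file names seen in the scanned directories
    (System32 plus the security products' own folders) and the name -> data map
    of HKLM\\...\\CurrentVersion\\Run. Returns a list of finding strings."""
    seen = {f.lower() for f in seen_files}
    findings = []
    for name in sorted(DROPPED_FILES):
        if name in seen:
            findings.append(f"dropped file present: {name}")
    for value, data in run_values.items():
        if value.lower() == RUN_VALUE_NAME or "winshost.exe" in data.lower():
            findings.append(f"persistence Run value: {value} = {data}")
    for original, mangled in RENAMED_AV_FILES.items():
        # Mangled name present while the original is missing is the signature of
        # the rename; both present is more likely a false positive, so skip it.
        if mangled.lower() in seen and original.lower() not in seen:
            findings.append(f"security product file renamed: {original} -> {mangled}")
    return findings

def collect_windows(extra_dirs=()):
    """Gather the inputs from a live Windows host (winreg is Windows-only)."""
    import winreg
    dirs = [os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"), *extra_dirs]
    files = {f for d in dirs if os.path.isdir(d) for f in os.listdir(d)}
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values under the key
                break
            run_values[name] = str(data)
            i += 1
    return files, run_values

if __name__ == "__main__" and platform.system() == "Windows":
    for line in check_host(*collect_windows()):
        print(line)
```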