Win32.PSWTroj.QQPass

Win32.PSWTroj.QQPass, named "QQ偽裝盜號者" (QQ disguised account thief), is a QQ account-stealing Trojan. It injects itself into a system process on the victim's computer and runs from there, stealing the QQ accounts and passwords the virus author has specified along with other information tied to those QQ numbers.

Overview

Win32.PSWTroj.QQPass
Alias:
Processed on:       2007-03-30
Threat level:       ★
Chinese name:       QQ偽裝盜號者
Type:               Trojan
Affected systems:   Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Behaviour:

This virus is a QQ account-stealing Trojan.
1. Files created
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\mmlucj.exe
%SystemRoot%\system32\drivers\avipit.exe
%SystemRoot%\system32\drivers\conime.exe
%SystemRoot%\system32\mmlucj.dll
2. Startup entries added (the Winlogon "Shell" value is explorer.exe by default; pointing it at conime.exe makes that file start as the shell at every logon)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"mmlucj" = "%SystemRoot%\system32\severe.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"avipit" = "%SystemRoot%\system32\mmlucj.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "%SystemRoot%\system32\drivers\conime.exe"
3. Terminates the following processes (anti-virus, personal-firewall and security-tool processes)
pfw.exe,kav.exe,KVOL.exe,kvfw.exe,adam.exe,qqav.exe,qqkav.exe,TBMon.exe,kav32.exe,kvwsc.exe,ccapp.exe,kregex.exe,kavsvc.exe,VPTray.exe,RAVMON.exe,EGHOST.exe,KavPFW.exe,SHSTAT.exe,RavTask.exe,TrojDie.kxp,Iparmor.exe,MAILMON.exe,mcagent.exe,KAVPLUS.exe,RavMonD.exe,rtvscan.exe,nvsvc32.exe,KVMonXP.exe,kvsrvxp.exe,CCenter.exe,KpopMon.exe,rfwmain.exe,KWATCHUI.exe,mcvsescn.exe,mskagent.exe,kvolself.exe,KVCenter.kxp,kavstart.exe,ravtimer.exe,RRfwMain.exe,FireTray.exe,updaterui.exe,kvsrvxp_1.exe,RavService.exe
4. Modifies the registry so that the system never shows hidden files.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "0"
With CheckedValue at 0, choosing "Show hidden files and folders" in Folder Options copies that 0 into the user's Hidden setting, so the files stay hidden and the option appears not to stick.
5. Writes autorun.inf and OSO.exe to drives D, E, F, G, H and I so that OSO.exe is started through AutoRun:
--------------------------------
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
---------------------------------
6. Creates the following mutexes so that the programs which check for them cannot run. The first two (shown as stored in the sample = decoded value) appear to be the Trojan's own exe and dll instance markers; the rest are the names that security programs test at startup, so holding them makes those programs believe an instance is already running and exit.
A}cNqqc{[TWQkgdfv7(3 = ExeMutex_QQRobber2.0
@ijNqqc{[TWQkgdfv7(3 = DllMutex_QQRobber2.0
AntiTrojan3721
ASSISTSHELLMUTEX
SKYNET_PERSONAL_FIREWALL
KingsoftAntivirusScanProgram7Mutex
7. Connects to the following addresses and tries to download files such as @#$#.htm, 30w.txt, dqhx1.txt, down.txt and dqhx3.txt. Each line shows the URL as stored in the sample on the left and its decoded form on the right (host name masked with ***):
lqrs>*)tsr(``642*fin = http://***.cd321.com
lqrs>*)tsr(``642*kcw = http://***.cd321.net
lqrs>*)tsr(532?43+eli = http://***.677977.com
lqrs>*)tsr(`ps757+eli = http://***.ctv163.com
lqrs>*)tsr(``642*kcw+66t*q~w = http://***.cd321.net/30w.txt
lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w = http://***.ctv163.com/admin/down.txt
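Items 6 and 7 give every string twice: on the left as it is stored in the sample, on the right decoded. Lining the two columns up character by character shows that each byte is XOR-ed with a key that depends only on its position, cycling 4, 5, 6, 3. The decoder below is an added example, not code from the original advisory or from the sample itself; the key and the pair table are taken from the page (the "[" in the two mutex names is the ASCII bracket that some renderings show as a full-width one), and mask_like() keeps the page's *** masking of the host names in place instead of printing what is under it.

```python
# Added example (not from the original advisory): decode the obfuscated mutex
# names and URLs that the sample stores.  Every byte is XOR-ed with a key that
# depends only on its position, 4, 5, 6, 3, 4, 5, 6, 3, ...  That key was
# derived by XOR-ing the encoded and decoded columns printed on the page; the
# code itself is an assumption about how the sample does it, written so the
# pairs can be checked mechanically.

KEY = (4, 5, 6, 3)  # derived from the encoded/decoded pairs on the page


def decode(encoded: str) -> str:
    """Reverse the position-dependent XOR used for the sample's strings."""
    return "".join(chr(ord(c) ^ KEY[i % len(KEY)]) for i, c in enumerate(encoded))


def encode(plain: str) -> str:
    """XOR is its own inverse, so encoding is the same transform."""
    return decode(plain)


def mask_like(decoded: str, reference: str) -> str:
    """Keep the page's redaction: any position that is '*' in the reference
    is shown as '*' in the result, so a masked host name stays masked."""
    return "".join("*" if r == "*" else d for d, r in zip(decoded, reference))


# Constructed table of (encoded form, decoded form) pairs as printed on the page.
# The 9th byte of both mutex names is ASCII '[' (0x5B); some renderings of the
# page show it as a full-width bracket.
PAIRS = [
    ("A}cNqqc{[TWQkgdfv7(3", "ExeMutex_QQRobber2.0"),
    ("@ijNqqc{[TWQkgdfv7(3", "DllMutex_QQRobber2.0"),
    ("lqrs>*)tsr(``642*fin", "http://***.cd321.com"),
    ("lqrs>*)tsr(``642*kcw", "http://***.cd321.net"),
    ("lqrs>*)tsr(532?43+eli", "http://***.677977.com"),
    ("lqrs>*)tsr(`ps757+eli", "http://***.ctv163.com"),
    ("lqrs>*)tsr(``642*kcw+66t*q~w", "http://***.cd321.net/30w.txt"),
    ("lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w", "http://***.ctv163.com/admin/down.txt"),
]


def check_pairs(pairs=PAIRS):
    """Return the (encoded, expected, got) triples that do NOT decode as listed."""
    mismatches = []
    for enc, expected in pairs:
        got = mask_like(decode(enc), expected)
        if got != expected:
            mismatches.append((enc, expected, got))
    return mismatches


if __name__ == "__main__":
    for enc, expected in PAIRS:
        print(f"{enc!r:42} -> {mask_like(decode(enc), expected)}")
    bad = check_pairs()
    print("all pairs consistent" if not bad else f"mismatches: {bad}")
```

Running check_pairs() over the table returns an empty list, which is also how the down.txt entry was checked: its encoded form decodes under the ctv163.com host.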
8. Creates and runs a batch file, hx1.bat, that sets the system date to 2004-01-22.
9. Calls sc.exe to stop the related anti-virus services and set them to disabled (the "start= disabled" form, with the space after "=", is sc's required syntax):
-----------------------------------------
stop KVWSC
config KVWSC start= disabled
stop KVSrvXP
config KVSrvXP start= disabled
stop kavsvc
config kavsvc start= disabled
stop RsCCenter
config RsCCenter start= disabled
stop RsRavMon
------------------------------------------
10. Image File Execution Options hijacking, which makes the following tools unusable. For each image name below the key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>
is created with the value
"Debugger" = "%SystemRoot%\system32\drivers\avipit.exe"
so that Windows starts avipit.exe in place of the named program. The image names are:
MagicSet.exe, rav.exe, avp.com, avp.exe, KRegEx.exe, KvDetect.exe, KvXP.kxp, TrojDie.kxp, kvmonxp.kxp, IceSword.exe, mmsk.exe, WoptiClean.exe, kabaload.exe, 360Safe.exe, runiep.exe, iparmo.exe, adam.exe, RavMon.exe, QQDoctor.exe, SREng.EXE, Ras.exe, msconfig.exe, regedit.exe, regedit.com, msconfig.com, PFW.exe, PFWLiveUpdate.exe, EGHOST.exe, NOD32.exe
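Items 2, 4 and 10 are all plain registry values, so an exported .reg file is enough to check a machine for them offline. The script below is an added example, not part of the original advisory or of the sample: it parses the regedit export format and reports Run autostarts, a non-default Winlogon Shell, a zeroed SHOWALL CheckedValue and every IFEO subkey that carries a Debugger value. The export text is constructed from the values listed on this page, with %SystemRoot% expanded to C:\WINDOWS as a real export would show it; the notepad.exe subkey is there only to show that an IFEO key without a Debugger value is not reported.

```python
# Added example, not code from the original advisory: offline triage of a
# regedit export (.reg text) for the registry tricks in items 2, 4 and 10.
# SAMPLE_REG is constructed for this example from the values listed on the
# page; a real export holds the expanded path where the page writes %SystemRoot%.
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mmlucj"="C:\\WINDOWS\\system32\\severe.exe"
"avipit"="C:\\WINDOWS\\system32\\mmlucj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\system32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\avipit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\avipit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilter"=dword:00000000
'''

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse the .reg subset regedit emits: [key] headers, "name"="string"
    (with backslash escapes) and "name"=dword:hex.  Returns
    {key path: {value name: value}} with the original key case kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if not m:
                continue
            name, rhs = m.group(1), m.group(2)
            if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", rhs[1:-1])  # undo \\ and \" escapes
            elif rhs.lower().startswith("dword:"):
                value = int(rhs[6:], 16)
            else:
                value = rhs  # hex(...) binary data is left unparsed
            keys[current][name] = value
    return keys


def _values(keys, path):
    """Case-insensitive key lookup; the registry ignores case in key names."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def _get(values, name):
    """Case-insensitive value-name lookup."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def ifeo_debuggers(keys):
    """(image name, debugger path) for every IFEO subkey with a Debugger value.
    Windows launches that path instead of the image, so each hit is a program
    that has been silently replaced."""
    prefix = IFEO.lower() + "\\"
    hits = []
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            debugger = _get(values, "Debugger")
            if debugger is not None:
                hits.append((key[len(prefix):], debugger))
    return sorted(hits)


def run_entries(keys):
    """All HKLM Run autostarts as (name, command) pairs."""
    return sorted(_values(keys, RUN).items())


def winlogon_shell(keys):
    """The Winlogon Shell value if it is anything but the default explorer.exe."""
    shell = _get(_values(keys, WINLOGON), "Shell")
    if shell is None or shell.strip().lower() == "explorer.exe":
        return None
    return shell


def showall_disabled(keys):
    """True when SHOWALL CheckedValue is 0, i.e. 'Show hidden files' is neutralised."""
    return _get(_values(keys, SHOWALL), "CheckedValue") == 0


def triage(text):
    """Run all four checks over one .reg export and return the findings."""
    keys = parse_reg_export(text)
    return {
        "ifeo": ifeo_debuggers(keys),
        "run": run_entries(keys),
        "shell": winlogon_shell(keys),
        "showall_disabled": showall_disabled(keys),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_REG).items():
        print(f"{check}: {result}")
```

On a live machine the same export comes from "reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg" (and the Run and Winlogon keys likewise); any Debugger value that is not a debugger the administrator installed deserves the same suspicion as the avipit.exe entries here.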
11. Modifies the hosts file to block the following sites. The localhost line is the normal default entry; every other name (security-vendor sites and anti-virus update servers) is pointed at 127.0.0.1 so that it can no longer be reached:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-Us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
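Because the block list in item 11 is nothing but hosts-file lines, the same data can be checked and reverted mechanically. The script below is an added example, not from the original advisory: it lists every name other than the local ones that the file pins to a loopback address, and returns a cleaned copy with exactly those lines removed. The hosts text is constructed from a few of the entries above plus two ordinary lines, so the checks run offline.

```python
# Added example, not code from the original advisory: find and remove the
# hosts-file sinkholing that item 11 describes.  SAMPLE_HOSTS is constructed
# from some of the page's entries plus two ordinary lines.
import ipaddress

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 mmsk.cn
127.0.0.1 safe.qq.com
127.0.0.1 dnl-Us3.kaspersky-labs.com   # mixed case, as written by the sample
127.0.0.1 update.rising.com.cn
10.0.0.5  intranet.example             # ordinary entry, not loopback
"""

# Names that legitimately map to a loopback address and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments and blank lines
    are skipped, and one line may list several names after its address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:  # first field is not an address; ignore the line
            continue
        for name in parts[1:]:
            yield addr, name.lower()


def is_sinkhole(addr, name):
    """A loopback mapping for anything other than a local name."""
    return addr.is_loopback and name not in LOCAL_NAMES


def sinkholed_names(text):
    """Sorted, lower-cased names that the hosts file black-holes."""
    return sorted({name for addr, name in parse_hosts(text) if is_sinkhole(addr, name)})


def clean_hosts(text):
    """The hosts text with every sinkholing line removed; comments, the
    localhost lines and ordinary entries are kept unchanged."""
    kept = [raw for raw in text.splitlines()
            if not any(is_sinkhole(a, n) for a, n in parse_hosts(raw))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("sinkholed:", sinkholed_names(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```

Names are lower-cased before comparison because the resolver ignores case, which is why the sample's "dnl-Us3" spelling blocks the same host as the lower-case entries around it.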
