Win32.Troj.AdSetup.dx


Summary

Processed: 2007-02-08
Threat level: ★
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Virus behaviour

This is a rogue-software (adware) installation package. When the virus is run, it installs several pieces of rogue software on the system. Computer users are advised not to run unknown programs casually, so as to avoid infection.
1. Files created
%Program Files%\Common Files\System\Updaterun.exe
%SystemRoot%\system32\wbem\ocmor.dll
%SystemRoot%\system32\wbem\jqtyi.dll
%SystemRoot%\system32\rundllfromwin2000.exe
%Documents and Settings%\administrator\Favorites\多特軟體站-最安全放心的軟體站.url
%SystemRoot%\bar.exe
%Program Files%\superutilbar\superutilbar.dll
%Program Files%\superutilbar\uninst.exe
2. Startup entry added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"System" = "%Program Files%\Common Files\System\Updaterun.exe"
3. Fake system service added
HKLM\System\CurrentControlSet\Services\BRGNS
"Type" = "0x10"
HKLM\System\CurrentControlSet\Services\BRGNS
"Start" = "0x2"
HKLM\System\CurrentControlSet\Services\BRGNS
"ImagePath" = "%SystemRoot%\SYSTEM32\RUNDLLFROMWIN2000.EXE %SystemRoot%\SYSTEM32\WBEM\JQTYI.DLL,Export 1087"
HKLM\System\CurrentControlSet\Services\BRGNS
"DisplayName" = "Microsoft Update Service"
HKLM\System\CurrentControlSet\Services\BRGNS
"Description" = "提供Microsoft(R) Windows 及應用程式的升級和安全漏洞修復服務。"
4. Registry information added
HKCU\SOFTWARE\Microsoft\Internet Explorer\typedUrls\
"url5" = "http://www.3839.***/index.html"
HKCR\6781.TOOLBAR.1
"(Default)" = "實用搜尋工具條2.0"
HKCR\6781.TOOLBAR.1\CLSID
"(Default)" = ""
HKCR\6781.TOOLBARLOADER.1
"(Default)" = "實用搜尋"
HKCR\6781.TOOLBARLOADER\CLSID
"(Default)" = ""
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\實用搜尋工具條
"URLInfoAbout" = "http://www.shiyongsousuo.***"
5. CLSID components registered
HKCR\CLSID\
"(Default)" = "實用搜尋工具條2.0"
HKCR\CLSID\\InprocServer32
"(Default)" = "%Program Files%\superutilbar\superutilbar.dll"
HKCR\CLSID\
"(Default)" = "實用搜尋"
HKCR\CLSID\\InprocServer32
"(Default)" = "%Program Files%\superutilbar\superutilbar.dll"
6. BHO component added
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
"(Default)" = "實用搜尋"
7. Toolbar added
HKLM\Software\Microsoft\Internet Explorer\Toolbar
"" = "實用搜尋工具條2.0"
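As an added example (not part of this advisory and not the vendor's own tooling), the following Python script parses a reg.exe-style registry export and flags entries that reference the file names, the BRGNS service and the "System" Run value listed above. The export text is constructed for the example, and the parser and matching rules are assumptions for illustration, not a description of how the advisory's vendor detects this trojan.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a reg.exe export (not a real capture).
# Its values mirror the keys listed in the advisory plus two benign entries.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\Program Files\\Common Files\\System\\Updaterun.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BRGNS]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\SYSTEM32\\RUNDLLFROMWIN2000.EXE C:\\WINDOWS\\SYSTEM32\\WBEM\\JQTYI.DLL,Export 1087"
"DisplayName"="Microsoft Update Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcp]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
"DisplayName"="DHCP Client"
'''

# Indicators taken from the advisory's file list and registry entries (lower-cased).
INDICATOR_FILES = {
    "updaterun.exe", "ocmor.dll", "jqtyi.dll", "rundllfromwin2000.exe",
    "bar.exe", "superutilbar.dll",
}
INDICATOR_SERVICE = "brgns"
RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"

_HEADER = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(raw: str) -> str:
    """Decode a reg-export value: quoted strings (with \\ and \" escapes)
    and dword: hex values; anything else is returned as raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an export into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = _decode(m.group(2))
    return keys


def _basenames(command: str) -> List[str]:
    """Lower-cased file names of each token in a command line. Splitting on
    whitespace and commas breaks paths containing spaces, but the final
    component (the executable or DLL name) still survives for matching."""
    return [tok.split("\\")[-1].lower() for tok in re.split(r"[\s,]+", command) if tok]


def scan(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every entry matching an indicator."""
    findings = []
    for key, values in keys.items():
        lkey = key.lower()
        for name, value in values.items():
            hits = INDICATOR_FILES.intersection(_basenames(value))
            if hits:
                findings.append((key, name, "references " + ", ".join(sorted(hits))))
        if lkey.startswith(SERVICES_PREFIX):
            svc = lkey[len(SERVICES_PREFIX):].split("\\")[0]
            if svc == INDICATOR_SERVICE:
                findings.append((key, "", "service name BRGNS listed in the advisory"))
        if lkey == RUN_KEY and "System" in values:
            findings.append((key, "System", 'Run value named "System" as in the advisory'))
    return findings


if __name__ == "__main__":
    for key, name, reason in scan(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key} [{name or '(key)'}]: {reason}")
```

To use it on a real machine, export the Run key and the Services tree with reg.exe and feed the file's text to parse_reg_export; the matching is deliberately limited to the names the advisory lists, so a clean export produces no findings.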
