Win32.Troj.QQMsg.hl


Overview

Threat level: ★
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Behaviour:
This is a trojan that sends QQ instant messages. When run it drops its files, modifies the registry, and searches in the background for QQ chat windows; when it finds one it automatically sends messages to the victim's contacts.

Characteristics

1. Drops the following files:
%system32%\1A783BD2.EXE
%system32%\1A783BD2T.EXE
%system32%\1A783BD2.dll
(%system32% is the Windows system directory, usually C:\Windows\system32.)
2. Drops a batch file, %system32%\delme.bat, which deletes the original dropper.
3. Adds a service named 1A783BD2 by creating the following registry keys and values:
HKLM\System\CurrentControlSet\Services\1A783BD2
HKLM\System\CurrentControlSet\Services\1A783BD2\Type 0x10
HKLM\System\CurrentControlSet\Services\1A783BD2\Start 0x2
HKLM\System\CurrentControlSet\Services\1A783BD2\ErrorControl 0x1
HKLM\System\CurrentControlSet\Services\1A783BD2\ImagePath "C:\WINDOWS\system32\1A783BD2.EXE -service"
HKLM\System\CurrentControlSet\Services\1A783BD2\DisplayName "1A783BD2"
HKLM\System\CurrentControlSet\Services\1A783BD2\ObjectName "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\1A783BD2\Description "為系統提供加速啟動功能。" (decoy text: "Provides accelerated startup for the system.")
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\NextInstance 0x1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Control\*NewlyCreated* 0x0
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Service "1A783BD2"
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Legacy 0x1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\ConfigFlags 0x0
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\Class "LegacyDriver"
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\ClassGUID ""
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_1A783BD2\0000\DeviceDesc "1A783BD2"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A783BD2\Enum\0 "Root\LEGACY_1A783BD2\0000"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A783BD2\Enum\Count 0x1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A783BD2\Enum\NextInstance 0x1
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_1A783BD2\0000\Control\ActiveService "1A783BD2"
Type 0x10 is SERVICE_WIN32_OWN_PROCESS, Start 0x2 is SERVICE_AUTO_START (the Service Control Manager launches it at every boot), and ObjectName "LocalSystem" means the trojan runs with SYSTEM privileges. The Enum\Root\LEGACY_1A783BD2 keys and the Services\1A783BD2\Enum values are normally created by Windows itself when a non-PnP service is first started, so they are evidence that the service ran rather than values the trojan writes directly.
4. Injects code into Winlogon.exe and Explorer.exe, downloads a configuration file, and changes the user's browser home page according to that file.
5. Enumerates all current windows; when it finds a QQ chat window it automatically sends messages to the contact in that window.
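An added example, not part of the original write-up, showing how the persistence indicators above can be hunted in a registry export. It parses service values written in the same "key\value data" layout used on this page, scores each service against the profile described here (8-hex-digit name, DisplayName identical to the name, own-process auto-start service running as LocalSystem, ImagePath in system32 launched with -service, and the three companion files), and reports services that match. The registry dump, the benign Spooler entry and the file list are constructed sample data, and the three-indicator threshold is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: service keys in the same "key\value data" layout the
# write-up uses. 1A783BD2 is the persistence entry from the write-up;
# Spooler is a benign entry added for contrast.
SAMPLE_REGISTRY_DUMP = r"""
HKLM\System\CurrentControlSet\Services\1A783BD2\Type 0x10
HKLM\System\CurrentControlSet\Services\1A783BD2\Start 0x2
HKLM\System\CurrentControlSet\Services\1A783BD2\ErrorControl 0x1
HKLM\System\CurrentControlSet\Services\1A783BD2\ImagePath "C:\WINDOWS\system32\1A783BD2.EXE -service"
HKLM\System\CurrentControlSet\Services\1A783BD2\DisplayName "1A783BD2"
HKLM\System\CurrentControlSet\Services\1A783BD2\ObjectName "LocalSystem"
HKLM\System\CurrentControlSet\Services\Spooler\Type 0x110
HKLM\System\CurrentControlSet\Services\Spooler\Start 0x2
HKLM\System\CurrentControlSet\Services\Spooler\ImagePath "%SystemRoot%\System32\spoolsv.exe"
HKLM\System\CurrentControlSet\Services\Spooler\DisplayName "Print Spooler"
HKLM\System\CurrentControlSet\Services\Spooler\ObjectName "LocalSystem"
"""

# Constructed list of files found in the system directory of the sample host.
SAMPLE_SYSTEM32_FILES = {
    "1A783BD2.EXE", "1A783BD2T.EXE", "1A783BD2.dll", "spoolsv.exe", "kernel32.dll",
}

SERVICE_VALUE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\(\w+)\s+(.*)$",
    re.IGNORECASE,
)
# Eight hex digits, as in 1A783BD2: the dropper reuses this name for the
# service, its DisplayName and all three dropped files.
RANDOM_HEX_NAME = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)
IMAGEPATH_EXE = re.compile(r"system32\\([^\\\s\"]+\.exe)\s+-service", re.IGNORECASE)


def parse_service_values(dump):
    """Group Services\<name>\<value> <data> lines into {name: {value: data}}."""
    services = defaultdict(dict)
    for line in dump.splitlines():
        m = SERVICE_VALUE.match(line.strip())
        if m:
            name, value, data = m.groups()
            services[name][value] = data.strip().strip('"')
    return dict(services)


def matches_qqmsg_profile(name, values, system32_files):
    """Return the list of indicators from the write-up that one service matches."""
    reasons = []
    if RANDOM_HEX_NAME.match(name):
        reasons.append("8-hex-digit service name")
    if values.get("DisplayName", "").lower() == name.lower():
        reasons.append("DisplayName identical to service name")
    if (values.get("Type") == "0x10" and values.get("Start") == "0x2"
            and values.get("ObjectName", "").lower() == "localsystem"):
        reasons.append("own-process auto-start service running as LocalSystem")
    m = IMAGEPATH_EXE.search(values.get("ImagePath", ""))
    if m:
        reasons.append("ImagePath is a system32 exe launched with -service")
        exe = m.group(1)
        stem = exe[:-4]
        # The write-up's three drops: <name>.EXE, <name>T.EXE, <name>.dll
        companions = {c.lower() for c in (exe, stem + "T.EXE", stem + ".dll")}
        present = sorted(f for f in system32_files if f.lower() in companions)
        if len(present) == 3:
            reasons.append("all three dropped files present: " + ", ".join(present))
    return reasons


def hunt(dump, system32_files, threshold=3):
    """Return {service_name: reasons} for services reaching the threshold (assumed value)."""
    hits = {}
    for name, values in parse_service_values(dump).items():
        reasons = matches_qqmsg_profile(name, values, system32_files)
        if len(reasons) >= threshold:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_REGISTRY_DUMP, SAMPLE_SYSTEM32_FILES).items():
        print(f"[!] {name}")
        for r in reasons:
            print("    -", r)
        # Manual cleanup for a hit: stop and delete the service from an
        # elevated prompt, then remove the three dropped files.
        print(f"    sc stop {name} && sc delete {name}")
```

On a live host the same logic can be fed from an export of HKLM\System\CurrentControlSet\Services (for example the output of reg query) and a directory listing of %SystemRoot%\system32; the threshold keeps a single coincidence, such as a legitimate service that happens to use an 8-hex-digit name, from being reported on its own.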
