
Entry: Trojan-PSW.Win32.QQPass.uw
Definition

After it runs, the virus drops its files into the system directory and adds a registry autorun entry so that the virus body is launched whenever the system starts. The virus body attempts to stop the services of several security products and modifies the hosts file to block updates of security software. It automatically drops a copy of itself onto removable devices and adds an Autorun.inf file there to propagate itself. In addition, it removes registry values belonging to Rising products and redirects the image file execution mapping of regedit.exe, msconfig.exe and other programs. Its purpose is to steal QQ accounts.

Name

Virus name: Trojan-PSW.Win32.QQPass.uw

Chinese name: QQ account and password stealer

Overview

Virus type: Trojan

File MD5: B1558FBAA833D098C84553D4986660B2

Public scope: fully public

Threat level: 5

File length: 31,979 bytes packed, 186,880 bytes unpacked

Affected systems: Windows 9x and later

Development tool: Borland Delphi 6.0 - 7.0

Packer: Upack 0.3.9 beta2s -> Dwing

Aliases: BitDefender Generic.PWStealer.F82FE48A

McAfee PWS-QQRob

Behavior analysis

1. Drops the following copies and files

%System32%\severe.exe

%System32%\xwwume.dll

%System32%\xwwume.exe

%System32%\drivers\jyoapg.com

%RemovableDevice%\servet.exe

%RemovableDevice%\autorun.inf

2. Creates the following registry values

For each of the following program names, the virus creates the value Debugger under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program name> with the string data "%WINDOWS%\System32\drivers\jyoapg.com". Windows starts the program named in an Image File Execution Options Debugger value in place of the original image, so every attempt to launch one of these security tools runs the virus loader instead:

360Safe.exe

adam.exe

avp.com

avp.exe

EGHOST.exe

IceSword.exe

iparmo.exe

kabaload.exe

KRegEx.exe

KvDetect.exe

KVMonXP.kxp

KvXP.kxp

MagicSet.exe

mmsk.exe

msconfig.com

msconfig.exe

OD32.exe

PFW.exe

PFWLiveUpdate.exe

QQDoctor.exe

Ras.exe

Rav.exe

RavMon.exe

regedit.com

regedit.exe

runiep.exe

SREng.EXE

TrojDie.kxp

WoptiClean.exe

It also creates the autorun value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyoapg

Value: String: "%WINDOWS%\System32\xwwume.exe"

3. Modifies the following registry value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

New: String: "Explorer.exe %WINDOWS%\System32\severe.exe"

Old: String: "Explorer.exe"

4. Modifies the hosts file, adding the following entries

127.0.0.1 mmsk.cn

127.0.0.1 safe.qq.com

127.0.0.1 360safe.com

127.0.0.1 www.mmsk.cn

127.0.0.1 www.360safe.com

127.0.0.1 zs.kingsoft.com

127.0.0.1 forum.ikaka.com

127.0.0.1 up.rising.com.cn

127.0.0.1 scan.kingsoft.com

127.0.0.1 kvup.jiangmin.com

127.0.0.1 reg.rising.com.cn

127.0.0.1 update.rising.com.cn

127.0.0.1 update7.jiangmin.com

127.0.0.1 download.rising.com.cn

127.0.0.1 dnl-us1.kaspersky-labs.com

127.0.0.1 dnl-us2.kaspersky-labs.com

127.0.0.1 dnl-us3.kaspersky-labs.com

127.0.0.1 dnl-us4.kaspersky-labs.com

127.0.0.1 dnl-us5.kaspersky-labs.com

127.0.0.1 dnl-us6.kaspersky-labs.com

127.0.0.1 dnl-us7.kaspersky-labs.com

127.0.0.1 dnl-us8.kaspersky-labs.com

127.0.0.1 dnl-us9.kaspersky-labs.com

127.0.0.1 dnl-us10.kaspersky-labs.com

127.0.0.1 dnl-eu1.kaspersky-labs.com

127.0.0.1 dnl-eu2.kaspersky-labs.com

127.0.0.1 dnl-eu3.kaspersky-labs.com

127.0.0.1 dnl-eu4.kaspersky-labs.com

127.0.0.1 dnl-eu5.kaspersky-labs.com

127.0.0.1 dnl-eu6.kaspersky-labs.com

127.0.0.1 dnl-eu7.kaspersky-labs.com

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
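The hosts-file tampering listed in step 4 is one of the easiest artifacts to check for on a suspect machine. The script below is an added example, not code from the original entry or from Antiy: it parses a hosts file, flags every name that is mapped to a loopback or null address, distinguishes names under the security-vendor domains listed above from other custom loopback mappings (ad-blocking lists use the same mechanism legitimately), and produces a cleaned copy from which only the vendor-domain entries are removed. The sample hosts content is constructed for the example and was not captured from an infected machine.

```python
"""Find security-vendor domains sinkholed to loopback in a Windows hosts file.

Added example: SAMPLE_HOSTS is constructed to mirror the entries listed in
this write-up; it was not captured from an infected machine.
"""
import ipaddress
from typing import List, Tuple

# Addresses that make a name unreachable when placed in the hosts file.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Update/registration domains of the products this sample blocks (taken from the entry).
VENDOR_SUFFIXES = (
    "rising.com.cn", "kaspersky-labs.com", "jiangmin.com", "kingsoft.com",
    "360safe.com", "qq.com", "mmsk.cn", "ikaka.com",
)

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 safe.qq.com
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com   # appended by the trojan
127.0.0.1 ads.example                  # ad-blocking entry, not the trojan's
192.168.1.10 intranet.example          # ordinary custom mapping
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, [names]) for every mapping line, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_vendor_domain(name: str) -> bool:
    """True if name is one of the vendor domains or a host beneath one of them."""
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in VENDOR_SUFFIXES)


def find_sinkholed(text: str) -> List[Tuple[int, str, str]]:
    """Flag every non-local name mapped to a sink address, labelled by why it matters."""
    hits = []
    for lineno, address, names in parse_hosts(text):
        if address not in SINK_ADDRESSES:
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            reason = "security-vendor domain" if is_vendor_domain(name) else "non-local name"
            hits.append((lineno, name, reason))
    return hits


def clean_hosts(text: str) -> str:
    """Drop only the lines that sinkhole a vendor domain; other loopback mappings are
    left for a person to review, since ad-blocking lists use the same mechanism."""
    drop = {lineno for lineno, _, reason in find_sinkholed(text)
            if reason == "security-vendor domain"}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name, reason in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {reason}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run against a real machine by reading %SystemRoot%\System32\drivers\etc\hosts into `find_sinkholed`; the suffix list is the one this entry documents and should be widened to whatever products are deployed locally.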

--------------------------------------------------------------------------------

Removal

1. Use Antiy Ghostbusters (安天木马防线) to remove this virus completely (recommended)

2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis above.

(1) Use the "Process Manager" of Antiy Ghostbusters (安天木马防线) to terminate the virus processes:

severe.exe

xwwume.exe

jyoapg.com

(2) Delete and restore the registry values added and modified by the virus

For each of the following program names, delete the value Debugger, whose string data is "%WINDOWS%\System32\drivers\jyoapg.com", under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program name>:

360Safe.exe

adam.exe

avp.com

avp.exe

EGHOST.exe

IceSword.exe

iparmo.exe

kabaload.exe

KRegEx.exe

KvDetect.exe

KVMonXP.kxp

KvXP.kxp

MagicSet.exe

mmsk.exe

msconfig.com

msconfig.exe

OD32.exe

PFW.exe

PFWLiveUpdate.exe

QQDoctor.exe

Ras.exe

Rav.exe

RavMon.exe

regedit.com

regedit.exe

runiep.exe

SREng.EXE

TrojDie.kxp

WoptiClean.exe

Also delete the autorun value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyoapg

Value: String: "%WINDOWS%\System32\xwwume.exe"
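The registry changes from behavior-analysis steps 2 and 3, and their reversal in cleanup step (2), can be checked and undone from an exported registry file instead of by hand. The script below is an added example, not code from the original entry or from Antiy. It assumes a .reg export (as written by regedit's File > Export) of the relevant keys, where the real key name is "Windows NT" with a space; the sample export text is constructed to mirror this write-up, with %WINDOWS% expanded to C:\WINDOWS. It reports every Image File Execution Options subkey that carries a Debugger value, reports a Winlogon Shell value that is anything other than explorer.exe (the modification in step 3, which the cleanup list above does not repeat), and writes a .reg fragment that deletes the hijacking subkeys and restores Shell.

```python
"""Detect IFEO Debugger hijacks and a tampered Winlogon Shell from a .reg export,
and generate the .reg fragment that reverts them.

Added example. SAMPLE_REG is constructed to mirror the keys in this write-up
(%WINDOWS% expanded to C:\\WINDOWS); it was not exported from a real machine.
"""
import re
from typing import Dict, Iterator, List, Tuple

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# In .reg files, backslashes and quotes inside string data are escaped with a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\jyoapg.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\jyoapg.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\severe.exe"
'''

RegKeys = Dict[str, Dict[str, str]]


def parse_reg(text: str) -> RegKeys:
    """Return {key path: {value name: string data}}; non-string values are skipped."""
    keys: RegKeys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line) if current else None
        if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
            data = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])  # undo .reg escaping
            keys[current][m.group(1)] = data
    return keys


def subkeys_of(keys: RegKeys, parent: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (relative name, values) for keys under parent; registry paths are case-insensitive."""
    prefix = parent.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            yield path[len(prefix):], values


def find_ifeo_hijacks(keys: RegKeys) -> List[Tuple[str, str]]:
    """Every IFEO subkey carrying a Debugger value, as (image name, debugger command).
    Outside developer machines a Debugger value is almost never legitimate; here it
    redirects each security tool to the trojan's loader."""
    return sorted((image, values["Debugger"])
                  for image, values in subkeys_of(keys, IFEO_KEY) if "Debugger" in values)


def check_winlogon_shell(keys: RegKeys) -> Tuple[bool, str]:
    """(tampered?, current Shell data). The default is exactly explorer.exe; anything
    appended to it is started alongside the desktop at every logon."""
    for path, values in keys.items():
        if path.lower() == WINLOGON_KEY.lower() and "Shell" in values:
            shell = values["Shell"]
            return shell.strip().lower() != "explorer.exe", shell
    return False, ""


def remediation_reg(hijacks: List[Tuple[str, str]], shell_tampered: bool) -> str:
    """Build a .reg fragment: "[-key]" deletes each hijacking IFEO subkey, and Shell is reset."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hijacks:
        lines += [f"[-{IFEO_KEY}\\{image}]", ""]
    if shell_tampered:
        lines += [f"[{WINLOGON_KEY}]", '"Shell"="Explorer.exe"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    hijacks = find_ifeo_hijacks(keys)
    tampered, shell = check_winlogon_shell(keys)
    for image, debugger in hijacks:
        print(f"IFEO hijack: {image} -> {debugger}")
    if tampered:
        print(f"Winlogon Shell tampered: {shell!r}")
    print(remediation_reg(hijacks, tampered))
```

Every Debugger value is reported rather than only those pointing at jyoapg.com, because a repacked variant can change the loader's name without changing the technique; review the output before importing the generated fragment, since a developer box may carry a Debugger value on purpose. The dropped files listed in step (3) and the Run value still have to be removed separately.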

(3) Delete the files dropped by the virus

%System32%\severe.exe

%System32%\xwwume.dll

%System32%\xwwume.exe

%System32%\drivers\jyoapg.com

%RemovableDevice%\servet.exe

%RemovableDevice%\autorun.inf


Copyright © 2004-2023 Cnenc.net All Rights Reserved
Last updated: 2024/11/16 14:55:21