Entry | Win32.PSWTroj.QQPass |
Definition | Win32.PSWTroj.QQPass, named "QQ disguised account thief" (QQ伪装盗号者), is a QQ account-stealing trojan. It injects itself into system processes on the victim's computer and steals the account names and passwords the trojan's author has chosen to target, along with other details of those QQ numbers.

Virus label: Win32.PSWTroj.QQPass
Aliases: (none listed)
Date processed: 2007-03-30
Threat level: ★
Chinese name: (none listed)
Type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Description: The virus is a QQ account-stealing trojan.

Behaviour analysis

1. Files created
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\mmlucj.exe
%SystemRoot%\system32\drivers\avipit.exe
%SystemRoot%\system32\drivers\conime.exe
%SystemRoot%\system32\mmlucj.dll
The name conime.exe imitates the legitimate Windows console IME loader, which lives in %SystemRoot%\system32, not in system32\drivers.

2. Startup entries added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mmlucj" = "%SystemRoot%\system32\severe.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avipit" = "%SystemRoot%\system32\mmlucj.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%SystemRoot%\system32\drivers\conime.exe"
Note that the value names do not match the files they launch ("mmlucj" starts severe.exe, "avipit" starts mmlucj.exe). The Winlogon Shell value replaces Explorer.exe as the logon shell, so the trojan is started at logon even if the two Run entries are removed.

3. Terminates the following processes
PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe, RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe, Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp, kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe

4. Modifies the registry so that hidden files are never shown
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue" = "0"
With CheckedValue set to 0, choosing "Show hidden files and folders" in Folder Options no longer takes effect, which keeps the dropped files out of sight.

5. On drives D:, E:, F:, G:, H: and I: it creates autorun.inf and OSO.exe so that it is relaunched through AutoRun:
--------------------------------
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
---------------------------------

6. Uses mutexes to keep the following programs from running. The first two are the trojan's own single-instance mutexes (its internal name is QQRobber 2.0), stored obfuscated in the binary (left: obfuscated form, right: decoded name):
A}cNqqc{[TWQkgdfv7(3 = ExeMutex_QQRobber2.0
@ijNqqc{[TWQkgdfv7(3 = DllMutex_QQRobber2.0
The remaining names are the single-instance mutexes of security products. By creating a mutex with the same name first, the trojan makes each product conclude at startup that another copy is already running, so it exits:
AntiTrojan3721
ASSISTSHELLMUTEX
SKYNET_PERSONAL_FIREWALL
KingsoftAntivirusScanProgram7Mutex

7. Connects to the following sites and attempts to download the files @#$#.htm, 30w.txt, dqhx1.txt, down.txt and dqhx3.txt (left: obfuscated form in the binary, right: decoded URL, first host label masked as in the original report):
lqrs>*)tsr(``642*fin = http://***.cd321.com
lqrs>*)tsr(``642*kcw = http://***.cd321.net
lqrs>*)tsr(532?43+eli = http://***.677977.com
lqrs>*)tsr(`ps757+eli = http://***.ctv163.com
lqrs>*)tsr(``642*kcw+66t*q~w = http://***.cd321.net/30w.txt
lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w = http://***.ctv163.com/admin/down.txt
(The original report lists cd321.com for the last entry, but its obfuscated host part `ps757+eli is the same as in the ctv163.com entry above, so the host is ctv163.com.)

8. Creates and runs a batch file hx1.bat that sets the system date to 2004-01-22, presumably to break date-based checks in security software.

9. Calls sc.exe to stop the related antivirus services and prevent them from starting:
-----------------------------------------
stop KVWSC
config KVWSC start= disabled
stop KVSrvXP
config KVSrvXP start= disabled
stop kavsvc
config kavsvc start= disabled
stop RsCCenter
config RsCCenter start= disabled
stop RsRavMon
------------------------------------------

10. Image File Execution Options hijacking, which prevents the following software from being used. For each executable below the trojan creates HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name> with "Debugger" = "%SystemRoot%\system32\drivers\avipit.exe". Windows honours a Debugger value by launching that path instead of the requested program (with the original command line as its arguments), so the tool never starts:
MagicSet.exe, Rav.exe, avp.com, avp.exe, KRegEx.exe, KvDetect.exe, KvXP.kxp, TrojDie.kxp, KVMonXP.kxp, IceSword.exe, mmsk.exe, WoptiClean.exe, kabaload.exe, 360Safe.exe, runiep.exe, iparmo.exe, adam.exe, RavMon.exe, QQDoctor.exe, SREng.EXE, Ras.exe, msconfig.exe, regedit.exe, regedit.com, msconfig.com, PFW.exe, PFWLiveUpdate.exe, EGHOST.exe, OD32.exe

11. Modifies the hosts file to block the following sites. The localhost line is the normal entry; every other name is a vendor update, scan or support host, so the machine can no longer download signatures or removal tools:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com

Removal

1. Use Antiy Trojan Defence Line (安天木马防线) to remove this virus completely (recommended).
2. For manual removal, delete the files and restore the settings listed in the behaviour analysis:
(1) end the virus processes with the "Process Management" function of Antiy Trojan Defence Line;
(2) delete the virus files;
(3) restore the registry entries the virus modified and delete the ones it added.
When cleaning by hand, the order matters: the IFEO entries in item 10 block regedit.exe, msconfig.exe and most of the listed tools, so delete those subkeys first (the hijack keys on the file name, so a renamed copy of regedit.exe or a rescue environment is unaffected). Set the Winlogon Shell value back to Explorer.exe before deleting drivers\conime.exe, otherwise the next logon has no shell. Then restore the hosts file, set CheckedValue in item 4 back to 1, return the services in item 9 to their original start type and start them again, and delete autorun.inf and OSO.exe from every drive D: through I: without opening the drives through AutoRun.
|
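The obfuscated mutex names and URLs in items 6 and 7 above all decode with the same 4-byte repeating XOR key, which can be read off by XORing any of the strings against its known plaintext. The following Python script is an added example written for this entry, not code from the Antiy report or its tools; it recovers the key from the fixed "http://" prefix and decodes every string the report prints. Note that the report masks the first label of each host as ***, while the obfuscated bytes it prints are not masked, so the decoder returns the full host names; it also confirms that the last URL is on ctv163.com.

```python
"""Deobfuscate the strings Win32.PSWTroj.QQPass keeps in its binary.

Added example for this entry, not code from the Antiy report. The report
prints each obfuscated mutex name and URL beside its plaintext; comparing
the pairs shows a 4-byte repeating XOR key, which this script recovers
from a known-plaintext prefix ("http://") and then applies to the rest.
"""
from typing import Dict, List

# Obfuscated strings copied from items 6 and 7 of the behaviour analysis.
OBFUSCATED: List[str] = [
    "A}cNqqc{[TWQkgdfv7(3",
    "@ijNqqc{[TWQkgdfv7(3",
    "lqrs>*)tsr(``642*fin",
    "lqrs>*)tsr(``642*kcw",
    "lqrs>*)tsr(532?43+eli",
    "lqrs>*)tsr(`ps757+eli",
    "lqrs>*)tsr(``642*kcw+66t*q~w",
    "lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w",
]


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover the shortest repeating key that explains a known-plaintext prefix.

    ciphertext XOR plaintext gives the key stream position by position; the
    key is the shortest prefix of that stream which, repeated, reproduces it.
    Seven known bytes are enough to expose a 4-byte key but would not expose
    a longer one, so decode_all() validates the result on every string.
    """
    stream = xor_stream(ciphertext[: len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # not reached: period == len(stream) always matches


def decode(obfuscated: str, key: bytes) -> str:
    """Decode one string; latin-1 keeps every byte value intact."""
    return xor_stream(obfuscated.encode("latin-1"), key).decode("latin-1")


def decode_all(strings: List[str] = OBFUSCATED) -> Dict[str, str]:
    """Recover the key from the first URL-shaped string and decode everything.

    Every decoded string must be printable and every URL string must start
    with http://; a failure there means the key guess (e.g. its period) is wrong.
    """
    url_ct = next(s for s in strings if s.startswith("lqrs"))
    key = recover_key(url_ct.encode("latin-1"), b"http://")
    out = {s: decode(s, key) for s in strings}
    for ct, pt in out.items():
        if not pt.isprintable():
            raise ValueError(f"non-printable decode for {ct!r}: bad key")
        if ct.startswith("lqrs") and not pt.startswith("http://"):
            raise ValueError(f"URL string did not decode to a URL: {pt!r}")
    return out


if __name__ == "__main__":
    for ct, pt in decode_all().items():
        print(f"{ct:40} -> {pt}")
```

The same routine works on strings pulled from the unpacked binary with a strings tool: anything that starts with the bytes `lqrs>*)` is a URL, and `xor_stream` with the recovered key turns a plaintext indicator (a new domain, a mutex name) back into the form to search for in the file.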
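For the persistence and self-defence artefacts in items 2, 10 and 11, the following Python script is an added example (not from the report or from Antiy's tool) that triages a hosts file and a `reg export` of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for exactly those indicators: names pinned to loopback, IFEO subkeys carrying a Debugger value, and a Winlogon Shell that is not Explorer.exe. The sample hosts content and registry export embedded in it are constructed for this example from the values the report lists; the drive letter and WINDOWS directory in them are assumptions.

```python
"""Triage the hosts-file and registry artefacts this trojan leaves behind.

Added example for this entry, not code from the Antiy report or its tool.
Both inputs are plain text so the script runs offline: the content of
%SystemRoot%\\system32\\drivers\\etc\\hosts, and the output of
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" nt.reg
(reg.exe writes UTF-16; open the file with encoding="utf-16").
"""
import re
from typing import Dict, List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
IFEO_MARK = "\\image file execution options\\"  # lower-cased key fragment

# Constructed sample hosts file mirroring a few of the entries in item 11,
# plus one legitimate non-loopback line that must not be reported.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
192.168.1.10 intranet.example   # unrelated, legitimate
"""

# Constructed sample of `reg export` output mirroring items 2 and 10 (the
# C:\WINDOWS path is an assumption). A .reg file doubles backslashes inside
# quoted string values; a non-hijack subkey is included as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\system32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\avipit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\avipit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"GlobalFlag"=dword:00000002
"""


def hosts_sinkholes(hosts_text: str) -> List[str]:
    """Names the hosts file pins to a loopback address, minus the standard
    localhost lines. A vendor update host pinned this way is unreachable,
    which is how the trojan blocks signature and tool downloads."""
    hits: List[str] = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tolerate tabs
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            hits.extend(n for n in fields[1:] if n.lower() not in LOCAL_NAMES)
    return hits


def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for `reg export` output: [key] headers followed by
    "name"=value lines. Quoted strings are unescaped; other value types
    (dword:, hex:) are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def ifeo_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(target executable, Debugger path) for every IFEO subkey that sets
    Debugger. Windows launches that path in place of the target, so a
    Debugger pointing anywhere but a real debugger install is a hijack;
    the sample points all of them at avipit.exe."""
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if IFEO_MARK not in key.lower():
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                hits.append((key.rsplit("\\", 1)[-1], value))
    return sorted(hits)


def winlogon_shell(keys: Dict[str, Dict[str, str]]) -> Optional[str]:
    """The Winlogon Shell value, if the export contains one."""
    for key, values in keys.items():
        if key.lower().endswith("\\currentversion\\winlogon"):
            for name, value in values.items():
                if name.lower() == "shell":
                    return value
    return None


def shell_replaced(keys: Dict[str, Dict[str, str]]) -> bool:
    """True when the logon shell is anything other than Explorer.exe (item 2)."""
    shell = winlogon_shell(keys)
    return shell is not None and shell.strip().lower() != "explorer.exe"


if __name__ == "__main__":
    print("hosts sinkholes:", hosts_sinkholes(SAMPLE_HOSTS))
    parsed = parse_reg_export(SAMPLE_REG)
    print("IFEO hijacks:", ifeo_hijacks(parsed))
    print("Winlogon Shell replaced:", shell_replaced(parsed), winlogon_shell(parsed))
```

The parser deliberately keys on the Debugger value rather than on the executable names in item 10, so it also catches hijacks of tools the report does not list; the list of targets above is what this sample used, not the set of names worth checking.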