Entry: Win32.Troj.QQPass.aa

Definition:

Win32.Troj.QQPass.aa
Virus alias:
Processed on: 2007-04-06
Threat level: ★
Chinese name:
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Description
This is a worm that steals users' QQ account credentials. It spreads through removable disks and actively counters security software.

Behavior analysis
1. Drops the following files and sets them to hidden and system attributes:
   %WINDIR%\system32\bryato.dll
   %WINDIR%\system32\bryato.exe
   %WINDIR%\system32\severe.exe
   %WINDIR%\system32\drivers\conime.exe
   %WINDIR%\system32\drivers\fubcwj.exe

2. Creates an Autorun.inf and a copy of the virus body, OSO.exe, in the root directory of every partition, and modifies the registry value below so that the virus body runs when the user double-clicks the partition:
   Modified value: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = 0xB5
   Contents of Autorun.inf:
   [AutoRun]
   open=OSO.exe
   shellexecute=OSO.exe
   shell\Auto\command=OSO.exe

3. Adds or modifies the following registry value to hide the virus files:
   HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue = "0"

4. Adds the following registry values to start automatically:
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj = "%WINDIR%\System32\bryato.exe"
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato = "%WINDIR%\System32\severe.exe"

5. Modifies the following registry value so that it starts together with the Explorer process:
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %WINDIR%\System32\drivers\conime.exe"

6. Adds Image File Execution Options entries that redirect related security software to the virus file so that it cannot run. Under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, the Debugger value of each of the following subkeys is set to "%WINDIR%\System32\drivers\fubcwj.exe":
   MagicSet.exe, Rav.exe, avp.com, avp.exe, KRegEx.exe, KvDetect.exe, KvXP.kxp, TrojDie.kxp, KVMonXP.kxp, IceSword.exe, mmsk.exe, WoptiClean.exe, kabaload.exe, 360Safe.exe, runiep.exe, iparmo.exe, adam.exe, RavMon.exe, QQDoctor.exe, SREng.EXE, Ras.exe, msconfig.exe, regedit.exe, regedit.com, msconfig.com, PFW.exe, PFWLiveUpdate.exe

7. Modifies the hosts file to block the user from reaching security websites:
   127.0.0.1 mmsk.cn
   127.0.0.1 ikaka.com
   127.0.0.1 safe.qq.com
   127.0.0.1 360safe.com
   127.0.0.1 www.mmsk.cn
   127.0.0.1 www.ikaka.com
   127.0.0.1 tool.ikaka.com
   127.0.0.1 www.360safe.com
   127.0.0.1 zs.kingsoft.com
   127.0.0.1 forum.ikaka.com
   127.0.0.1 up.rising.com.cn
   127.0.0.1 scan.kingsoft.com
   127.0.0.1 kvup.jiangmin.com
   127.0.0.1 reg.rising.com.cn
   127.0.0.1 update.rising.com.cn
   127.0.0.1 update7.jiangmin.com
   127.0.0.1 download.rising.com.cn
   127.0.0.1 dnl-us1.kaspersky-labs.com
   127.0.0.1 dnl-us2.kaspersky-labs.com
   127.0.0.1 dnl-us3.kaspersky-labs.com
   127.0.0.1 dnl-us4.kaspersky-labs.com
   127.0.0.1 dnl-us5.kaspersky-labs.com
   127.0.0.1 dnl-us6.kaspersky-labs.com
   127.0.0.1 dnl-us7.kaspersky-labs.com
   127.0.0.1 dnl-us8.kaspersky-labs.com
   127.0.0.1 dnl-us9.kaspersky-labs.com
   127.0.0.1 dnl-us10.kaspersky-labs.com
   127.0.0.1 dnl-eu1.kaspersky-labs.com
   127.0.0.1 dnl-eu2.kaspersky-labs.com
   127.0.0.1 dnl-eu3.kaspersky-labs.com
   127.0.0.1 dnl-eu4.kaspersky-labs.com
   127.0.0.1 dnl-eu5.kaspersky-labs.com
   127.0.0.1 dnl-eu6.kaspersky-labs.com
   127.0.0.1 dnl-eu7.kaspersky-labs.com
   127.0.0.1 dnl-eu8.kaspersky-labs.com
   127.0.0.1 dnl-eu9.kaspersky-labs.com
   127.0.0.1 dnl-eu10.kaspersky-labs.com

8. Searches for windows whose titles contain any of the following strings and closes them when found:
   杀毒 (antivirus), 专杀 (removal tool), 病毒 (virus), 木马 (Trojan), 注册表 (registry)

9. Stops and disables the following security services:
   srservice, sharedaccess, KVWSC, KVSrvXP, kavsvc, RsRavMon, RsCCenter

10. Terminates the following security-software processes:
    PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe, RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe, Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp, kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe

11. Deletes the following QQ files:
    QLiveUpdate.exe, BDLiveUpdate.exe, QUpdateCenter.exe

12. Installs keyboard and mouse message hooks, looks for the QQ login window, logs keystrokes, and once it has captured the user's password sends it to a designated mailbox through its own built-in mail engine.

Removal
1. Use Antiy Trojan Defense Line (安天木马防线) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings by following the behavior analysis above.
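The following Python script is an added triage example for the tamper points in items 5 to 7 above; it is not part of this entry or of any Antiy tool. It parses text that an analyst has already exported from a machine (a `reg export` file and a copy of hosts), so it runs offline on the constructed samples embedded below. The vendor-domain subset, the sample key names and the sample paths are the author's assumptions for illustration.

```python
# Offline triage for the tamper points this family uses (items 5 to 7 above):
# parse a `reg export` text and a copy of hosts; nothing touches the live registry.
IFEO_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_DEBUGGER = r"drivers\fubcwj.exe"                                       # item 6
VENDOR_DOMAINS = {"360safe.com", "update.rising.com.cn", "kvup.jiangmin.com"}  # subset of item 7

def parse_reg_export(text):
    """Turn a .reg export into {key: {name: value}}, collapsing the doubled backslashes."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_ifeo_hijacks(keys):
    """Image names whose IFEO Debugger is redirected to the dropped fubcwj.exe."""
    hits = []
    for key, values in keys.items():
        if key.lower().startswith(IFEO_PREFIX.lower()) and \
                values.get("Debugger", "").lower().endswith(DROPPED_DEBUGGER.lower()):
            hits.append(key[len(IFEO_PREFIX):])
    return sorted(hits)

def winlogon_shell_tampered(keys):
    """Anything appended after Explorer.exe in Winlogon\\Shell is an extra startup hook."""
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "Explorer.exe")
    return shell.strip().lower() != "explorer.exe"

def find_hosts_sinkholes(hosts_text, known=VENDOR_DOMAINS):
    """Known vendor domains that a hosts file maps to 127.0.0.1 (comments ignored)."""
    sink = set()
    for fields in (ln.split("#", 1)[0].split() for ln in hosts_text.splitlines()):
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            sink.update(h.lower() for h in fields[1:])
    return sorted(sink & {d.lower() for d in known})

# Constructed sample inputs, not real captures; the notepad.exe entry is a benign debugger.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\fubcwj.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\drivers\\conime.exe"
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 360safe.com\n127.0.0.1 update.rising.com.cn # added\n"
```

On the samples, find_ifeo_hijacks reports only avp.exe (the windbg entry is left alone), winlogon_shell_tampered returns True, and find_hosts_sinkholes returns the two vendor domains while ignoring localhost.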