Entry: Trojan.Win32.Qhost.it

Definition

Virus name: Trojan.Win32.Qhost.it
Chinese name: MHost
Virus type: Trojan
File MD5: 21FE5BDA68A6D95AF49ACBCD2877D2D6
Disclosure scope: fully public
Threat level: 3
File length: 212,992 bytes
Affected systems: Windows 9x and later
Development tool: Microsoft Visual C++ 6.0

Virus description:

Once run, the virus drops its files into the system program directory and adds registry auto-run entries so that the virus body is loaded at every boot. It downloads a compressed archive from a server, extracts it and runs the contents automatically. It also modifies the hosts file to prevent the user from looking up information about the virus.

Behaviour analysis:

1. Drops the following copies and files:

%System32%\ltcyvsj.dll
%System32%\abcdefgh.dll
%WinDir%\msdrvctrl.exe
%WinDir%\msdrv.exe
%WinDir%\iedrives.dll
%System32%\msdrivers\driverpp.sys
%System32%\msdrivers\iedrives.dll
%System32%\msdrivers\msdrv.exe
%System32%\msdrivers\msdrvctrl.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\di.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\driverpp.sys
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\iedrives.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install2.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\maindll.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\msdrv.exe

2. Creates the following registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\msdrvctrl
  Value: String: "C:\WINDOWS\msdrvctrl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svcs: Dnscache
  Value: String: "C:\DOCUME~1\<current user name>\LOCALS~1\Temp\17292\explorer.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
  Value: String: "Windows 套接字 2.0 Non-IFS 服务提供程序支持环境"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes: \SystemRoot\System32\drivers\ws2ifsl.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverpp\DisplayName
  Value: String: "Plug and Play Support Driver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverpp\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 46 (0x2e) bytes: \C:\WINDOWS\system32\msdrives\driverpp.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32\@
  Value: String: "C:\WINDOWS\System32\oqjje.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32\ThreadingModel
  Value: String: "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
  Value: String: "DCOM Server 60787"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DCOM Server 60787
  Value: String: "{2C1CD3D7-86AC-4068-93BC-A02304B60787}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\rsvpsp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\rsvpsp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.

3. Modifies the following registered LSP (Winsock layered service provider) entries, replacing the provider DLL path with the dropped abcdefgh.dll:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\rsvpsp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\rsvpsp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes: abcdefgh.dll.system32\mswsock.dll.
  Old: Type: REG_BINARY Length: 888 (0x378) bytes: %SystemRoot%\system32\mswsock.dll
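As an added example covering sections 2 and 3 (not code from the original write-up), the following Python decodes PackedCatalogItem blobs of the 888-byte size shown above and flags catalog entries whose provider DLL is neither mswsock.dll nor rsvpsp.dll. It assumes the layout of a 260-byte ANSI path followed by a WSAPROTOCOL_INFOW structure (dwCatalogEntryId at offset 36, szProtocol at offset 116 inside it); the blobs are constructed in the script, not read from a live registry.

```python
import struct

# Assumed PackedCatalogItem layout: char path[MAX_PATH], then WSAPROTOCOL_INFOW.
MAX_PATH = 260
INFO_SIZE = 628          # sizeof(WSAPROTOCOL_INFOW); 260 + 628 = 888 as on the page
CATALOG_ID_OFF = 36      # dwCatalogEntryId inside WSAPROTOCOL_INFOW
SZPROTOCOL_OFF = 116     # szProtocol WCHAR[256] inside WSAPROTOCOL_INFOW
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}   # stock providers named in the write-up

def build_item(path, protocol, catalog_id):
    """Construct a test blob; only the fields parse_item reads are filled in."""
    info = bytearray(INFO_SIZE)
    struct.pack_into("<I", info, CATALOG_ID_OFF, catalog_id)
    proto = protocol.encode("utf-16-le")
    info[SZPROTOCOL_OFF:SZPROTOCOL_OFF + len(proto)] = proto
    return path.encode("ascii").ljust(MAX_PATH, b"\0") + bytes(info)

def parse_item(blob):
    """Return (dll_path, protocol_name, catalog_id) from a PackedCatalogItem blob."""
    if len(blob) != MAX_PATH + INFO_SIZE:
        raise ValueError(f"unexpected PackedCatalogItem length {len(blob)}")
    path = blob[:MAX_PATH].split(b"\0", 1)[0].decode("ascii", "replace")
    info = blob[MAX_PATH:]
    catalog_id = struct.unpack_from("<I", info, CATALOG_ID_OFF)[0]
    name = info[SZPROTOCOL_OFF:SZPROTOCOL_OFF + 512].decode("utf-16-le", "replace")
    return path, name.split("\0", 1)[0], catalog_id

def suspicious_entries(blobs):
    """Entries whose provider DLL basename is not a stock Winsock provider."""
    hits = []
    for blob in blobs:
        path, proto, cid = parse_item(blob)
        base = path.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_PROVIDERS:
            hits.append((cid, base, proto))
    return hits

# Constructed sample: a stock entry and one rewritten to the write-up's abcdefgh.dll.
SAMPLE_CATALOG = [
    build_item("%SystemRoot%\\system32\\mswsock.dll", "MSAFD Tcpip [TCP/IP]", 1001),
    build_item("abcdefgh.dll", "MSAFD Tcpip [TCP/IP]", 1002),
]

if __name__ == "__main__":
    for cid, dll, proto in suspicious_entries(SAMPLE_CATALOG):
        print(f"catalog entry {cid}: '{proto}' is served by {dll}")
```

On a live system the same parser can be fed the PackedCatalogItem values read from the Catalog_Entries keys listed above; an unexpected DLL basename is the indicator, since the protocol name stays unchanged.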

4. Modifies the hosts file in an attempt to block the user from connecting to antivirus vendors' websites:

127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
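As an added example (not code from the original write-up), this Python scans hosts-file content for the vendor hostnames listed above being mapped to a sinkhole address, the change this family is named for; the watch list is the page's own domain list and the sample hosts content is constructed.

```python
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Vendor hostnames from the write-up's hosts-file list (the watch list).
AV_HOSTS = {
    "www.trendmicro.com", "rads.mcafee.com", "customer.symantec.com",
    "liveupdate.symantec.com", "us.mcafee.com", "updates.symantec.com",
    "www.nai.com", "secure.nai.com", "dispatch.mcafee.com",
    "download.mcafee.com", "www.my-etrust.com", "mast.mcafee.com",
    "ca.com", "www.ca.com", "networkassociates.com",
    "www.networkassociates.com", "avp.com", "www.kaspersky.com",
    "www.avp.com", "downloads4.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com", "downloads2.kaspersky-labs.com",
    "downloads1.kaspersky-labs.com", "www.f-secure.com", "viruslist.com",
    "www.viruslist.com", "liveupdate.symantecliveupdate.com",
    "www.mcafee.com", "sophos.com", "www.sophos.com",
    "securityresponse.symantec.com", "www.symantec.com",
}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping; comments are ignored."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]      # one address, one or more hostnames
        for name in names:
            yield no, addr, name.lower()

def find_sinkholed_av_hosts(text):
    """Mappings that send a watched vendor hostname to a sinkhole address."""
    return [(no, addr, name) for no, addr, name in parse_hosts(text)
            if addr in SINKHOLE_ADDRS and name in AV_HOSTS]

# Constructed sample: one legitimate entry, one commented-out line, two hijacked lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 127.0.0.1     www.trendmicro.com   (commented out, must be ignored)
127.0.0.1 liveupdate.symantec.com updates.symantec.com
127.0.0.1 www.kaspersky.com # appended by the dropper
"""

if __name__ == "__main__":
    for no, addr, name in find_sinkholed_av_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {addr}")
```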

5. Downloads a compressed archive from the following server:

6*.1*1.1*5.1*9/data15.tgz HTTP:80

Note: %System% is a variable path. The virus queries the operating system to determine the location of the current System folder. On Windows 2000/NT the default installation path is C:\Winnt\System32; on Windows 95/98/ME it is C:\Windows\System; on Windows XP it is C:\Windows\System32.

--------------------------------------------------------------------------------

Removal:

1. Use Antiy's 木马防线 (Trojan Defense Line) tool to remove this virus completely (recommended).

2. To remove it manually, delete the corresponding files and restore the related system settings as described in the behaviour analysis.

(1) Delete the registry entries added by the virus:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\msdrvctrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svcs: Dnscache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DCOM Server 60787
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
...
...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

Referring to "Modifying registry entries", restore the following registry entries to their original values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
...
...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

(2) Restart the computer.

(3) Delete the files dropped by the virus:

%System32%\ltcyvsj.dll
%System32%\abcdefgh.dll
%WinDir%\msdrvctrl.exe
%WinDir%\msdrv.exe
%System32%\msdrivers\driverpp.sys
%System32%\msdrivers\iedrives.dll
%System32%\msdrivers\msdrv.exe
%System32%\msdrivers\msdrvctrl.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\di.exe
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\driverpp.sys
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\iedrives.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\install2.bat
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\maindll.dll
C:\DOCUME~1\<current user name>\LOCALS~1\Temp\msdrv.exe
