This is a worm that steals users' QQ account credentials. It spreads through removable disks and actively fights back against security software.
1. Drops the following files and sets the hidden and system attributes on them:
%WINDIR%\system32\bryato.dll
%WINDIR%\system32\bryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe
2. Creates Autorun.inf and a copy of the virus, OSO.exe, in the root directory of every partition, and changes the AutoRun policy so that the virus body runs when the user double-clicks to open that partition. The value 0xB5 below clears AutoRun for unknown, removable, network and CD-ROM drive types but leaves bit 0x08 (fixed drives) clear, so AutoRun remains enabled on the local hard-disk partitions the worm writes to; 0xFF would disable it for every drive type.
Modified registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 0xB5
Autorun.inf contents (open and shellexecute launch OSO.exe through AutoPlay; shell\Auto\command adds an "Auto" verb to the drive's Explorer context menu that runs it too):
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
3. Adds or modifies the following registry value to keep the virus files hidden: with CheckedValue set to 0, selecting "Show hidden files and folders" in Folder Options no longer takes effect, so the hidden-attribute files dropped in step 1 stay invisible:
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0"
4. Adds the following registry values so that the virus starts automatically at logon (note that each value name borrows the name of a different dropped file than the one it launches):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato "%WINDIR%\System32\severe.exe"
5. Modifies the following registry value so that the virus starts together with the Explorer process. The Winlogon Shell value normally contains only Explorer.exe; any program appended to it is launched at logon as well:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe %WINDIR%\System32\drivers\conime.exe"
6. Adds the following Image File Execution Options entries to redirect the named security tools to the virus file and so prevent them from running. When a program listed under this key has a Debugger value, Windows starts that "debugger" instead and passes the original program's path to it as an argument, so every attempt to launch one of these tools runs fubcwj.exe:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
7. Modifies the hosts file so that the user cannot reach security vendors' sites, including the update servers of Rising, Jiangmin, Kingsoft and Kaspersky, by resolving all of the following names to the loopback address:
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
8. Searches for windows whose title contains any of the following strings and closes any it finds:
杀毒 (antivirus), 专杀 (removal tool), 病毒 (virus), 木马 (trojan), 注册表 (registry)
9. Stops and disables the following security-related services (srservice is System Restore, sharedaccess is Windows Firewall / Internet Connection Sharing; the rest belong to Jiangmin KV, Kaspersky and Rising products):
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
10. Terminates the following security-software processes:
PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe,
RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe,
Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp,
kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe
11. Deletes the following QQ files:
QLiveUpdate.exe, BDLiveUpdate.exe, QUpdateCenter.exe
12. Installs keyboard and mouse message hooks, looks for the QQ login window and logs keystrokes; once it has captured the user's password it sends it to a preset mailbox through its own built-in mail engine.
Special note: the description above records only what was observed while Kingsoft tested this virus or other malicious or undesirable program. The actual behaviour of such programs may differ under other software and hardware environments, and these results are not necessarily generally applicable.
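The registry, hosts-file and Autorun.inf changes in steps 2 to 7 can be checked offline from copies taken off the suspect machine, which avoids running anything on a box where regedit.exe itself is hijacked. The script below is an added example written for this page, not Kingsoft's code or a Duba tool. It assumes you have `reg export` dumps of HKLM and HKCU, a copy of %WINDIR%\System32\drivers\etc\hosts and a drive-root Autorun.inf; the KNOWN_DEBUGGERS allowlist is an assumption, and the sample inputs are constructed for the example, not captured from a real infection.

```python
# Added example (not Kingsoft's code, not from the original write-up): offline triage
# for the registry, hosts and Autorun.inf indicators described above.  Assumes `reg export`
# dumps of HKLM/HKCU, a copy of the hosts file and a drive-root Autorun.inf were copied
# off the suspect machine.  All sample inputs below are constructed, not captured.

IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
RUN = "\\microsoft\\windows\\currentversion\\run"
WINLOGON = "\\microsoft\\windows nt\\currentversion\\winlogon"
SHOWALL = "\\explorer\\advanced\\folder\\hidden\\showall"
AUTORUN_POLICY = "\\policies\\explorer"
# Assumed allowlist: debuggers that legitimately register under IFEO on a developer box.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "ntsd.exe", "windbg.exe", "cdb.exe"}
# Files the write-up says the worm drops, relative to %WINDIR%.
DROPPED = {"system32\\bryato.dll", "system32\\bryato.exe", "system32\\severe.exe",
           "system32\\drivers\\conime.exe", "system32\\drivers\\fubcwj.exe"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\fubcwj.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"bryato"="C:\\WINDOWS\\System32\\severe.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\drivers\\conime.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 360safe.com\n127.0.0.1 update.rising.com.cn # added by worm\n"
SAMPLE_AUTORUN = "[AutoRun]\nopen=OSO.exe\nshellexecute=OSO.exe\nshell\\Auto\\command=OSO.exe\n"

def _decode(value):
    # `reg export` writes dword:XXXXXXXX or a quoted string with \\ and \" escaped
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return value

def parse_reg_export(text):
    """Parse a `reg export` dump into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = _decode(value)
    return keys

def is_dropped(path):
    p = path.lower().replace("/", "\\")
    return any(p.endswith("\\" + d) for d in DROPPED)

def registry_indicators(keys):
    """(indicator, item, detail) tuples for the persistence and evasion in steps 2 to 6."""
    hits = []
    for path, values in keys.items():
        lp = path.lower()
        if IFEO in lp and "Debugger" in values:
            # Windows runs the Debugger value instead of the program named by the key
            dbg = values["Debugger"]
            if dbg.split("\\")[-1].lower() not in KNOWN_DEBUGGERS:
                hits.append(("ifeo-hijack", path.rsplit("\\", 1)[1], dbg))
        elif lp.endswith(RUN):
            for name, cmd in values.items():
                if is_dropped(cmd) or "\\drivers\\" in cmd.lower():  # no .exe belongs in drivers\
                    hits.append(("run-key", name, cmd))
        elif lp.endswith(WINLOGON) and values.get("Shell", "explorer.exe").strip().lower() != "explorer.exe":
            hits.append(("winlogon-shell", "Shell", values["Shell"]))
        elif lp.endswith(SHOWALL) and values.get("CheckedValue") == 0:
            hits.append(("hidden-files-forced", "CheckedValue", 0))
        elif lp.endswith(AUTORUN_POLICY) and values.get("NoDriveTypeAutoRun", 0xFF) != 0xFF:
            hits.append(("autorun-not-fully-disabled", "NoDriveTypeAutoRun", hex(values["NoDriveTypeAutoRun"])))
    return hits

def hosts_indicators(text):
    """Names the hosts file sinkholes to loopback or 0.0.0.0, localhost excluded."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] in ("127.0.0.1", "::1", "0.0.0.0"):
            hits += [n for n in fields[1:] if n.lower() != "localhost"]
    return hits

def autorun_commands(text):
    """Programs an Autorun.inf launches via open=, shellexecute= or shell\\<verb>\\command=."""
    cmds = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))):
            cmds[key] = val.strip()
    return cmds

if __name__ == "__main__":
    for hit in registry_indicators(parse_reg_export(SAMPLE_REG)):
        print("REG    ", *hit)
    print("HOSTS  ", hosts_indicators(SAMPLE_HOSTS))
    print("AUTORUN", autorun_commands(SAMPLE_AUTORUN))
```

Point `parse_reg_export` at a real dump instead of SAMPLE_REG to triage a machine. Every hit is something to remove by hand: delete the IFEO subkey, restore Shell to `Explorer.exe`, set CheckedValue back to 1, set NoDriveTypeAutoRun to 0xFF, and strip the sinkholed lines from hosts. Note that regedit.exe, regedit.com, msconfig.exe and msconfig.com are all on the worm's IFEO list, so make the changes with reg.exe from a command prompt, or from an offline boot, rather than through those tools on the infected system.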