Win32.PSWTroj.Mapdimp.a.720896

Virus name (Chinese):
劫持者盗号器720896 (Hijacker password stealer 720896)
Virus aliases:
Threat level:
★★☆☆☆
Virus type:
Password-stealing Trojan
Virus length:
1067808
Affected systems:
Win9x WinMe WinNT Win2000 WinXP Win2003

Virus behavior:

This is a password-stealing Trojan. It drops a file to disk, modifies the registry, and uses Image File Execution Options (IFEO) hijacking against a large number of antivirus and firewall products so that they cannot start normally, removing obstacles to its credential theft.

Drops the following file to disk:
C:\WINDOWS\TEMP\hua0999.tmp

Creates the following registry keys:
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe"

Sets the following registry values (key, value name, data):
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe" "Debugger" "ntsd -d"
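
As an added defender-side example (not part of the Kingsoft writeup), the following Python parses a .reg text export of the IFEO key, as produced by `reg export`, and reports every image name whose Debugger value has been redirected, with a second helper that isolates the exact "ntsd -d" redirection this sample writes. The export embedded in the code is constructed for illustration, not captured from the malware.

```python
import re
from typing import Dict, List

# IFEO key prefix as it appears in a .reg export (HKLM spelled out in full).
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Constructed sample .reg export (not a real capture): two hijacks of the kind this
# sample sets, plus one IFEO subkey that carries no Debugger value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def _unescape(data: str) -> str:
    # .reg exports escape double quotes and backslashes inside string data.
    return data.replace('\\"', '"').replace("\\\\", "\\")

def find_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger command for every IFEO subkey that has one."""
    hits: Dict[str, str] = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if current_key is None or not current_key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        value = _STR_VALUE_RE.match(line)
        if value and value.group(1).lower() == "debugger":
            hits[current_key[len(IFEO_PREFIX):]] = _unescape(value.group(2))
    return hits

def ntsd_hijacks(reg_text: str) -> List[str]:
    """Image names redirected to 'ntsd -d', the exact value this sample writes."""
    return sorted(img for img, dbg in find_ifeo_debuggers(reg_text).items()
                  if dbg.strip().lower() == "ntsd -d")
```

Any Debugger value under IFEO that is not a debugger an administrator knowingly configured is worth investigating; removing the Debugger value restores the affected product's ability to start.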

Installs message monitoring (a Windows message hook) on the system.

The virus connects to a designated network host and sends the stolen data.

Special note: The description above is only a record of what was observed while Kingsoft Software tested this virus or other malicious or unwanted program. The specific behavior of a virus or other malicious or unwanted program may differ across software and hardware environments, and these results are not necessarily generally applicable.