爱毒霸社区 (iDuba Community)
This is a remote-access trojan. It drops files onto disk, modifies the registry to create a system service, and then uses Image File Execution Options (IFEO) hijacking against a large number of antivirus products, security helper tools and other tools that could threaten it. Once the hijack is in place it connects to a remote address chosen by the author, waits for the attacker's commands, and helps the attacker control the infected machine. The virus also spreads automatically using the AutoRun technique.
Drops the following files to disk:
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
C:\AutoRun.inf
C:\rejoice101.exe
Creates the following registry keys:
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe"
Sets the following registry values (when an IFEO subkey has a Debugger value, Windows starts that debugger command with the program's own command line appended instead of the program itself, so each listed security tool is replaced by "ntsd -d" and never runs normally):
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe" "Debugger" "ntsd -d"
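The following is an added example, not code from this page or from Kingsoft: an offline triage script for the IFEO Debugger hijack described above. It parses a `reg export` of the Image File Execution Options key, lists every image that has a Debugger value, flags the "ntsd -d" pattern and any Debugger set on one of the security-product image names listed on this page, and writes a .reg fragment that removes only the Debugger values (so other legitimate settings under those subkeys survive). The .reg text embedded below is constructed for the example and was not captured from a real host; the entry for `myapp.exe` is a made-up legitimate developer entry included to show that not every Debugger value is malicious.

```python
import re
from typing import Dict, List, Tuple

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Image names this page lists as hijacked (lower-cased for comparison).
SECURITY_IMAGES = {
    "drvanti.exe", "avp.com", "avp.exe", "runiep.exe", "pfw.exe",
    "fyfirewall.exe", "rfwmain.exe", "rfwsrv.exe", "kavpf.exe", "kpfw32.exe",
    "nod32kui.exe", "nod32.exe", "navapsvc.exe", "navapw32.exe",
    "avconsol.exe", "webscanx.exe", "npfmntor.exe",
}

# Constructed sample: what `reg export "HKLM\...\Image File Execution Options" ifeo.reg`
# might produce on an infected host. The myapp.exe entry is a hypothetical
# legitimate developer setting, not something from this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"kernel32.dll"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="string value" with .reg escaping (\\ and \") inside the value.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# ntsd started with -d never hands control back to the hijacked program.
NTSD_RE = re.compile(r'^"?ntsd(?:\.exe)?"?\s+-d\b', re.IGNORECASE)


def _unescape(value: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image_name: debugger_command} for direct IFEO subkeys with a Debugger value."""
    result: Dict[str, str] = {}
    prefix = (IFEO_ROOT + "\\").lower()
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            rest = key[len(prefix):]
            # Only immediate children of the IFEO root are image names.
            current = rest if key.lower().startswith(prefix) and "\\" not in rest else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == "debugger":
            result[current] = _unescape(m.group(2))
    return result


def classify(image: str, debugger: str) -> str:
    """hijack: ntsd -d pattern; suspect: debugger on a security product; review: anything else."""
    if NTSD_RE.match(debugger.strip()):
        return "hijack"
    if image.lower() in SECURITY_IMAGES:
        return "suspect"
    return "review"


def triage(reg_text: str) -> List[Tuple[str, str, str]]:
    """Sorted (image, debugger, verdict) triples for every Debugger value found."""
    return [(img, dbg, classify(img, dbg))
            for img, dbg in sorted(parse_ifeo_debuggers(reg_text).items())]


def cleanup_reg(findings: List[Tuple[str, str, str]]) -> str:
    """Build a .reg file that deletes only the Debugger value of hijacked/suspect images."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _, verdict in findings:
        if verdict in ("hijack", "suspect"):
            lines += [f"[{IFEO_ROOT}\\{image}]", '"Debugger"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for image, debugger, verdict in triage(SAMPLE_REG):
        print(f"{verdict:8} {image:16} -> {debugger}")
    print(cleanup_reg(triage(SAMPLE_REG)))
```

On a live host, `reg export` writes UTF-16LE, so read the file with `encoding="utf-16"` before passing it to `triage`. Import the generated .reg only after the trojan's service and process have been stopped; otherwise the dropped executable can simply rewrite the keys. Deleting just the Debugger value, rather than the whole subkey, keeps any legitimate settings (such as GlobalFlag) the subkey may also hold.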
The virus connects to a URL chosen by its author to download the latest configuration file, updating itself, and then waits for the attacker's commands:
http://update.1***22.cn/product/ppsvodnet/update.ini
Domain: "update.1***22.cn"  Port: 80 (TCP)
update.1***22.cn/product/ppsvodnet/update.ini
Special note: the description above is a record of the facts observed by Kingsoft while testing this virus or other malicious or unwanted program. The concrete behaviour of such programs may differ across software and hardware environments, and the results shown are not necessarily generally applicable.