病毒名称(中文):
劫持者下载器139378
病毒别名:
威胁级别:
★★☆☆☆
病毒类型:
木马下载器
病毒长度:
139378
影响系统:
Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
该病毒为一个木马下载器。病毒运行后复制自身到系统目录,修改注册表、添加启动项,以达到随机启动的目的。它会破坏杀毒软件和安全辅助工具的正常运行,还会使中毒用户无法进入安全模式下查杀病毒。病毒发作后期,它会下载其它木马,盗取用户电脑上的敏感资料。
1.生成文件
c:\ProgramFiles\meex.exe
c:\ProgramFiles\CommonFile\System\.exe
c:\ProgramFiles\CommonFiles\MicrosoftShared\.exe
2.修改注册表,添加启动项,以达到随机启动的目的
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Default="C:\ProgramFiles\CommonFiles\System\.exe"
3.删除注册表安全模式的有关信息,当开机时不能启动安全模式
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
Defualt="DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
Defualt="DiskDrive"
4.改变注册表值使隐藏文件不可见,达到病毒体隐藏目的
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue=dword:00000000
5.禁用此计算机上的帮助与支持中心服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc
Start=dword:00000004
6.禁用网络地址转换、寻址、名称解析、和入侵保护服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start=dword:00000004
7.禁用监视系统安全设置和配置服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start=dword:00000004
8.禁用下载和安装Windows更新服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start=dword:00000004
9.映像劫持
通过在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions下添加注册表项来进行文件映像劫持,可阻止大量安全软件及系统治理软件运行,并执行病毒体。
被劫持的软件包括:
360rpt.exe;
360Safe.exe;
360tray.exe;
adam.exe;
AgentSvr.exe;
AppSvc32.exe;
autoruns.exe;
avgrssvc.exe;
AvMonitor.exe;
avp.com;
avp.exe;
CCenter.exe;
ccSvcHst.exe;
FileDsty.exe;
FTCleanerShell.exe;
HijackThis.exe;
IceSword.exe;
iparmo.exe;
Iparmor.exe;
isPwdSvc.exe;
kabaload.exe;
KaScrScn.SCR;
KASMain.exe;
KASTask.exe;
KAV32.exe;
KAVDX.exe;
KAVPFW.exe;
KAVSetup.exe;
KAVStart.exe;
KISLnchr.exe;
KMailMon.exe;
KMFilter.exe;
KPFW32.exe;
KPFW32X.exe;
KPFWSvc.exe;
KRegEx.exe;
KRepair.COM;
KsLoader.exe;
KVCenter.kxp;
KvDetect.exe;
KvfwMcl.exe;
KVMonXP.kxp;
KVMonXP_1.kxp;
kvol.exe;
kvolself.exe;
KvReport.kxp;
KVScan.kxp;
KVSrvXP.exe;
KVStub.kxp;
kvupload.exe;
kvwsc.exe;
KvXP.kxp;
KvXP_1.kxp;
KWatch.exe;
KWatch9x.exe;
KWatchX.exe;
loaddll.exe;
MagicSet.exe;
mcconsol.exe;
mmqczj.exe;
mmsk.exe;
NAVSetup.exe;
nod32krn.exe;
nod32kui.exe;
PFW.exe;
PFWLiveUpdate.exe;
QHSET.exe;
Ras.exe;
Rav.exe;
RavMon.exe;
RavMonD.exe;
RavStub.exe;
RavTask.exe;
RegClean.exe;
rfwcfg.exe;
RfwMain.exe;
rfwProxy.exe;
rfwsrv.exe;
RsAgent.exe;
Rsaupd.exe;
runiep.exe;
safelive.exe;
scan32.exe;
shcfg32.exe;
SmartUp.exe;
SREng.exe;
symlcsvc.exe;
SysSafe.exe;
TrojanDetector.exe;
Trojanwall.exe;
TrojDie.kxp;
UIHost.exe;
UmxAgent.exe;
UmxAttachment.exe;
UmxCfg.exe;
UmxFwHlp.exe;
UmxPol.exe;
UpLive.EXE.exe;
WoptiClean.exe;
zxsweep.exe;
10.该病毒在各个驱动器下创建.exe前,首先判定驱动器的根目录下是否存在.exe文件或文件夹,假如存在则先尝试删除,
然后创建autorun.inf文件和对应可执行病毒文件。
11.从以下网址下载其他病毒文件至客户机器.
http://www.*****.com/Rettwn.txt
http://www.wt*****.com/TDown1.exe
