Win32.Troj.QQpass68

病毒别名：

处理时间：

威胁级别：★

中文名称：QQ杀手

病毒类型：木马

影响系统：Windows 2000, Windows 95, Windows 98, Windows Me,

病毒行为:

编写工具:

vb

传染条件:

将自己伪装成flash动画,诱使用户双击运行

发作条件:

当用户登陆QQ时,此木马将记录用户的qq密码并通过邮件发送给攻击者.

系统修改:

1,拷贝自身到:

C:wel.txt

C:DebugFi.txt

C:Program FilestRtlRu.EXE

D:Documents and SettingsillMMifz.EXE

%system%EXPLOREA.EXE

E:Documents and SettingsGTduayy.EXE

E:Program FilesEazr.EXE

E:Program Filesswbp.EXE

E:RECYCLERlYUiEcO.EXE

E:System Volume InformationVKal.EXE

F:BackupgAQCH.EXE

2,修改下列注册表键值:

HKEY_CLASSES_ROOTchm.fileshellopencommand ""D:WINNThh.exe" %1" "F:BackupgAQCH.EXE %1"

HKEY_CLASSES_ROOTexefileshellopencommand ""%1" %*" "E:System Volume InformationVKal.EXE %1 %*"

HKEY_CLASSES_ROOTinifileshellopencommand "E:Program FilesEazr.EXE %1"

HKEY_CLASSES_ROOT

egfileshellopencommand "regedit.exe "%1"" "D:Documents and SettingsillMMifz.EXE %1"

HKEY_CLASSES_ROOTscrfileshellopencommand ""%1" /S" "E:Program Filesswbp.EXE %1"

HKEY_CLASSES_ROOT xtfileshellopencommand "E:RECYCLERlYUiEcO.EXE %1"

HKEY_LOCAL_MACHINESOFTWAREClasseschm.fileshellopencommand ""D:WINNThh.exe" %1" "F:BackupgAQCH.EXE %1"

HKEY_LOCAL_MACHINESOFTWAREClassesexefileshellopencommand ""%1" %*" "E:System Volume InformationVKal.EXE %1 %*"

HKEY_LOCAL_MACHINESOFTWAREClassesinifileshellopencommand "E:Program FilesEazr.EXE %1"

HKEY_LOCAL_MACHINESOFTWAREClasses

egfileshellopencommand "regedit.exe "%1"" "D:Documents and SettingsillMMifz.EXE %1"

HKEY_LOCAL_MACHINESOFTWAREClassesscrfileshellopencommand ""%1" /S" "E:Program Filesswbp.EXE %1"

HKEY_LOCAL_MACHINESOFTWAREClasses xtfileshellopencommand "E:RECYCLERlYUiEcO.EXE %1"

这样当用户打开扩展名为chm exe ini reg src txt文件时,木马就会自动运行

3,病毒运行后将会用windows的记事本打开一个自己生成的文件C:wel.txt, 内容为Welcome!

发作现象:

木马运行后会自动打开一个windows的记事本,标题问wel.txt,内容为welcome!

特别说明: