Win32.Hack.Firefly.aa
威胁级别:★
病毒类型:黑客程序
影响系统:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行为:
这是一个黑客后门程序,病毒运行后会连接远程主机,使用户受控于黑客。
1、释放病毒文件到如下路径:
C:Program Filesfirefly-remoteInstall.DLL
C:Program Filesfirefly-remoteFirefly.ini
C:Program Filesfirefly-remoteFirefly.exe
2、添加如下注册表项,注册服务,开机自动启动:
HKLMSystemCurrentControlSetServicesRemote Control
Type = 0x110
HKLMSystemCurrentControlSetServicesRemote Control
Start = 0x2
HKLMSystemCurrentControlSetServicesRemote Control
ErrorControl = 0x0
HKLMSystemCurrentControlSetServicesRemote Control
ImagePath = "C:Program Filesfirefly-remotefirefly.exe"
HKLMSystemCurrentControlSetServicesRemote Control
ObjectName = "LocalSystem"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL
NextInstance = 0x1
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000Control
*NewlyCreated*=0x0
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000
Service="Remote Control"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000
Legacy=0x1
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000
ConfigFlags=0x0
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000
Class="LegacyDriver"
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000
ClassGUID=""
HKLMSYSTEMCURRENTCONTROLSETENUMROOTLEGACY_REMOTE_CONTROL�000
DeviceDesc = "Remote Control"
HKLMSYSTEMCURRENTCONTROLSETSERVICESRemote ControlEnum
0="RootLEGACY_REMOTE_CONTROL�000"
HKLMSYSTEMCURRENTCONTROLSETSERVICESRemote ControlEnum
Count=0x1
HKLMSYSTEMCURRENTCONTROLSETSERVICESRemote ControlEnum
NextInstance=0x1
3、插入IE进程,连接远程主机,等待黑客命令。