Win32.PSWTroj.QQ.lt.88064

王朝百科·作者佚名 2010-01-30

宽屏版字体: 小|中|大|超大

病毒别名：处理时间：2006-12-06 威胁级别：★

中文名称：病毒类型：木马影响系统：Win 9x/ME,Win 2000/NT,Win XP,Win 2003

病毒行为:

这是个盗取用户QQ帐号的木马！

1、将自身复制为：

%WINDOWS%Helpwshmcepts.chm

%Program Files%Common FilesMicrosoft SharedMSINFOF80D61C2.dat

2、释放文件：

%Program Files%Common FilesMicrosoft SharedMSINFOF80D61C2.dll

3、每个三秒就添加以下注册表项来自启动：

HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks{D61CF80D-F80D-61C2-0D61-80D1C80D61C2} ""

HKCRCLSID{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}(Default) ""

HKCRCLSID{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}InProcServer32(Default) "%Program Files%Common FilesMicrosoft SharedMSINFOF80D61C2.dll"

HKCRCLSID{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}InProcServer32ThreadingModel "Apartment"

4、尝试禁用以下与安全软件相关的服务：

navapsvc、RsRavMon、RsRavMon、kavsvc、KVWSC、KVSrvXP、wscsvc、KPfwSvc、KWatchSvc、SNDSrvc、ccProxy、ccEvtMgr、ccSetMgr、SPBBCSvc、

Symantec Core LC、NPFMntor、MskService、FireSvc、McShield、McTaskManager、McAfeeFramework、RfwService、SKNFW、SkyProcs、AVP

5、尝试删除以下与安全软件相关的注册表项：

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRavMon

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKAVPersonal50

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRavTimer

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRavTask

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKvMonXP

HKLMSoftWareMicrosoftWindowsCurrentVersionRuniDuba Personal FireWall

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKAVRun

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKpopMon

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKulansyn

HKLMSoftWareMicrosoftWindowsCurrentVersionRunccApp

HKLMSoftWareMicrosoftWindowsCurrentVersionRunSSC_UserPrompt

HKLMSoftWareMicrosoftWindowsCurrentVersionRunNAV CfgWiz

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMCAgentExe

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMcRegWiz

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMCUpdateExe

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMSKAGENTEXE

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMSKDetectorExe

HKLMSoftWareMicrosoftWindowsCurrentVersionRunVirusScan Online

HKLMSoftWareMicrosoftWindowsCurrentVersionRunVSOCheckTask

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMcAfeeUpdaterUI

HKLMSoftWareMicrosoftWindowsCurrentVersionRunNetwork Associates Error Reporting Service

HKLMSoftWareMicrosoftWindowsCurrentVersionRunShStatEXE

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKavStart

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRfwMain

HKLMSoftWareMicrosoftWindowsCurrentVersionRunSonudMan

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKvPpWall_autorun

HKLMSoftWareMicrosoftWindowsCurrentVersionRunSKYNET Personal FireWall

HKLMSoftWareMicrosoftWindowsCurrentVersionRunJiangmin KVFW

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRapdateiyr

HKCUSoftWareMicrosoftWindowsCurrentVersionRuniDuba Personal FireWall

HKCUSoftWareMicrosoftWindowsCurrentVersionRunKavPFW

HKCUSoftWareMicrosoftWindowsCurrentVersionRunKvXP

HKCUSoftwareMicrosoftWindowsCurrentVersionRuninternat.exe

6、尝试卸载以下安全软件：

KV2006

KVFW

rising

KINGSOFTANTIVIRUS

Kaspersky Anti-Virus Personal

risingRfw

绿鹰PC万能精灵

VIRUSCAN8000

7、检测用户计算机上是否安装还原精灵，如果发现安装则进行还原精灵转存使还原精灵失效。

8、创建消息钩子。

9、当检测到QQ运行时将以下文件的后缀改为.bak: QQLiveUpdate.exe、npkcrypt.sys、BDLiveUpdate.exe。