Win32.Troj.QQRobber.lh

王朝百科·作者佚名 2010-01-30

宽屏版字体: 小|中|大|超大

病毒别名：处理时间：2006-12-06 威胁级别：★

中文名称：病毒类型：木马影响系统：Win 9x/ME,Win 2000/NT,Win XP,Win 2003

病毒行为:

这是一个盗取QQ号码的木马，病毒伪装成jpg图片欺骗用户点击运行。病毒会记录用户的QQ号码和密码，并发送给种马者。

1、病毒运行后会复制自身到%system%

tdhcp.exe，并运行。

2、添加如下注册表项，以便开机自启：

[HKLMSoftWareMicrosoftWindowsCurrentVersionRun]

"NTdhcp"="C:WINDOWSsystem32NTdhcp.exe"

3、修改注册表，禁用反病毒软件服务，即将以下键的start值改为0x04,：

HKLMSYSTEMCurrentControlSetServices

avapsvc

HKLMSYSTEMCurrentControlSetServicesRsRavMon

HKLMSYSTEMCurrentControlSetServicesRsCCenter

HKLMSYSTEMCurrentControlSetServiceskavsvc

HKLMSYSTEMCurrentControlSetServicesKVSrvXP

HKLMSYSTEMCurrentControlSetServiceswscsvc

HKLMSYSTEMCurrentControlSetServicesKPfwSvc

HKLMSYSTEMCurrentControlSetServicesKWatchSvc

HKLMSYSTEMCurrentControlSetServicesSNDSrvc

HKLMSYSTEMCurrentControlSetServicesccProxy

HKLMSYSTEMCurrentControlSetServicesccEvtMgr

HKLMSYSTEMCurrentControlSetServicesccSetMgr

HKLMSYSTEMCurrentControlSetServicesSPBBCSvc

HKLMSYSTEMCurrentControlSetServicesSymantec Core LC

HKLMSYSTEMCurrentControlSetServicesNPFMntor

HKLMSYSTEMCurrentControlSetServicesMskService

HKLMSYSTEMCurrentControlSetServicesFireSvc

HKLMSYSTEMCurrentControlSetServicesMcShield

HKLMSYSTEMCurrentControlSetServicesMcTaskManager

HKLMSYSTEMCurrentControlSetServicesMcAfeeFramework

HKLMSYSTEMCurrentControlSetServicesRfwService

HKLMSYSTEMCurrentControlSetServicesKVWSC

4、删除如下注册表项，使杀毒进程无法开机自动运行。

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRavMon

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKAVPersonal50

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRavTimer

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRavTask

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKvMonXP

HKLMSoftWareMicrosoftWindowsCurrentVersionRuniDuba Personal FireWall

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKAVRun

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKpopMon

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKulansyn

HKCUSoftWareMicrosoftWindowsCurrentVersionRuniDuba Personal FireWall

HKCUSoftWareMicrosoftWindowsCurrentVersionRunKavPFW

HKCUSoftWareMicrosoftWindowsCurrentVersionRunKvXP

HKLMSoftWareMicrosoftWindowsCurrentVersionRunccApp

HKLMSoftWareMicrosoftWindowsCurrentVersionRunSSC_UserPrompt

HKLMSoftWareMicrosoftWindowsCurrentVersionRunNAV CfgWiz

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMCAgentExe

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMcRegWiz

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMCUpdateExe

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMSKAGENTEXE

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMSKDetectorExe

HKLMSoftWareMicrosoftWindowsCurrentVersionRunVirusScan Online

HKLMSoftWareMicrosoftWindowsCurrentVersionRunVSOCheckTask

HKLMSoftWareMicrosoftWindowsCurrentVersionRunMcAfeeUpdaterUI

HKLMSoftWareMicrosoftWindowsCurrentVersionRunNetwork Associates Error Reporting Service

HKLMSoftWareMicrosoftWindowsCurrentVersionRunShStatEXE

HKLMSoftWareMicrosoftWindowsCurrentVersionRunVSOCheckTask

HKLMSoftWareMicrosoftWindowsCurrentVersionRunRfwMain

HKLMSoftWareMicrosoftWindowsCurrentVersionRunSonudMan

HKLMSoftWareMicrosoftWindowsCurrentVersionRunKavStart

5、病毒运行过程中会搜寻杀毒软件窗口，若找到则发送WM_QUIT消息，令其退出。