Win32.Troj.QQPass.aa

王朝百科 · author anonymous · 2010-02-05


Alias:   Processed: 2007-04-06   Threat level: ★

Chinese name:   Type: Trojan   Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003

Behaviour:

This is a worm that steals users' QQ account credentials. It spreads via removable disks and actively fights security software.

1. Drops the following files and sets their hidden and system attributes:

%WINDIR%\system32\ryato.dll
%WINDIR%\system32\ryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe

2. Creates an Autorun.inf and a copy of the virus body, OSO.exe, in the root directory of every partition, and modifies the related registry value so that the virus runs when the user double-clicks the partition:

Modified registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 0xB5

Autorun.inf contents:

[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe

3. Adds or modifies a registry value to keep the virus files hidden (disables "show hidden files" in Explorer):

HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0"

4. Adds the following registry values to start itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\ryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ryato "%WINDIR%\System32\severe.exe"

5. Modifies the following registry value so that it is launched together with the Explorer process:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe %WINDIR%\System32\drivers\conime.exe"

6. Adds the following Image File Execution Options "Debugger" values, which redirect the named security tools to the virus file so that they can no longer run:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
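As an added example (not part of this write-up), the following Python audits a registry export and an Autorun.inf for the artefacts described in steps 2 to 6: IFEO Debugger hijacks, a modified Winlogon Shell, Run entries pointing into System32, an AutoRun policy that is not fully disabled, and the hidden-files setting. The sample inputs are constructed to mirror the values listed above; the function names and the export format are assumptions of this example.

```python
IFEO = "\\image file execution options\\"
RUN_KEY = "\\currentversion\\run\\"
AUTORUN_KEYS = ("open", "shellexecute", "shell\\auto\\command")

# Constructed sample shaped like a forensic export: "HIVE\path\ValueName" -> data.
SAMPLE_REG = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger":
        r"%WINDIR%\System32\drivers\fubcwj.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        r"Explorer.exe %WINDIR%\System32\drivers\conime.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ryato": r"%WINDIR%\System32\severe.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": 0xB5,
    r"HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue": 0,
}
SAMPLE_AUTORUN = "[AutoRun]\r\nopen=OSO.exe\r\nshellexecute=OSO.exe\r\nshell\\Auto\\command=OSO.exe\r\n"

def audit_registry(values):
    """Return (finding, key) pairs for values matching the write-up's techniques."""
    findings = []
    for key, data in values.items():
        k, d = key.lower(), str(data).lower()
        if IFEO in k and k.endswith("\\debugger"):
            # A Debugger value under IFEO makes Windows launch that path instead of
            # the named program; legitimate use is rare outside developer machines.
            findings.append(("ifeo_debugger_hijack", key))
        elif k.endswith("\\winlogon\\shell") and d.strip() != "explorer.exe":
            findings.append(("winlogon_shell_modified", key))
        elif RUN_KEY in k and "\\system32\\" in d:
            findings.append(("run_entry_in_system32", key))  # triage hint, not proof
        elif k.endswith("\\nodrivetypeautorun") and data != 0xFF:
            # 0xFF disables AutoRun for every drive type; any other value leaves
            # some drive types able to act on an Autorun.inf.
            findings.append(("autorun_not_fully_disabled", key))
        elif k.endswith("\\hidden\\showall\\checkedvalue") and data != 1:
            findings.append(("show_hidden_files_disabled", key))
    return findings

def audit_autorun_inf(text):
    """Map each launch key in an Autorun.inf (open, shellexecute,
    shell\\Auto\\command) to the program it would start."""
    launched = {}
    for line in text.splitlines():
        name, sep, target = line.partition("=")
        if sep and name.strip().lower() in AUTORUN_KEYS:
            launched[name.strip().lower()] = target.strip()
    return launched
```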

7. Modifies the hosts file to block access to security-vendor websites, mapping each blocked host name (the sites of mmsk, ikaka, safe.qq.com, 360safe and the update servers of Kingsoft, Rising, Jiangmin and Kaspersky) to 127.0.0.1.


8. Searches for windows whose title contains any of the following strings and closes them:

杀毒 (antivirus), 专杀 (removal tool), 病毒 (virus), 木马 (Trojan), 注册表 (registry)

9. Stops and disables the following security-related services:

srservice

sharedaccess

KVWSC

KVSrvXP

kavsvc

RsRavMon

RsCCenter

10. Terminates the following security-software processes:

PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe,
RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe,
Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp,
kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe

11. Deletes the following QQ files:

QLiveUpdate.exe, BDLiveUpdate.exe, QUpdateCenter.exe

12. Installs keyboard and mouse message hooks, looks for the QQ login window and logs keystrokes; once it has captured the user's password, it sends it to a designated mailbox through its own built-in mail engine.
