Win32.Troj.Poseidon

王朝百科·作者佚名 2010-02-15

宽屏版字体: 小|中|大|超大

病毒别名：处理时间：2007-06-14 威胁级别：★

中文名称：AV终结者病毒类型：木马影响系统：Win 9x/ME,Win 2000/NT,Win XP,Win 2003

病毒行为:

该病毒利用了IFEO重定向劫持技术,会使大量的杀毒软件和安全相关工具无法运行；会破坏安全模式，使中毒用户无法在安全模式下查杀病毒；会下载大量病毒到用户计算机来盗取用户有价值的信息和某些帐号；能通过可移动存储介质传播。

1.生成文件

%programfiles%Common FilesMicrosoft SharedMSInfo{随机8位字母+数字名字}.dat

C:Program FilesCommon FilesMicrosoft SharedMSInfo{随机8位字母+数字名字}.dll

%windir%{随机8位字母+数字名字}.hlp

%windir%Help{随机8位字母+数字名字}.chm

也有可能生成如下文件

%sys32dir%{随机字母}.exe

替换%sys32dir%verclsid.exe文件

2.生成以下注册表项来达到使病毒随系统启动而启动的目的

HKEY_CLASSES_ROOTCLSID"随机CLSID"\InprocServer32 "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREClassesCLSID"随机CLSID" "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks "生成的随机CLSID" ""

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun "随机字符串" "病毒文件全路径"

3.生成以下注册表项来进行文件映像劫持(IFEO劫持)，使用户运行文件名映像被劫持的文件时先运行病毒文件，从而阻止相关安全软件运行。

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360rpt.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360Safe.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360tray.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsadam.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAgentSvr.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAppSvc32.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsautoruns.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavgrssvc.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAvMonitor.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavp.com Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavp.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsCCenter.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsccSvcHst.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFileDsty.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFTCleanerShell.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsHijackThis.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsIceSword.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsiparmo.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsIparmor.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsisPwdSvc.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskabaload.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKaScrScn.SCR Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKASMain.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKASTask.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAV32.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVDX.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVPFW.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVSetup.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVStart.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKISLnchr.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKMailMon.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKMFilter.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFW32.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFW32X.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFWSvc.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKRegEx.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKRepair.COM Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKsLoader.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVCenter.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvDetect.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvfwMcl.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVMonXP.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVMonXP_1.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvol.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvolself.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvReport.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVScan.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVSrvXP.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVStub.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvupload.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvwsc.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvXP.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvXP_1.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKWatch.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKWatch9x.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKWatchX.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsloaddll.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsMagicSet.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmcconsol.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmmqczj.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmmsk.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsNAVSetup.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options

od32krn.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options

od32kui.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsPFW.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsPFWLiveUpdate.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsQHSET.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRas.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRav.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavMon.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavMonD.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavStub.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavTask.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRegClean.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options

fwcfg.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRfwMain.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options

fwProxy.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options

fwsrv.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRsAgent.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRsaupd.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options

uniep.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssafelive.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsscan32.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsshcfg32.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSmartUp.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSREng.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssymlcsvc.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSysSafe.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrojanDetector.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrojanwall.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrojDie.kxp Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUIHost.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxAgent.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxAttachment.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxCfg.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxFwHlp.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxPol.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUpLive.EXE.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsWoptiClean.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionszxsweep.exe Debugger "病毒文件全路径"

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswscsvc Start dword:00000004

4.修改以下注册表，导致无法显示隐藏文件

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced Hidden dword:00000002

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenSHOWALL CheckedValue dword:00000000

5、修改以下服务的启动类型来禁止Windows的自更新和系统自带的防火墙。

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccess Start dword:00000004

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswuauserv Start dword:00000004

6.删除以下注册表项，使用户无法进入安全模式

HKEY_CURRENT_USERSYSTEMCurrentControlSetControlSafeBootMinimal{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_CURRENT_USERSYSTEMControlSet001ControlSafeBootMinimal{4D36E967-E325-11CE-BFC1-08002BE10318}

7.连接网络下载病毒

hxxp://www.webxxx.com/xxx.exe

8.关闭杀毒软件实时监控窗口，如瑞星、卡巴，通过自动点击"跳过"按钮来逃过查杀

9.尝试关闭包含以下关键字窗口

Anti

AgentSvr

CCenter

Rsaupd

SmartUp

FileDsty

RegClean

360tray

360safe

kabaload

safelive

KASTask

KPFW32

KPFW32X

KvXP_1

KVMonXP_1

KvReport

KvXP

KVMonXP

nter

TrojDie

avp.com

KRepair.COM

Trojan

KvNative

Virus

Filewall

Kaspersky

JiangMin

RavMonD

RavStub

RavTask

adam

cSet

PFWliveUpdate

mmqczj

Trojanwall

Ras.exe

runiep.exe

avp.exe

PFW.exe

rising

ikaka

.duba

kingsoft

木马

社区

aswBoot

...

10.禁止用户通过浏览器访问包含特殊字符串（如：病毒）的网页。

11.注入Explorer.exe和TIMPlatform.exe反弹连接，以逃过防火墙的内墙的审核。

12.隐藏病毒进程，但是可以通过结束桌面进程显示出来

13.在硬盘分区生成文件：autorun.inf 和随机字母+数字组成的病毒复制体，并修改“NoDriveTypeAutoRun”使病毒可以随可移动存储介质传播。