Win32.Troj.Small.dx
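Alias:
Date processed: 2007-06-01
Threat level: ★
Chinese name:
Type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Behavior:
This virus is a downloader trojan. It does not damage the system itself, but it downloads and executes two other trojans.
1. Download addresses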
http://**.95.146.206/winsp5.exe
http://**.95.148.188/20509.exe
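2. The virus reads the content at http://**.95.146.206/loaderbb.php?l=0804&adv=23 and decrypts it to obtain the download addresses.
3. After running, 20509.exe creates the file ijupd.dll in the system directory, registers a CLSID component to add a startup entry, and modifies the hosts file to block security-related websites.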
HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32
"(Default)" = "%SystemRoot%\system32\ijupd.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
"{2C1CD3D7-86AC-4068-93BC-A02304B20509}" = "DCOM Server 20509"
4. winsp5.exe is a downloader trojan; it accesses the address 208.72.168.** and adds a CLSID component.