Trojan-PSW.Win32.OnLineGames.uw
Virus name: Trojan-PSW.Win32.OnLineGames.uw
Chinese name: 盗窃者 ("Thief")
Virus type: Trojan
File MD5: 48dfe0f0633d321670dfdecb144673e7
Disclosure scope: fully public
Threat level: 4
File length: 41,343 bytes packed, 200,704 bytes unpacked
Affected systems: Windows 9x and later
Development tool: Microsoft Visual C++ 6.0
Packer: NsPacK V3.7 -> LiuXingPing [Overlay]
Virus description:
Once run, the virus drops copies of itself into several directories, adds multiple registry autostart entries, and modifies file execution mappings (Image File Execution Options "Debugger" values) so that the virus body is launched whenever one of the mapped programs is started. It then connects to the network and downloads further malware to run on the local machine; the downloaded components are mostly online-game account stealers. Because it remaps the execution of many programs, affected user applications may fail to run. The virus can also spread through removable storage devices.
Behavior analysis:
1. Drops the following copies and files:
%Program Files%\xiedby.inf
%Program Files%\meex.exe
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\mppds.exe
%WinDir%\upxdnd.exe
%System32%\5E15.dll
%System32%\10J20.dll
%System32%\cmdbcs.dll
%System32%\Kvsc3.dll
%System32%\mppds.dll
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\nwizwmgjs.dll
%System32%\nwizwmgjs.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%Program Files%\Common Files\Microsoft Shared\irijjmn.exe
%Program Files%\Common Files\System\ccqwyxt.exe
2. Creates the following application execution-mapping registry values (Image File Execution Options Debugger entries). Every entry has the same form and the same value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
The <image name> subkeys created are:
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
ArSwp.exe
AST.exe
autoruns.exe
avconsol.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
EGHOST.exe
FileDsty.exe
FTCleanerShell.exe
FYFireWall.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPfwSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
Navapsvc.exe
Navapw32.exe
nod32.exe
nod32krn.exe
nod32kui.exe
NPFMntor.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
QQDoctor.exe
QQKav.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
rfwmain.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
upiea.exe
UpLive.exe
USBCleaner.exe
vsstat.exe
webscanx.exe
WoptiClean.exe
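The Debugger redirection above is the easiest of this trojan's changes to audit generically. The following PowerShell is an added example, not code from the original report: it lists every IFEO subkey whose Debugger value points at something other than an allow-listed debugger, notes how many images share the same target (the tell-tale pattern here), and can remove the values under -WhatIf/-Confirm. The function names, the allow-list and the output layout are assumptions.

```powershell
# Added example (not from the original report): audit the Image File Execution Options (IFEO)
# tree for Debugger values like the ones this trojan plants, and optionally remove them.
# Function names and the allow-list below are assumptions; adjust the list to your environment.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debugger executables that are legitimate in many environments (assumption).
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe', 'drwtsn32.exe')

function Get-IfeoDebuggerHijack {
    # One object per IFEO subkey whose Debugger value does not point at an allow-listed debugger.
    [CmdletBinding()]
    param([string]$Root = $IfeoRoot, [string[]]$Allow = $KnownDebuggers)

    $hits = foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

        # The executable is the first token of the command line; it may be quoted.
        $cmd = $dbg.Trim()
        $exe = if ($cmd.StartsWith('"')) { $cmd.Substring(1).Split('"')[0] } else { $cmd.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($Allow -contains [System.IO.Path]::GetFileName($exe).ToLowerInvariant()) { continue }

        [pscustomobject]@{
            Image      = $key.PSChildName                      # program being hijacked, e.g. 360Safe.exe
            Debugger   = $dbg                                  # what Windows starts instead
            TargetPath = $exe
            OnDisk     = Test-Path -LiteralPath $exe -PathType Leaf
            KeyPath    = $key.PSPath
        }
    }

    # The pattern in this report: dozens of unrelated images all redirected to one unknown binary.
    foreach ($group in ($hits | Group-Object -Property TargetPath)) {
        foreach ($hit in $group.Group) {
            $hit | Add-Member -NotePropertyName SharedTargetCount -NotePropertyValue $group.Count -PassThru
        }
    }
}

function Remove-IfeoDebuggerHijack {
    # Deletes the Debugger values reported above; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hit in Get-IfeoDebuggerHijack) {
        if ($PSCmdlet.ShouldProcess($hit.KeyPath, "remove Debugger -> $($hit.Debugger)")) {
            Remove-ItemProperty -Path $hit.KeyPath -Name Debugger
        }
    }
}

# Review first, then remove once the targets have been confirmed as malicious.
Get-IfeoDebuggerHijack | Sort-Object SharedTargetCount -Descending |
    Format-Table Image, TargetPath, OnDisk, SharedTargetCount -AutoSize
# Remove-IfeoDebuggerHijack -WhatIf
```

Run it from an elevated PowerShell session; a legitimate Debugger entry whose executable is not in the allow-list will also be reported, so review TargetPath before removing anything.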
3. Creates the following registry autostart values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\Description
Value: String: "允许 Administrators 组的成员进行远程调试。" (Chinese for "Allows members of the Administrators group to perform remote debugging.")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe RemoteDbg.dll,input.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiedby
Value: String: "%Program Files%\Common Files\System\ccqwyxt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "%WinDir%\cmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc3
Value: String: "%WinDir%\Kvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mppds
Value: String: "%WinDir%\mppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oatrfhf
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd
Value: String: "%WinDir%\upxdnd.exe"
4. Modifies the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure
New: DWORD: 4 (0x4)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed
New: DWORD: 50 (0x32)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful
New: DWORD: 49 (0x31)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
5. Deletes the following registry keys and values:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
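Sections 3 to 5 together describe the persistence and self-defence side of the infection: a fake service, Run values for the dropped files, three services disabled, the "show hidden files" option switched off, and the disk-drive device class removed from both Safe Mode lists. The following PowerShell is an added example, not code from the original report: it checks a live host for each of those changes against the defaults the report records as "Old", and can put the recorded defaults back. The function names and finding layout are assumptions; the keys, file names and default values are taken from this report.

```powershell
# Added example (not from the original report): check a live host for the autostart and
# self-defence changes in sections 3 to 5, and restore the values the report records as "Old".
# Function names and the finding layout are assumptions; keys, names and defaults are from the report.
$Ccs = 'HKLM:\SYSTEM\CurrentControlSet'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ShowAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$DiskClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
$DroppedNames = 'ccqwyxt.exe', 'cmdbcs.exe', 'Kvsc3.exe', 'mppds.exe', 'irijjmn.exe', 'upxdnd.exe'
$ServiceDefaults = @{ helpsvc = 2; SharedAccess = 3; wuauserv = 2 }   # the report's "Old" Start values

function Test-OnLineGamesUwPersistence {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($check, $key, $found, $expected)
        $findings.Add([pscustomobject]@{ Check = $check; Key = $key; Found = $found; Expected = $expected }) }

    # Section 3: the fake "Remote Debug Service" and Run values pointing at dropped files.
    $svcKey = "$Ccs\Services\RemoteDbg"
    if (Test-Path -LiteralPath $svcKey) {
        & $add 'Service RemoteDbg' $svcKey (Get-ItemProperty -Path $svcKey).ImagePath '<absent>'
    }
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    foreach ($prop in $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        foreach ($name in $DroppedNames) {
            if ("$($prop.Value)" -like "*\$name*") { & $add "Run\$($prop.Name)" $RunKey $prop.Value '<absent>' }
        }
    }

    # Section 4: services forced to Start=4 (disabled) and Explorer's "show hidden files" switch.
    foreach ($svc in $ServiceDefaults.Keys) {
        $key = "$Ccs\Services\$svc"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($null -ne $start -and $start -ne $ServiceDefaults[$svc]) {   # an absent service is not a finding
            & $add "Service $svc Start" $key $start $ServiceDefaults[$svc]
        }
    }
    $checked = (Get-ItemProperty -Path $ShowAllKey -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    if ($checked -ne 1) { & $add 'Explorer SHOWALL CheckedValue' $ShowAllKey $checked 1 }

    # Section 5: Safe Mode needs the disk-drive class in both SafeBoot lists, or it cannot start.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "$Ccs\Control\SafeBoot\$mode\$DiskClass"
        $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($default -ne 'DiskDrive') { & $add "SafeBoot\$mode disk class" $key $default 'DiskDrive' }
    }
    return $findings
}

function Repair-OnLineGamesUwPersistence {
    # Puts back the recorded defaults; Run values and the fake service are deleted by hand per step (3).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($f in Test-OnLineGamesUwPersistence | Where-Object Expected -ne '<absent>') {
        if (-not $PSCmdlet.ShouldProcess($f.Key, "restore $($f.Check) to $($f.Expected)")) { continue }
        if ($f.Check -like 'SafeBoot*') {
            if (Test-Path -LiteralPath $f.Key) { Set-ItemProperty -Path $f.Key -Name '(default)' -Value $f.Expected }
            else { New-Item -Path $f.Key -Value $f.Expected | Out-Null }
        } elseif ($f.Check -like 'Service*') {
            Set-ItemProperty -Path $f.Key -Name Start -Value $f.Expected
        } else {
            Set-ItemProperty -Path $f.Key -Name CheckedValue -Value $f.Expected
        }
    }
}

Test-OnLineGamesUwPersistence | Format-Table Check, Found, Expected, Key -AutoSize
# Repair-OnLineGamesUwPersistence -WhatIf
```

The report also lists the same changes under ControlSet001; that is normally the control set CurrentControlSet points to, so checking CurrentControlSet covers it on a running system.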
6. Accesses the following server addresses (partially masked) and downloads malware to run on the local machine:
(5*.5*.5*.9*)qq.5*0*f.org/81/11.exe
qq.5*0*f.org/*j/yj*6*9.txt (this file is read to obtain the virus update address)
www.5*60*.cn/xzz/xxxxxxxx.exe
Note: %System% is a variable path. The virus queries the operating system to determine the location of the current System folder. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
Removal:
1. Antiy Trojan Defense Line (安天木马防线) can remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as listed in the behavior analysis:
(1) Use Antiy Trojan Defense Line to disconnect from the network and terminate the virus processes:
ccqwyxt.exe
irijjmn.exe
(2) Delete the dropped virus files:
%Program Files%\xiedby.inf
%Program Files%\meex.exe
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\mppds.exe
%WinDir%\upxdnd.exe
%System32%\5E15.dll
%System32%\10J20.dll
%System32%\cmdbcs.dll
%System32%\Kvsc3.dll
%System32%\mppds.dll
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\nwizwmgjs.dll
%System32%\nwizwmgjs.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%Program Files%\Common Files\Microsoft Shared\irijjmn.exe
%Program Files%\Common Files\System\ccqwyxt.exe
(3) Delete the following registry keys and values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\Description
Value: String: "允许 Administrators 组的成员进行远程调试。"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe RemoteDbg.dll,input.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiedby
Value: String: "%Program Files%\Common Files\System\ccqwyxt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "%WinDir%\cmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc3
Value: String: "%WinDir%\Kvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mppds
Value: String: "%WinDir%\mppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oatrfhf
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd
Value: String: "%WinDir%\upxdnd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*.*\Debugger
(that is, every newly created Debugger value listed in step 2 of the behavior analysis)
(4) Restore the modified registry values (set each back to its Old value):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure
New: DWORD: 4 (0x4)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed
New: DWORD: 50 (0x32)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful
New: DWORD: 49 (0x31)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)