Trojan-PSW.Win32.QQPass.uw

When run, the virus drops copies of itself into the system directory and adds a registry Run entry so that it is loaded at every system start-up. It attempts to stop the services of several security products and modifies the hosts file to block updates of security software. It also drops copies of itself onto removable devices and adds an Autorun.inf file there to spread. In addition, it removes registry entries belonging to Rising products and hijacks the image file execution mappings of regedit.exe, msconfig.exe and other programs. The virus steals QQ account credentials.

Basic information

  • Chinese name: QQ account and password thief (QQ賬號及密碼盜竊者)
  • Foreign name: Trojan-PSW.Win32.QQPass.uw
  • Virus type: Trojan
  • Disclosure scope: fully public

Name

Virus name: Trojan-PSW.Win32.QQPass.uw
Chinese name: QQ賬號及密碼盜竊者 (QQ account and password thief)

Summary

Virus type: Trojan
File MD5: B1558FBAA833D098C84553D4986660B2
Disclosure scope: fully public
Threat level: 5
File size: 31,979 bytes packed, 186,880 bytes unpacked
Affected systems: Windows 9x and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s -> Dwing
Aliases: BitDefender Generic.PWStealer.F82FE48A; McAfee PWS-QQRob

Behaviour analysis

Dropped copies and files

%System32%\severe.exe
%System32%\xwwume.dll
%System32%\xwwume.exe
%System32%\drivers\jyoapg.com
%RemovableDevice%\servet.exe
%RemovableDevice%\autorun.inf

Registry values created

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, a Debugger value with the string data "%WINDOWS%\System32\drivers\jyoapg.com" is created in each of the following subkeys. Windows starts the named Debugger in place of the program, so every attempt to launch one of these security tools or system utilities runs the trojan's file instead:

360Safe.exe, adam.exe, avp.com, avp.exe, EGHOST.exe, IceSword.exe, iparmo.exe, kabaload.exe, KRegEx.exe, KvDetect.exe, KVMonXP.kxp, KvXP.kxp, MagicSet.exe, mmsk.exe, msconfig.com, msconfig.exe, NOD32.exe, PFW.exe, PFWLiveUpdate.exe, QQDoctor.exe, Ras.exe, Rav.exe, RavMon.exe, regedit.com, regedit.exe, runiep.exe, SREng.EXE, TrojDie.kxp, WoptiClean.exe

Start-up entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyoapg
Value: String: "%WINDOWS%\System32\xwwume.exe"

Registry values modified

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
New: String: "Explorer.exe %WINDOWS%\System32\severe.exe"
Old: String: "Explorer.exe"

Hosts file modifications

The following entries are added to the hosts file, pointing security-vendor download, update and online-scan sites to the loopback address so that the products cannot update:

127.0.0.1 mmsk.cn
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
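The three defence-evasion artifacts above (IFEO Debugger hijacks, a program appended to the Winlogon Shell value, and vendor hosts pinned to 127.0.0.1) can be checked offline from a regedit export and a copy of the hosts file. The script below is an example added by the editor, not code from the original page or from Antiy; the .reg export and hosts file it contains are constructed samples (the C:\WINDOWS paths, notepad.exe, intranet.example and the allowlist of expected debuggers are assumptions), and the checks are written generally, so they also catch 0.0.0.0 sinkholes and Debugger values for programs the page does not list.

```python
"""Audit a regedit export and a hosts file for the artifacts described above:
IFEO Debugger hijacks, extra programs in the Winlogon Shell value, and
security-vendor hosts mapped to loopback. Editor's example; the sample data
below is constructed, not taken from the analysed malware sample."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Debugger executables an administrator actually deployed (assumed allowlist);
# any other IFEO Debugger target is reported.
EXPECTED_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe"}

# Constructed .reg export. regedit's export format doubles backslashes in data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\System32\\drivers\\jyoapg.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Debuggers\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\severe.exe"
"""

# Constructed hosts file: two entries from the list above plus benign lines.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1 safe.qq.com
127.0.0.1 update.rising.com.cn   # vendor update host sinkholed
192.168.10.5 intranet.example
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            # undo the export format's backslash doubling
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys


def find_ifeo_hijacks(keys, expected=EXPECTED_DEBUGGERS):
    """(target_exe, debugger_path) for every IFEO Debugger value that does not
    point at an expected debugger. Windows launches the Debugger instead of
    the target, which is how the trojan blocks the listed security tools."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix) or "Debugger" not in values:
            continue
        debugger = values["Debugger"]
        if debugger.split("\\")[-1].lower() not in expected:
            hits.append((path[len(prefix):], debugger))
    return hits


def find_shell_extras(keys):
    """Programs in the Winlogon Shell value besides Explorer.exe. Entries are
    split on commas and whitespace, so a path containing spaces is a known
    limitation of this check."""
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "Explorer.exe")
    return [p for p in re.split(r"[,\s]+", shell.strip())
            if p and p.lower() != "explorer.exe"]


def find_sinkholed_hosts(text):
    """Hostnames other than localhost that the hosts file maps to loopback or
    0.0.0.0, the pattern used above to block antivirus update servers."""
    sink = {"127.0.0.1", "0.0.0.0", "::1"}
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(fields) >= 2 and fields[0] in sink:
            hits.extend(n for n in fields[1:] if n.lower() != "localhost")
    return hits


def audit(reg_text, hosts_text):
    """Run all three checks and return one report dictionary."""
    keys = parse_reg_export(reg_text)
    return {
        "ifeo_hijacks": find_ifeo_hijacks(keys),
        "shell_extras": find_shell_extras(keys),
        "sinkholed_hosts": find_sinkholed_hosts(hosts_text),
    }


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_REG_EXPORT, SAMPLE_HOSTS).items():
        print(name, hits)
```

On a live machine the two inputs are obtained with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" nt.reg` and a copy of %WINDOWS%\System32\drivers\etc\hosts; keeping the checks over exported text means the audit can run on a clean analysis host rather than on the infected one.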
--------------------------------------------------------------------------------

Removal

1. Antiy Trojan Defense Line (安天木馬防線) removes this virus completely (recommended).
2. To remove it manually, delete the corresponding files and restore the affected system settings as described under Behaviour analysis:
(1) Use the Process Management function of Antiy Trojan Defense Line to terminate the virus processes severe.exe, xwwume.exe and jyoapg.com.
(2) Delete the registry values the virus added and restore the ones it modified:

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, the Debugger value (String: "%WINDOWS%\System32\drivers\jyoapg.com") in each of these subkeys:

360Safe.exe, adam.exe, avp.com, avp.exe, EGHOST.exe, IceSword.exe, iparmo.exe, kabaload.exe, KRegEx.exe, KvDetect.exe, KVMonXP.kxp, KvXP.kxp, MagicSet.exe, mmsk.exe, msconfig.com, msconfig.exe, NOD32.exe, PFW.exe, PFWLiveUpdate.exe, QQDoctor.exe, Ras.exe, Rav.exe, RavMon.exe, regedit.com, regedit.exe, runiep.exe, SREng.EXE, TrojDie.kxp, WoptiClean.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyoapg
Value: String: "%WINDOWS%\System32\xwwume.exe"
(3) Delete the files dropped by the virus:
%System32%\severe.exe
%System32%\xwwume.dll
%System32%\xwwume.exe
%System32%\drivers\jyoapg.com
%RemovableDevice%\servet.exe
%RemovableDevice%\autorun.inf
