Win32.Troj.QQRobber.lh

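Win32.Troj.QQRobber.lh is a Trojan that steals QQ account numbers. It disguises itself as a JPG image to trick users into clicking and running it. The Trojan records the user's QQ number and password and sends them to the person who planted it. Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003.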

Basic introduction

  • Chinese name: Win32.Troj.QQRobber.lh
  • Processing date: 2006-12-06
  • Threat level: ★
  • Virus type: Trojan

Basic information

Virus alias: Processing date: 2006-12-06 Threat level: ★
Chinese name: Virus type: Trojan

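Virus behavior

1. After it runs, the virus copies itself to %system%\ntdhcp.exe and executes the copy.
2. It adds the following registry entry so that it starts automatically at boot:
[HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run]
"NTdhcp"="C:\WINDOWS\system32\NTdhcp.exe"
3. It modifies the registry to disable antivirus software services by changing the Start value of the following keys to 0x04: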
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor
HKLM\SYSTEM\CurrentControlSet\Services\MskService
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc
HKLM\SYSTEM\CurrentControlSet\Services\McShield
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
HKLM\SYSTEM\CurrentControlSet\Services\RfwService
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC
4. It deletes the following registry entries so that antivirus processes can no longer start automatically at boot:
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
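5. While running, the virus searches for antivirus software windows; if it finds one, it sends the window a WM_QUIT message to make the program exit.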
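For triage, the registry traces from steps 2 and 3 can be checked offline against a registry export. The Python code below is an added example, not part of the original entry: it parses .reg export text and flags the NTdhcp Run value and any listed security service whose Start value is 4. The function names and the sample export are constructed for illustration.

```python
import re

# Service names copied from step 3 of the entry.
AV_SERVICES = {s.lower() for s in (
    "navapsvc RsRavMon RsCCenter kavsvc KVSrvXP wscsvc KPfwSvc KWatchSvc "
    "SNDSrvc ccProxy ccEvtMgr ccSetMgr SPBBCSvc NPFMntor MskService FireSvc "
    "McShield McTaskManager McAfeeFramework RfwService KVWSC").split()}
AV_SERVICES.add("symantec core lc")
# .reg exports spell HKLM out as HKEY_LOCAL_MACHINE; compare case-insensitively.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SVC_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"

def parse_reg(text):
    """Yield (key, value_name, raw_data) tuples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def triage(text):
    """Return (kind, key, value_name) findings matching steps 2 and 3."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == RUN_KEY and (name.lower() == "ntdhcp" or "ntdhcp.exe" in data.lower()):
            findings.append(("persistence", key, name))
        elif k.startswith(SVC_PREFIX) and name.lower() == "start":
            svc = k[len(SVC_PREFIX):]
            if svc in AV_SERVICES and data.lower() == "dword:00000004":
                findings.append(("service_disabled", key, name))
    return findings

# Constructed sample export: one infected Run value, one disabled listed
# service, one healthy listed service, one unrelated disabled service.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NTdhcp"="C:\\WINDOWS\\system32\\NTdhcp.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Files written by regedit in version 5.00 format are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text to `triage`.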
