該病毒是一個QQ大盜變種。該病毒會將盜取的QQ號及密碼傳送到指定的電子信箱和提交到指定的網址。建議電腦用戶不要隨便運行不明程式,以免中毒受害。
基本介紹
- 外文名:Win32.Troj.QQRobber.xie
- 類型:QQ大盜變種
- 別名:N/A
- 威脅級別:★
- 影響系統:Win 9x/ME,Win 2000/NT,Win XP
病毒標籤,病毒行為,清除,
病毒標籤
病毒別名:N/A
處理時間:2006-12-08
威脅級別:★
中文名稱:N/A
病毒類型:木馬
影響系統:Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行為
1、病毒拷貝自身到系統目錄下,並設定為隱藏。
%SystemRoot%\system32\NTdHcP.exe
2、刪除QQ保護檔案npkcrypt.sys,並保存為npkcrypt.bak檔案。
D:\Program Files\Tencent\QQ\npkcrypt.sys
3、添加註冊表啟動項
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run
"NTdhcp" = "%SystemRoot%\system32\NTdhcp.exe"
4、安裝了一個類型為WH_JOURNALRECORD的訊息鉤子,記錄連續的滑鼠和鍵盤事件。
其申請進程為:%SystemRoot%\system32\NTdHcP.exe
5、將下列服務啟動全設定為禁止啟動,並結束其進程。
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon\Start
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter\Start
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP\Start
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy\Start
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr\Start
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr\Start
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC\Start
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor\Start
HKLM\SYSTEM\CurrentControlSet\Services\MskService\Start
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\McShield\Start
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager\Start
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework\Start
HKLM\SYSTEM\CurrentControlSet\Services\RfwService\Start
7、嘗試刪除下列啟動項,並結束其進程。
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP NOTFOUND
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvPpWall_autorun
