Win32.Troj.QQPass.aa

编辑:外宾网互动百科 时间:2020-04-09 09:13:33
编辑 锁定
Win32.Troj.QQPass.aa 病毒别名:
外文名
Win32.Troj.QQPass.aa
 处理时间
2007-04-06 
威胁级别
★ 
病毒类型
木马

Win32.Troj.QQPass.aa影响系统

编辑
Win 9x/ME,Win 2000/NT,Win XP,Win 2003

Win32.Troj.QQPass.aa病毒描述

编辑
这是个盗取用户QQ帐号的蠕虫,可以通过可移动磁盘传播,并对抗安全软件

Win32.Troj.QQPass.aa行为分析

编辑
1、释放以下文件并设置为隐藏和系统属性。
%WINDIR%\system32\bryato.dll
%WINDIR%\system32\bryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe
2、在每个分区的根目录下生成文件:Autorun.inf 和病毒复制体:OSO.exe ,并修改相关注册表项以使用户双击打开该分区时运行病毒体:
修改的注册表项:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 0xB5
Autorun.inf内容如下:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
3、添加或修改注册表项以隐藏病毒文件:
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue "0"
4、添加以下注册表项以达到自启动的目的。
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fubcwj "%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bryato "%WINDIR%\System32\severe.exe"
5、修改以下注册表项以达到随Explorer进程启动的目的:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe %WINDIR%\System32\drivers\conime.exe"
6、添加以下注册表项来重定向相关安全软件到病毒文件以达到阻止其运行的目的:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
7、修改hosts文件以达到阻止用户访问安全网站的目的:
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
8、查找含有以下字符串的窗口,找到则将其关闭:
杀毒、专杀、病毒、木马、注册表
9、停止并禁用以下安全服务:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
RsRavMon
10、终止以下安全软件相关进程:
PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe,
RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe,
Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp,
kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe
11、删除QQ的以下文件:
QLiveUpdate.exe、BDLiveUpdate.exe、QUpdateCenter.exe
12、创建键盘和鼠标消息钩子,寻找QQ登陆窗口,记录键盘,获得用户密码后通过自身的邮件引擎发送到指定邮箱。

Win32.Troj.QQPass.aa清除方案

编辑
1、使用安天木马防线可彻底清除此病毒(推荐)。  2、手工清除请按照行为分析删除对应文件,恢复相关系统设置。
词条标签:
计算机学 病毒 电脑病毒