QQ巨盗行为

xianjian · 发表于 2008-7-22 23:16:06

上次朋友家电脑中了个QQ巨盗，这个病毒挺厉害的。。。杀软都被映像劫持。。只有靠手动。。够邪恶的。

下面发这个病毒的行为吧。。

1、该病毒被执行后，释放病毒文件并保存于下文件夹中：
c:\windows\system32\tfidma.exe
c:\windows\system32\severe.exe
c:\windows\system32\tfidma.dll
c:\windows\system32\hx1.bat(修改系统时间为2004年)
c:\windows\system32\drivers\adamrf.exe
c:\windows\system32\drivers\conime.exe

驱动器根目录：
OSO.exe
autorun.inf

2.修改以下注册表项：
首先把注册表反劫持回来
具体方法：cmd下来到c:\windows\system32\dllcache下利用copy命令给regedit改名，就可以使用注册表了。

强行修改查看属性为隐藏
[HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Windows\CurrentVersion\explorer\advanced\folder\hidden\showall]
“CheckedValue = 0 “

执行CDROM或硬盘的AutoRun功能
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
“NoDriveTypeAutoRun = b5”

添加启动项：
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Shell = Explorer.exe %system%\drivers\conime.exe”

映像劫持下列安全软件：
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution]
“MagicSet.exe\Debugger = %drivers%\adamrf.exe”
“Rav.exe\Debugger = %drivers%\adamrf.exe”
“avp.com\Debugger = %drivers%\adamrf.exe”
“avp.exe\Debugger = %drivers%\adamrf.exe”
“KRegEx.exe\Debugger = %drivers%\adamrf.exe”
“KvDetect.exe\Debugger = %drivers%\adamrf.exe”
“KvXP.kxp\Debugger = %drivers%\adamrf.exe”
“TrojDie.kxp\Debugger = %drivers%\adamrf.exe”
“KVMonXP.kxp\Debugger = %drivers%\adamrf.exe”
“IceSword.exe\Debugger = %drivers%\adamrf.exe”
“mmsk.exe\Debugger = %drivers%\adamrf.exe”
“WoptiClean.exe\Debugger = %drivers%\adamrf.exe”
“kabaload.exe\Debugger = %drivers%\adamrf.exe”
“360Safe.exe\Debugger = %drivers%\adamrf.exe”
“runiep.exe\Debugger = %drivers%\adamrf.exe”
“iparmo.exe\Debugger = %drivers%\adamrf.exe”
“adam.exe\Debugger = %drivers%\adamrf.exe”
“RavMon.exe\Debugger = %drivers%\adamrf.exe”
“QQDoctor.exe\Debugger = %drivers%\adamrf.exe”
“SREng.EXE\Debugger = %drivers%\adamrf.exe”
“Ras.exe\Debugger = %drivers%\adamrf.exe”
“msconfig.exe\Debugger = %drivers%\adamrf.exe”
“regedit.exe\Debugger = %drivers%\adamrf.exe”
“regedit.com\Debugger = %drivers%\adamrf.exe”
“msconfig.com\Debugger = %drivers%\adamrf.exe”
“PFW.exe\Debugger = %drivers%\adamrf.exe”
“PFWLiveUpdate.exe\Debugger = %drivers%\adamrf.exe”
“EGHOST.exe\Debugger = %drivers%\adamrf.exe”
“NOD32.exe\Debugger = %drivers%\adamrf.exe ”

3.将自动停止某些安全软件的进程：

4.修改Hosts文件禁止访问安全类网站：（c:\windows\system32\drivers\etc\）
127.0.0.1       localhost
127.0.0.1       mmsk.cn
127.0.0.1       ikaka.com
127.0.0.1       safe.qq.com
127.0.0.1       360safe.com
127.0.0.1       www.mmsk.cn
127.0.0.1       www.ikaka.com
127.0.0.1       tool.ikaka.com
127.0.0.1       www.360safe.com
127.0.0.1       zs.kingsoft.com
127.0.0.1       forum.ikaka.com
127.0.0.1       up.rising.com.cn
127.0.0.1       scan.kingsoft.com
127.0.0.1       kvup.jiangmin.com
127.0.0.1       reg.rising.com.cn
127.0.0.1       update.rising.com.cn
127.0.0.1       update7.jiangmin.com
127.0.0.1       download.rising.com.cn

御剑飞行 · 发表于 2008-7-23 16:35:55

看不懂

揮劍崭紅塵 · 发表于 2008-7-22 23:40:33

好麻烦啊~~~！！

帐号		自动登录	找回密码
密码			注册