Virus
Source: Internet  Published: 知世故而不世故的出处  Editor: 程序博客网  Time: 2024/04/29 12:56
Anti-virus Killer, variant BE

Threat level: ★★★
Virus name: Worm.Win32.AvKiller.be
Captured: 2007-9-26
Type: virus (worm)
Affected operating systems: Windows XP, Windows NT, Windows Server 2003, Windows 2000
Threat profile:
  Spread level: high
  Global spread: low
  Removal difficulty: hard
  Destructive power: high
  Damage methods: spreads through IM programs, downloads malware from a list of URLs, steals users' sensitive information

This is a worm packed with Upack.

The worm calls CreateMutex to create a mutex named "system" so that only one instance runs on the machine; if the mutex already exists, the worm exits immediately.

Once running, it first raises its own privileges with LookupPrivilegeValueA and AdjustTokenPrivileges, then enumerates every process on the system looking for the following: "360Safe.exe", "360tray.exe", "VsTskMgr.exe", "UpdaterUI.exe", "TBMon.exe", "scan32.exe", "VPC32.exe", "VPTRAY.exe", "KRegEx.exe", "KRegEx.exe", "kvsrvxp.kxp", "kvsrvxp.exe", "KVWSC.EXE", "Iparmor.exe", "AST.EXE". Any process found is killed with TerminateProcess, leaving the system without protection.

The worm copies itself into the %SYSTEM32% directory under the names iexplorer.exe and explorer.exe. It uses GetDriveType to identify removable storage devices and local disks, and writes an autorun.inf plus a copy of itself (explorer.exe) to each of them. The autorun.inf reads:

  [autorun]
  Open=explorer.exe
  Shellexecute=explorer.exe
  Shell\Auto\command=explorer.exe
  Shell=Auto

Next, the worm modifies the following registry locations:

  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue is set to 0. This disables the "show hidden files" option so the worm's files stay hidden.

  HKEY_CLASSES_ROOT\Rising.QuickScan\shell\open\command
    The value is changed to C:\windows\system32\iexplorer.exe, so the antivirus "quick scan" action launches the worm instead.

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>
    Subkeys are created for each of the following program names: 360rpt.EXE, 360safe.EXE, 360tray.EXE, AVP.EXE, AvMonitor.EXE, CCenter.EXE, IceSword.EXE, Iparmor.EXE, KVMonxp.kxp, KVSrvXP.EXE, KVWSC.EXE, Navapsvc.EXE, Nod32kui.EXE, KRegEx.EXE, Frameworkservice.EXE, Mmsk.EXE, Wuauclt.EXE, Ast.EXE, WOPTILITIES.EXE, Regedit.EXE, AutoRunKiller.exe, VPC32.exe, VPTRAY.exe.
    In every one of these subkeys the worm adds the value Debugger = "C:\WINDOWS\system32\iexplorer.exe". After this change, starting any of the listed programs redirects straight to the worm at C:\WINDOWS\system32\iexplorer.exe.

The worm then starts an Iexplore.exe, uses FindWindow to locate the IEFrame window, obtains the process ID with GetWindowThreadProcessId, opens that process, allocates a region of memory in it with VirtualAlloc and writes a block of code into it with WriteProcessMemory. That code downloads programs in turn from the URLs below, saves them as C:\winl.pif, C:\winns.pif, C:\system.pif and c:\windows.pif, and runs them. The URLs are:

  http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  http://%6D%6D%62%65%73%74%39%39%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

These addresses are no longer live, so the kind of malware they served could not be determined.

Finally, the worm calls SetTimer to register a callback that fires every two minutes. The callback copies the worm into %SYSTEM32% again, writes autorun.inf and the worm itself to removable devices and local disks, and sends the worm to contacts through instant-messaging software (such as QQ) under enticing file names, for example "my sexy photos".
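As an added defender-side example (not code from the original write-up), the following Python audits the registry and autorun artefacts described above: Image File Execution Options subkeys carrying a Debugger value, SHOWALL\CheckedValue forced to 0, and autorun.inf directives that launch a binary from the drive root. The .reg export and the autorun.inf it reads are constructed sample inputs that mirror the write-up; the key and value names are the ones the analysis lists.

```python
# Constructed .reg export (not from the sample) reproducing the registry changes
# described above: IFEO Debugger hijacks and SHOWALL\CheckedValue set to 0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
# Constructed autorun.inf carrying the directives quoted in the analysis.
SAMPLE_AUTORUN = "[autorun]\nOpen=explorer.exe\nShellexecute=explorer.exe\nShell\\Auto\\command=explorer.exe\nShell=Auto\n"
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
               "\\image file execution options\\")

def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: raw_value_text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys

def ifeo_debugger_hijacks(keys):
    """(image, debugger) for each IFEO subkey with a Debugger value; Windows runs the Debugger instead of the image."""
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO_PREFIX) and "Debugger" in values:
            debugger = values["Debugger"].strip('"').replace("\\\\", "\\")  # undo .reg escaping
            hits.append((path[len(IFEO_PREFIX):], debugger))
    return hits

def hidden_files_forced_off(keys):
    """True when SHOWALL\\CheckedValue is 0, i.e. Explorer's 'show hidden files' was disabled."""
    for path, values in keys.items():
        if path.lower().endswith("\\advanced\\folder\\hidden\\showall"):
            return values.get("CheckedValue", "").lower() == "dword:00000000"
    return False

def autorun_launch_targets(text):
    """Binaries an autorun.inf would start through Open, ShellExecute or Shell\\<verb>\\command."""
    targets = []
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(val.strip())
    return targets
```

Any IFEO Debugger entry should be reviewed; one whose "debugger" is an unknown binary under system32, as here, is the hijack pattern, and a legitimate entry normally names a real debugger.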