该病毒利用了IFEO重定向劫持技术,使大量的杀毒软件和安全相关工具无法运行;会破坏安全模式,使中毒用户无法在安全模式下查杀病毒;会下载大量病毒到用户计算机来盗取用户有价值的信息和某些帐号;能通过可移动存储介质传播。
1.生成文件
%programfiles%\Common Files\Microsoft Shared\MSInfo\{随机8位字母+数字名字}.dat
C:\Program Files\Common Files\Microsoft Shared\MSInfo\{随机8位字母+数字名字}.dll
%windir%\{随机8位字母+数字名字}.hlp
%windir%\Help\{随机8位字母+数字名字}.chm
也有可能生成如下文件
%sys32dir%\{随机字母}.exe
替换%sys32dir%\verclsid.exe文件 |
2.生成以下注册表项来达到使病毒随系统启动而启动的目的。
HKEY_CLASSES_ROOT\CLSID\"随机CLSID"\\InprocServer32 "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"随机CLSID" "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "
生成的随机CLSID" ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "随机字符串" "病毒文件全路径" |
3.生成以下注册表项来进行文件映像劫持,从而试图阻止相关安全软件运行,并执行病毒体。
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\360rpt.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\360Safe.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\360tray.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\adam.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AgentSvr.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AppSvc32.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\autoruns.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\avgrssvc.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AvMonitor.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\avp.com Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\avp.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\CCenter.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\ccSvcHst.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\FileDsty.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\FTCleanerShell.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\HijackThis.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\IceSword.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\iparmo.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Iparmor.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\isPwdSvc.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kabaload.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KaScrScn.SCR Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KASMain.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KASTask.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVDX.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVPFW.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVSetup.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVStart.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KISLnchr.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KMailMon.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KMFilter.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KPFW32.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KPFW32X.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KPFWSvc.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KRegEx.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KRepair.COM Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KsLoader.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVCenter.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvDetect.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvfwMcl.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVMonXP.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVMonXP_1.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvol.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvolself.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvReport.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVScan.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVSrvXP.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVStub.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvupload.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvwsc.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvXP.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvXP_1.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KWatch.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KWatch9x.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KWatchX.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\loaddll.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\MagicSet.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mcconsol.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mmqczj.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mmsk.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\NAVSetup.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\nod32krn.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\nod32kui.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PFW.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PFWLiveUpdate.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\QHSET.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Ras.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Rav.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavMon.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavMonD.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavStub.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavTask.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RegClean.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rfwcfg.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RfwMain.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rfwProxy.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rfwsrv.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RsAgent.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Rsaupd.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\runiep.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\safelive.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\scan32.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\shcfg32.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SmartUp.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SREng.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\symlcsvc.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SysSafe.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\TrojanDetector.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Trojanwall.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\TrojDie.kxp Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UIHost.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxAgent.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxAttachment.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxCfg.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxFwHlp.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxPol.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UpLive.EXE.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\WoptiClean.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\zxsweep.exe Debugger "病毒文件全路径"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc Start dword:00000004 |
4.修改以下注册表,导致无法显示隐藏文件。
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
dword:00000002
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidd
en\SHOWALL CheckedValue dword:00000000 |
5.修改以下服务的启动类型来禁止Windows的自更新和系统自带的防火墙。
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess Start dword:00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv Start dword:00000004 |
6.删除以下注册表项,使用户无法进入安全模式。
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-
BFC1-08002BE10318}
HKEY_CURRENT_USER\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-
08002BE10318} |
7.连接网络下载病毒:
hxxp://www.webxxx.com/xxx.exe |
8.关闭杀毒软件实时监控窗口,如瑞星、卡巴,通过自动点击"跳过"按钮来逃过查杀。
9.尝试关闭包含以下关键字窗口:
Anti
AgentSvr
CCenter
Rsaupd
SmartUp
FileDsty
RegClean
360tray
360safe
kabaload
safelive
KASTask
KPFW32
KPFW32X
KvXP_1
KVMonXP_1
KvReport
KvXP
KVMonXP
nter
TrojDie
avp.com
KRepair.COM
Trojan
KvNative
Virus
Filewall
Kaspersky
JiangMin
RavMonD
RavStub
RavTask
adam
cSet
PFWliveUpdate
mmqczj
Trojanwall
Ras.exe
runiep.exe
avp.exe
PFW.exe
rising
ikaka
.duba
kingsoft
木马
社区
aswBoot
... |
10.注入Explorer.exe和TIMPlatform.exe反弹连接,以逃过防火墙的内墙的审核。
11.隐藏病毒进程,但是可以通过结束桌面进程显示出来。
12.在硬盘分区生成文件:autorun.inf 和 随机字母+数字组成的病毒复制体,并修改“NoDriveTypeAutoRun”使病毒可以随可移动存储介质传播。