本病毒所有命名：

影响系统：
Win9x,WinMe,Linux

简介：
1、关闭以下进程RSTray.exe、360TRAY.EXE、360SAFEBOX.EXE、360SAFE.EXE、SAFEBOXTRAY.EXE，从而屏蔽瑞星卡卡和360安全卫士

行为分析：
这是一个黑客木马程序。它会在用户电脑中开启敏感端口，建立后门，便于黑客入侵。该毒具有一定程度的对抗能力，会破坏一些常见安全软件的正常运行。

描述：
1、关闭以下进程RSTray.exe、360TRAY.EXE、360SAFEBOX.EXE、360SAFE.EXE、SAFEBOXTRAY.EXE，从而屏蔽瑞星卡卡和360安全卫士



2、创建了一个互斥体FUCKVM，防止重复运行



3、释放文件到系统目录%SystemRoot%Iasno.dll



4、创建了以下服务：

服务名: "Windows Management Acquisition"

映像路径: %SystemRoot%Iasno.dll



5、在注册表中创建并设置了以下信息:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesIas]

"Type"=dword:00000120

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=%SystemRoot%System32svchost.exe -k netsvcs

"DisplayName"="Windows Management Acquisition"

"ObjectName"="LocalSystem"

"Description"="监测和监视新硬件设备并自动更新设备驱动"



[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesIasParameters]

"ServiceDll"=C:WINDOWSsystem32Iasno.dll



[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesIasSecurity]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,

00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,

05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,

20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,

00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00



[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesIasEnum]

"0"="Root\LEGACY_IAS\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001



6、删除自身