Virus name: Win32.Adware.Dodolook.ff.197120
All names for this virus:
Affected systems:
Win9x, WinMe, Linux (as listed by the vendor; the sample is a Win32 executable and every indicator below is Windows-specific, so treat the Linux entry as a listing error)
Summary:
Drops the following files to disk (SANDBOX is the analysis machine's user name; on a victim the path sits under that user's profile): C:\DOCUME~1\SANDBOX\Local Settings\Temporary Internet Files and C:\DOCUME~1\SANDBOX\Local Settings\Temporary Internet Files\_inimac
Behavior analysis:
This is an adware variant. It reads information such as the locale and region data of the user's computer, sends it to an address chosen by the author, and then pops up targeted advertising web pages.
Description:
Drops the following files to disk:
C:\DOCUME~1\SANDBOX\Local Settings\Temporary Internet Files
C:\DOCUME~1\SANDBOX\Local Settings\Temporary Internet Files\_inimac
Creates the following registry key:
"HKLM\Software\CLASSES\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}"
Sets the following registry values (the data are Unix epoch seconds; 1145298107 is 2006-04-17 18:21:47 UTC, the time of the analysis run, so a real infection will carry its own install time here):
"HKLM\Software\CLASSES\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}" "dlloadtime" "1145298107"
"HKLM\Software\CLASSES\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}" "dlt" "1145298107"
"HKLM\Software\CLASSES\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}" "dlnmi" "1145298107"
Reads the following registry keys (the Borland\Locales and Borland\Delphi\Locales lookups are the Delphi runtime's resource-DLL locale check, i.e. the binary is Delphi-compiled; the CLSID keys are the adware's own storage, not registered COM objects):
"HKCU\Software\Borland\Locales"
"HKCU\Software\Borland\Delphi\Locales"
"HKCR\.key"
"HKLM\Software\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}"
"HKLM\System\CurrentControlSet\Services\sysloader"
"HKLM\Software\Classes\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}\InprocServer32"
Connects to the following URLs chosen by the author:
http://loader.smartpv.cn:1207/geturl.php?version=1.0.7&fid=sample&mac=08-03-00-00-33-1C&lversion=&wversion=&day=0&name=sample
Domain: "loader.smartpv.cn", port: 1207 (TCP) as given in the URL (the original report lists 80)
The geturl.php request leaks the adware build (version=1.0.7), a distribution/affiliate identifier (fid and name, both "sample" in the sandbox) and the host's MAC address (mac=), which is what the dropped _inimac file and the URL's blank lversion/wversion fields suggest is collected at first run; the MAC is a stable machine identifier, so block and log the host rather than the exact URL.
http://gs.chnsystem.com/gs.php?12drbZo49uo7UGar1ZdkXZ9FQOblJ2q5X2q4X2q7X2q7X2Q4X2ExSrQH9ZEZ92c696Dkeu97QZ8ri2q5i2qLQuD5i2c6brDoQ40.
Domain: "gs.chnsystem.com", port: 80 (TCP)
Creates the following configuration files on disk:
SVCHOST.INI [INFO] "version" "104"
SVCHOST.INI [INFO] "win" "WCZOZCDNSSNEDKYQ"
C:\AutoRun.inf [AutoRun] "open" "RavMon.exe"
C:\AutoRun.inf [AutoRun] "shell\open" "&O)"
C:\AutoRun.inf [AutoRun] "shell\open\Command" "RavMon.exe"
Writing AutoRun.inf to the root of a drive is the classic drive-root/removable-media autorun persistence trick; the launch target is named RavMon.exe, the process name of Rising Antivirus's monitor, so an "AV" process name in a drive root or in Task Manager is not proof of a legitimate install. Check the root of every fixed and removable drive for AutoRun.inf entries whose open or shell\open\Command points at an executable.
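The checks a responder would run against the indicators above, as an added example that is not the vendor's or the sample's code. The beacon URL and the dlloadtime value are copied from the report; the AutoRun.inf text and the proxy log lines are constructed here so the script runs offline. It decodes what the geturl.php beacon leaks, converts the registry timestamp, pulls launch targets out of an AutoRun.inf (tolerating the comment and junk lines real samples contain, which configparser would choke on) and matches the two C2 domains in a proxy log.

```python
"""Offline triage of the Dodolook indicators (added example, not the vendor's
code). BEACON_URL and DLLOADTIME are from the report; AUTORUN_INF and PROXY_LOG
are constructed test inputs."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report.
C2_HOSTS = {"loader.smartpv.cn", "gs.chnsystem.com"}
BEACON_URL = ("http://loader.smartpv.cn:1207/geturl.php?version=1.0.7&fid=sample"
              "&mac=08-03-00-00-33-1C&lversion=&wversion=&day=0&name=sample")
DLLOADTIME = "1145298107"  # HKLM\...\CLSID\{F9BA1AA9-...}\dlloadtime

# Constructed: the report's three AutoRun entries plus a comment and a junk
# line, which samples often add to break naive INI parsers.
AUTORUN_INF = """\
[AutoRun]
; padding
open=RavMon.exe
junkline
shell\\open=&O)
shell\\open\\Command=RavMon.exe
"""

# Constructed proxy log, one request per line: <epoch> <client> <method> <url> <status>
PROXY_LOG = """\
1145298107.1 10.0.0.5 GET http://loader.smartpv.cn:1207/geturl.php?version=1.0.7&fid=sample&mac=08-03-00-00-33-1C&lversion=&wversion=&day=0&name=sample 200
1145298108.4 10.0.0.5 GET http://www.example.com/index.html 200
1145298110.7 10.0.0.7 GET http://gs.chnsystem.com/gs.php?12drbZo49uo7UGar 200
"""


def parse_beacon(url):
    """Split the geturl.php request into host, port and the fields it leaks.
    keep_blank_values keeps lversion=/wversion= so the empty fields are visible."""
    u = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    return {"host": u.hostname, "port": u.port, "fields": fields}


def decode_reg_timestamp(value):
    """dlloadtime/dlt/dlnmi hold Unix epoch seconds; return ISO-8601 UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def autorun_launch_targets(ini_text):
    """Return every executable an AutoRun.inf would launch: open=, shellexecute=
    and any shell\\<verb>\\command=. Unparseable lines are skipped, not fatal."""
    section, targets = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(val)
    return targets


def c2_hits(log_text):
    """Return (client, host, url) for every request to a C2 host or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host and any(host == h or host.endswith("." + h) for h in C2_HOSTS):
            hits.append((parts[1], host, parts[3]))
    return hits


if __name__ == "__main__":
    print("beacon:", parse_beacon(BEACON_URL))
    print("installed:", decode_reg_timestamp(DLLOADTIME))
    print("autorun launches:", autorun_launch_targets(AUTORUN_INF))
    for client, host, url in c2_hits(PROXY_LOG):
        print("C2 contact from", client, "to", host)
```

The MAC address in the beacon is the value worth pivoting on: once you have it from a proxy log you can tie the request to a specific NIC and find the infected host even when the client IP has since changed.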
