Virus name: Win32.TrojDownloader.small.196608
All names for this virus:
Affected systems:
Win9x, WinMe, Linux
Summary:
The virus is packed with FSG 2.0 -> bart/xt. It modifies the following system files: comctl32.dll, debug.exe, tree.com, userinit.exe, and creates randomly named folders and files under C:\.
Behavior analysis:
This is a downloader program. It downloads a large number of trojan files onto the system and runs them. It also has strong anti-antivirus capabilities and can penetrate system-restore (rollback) software, so it is particularly harmful to internet cafés and similar users.
Description:
The virus is packed with FSG 2.0 -> bart/xt.
The virus modifies the following system files:
comctl32.dll
debug.exe
tree.com
userinit.exe
Creates randomly named folders and files under C:\.
The modified and dropped files perform the following functions:
1: Connects to "http://www.g***ia.net/prada.txt" to download a file list,
then reads addresses from the list and creates threads to download them; if a download fails, it pauses 8888 ms and retries once.
Connects to "http://www.b***ya.net/prada.txt" to download a file list,
then reads addresses from the list and creates threads to download them; if a download fails, it pauses 8888 ms and retries once.
2: Adds image hijacks (Image File Execution Options entries) to disable the following security or system software:
"safeboxTray.exe"
"360rpt.exe"
"360tray.exe"
"360Safe.exe"
"SuperKiller.exe"
"avp.com"
"avp.exe"
"runiep.exe"
"PFW.exe"
"FYFireWall.exe"
"rfwmain.exe"
"rfwsrv.exe"
"KAVPF.exe"
"KPFW32.exe"
"nod32kui.exe"
"nod32.exe"
"Navapsvc.exe"
"Navapw32.exe"
"avconsol.exe"
"webscanx.exe"
"NPFMntor.exe"
"vsstat.exe"
"KPfwSvc.exe"
"Ras.exe"
"RavMonD.exe"
"mmsk.exe"
"WoptiClean.exe"
"QQKav.exe"
"QQDoctor.exe"
"EGHOST.exe"
"iparmo.exe"
"adam.exe"
"AgentSvr.exe"
"AppSvc32.exe"
"autoruns.exe"
"avgrssvc.exe"
"AvMonitor.exe"
"CCenter.exe"
"ccSvcHst.exe"
"FileDsty.exe"
"FTCleanerShell.exe"
"HijackThis.exe"
"Iparmor.exe"
"isPwdSvc.exe"
"kabaload.exe"
"KaScrScn.SCR"
"KASMain.exe"
"KASTask.exe"
"KAVDX.exe"
"KAVPFW.exe"
"KAVSetup.exe"
"KAVStart.exe"
"KISLnchr.exe"
"KMailMon.exe"
"KMFilter.exe"
"KPFW32.exe"
"KPFW32X.exe"
"KPFWSvc.exe"
"KRegEx.exe"
"KRepair.com"
"KsLoader.exe"
"KVCenter.kxp"
"KvDetect.exe"
"KvfwMcl.exe"
"KVMonXP.kxp"
"KVMonXP_1.kxp"
"kvol.exe"
"kvolself.exe"
"KvReport.kxp"
"KVScan.kxp"
"KVSrvXP.exe"
"KVStub.kxp"
"kvupload.exe"
"kvwsc.exe"
"KvXP.kxp"
"KvXP_1.kxp"
"KWatch.exe"
"KWatch9x.exe"
"KWatchX.exe"
"MagicSet.exe"
"mcconsol.exe"
"mmqczj.exe"
"KAV32.exe"
"nod32krn.exe"
"PFWLiveUpdate.exe"
"QHSET.exe"
"RavMonD.exe"
"RavStub.exe"
"RegClean.exe"
"rfwcfg.exe"
"RfwMain.exe"
"rfwsrv.exe"
"RsAgent.exe"
"Rsaupd.exe"
"safelive.exe"
"scan32.exe"
"shcfg32.exe"
"SmartUp.exe"
"SREng.EXE"
"symlcsvc.exe"
"SysSafe.exe"
"TrojanDetector.exe"
"Trojanwall.exe"
"TrojDie.kxp"
"UIHost.exe"
"UmxAgent.exe"
"UmxAttachment.exe"
"UmxCfg.exe"
"UmxFwHlp.exe"
"UmxPol.exe"
"UpLive.exe"
"procexp.exe"
"rfwstub.exe"
"RegTool.exe"
"rfwProxy.exe"
"RawCopy.exe"
"CCenter.exe"
"filemon.exe"
"regmon.exe"
"AntiArp.exe"
"GFUpd.exe"
"GFRing3.exe"
"taskmgr.exe"
"QQDoctorMain.exe"
"SelfUpdate.exe"
3: Checks whether restore/rollback protection software such as ProtectC.sys, XsMenu.exe or GuardField is present and sabotages it specifically.
4: Drops a driver file, obtains the IRP handling routines and disk information from nvata.sys, atapi.sys, fastfat.sys and ntfs.sys, then calls the driver to bypass the restore software and read and write the disk directly.
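Point 2 above works through "Debugger" values under Image File Execution Options (IFEO): when such a value exists, Windows launches the named debugger instead of the security tool. As an added detection example that is not part of the original page or the vendor's tools, the Python below parses a regedit export (.reg) offline and reports every IFEO Debugger entry, flagging those on the hijack list; the WATCHED subset and the sample export are constructed assumptions.

```python
import re

# Subset of the image names this downloader hijacks (taken from the list above);
# extend with the rest of the list as needed.
WATCHED = {"360tray.exe", "360Safe.exe", "avp.exe", "KVMonXP.kxp", "RavMonD.exe",
           "nod32krn.exe", "HijackThis.exe", "procexp.exe", "autoruns.exe", "taskmgr.exe"}

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

# Constructed sample of a regedit export (.reg); the paths are placeholders, not real IoCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\xk8f2\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE]
"Debugger"="C:\\xk8f2\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Program Files\\Debugging Tools\\windbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
"""

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}, keeping only string
    ("name"="value") entries; .reg doubles backslashes inside strings, so undo that."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return keys

def find_ifeo_debuggers(text, watched=WATCHED):
    """Return [(image, debugger_path, is_watched)] for every IFEO key with a Debugger value.
    Unlisted entries are still reported so a genuine developer debugger can be reviewed."""
    watched_lower = {w.lower() for w in watched}
    hits = []
    for key, values in parse_reg_export(text).items():
        if "Debugger" not in values or not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):]          # registry key names are case-insensitive
        hits.append((image, values["Debugger"], image.lower() in watched_lower))
    return hits
```

Run `regedit /e ifeo.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"` on the suspect host and feed the file to `find_ifeo_debuggers` to get the same report for a real system.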
