    Source: Kingsoft Virus Encyclopedia >> Trojans > Win32.Troj.LwyMum.ua.17920
    Virus name: Win32.Troj.LwyMum.ua.17920
    Chinese name: Ani variant (艾妮变种)
    Virus type: Trojan
    Virus length: 28000

    Affected systems:
    Win9x, WinMe, Linux

    Summary:
    Drops the following files to disk: C:\WINDOWS\system\36Otray.exe, C:\autorun.inf, C:\ntldr.exe, N:\autorun.inf, N:\ntldr.exe. Creates the following registry key: "HKLM\Software\logogo"

    Behavior analysis:
    This is a remote-control trojan. It image-hijacks the processes of many mainstream security products (via Image File Execution Options "Debugger" entries), leaving them unable to run, and then connects to a remote address chosen by the virus author. It also spreads rapidly through autorun (autorun.inf on drive roots).
    Description:
    Drops the following files to disk:

    C:\WINDOWS\system\36Otray.exe

    C:\autorun.inf

    C:\ntldr.exe

    N:\autorun.inf

    N:\ntldr.exe



    Creates the following registry keys:

    "HKLM\Software\logogo"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NMain.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvcUI.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvc.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchUI.EXE"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe"



    Sets the following registry values (key, value name, data):

    "HKLM\Software\logogo" "setup" "yes"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NMain.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvcUI.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvc.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchUI.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"



    Modifies the following registry value (key, value name, data):

    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
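    The Debugger values listed above are the image-hijack mechanism: when any of those programs is started, Windows launches the file named in Debugger in its place. The following Python is an added triage example, not code from the Kingsoft entry: it parses the text of a `reg export` of the IFEO key and flags a single binary registered as Debugger for several images, which is the mass-redirect pattern this entry describes. The sample export is constructed, with navw32.EXE and 360Safe.exe redirected as listed here and a hypothetical legitimate windbg entry on notepad.exe for contrast.

```python
import re
from collections import defaultdict

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample in `reg export` format, modelled on the keys this entry lists (not a real export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE]
"Debugger"="C:\\WINDOWS\\system\\36Otray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\WINDOWS\\system\\36Otray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""
"GlobalFlag"=dword:00000200
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for every IFEO subkey carrying a Debugger value."""
    hijacks, current = {}, None
    prefix = IFEO_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:  # new key: keep the image name only when the key sits under IFEO
            key = sec.group(1)
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        val = _STRING_VALUE.match(line)
        if current and val and _unescape(val.group(1)).lower() == "debugger":
            hijacks[current] = _unescape(val.group(2))
    return hijacks

def suspicious_debuggers(hijacks, min_images=2):
    """One binary registered as Debugger for several images is the mass-redirect pattern described
    above; a developer's debugger is normally attached to one program. Returns {path: [images]}."""
    by_target = defaultdict(list)
    for image, cmd in hijacks.items():
        by_target[cmd.strip('"').lower()].append(image)
    return {t: sorted(imgs) for t, imgs in by_target.items() if len(imgs) >= min_images}
```

    On a live system the input is the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; a Debugger value is legitimate for developer tooling, so review each flagged entry before removing it.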



    The virus connects to an address specified by its author:

    Domain: "**tp.m**l.ru" Port: 25 (TCP)



    Creates the following processes on the system:

    "EXPLORER"

    The virus attempts to enumerate processes using the [SeDebugPrivilege] privilege.

    The virus attempts to enumerate system processes and may terminate some security processes.

    "36Otray.exe"
