All names for this virus:
Affected systems:
Win9x,WinMe,Linux
Summary:
1. Drops and creates the following files:
%WinDir%\syscheck
%SystemRoot%\wow[X]_[X].dll (where X is a random number below 1000)
2. Creates the following service:
Service name: "Remote TCP/IP"
Behavior analysis:
This is an online-game account-stealing trojan. Once it is on the user's system it drops its child files, then searches for and steals World of Warcraft (《魔兽世界》) account names and passwords. The persistence mechanism documented below, a service DLL loaded by svchost.exe -k netsvcs together with a LEGACY_* entry under Enum\Root, exists only on the Windows NT family (Windows 2000/XP/2003 at the time); it has no counterpart on Win9x/Me or Linux, so the affected-systems line above should be read with that in mind.
Description:
1. Drops and creates the following files:
%WinDir%\syscheck
%SystemRoot%\wow[X]_[X].dll (where X is a random number below 1000)
2. Creates the following service:
Service name: wowsystemcode (display name "Remote TCP/IP")
Image path: %SystemRoot%\wow227_787.dll
3. Creates and sets the following registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wowsystemcode]
"Type"=dword:00000120
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=%SystemRoot%\System32\svchost.exe -k netsvcs
"DisplayName"="Remote TCP/IP"
"ObjectName"="LocalSystem"
"Description"="NetWork TCP/IP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wowsystemcode\Parameters]
"ServiceDll"=C:\WINDOWS\system32\wow227_787.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wowsystemcode\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
(This blob is the default security descriptor the service control manager assigns to a newly created service, not a custom ACL written by the trojan: owner and group are LocalSystem, SYSTEM and Administrators have full control, Authenticated Users and Power Users the usual limited rights, and the SACL audits failed access by Everyone.)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wowsystemcode\Enum]
"0"="Root\LEGACY_WOWSYSTEMCODE\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WOWSYSTEMCODE]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WOWSYSTEMCODE\0000]
"Service"="wowsystemcode"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Remote TCP/IP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WOWSYSTEMCODE\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="wowsystemcode"
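As an added example (not code from the original page or from the antivirus vendor), the following Python script reconstructs the registry fragment above as a .reg file and applies the check an incident responder would run on a suspect host: for every service whose ImagePath is svchost.exe -k <group>, does its Parameters\ServiceDll live in System32, and does the DLL name match the wow[X]_[X].dll pattern? It also decodes the Type bitmask (0x120) and Start value (2) shown above. The sample registry text, the expansion of %SystemRoot% to C:\WINDOWS, and the benign Themes entry (shsvcs.dll) used for contrast are constructed for this example.

```python
"""Added example (not the page's code): triage svchost-hosted services from a .reg export."""
import re

WINDIR = "C:\\WINDOWS"  # assumption: what %SystemRoot%/%WinDir% expand to on the infected host
SYSTEM32 = WINDIR + "\\system32"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
IOC_DLL = re.compile(r"^wow\d{1,3}_\d{1,3}\.dll$", re.I)  # page IOC: wow[X]_[X].dll, X < 1000
SERVICE_TYPES = {0x10: "OWN_PROCESS", 0x20: "SHARE_PROCESS", 0x100: "INTERACTIVE_PROCESS"}
START_TYPES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}

# Constructed sample: the trojan's service keys as listed on this page, plus a
# benign XP-era svchost service (Themes / shsvcs.dll) for contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wowsystemcode]
"Type"=dword:00000120
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"DisplayName"="Remote TCP/IP"
"ObjectName"="LocalSystem"
"Description"="NetWork TCP/IP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wowsystemcode\Parameters]
"ServiceDll"="C:\WINDOWS\system32\wow227_787.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"DisplayName"="Themes"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}; continuation lines of hex: values are joined."""
    keys, current, last = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, last = line[1:-1], None
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            last = m.group(1)
            keys[current][last] = m.group(2).rstrip("\\").strip()
        elif current is not None and last is not None:
            keys[current][last] += line.rstrip("\\").strip()
    return keys

def dword(raw):
    return int(raw[6:], 16) if raw.startswith("dword:") else None

def unquote(raw):
    raw = raw.strip()
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def expand(path):
    return path.replace("%SystemRoot%", WINDIR).replace("%WinDir%", WINDIR)

def describe_type(t):
    """Decode the Type bitmask: 0x120 -> SHARE_PROCESS|INTERACTIVE_PROCESS."""
    return "|".join(n for bit, n in SERVICE_TYPES.items() if t & bit) if t else "?"

def service_records(reg):
    """One record per top-level Services\\<name> key, joined with its Parameters\\ServiceDll."""
    recs = []
    for key, vals in reg.items():
        if not key.lower().startswith(SERVICES.lower()) or "\\" in key[len(SERVICES):]:
            continue  # skip Parameters/Security/Enum subkeys and unrelated hives
        image = unquote(vals.get("ImagePath", ""))
        grp = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.I)
        params = reg.get(key + "\\Parameters", {})
        recs.append({"name": key[len(SERVICES):],
                     "display_name": unquote(vals.get("DisplayName", "")),
                     "svchost_group": grp.group(1) if grp else None,
                     "service_dll": expand(unquote(params.get("ServiceDll", ""))),
                     "type": dword(vals.get("Type", "")),
                     "start": dword(vals.get("Start", "")),
                     "object_name": unquote(vals.get("ObjectName", ""))})
    return recs

def triage(rec):
    """Findings for one service; an empty list means nothing was flagged."""
    if rec["svchost_group"] is None:
        return []  # not hosted by svchost: out of scope for this check
    dll = rec["service_dll"]
    if not dll:
        return ["svchost-hosted but no Parameters\\ServiceDll value"]
    directory, _, filename = dll.rpartition("\\")
    findings = []
    if directory.lower() != SYSTEM32.lower():
        findings.append(f"ServiceDll outside System32: {dll}")
    if IOC_DLL.match(filename):
        findings.append(f"ServiceDll matches IOC pattern wow[X]_[X].dll: {filename}")
    if findings and rec["start"] == 2 and rec["object_name"].lower() == "localsystem":
        findings.append("auto-start as LocalSystem: reloaded with SYSTEM privileges at every boot")
    return findings

if __name__ == "__main__":
    for rec in service_records(parse_reg(SAMPLE_REG)):
        print(f"{rec['name']} ({rec['display_name']}): type={describe_type(rec['type'])}, "
              f"start={START_TYPES.get(rec['start'], rec['start'])}, group={rec['svchost_group']}")
        for finding in triage(rec):
            print("   !", finding)
```

On a live host the same records come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; note that a real export writes REG_EXPAND_SZ values such as ImagePath and ServiceDll as hex(2):... byte strings, which would have to be decoded before this parser sees them. The directory check would also catch the %SystemRoot%\wow[X]_[X].dll location given in the file list above, and a DLL that passes both checks still deserves a hash or signature check, which this script does not perform.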
