Win32.Hack.Agobot.ps

简介

详解

简介

一种电脑病毒。

病毒别名：W32.HLLW.Polybot, Phatbot, W32/Polybot.l!irc [McAfee], WORM_AGOBOT.HM [Trend], Backdoor.Agobot.hm [K

处理时间：

威胁级别：★★★

中文名称：安哥

病毒类型：黑客程序

影响系统：Win9x/WinMe/WinNT/Win2000/WinXp/Win2003

详解

系统修改:

A、在系统目录拷贝其自身为以下文件之一：

%System%soundman.exe

%System%confgldr.exe

%System%spoolsvc.exe

%System%winwork.exe

%System%winhelp.exe

%System%csrs.exe

B、在注册表主键：

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices

下添加如下键值之一：

"^`d}qZxu" = "~`d}qzxu3zYF"

"Configuration Loader"="confgldr.exe"

"Video Process"="sysconf.exe"

"Service Host Process"="spoolsvc.exe"

"Winmsg"="winwork.exe"

"svchost"="winhelp.exe"

"csrs"="csrs.exe"

C、以以下名称之一建立一个服务：

Configuration Loader

SoundMan

Service Host Process

D、隐藏包含字符"soun."的所有文件；

E、在%System%driversetchosts文件中添加以下行：

127.0.0.1 www.symantec.com

127.0.0.1 securityresponse.symantec.com

127.0.0.1 symantec.com

127.0.0.1 www.sophos.com

127.0.0.1 sophos.com

127.0.0.1 sophos.com

127.0.0.1 www.mcafee.com

127.0.0.1 mcafee.com

127.0.0.1 liveupdate.symantecliveupdate.com

127.0.0.1 www.viruslist.com

127.0.0.1 viruslist.com

127.0.0.1 viruslist.com

127.0.0.1 f-secure.com

127.0.0.1 www.f-secure.com

127.0.0.1 kaspersky.com

127.0.0.1 www.avp.com

127.0.0.1 www.kaspersky.com

127.0.0.1 avp.com

127.0.0.1 www.networkassociates.com

127.0.0.1 networkassociates.com

127.0.0.1 www.ca.com

127.0.0.1 ca.com

127.0.0.1 mast.mcafee.com

127.0.0.1 my-etrust.com

127.0.0.1 www.my-etrust.com

127.0.0.1 download.mcafee.com

127.0.0.1 dispatch.mcafee.com

127.0.0.1 secure.nai.com

127.0.0.1 nai.com

127.0.0.1 www.nai.com

127.0.0.1 update.symantec.com

127.0.0.1 updates.symantec.com

127.0.0.1 us.mcafee.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 customer.symantec.com

127.0.0.1 rads.mcafee.com

127.0.0.1 trendmicro.com

127.0.0.1 www.trendmicro.com