
Win32.Hack.Agobot.ps




Overview


A computer virus.

Aliases: W32.HLLW.Polybot, Phatbot, W32/Polybot.l!irc [McAfee], WORM_AGOBOT.HM [Trend], Backdoor.Agobot.hm [K

Date handled:

Threat level: ★★★

Chinese name: 安哥

Virus type: hacker program

Affected systems: Win9x/WinMe/WinNT/Win2000/WinXp/Win2003

Details


System modifications:

A. Copies itself into the system directory as one of the following files:

%System%\soundman.exe

%System%\confgldr.exe

%System%\spoolsvc.exe

%System%\winwork.exe

%System%\winhelp.exe

%System%\csrs.exe

B. Under the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

adds one of the following values:

"^`d}qZxu" = "~`d}qzxu3zYF"

"Configuration Loader"="confgldr.exe"

"Video Process"="sysconf.exe"

"Service Host Process"="spoolsvc.exe"

"Winmsg"="winwork.exe"

"svchost"="winhelp.exe"

"csrs"="csrs.exe"

C. Creates a service under one of the following names:

Configuration Loader

SoundMan

Service Host Process

D. Hides all files whose names contain the string "soun.";

E. Adds lines to the %System%\drivers\etc\hosts file, each mapping a hostname to 127.0.0.1.

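A defender's check for the persistence indicators in sections A and B, as an added example that is not part of the original entry: it parses the text output of `reg query` for the two Run keys and flags values whose name or file name appears in those lists. The sample output is constructed, and the function and variable names are this example's own.

```python
import ntpath
import re

# Run value name -> file name, from section B of this page (lower-cased).
# The obfuscated first pair in that list is left out of this example.
RUN_VALUES = {
    "configuration loader": "confgldr.exe", "video process": "sysconf.exe",
    "service host process": "spoolsvc.exe", "winmsg": "winwork.exe",
    "svchost": "winhelp.exe", "csrs": "csrs.exe",
}
# File names from sections A and B combined.
FILES = set(RUN_VALUES.values()) | {"soundman.exe"}
# One value line of `reg query` text output: name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def image_name(data):
    """Lower-cased executable file name taken from a Run value's data."""
    data = data.strip()
    if data.startswith('"'):            # quoted path, arguments may follow
        data = data[1:].split('"', 1)[0]
    elif data:                          # assumption: unquoted path has no spaces
        data = data.split(None, 1)[0]
    return ntpath.basename(data).lower()

def scan(reg_output):
    """Return (key, value name, data, match kind) for each listed indicator."""
    hits, key = [], None
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):    # key header line
            key = line.strip()
        elif m:
            name, _, data = m.groups()
            image, expected = image_name(data), RUN_VALUES.get(name.lower())
            kind = ("name+file" if expected and image == expected
                    else "file" if image in FILES
                    else "name" if expected else None)
            if kind:
                hits.append((key, name, data, kind))
    return hits

# Constructed sample of `reg query` output, not taken from a real host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Winmsg    REG_SZ    winwork.exe
    Audio Helper    REG_SZ    C:\WINDOWS\system32\soundman.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    svchost    REG_SZ    C:\WINDOWS\system32\svchost-helper.exe
"""
```

Calling `scan(SAMPLE)` returns three hits, graded "name+file", "file" and "name"; a name-only or file-only match is a triage lead to confirm against the file on disk, not a verdict.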
