Win32.Troj.Agent.jf
Alias:
Processed: 2007-03-07
Threat level: ★
Chinese name:
Type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Behaviour:
This is a Trojan. It hijacks the Winsock LSP (Layered Service Provider), registers a BHO (Browser Helper Object), downloads files, injects into processes, monitors its own files and registry entries, creates AutoRun.inf, and spreads via USB drives. It is fairly harmful.
1. Files created:
%Windows%\java\java.dll
%Windows%\system32\%MS%HCopy.dkt
%Windows%\system32\kernel32.sys
%Windows%\system32\mfc48.dll
\RECYCLER\RECYCLER\autorun.exe
2. Registry entries added:
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09} @ = "Java Class"
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32 @ = "C:\WINNT\java\java.dll"
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32 ThreadingModel = "Apartment"
HKLM\SOFTWARE\Microsoft\Internet Explorer, values: GUID, DC, UT
3. Registry entries modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden: original value dword:00000001, new value dword:00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  AppInit_DLLs: original value "userinit.dll", new value "kernel32.sys"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\TcpIp_Protocol
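The registry changes in sections 2 and 3 are the host-side evidence a responder can check for. As an added example (not part of the advisory), the Python below parses a .reg export and flags the BHO registration, the AppInit_DLLs change and the ShowSuperHidden change listed above; the function names and the sample export are constructed for illustration.

```python
import re

# Indicator values are quoted from the advisory; constant and function names are this example's own.
BHO_CLSID = "{EDF0DC30-9393-49DE-9987-C1A4F080CB09}"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS"
ADVANCED_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED"
INPROC_KEY = "HKEY_CLASSES_ROOT\\CLSID\\" + BHO_CLSID + "\\INPROCSERVER32"

def parse_reg_export(text):
    """Parse a minimal .reg export into {KEY_PATH (upper-cased): {value_name: data}}."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # key header line
            key = line[1:-1].upper()
            entries.setdefault(key, {})
            continue
        m = re.match(r'^(?:@|"(?P<name>[^"]*)")=(?P<data>.+)$', line)
        if m and key is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: strip quotes, unescape \\
                data = data[1:-1].replace("\\\\", "\\")
            entries[key][name] = data
    return entries

def find_agent_jf_indicators(reg_text):
    """Return descriptions of the advisory's registry indicators present in a .reg export."""
    reg = parse_reg_export(reg_text)
    hits = []
    if "kernel32.sys" in reg.get(APPINIT_KEY, {}).get("AppInit_DLLs", "").lower():
        hits.append("AppInit_DLLs loads kernel32.sys")
    if reg.get(ADVANCED_KEY, {}).get("ShowSuperHidden", "").lower() == "dword:00000000":
        hits.append("ShowSuperHidden disabled (hides protected operating system files)")
    inproc = reg.get(INPROC_KEY, {}).get("@", "")
    if inproc.lower().endswith(r"\java\java.dll"):
        hits.append("BHO CLSID " + BHO_CLSID + " served by " + inproc)
    return hits

# Constructed sample export reproducing the entries listed in the advisory.
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32]
@="C:\\WINNT\\java\\java.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="kernel32.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''
```

Calling find_agent_jf_indicators(SAMPLE_REG) returns one line per matched indicator; a clean export of the same keys returns an empty list.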
4. Mutex created:
"DKFSInitMutex"
5. Event created:
"DKFSFileSpyIsRunEvent"
6. Semaphores created:
DKFSRegDaemonSemaphore
DKFileSpySystemDaemonSemaphore
DKFSUsbFileTransferSemaphore
DKFSHDFileTransferSemaphore1
DKFSUSBFileCopySemaphore
DKFSHDFileCopySemaphore
7. Process terminated:
iparm.exe
8. Network address contacted:
61.128.197.212
9. Processes injected into:
explorer.exe
qq.exe
msmsgs.exe
kavstart.exe
svchost.exe
winlogon.exe
lsass.exe
smss.exe
alg.exe
inetinfo.exe
conime.exe
wuauclt.exe