Win32.Troj.LwyMum.ua.17920
2008-08-11 20:25:21 来源:WEB开发网病毒别名:
威胁级别: ★★☆☆☆
病毒类型: 木马程序
病毒长度: 28000
影响系统: Win9xWinMeWinNTWin2000WinXPWin2003
病毒行为:
这是一个远程控制木马。它会映像劫持许多主流安全软件的进程,令它们瘫痪,然后连接到病毒作者指定的远程地址。此毒还可利用AUTO技术进行迅速传播。
在磁盘中释放出以下文件:
C:\WINDOWS\system\36Otray.exe
C:\autorun.inf
C:\ntldr.exe
N:\autorun.inf
N:\ntldr.exe
在注册表中创建了以下信息:
"HKLM\Software\logogo"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Logo_1.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NMain.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\navw32.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVFW.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVSvcUI.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPFW.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVSrvXP.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVwsc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVsvc.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KWatchUI.EXE"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360rpt.exe"
在注册表中设置了以下信息:
"HKLM\Software\logogo" "setup" "yes"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Logo_1.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapw32.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\NMain.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\navw32.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVFW.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVSvcUI.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPFW.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KvXP.kxp" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVSrvXP.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVwsc.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVsvc.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KWatchUI.EXE" "Debugger" "C:\WINDOWS\system\36Otray.exe"
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360Safe.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
在注册表中修改了以下信息:
"HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAV32.exe" "Debugger" "C:\WINDOWS\system\36Otray.exe"
病毒会连接作者指定的网址:
域名:"**tp.m**l.ru"端口:25(TCP)
在系统中创建了以下进程:
"EXPLORER"
病毒尝试使用[SeDebugPRivilege]权限枚举进程
病毒尝试枚举系统进程,可能会对一些安全进程进行关闭操作
"36Otray.exe"
中查找“Win32.Troj.LwyMum.ua.17920”更多相关内容
中查找“Win32.Troj.LwyMum.ua.17920”更多相关内容更多精彩
赞助商链接
