Downloader.Ponik
Threat level: ★★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Description:
Downloader.Ponik is a Trojan that downloads additional malicious files onto the compromised computer and may also steal passwords from it.
The Trojan reaches the compromised computer as a spam e-mail attachment.
When executed, the Trojan creates the following files:
%TEMP%\[RANDOM CHARACTERS FILE NAME].bat
%UserProfile%\Local Settings\Application Data\pny\pnd.exe
Next, the Trojan creates the following registry entry so that it runs at system start-up:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft PnD" = "%UserProfile%\Local Settings\Application Data\pny\pnd.exe"
The Trojan also creates the following registry entries:
HKEY_CURRENT_USER\Software\WinRAR\"Client Hash" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_CURRENT_USER\Software\WinRAR\"HWID" = "[RANDOM HEXADECIMAL CHARACTERS]"
The Trojan attempts to connect to the following remote addresses:
The Trojan then downloads malicious files onto the compromised computer and steals passwords.
Prevention and removal:
Do not visit unknown websites or open unknown e-mail attachments. Update your antivirus software's virus definitions regularly, preferably with automatic definition updates enabled. Disable file sharing and disable remote connections to the computer. Install the latest system patches.
Trojan.Snifula
Threat level: ★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Description:
Trojan.Snifula is a Trojan that steals confidential information from the compromised computer.
When executed, the Trojan injects itself into the following processes:
iexplore.exe
chrome.exe
firefox.exe
Next, the Trojan creates the following registry entries so that it runs at system start-up:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "regsvr32.exe /s \"%AllUsersProfile%\Application Data\dmahdqe.dat\""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = "3"
The Trojan may also connect to the following hosts:
auromontofont.com
auramontofont.com
wellentarel.com
paleenkos.com
hramano.com
handelbarg.com
The Trojan may open a back door on the computer and perform the following actions:
take screenshots, steal FTP credentials, steal Outlook credentials, steal cookies, and steal stored certificates.
The Trojan sends the stolen information to a remote server.
The Trojan may also download malicious files from a remote site and execute them.
Prevention and removal:
Do not visit unknown websites or open unknown e-mail attachments. Update your antivirus software's virus definitions regularly, preferably with automatic definition updates enabled. Disable file sharing and disable remote connections to the computer. Install the latest system patches.
Backdoor.Korplug
Threat level: ★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Description:
Backdoor.Tinybaron is a Trojan that opens a back door on the compromised computer and may steal information.
When executed, the Trojan modifies the following files:
%Temp%\advsec32.dll
%System%\spoolcds.dll
%System%\spoolcds.dll[RANDOM CHARACTERS]
%System%\themeuichk.dll
%System%\wlrsacert.nls
%Windir%\Tasks\Watchmon Service.job
%AllUsersProfile%\Documents\ntuser{[RANDOM DIGITS]}.pol
%Windir%\Temp\advsec32.dll
%Temp%\[RANDOM DIGITS]
%Windir%\Temp\[RANDOM FILE NAME].exe
%Temp%\[RANDOM FILE NAME].exe
%System%\[RANDOM FILE NAME].ocx
%System%\[RANDOM FILE NAME].exe
%System%\[RANDOM FILE NAME].scr
%UserProfile%\Application Data\Adobe\[RANDOM FILE NAME].exe
%UserProfile%\Application Data\AdobeARM\AdobeARMc.dll
%UserProfile%\Application Data\AdobeARM\AdobeTray.dll
%UserProfile%\Start Menu\Programs\Startup\ReaderSL.lnk
%AllUsersProfile%\Application Data\AdobeARM\AdobeARMc.dll
%AllUsersProfile%\Start Menu\Programs\Startup\ReaderSL.lnk
%SystemDrive%\Documents and Settings\NetworkService\Application Data\AdobeARM\AdobeARMc.dll
%SystemDrive%\Documents and Settings\NetworkService\Application Data\AdobeARM\AdobeTray.dll
%SystemDrive%\Documents and Settings\NetworkService\Start Menu\Programs\Startup\ReaderSL.lnk
%CommonProgramFiles%\AdobeARM\AdobeARMd.dll
Next, the Trojan creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\javatmsup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\spoolcds
HKEY_LOCAL_MACHINE\SOFTWARE\Google\SpoolCDS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rsacert31
HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\CommonFiles
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18\Data\89c39569-6841-11d2-9f59-0000f8085266\e13059b6-3509-497a-8c18-25a7a1d021b8\IdentitiesPass
The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\"Order" = "LanMan Print Services", "Internet Print Provider", "spoolcds"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"RSACertPath" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"recovery" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\"AutoRun" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"recovery" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid\"BitNames" = "DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MigrateProxy" = 0x00000001
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18\"Migrate" = 0x00000002
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18\Data 2\Windows\"Value" = [RANDOM BYTES]
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = 0x00000000
HKEY_USERS\.DEFAULT\Software\Microsoft\Multimedia\DrawDib\"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\"SerialIID" = [RANDOM BYTES]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\"SerialIID" = [RANDOM BYTES]
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveUtility" = "%System%\[RANDOM FILE NAME].scr"
HKEY_CLASSES_ROOT\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\"(Default)" = "%System%\[RANDOM FILE NAME].ocx"
The Trojan opens a back door and attempts to connect to the following hosts:
212.224.118.241/data/mgr.php
176.74.216.14
91.247.228.63/files/client.php
The Trojan sends the stolen information to these hosts.
Prevention and removal:
Do not visit unknown websites or open unknown e-mail attachments. Update your antivirus software's virus definitions regularly, preferably with automatic definition updates enabled. Disable file sharing and disable remote connections to the computer. Install the latest system patches.
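A read-only check for the persistence locations named in the three write-ups above, added here as an example and not part of the original bulletin: registry keys, value names and file names come from the write-ups, while the function name `Find-BulletinPersistence` and the Windows XP-era path expansions are assumptions. It covers the fixed Run values of Downloader.Ponik and Backdoor.Korplug, matches Trojan.Snifula's randomly named Run value by its `regsvr32.exe /s ... .dat` command line, and looks for the dropped files that have fixed names.

```powershell
# Added example (not from the bulletin): checks the persistence points described above.
# Function name and environment-variable expansions are assumptions; indicators are from the write-ups.
function Find-BulletinPersistence {
    $findings = @()
    # Fixed value names: Ponik's "Microsoft PnD", Korplug's "recovery" in both Run keys
    # and its Command Processor AutoRun hook (any non-empty AutoRun is worth a look).
    $namedValues = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Microsoft PnD' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'recovery' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'recovery' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Command Processor'; Name = 'AutoRun' }
    )
    foreach ($v in $namedValues) {
        $data = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($data) { $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$($v.Key)\$($v.Name)"; Data = $data } }
    }

    # Snifula uses a random value name, so match on the data instead:
    # regsvr32.exe /s loading a .dat file out of Application Data.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'regsvr32(\.exe)?\s+/s\s+.*Application Data\\.*\.dat') {
                $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\$($p.Name)"; Data = $p.Value }
            }
        }
    }

    # Dropped files with fixed names (randomly named files cannot be enumerated this way).
    # Paths follow the Windows XP layout used in the write-ups.
    $files = @(
        "$env:USERPROFILE\Local Settings\Application Data\pny\pnd.exe",
        "$env:ALLUSERSPROFILE\Application Data\dmahdqe.dat",
        "$env:SystemRoot\System32\spoolcds.dll",
        "$env:SystemRoot\System32\themeuichk.dll",
        "$env:SystemRoot\System32\wlrsacert.nls",
        "$env:SystemRoot\Tasks\Watchmon Service.job",
        "$env:TEMP\advsec32.dll",
        "$env:APPDATA\AdobeARM\AdobeARMc.dll"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Data = (Get-Item -LiteralPath $f).Length } }
    }
    return $findings
}

Find-BulletinPersistence | Format-Table -AutoSize
```

A legitimate AutoRun value or an Adobe component at one of these paths is possible, so treat each hit as a lead to verify (file hash, signer, creation time) rather than as a confirmed infection.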