| 病毒行为:
1、病毒运行后释放文件
%windir%\Windows.ext
%windir%\explorer.ext
%windir%\Sysfile.Brk
释放autorun.inf和MSDOS.bat到各盘根目录下
2、病毒尝试修改explorer.exe进程
3、感染C盘下的文件(非系统文件夹),修改最后一个节的节名为WYcao,将病毒代码插在最后一个节的尾部
4、下载文件:http://www.wg***.cn/config.txt
根据该文件下载并运行以下文件
http://17bs.com/***/mh.exe
http://17bs.com/***/chibi.exe
http://17bs.com/***/fenghuo.exe
http://17bs.com/***/huanxiang.exe
http://17bs.com/***/jianxia.exe
http://17bs.com/***/mr.exe
http://17bs.com/***/qiji.exe
http://17bs.com/***/toumingzhuang.exe
http://17bs.com/***/wanmeiguoji.exe
http://17bs.com/***/wendao.exe
http://17bs.com/***/wulin.exe
http://17bs.com/***/zhengtu.exe
http://17bs.com/***/back/jianghu.exe
http://17bs.com/***/back/moyu.exe
http://17bs.com/***/back/WOW.exe
http://17bs.com/***/qq3guo.exe
http://17bs.com/***/cqsj.exe
http://17bs.com/***/zhengtu.exe
http://17bs.com/***/qqhuaxia.exe
http://17bs.com/***/dh.exe
http://17bs.com/***/yitian2.exe
http://17bs.com/***/siluchuanshuo.exe
http://17bs.com/***/qqziyou.exe
http://17bs.com/***/zhuxian.exe
http://17bs.com/***/dahua3.exe
http://17bs.com/***/juren.exe
5、下载的病毒运行后会释放一些dll文件,添加注册表将这些dll注入到系统进程中,实现开机自启动
注册表键:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
注册表值:AppInit_DLLs
值:wfhyt.dll,kghk.dll,lfsjgf.dll,stehs.dll,sthth.dll,frntrn.dll,
drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,
serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,
serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,
xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,
vnjritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,
thurh.dll,mgmgmm.dll,oqrthc.dll,qrhhb.dll,
jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,
ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,
setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,fehom.dll,
6、病毒会将释放的dll文件注入explorer进程
|
