病毒名称:Trojan.StartPage [Symantec]
发现日期:2006年1月
其他名称:
Trojan-Proxy.Win32.Agent.iu [Kaspersky]、Generic BackDoor.w [McAfee]、
Dropped:Generic.Malware.Sdldsp.969BE097 [Bitdefender]、probably unknown NewHeur_PE virus [NOD32]、
Win32.HLLW.Imkill [DrWeb / VBA32]、destructive program named W32/Trojan.AXF [F-Prot]、Trj/Ranky.LU [Panda]
相关技术分析:
释放的病毒文件:
%System%/MSCTS.EXE
%System%/CONINE.EXE
%System%/VMST.EXE
%System%/MOUST.EXE
%System%/目录下:
最新刷Q币动画教程.zip
舞厅里的真实抓拍,令舞女喷血的超级舞男(组图).zip
爆强:抓拍最丑瞬间 明星都被糟蹋了!(组图).zip
看得让人感动的流泪的动画.zip
手机抓拍东京地铁性骚扰.zip
让美女失色的泰国人妖.zip
病毒每秒删除以下注意注册表信息:
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run]
"DcomLaunch Servers"
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SafeBoot/Minimal]
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SafeBoot/Network]
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Session Manager]
"BootExecute"
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SharedAccess]
设置信息:
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT]
"ReportBootOk"=dword:00000001
启动项:
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run]
"MSCTS"="MSCTS.EXE"
"CONINE"="CONINE.EXE"
"VMST"="VMST.EXE"
"MOUST"="MOUST.EXE"
病毒每三秒删除以下启动项信息:
[HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run]
"KVMonXP"
"KvXP"
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run]
"KVMonXP"
"KvXP"
病毒尝试结束的进程:
agentsvr
frogagent
kvxp
kvsrvxp
kregex
trojdie
kvcenter
kvmon
uihost
KVSrvXP_1
KVSrvXP
KvXP
KVMonXP
vsmon
vptray
rtvscan
Navap
Norton
Symantec
webscanx
vsstat
vshwin32
alogserv
avsynmgr
avconsol
Iparmor
KWatch
KPfwSvc
KMailMon
KavPFW
KAVStart
KAVSvc
KULANSyn
KPopMon
KWatchUI
KAVPlus
rfwsrv
RAVMON
rfwmain
RAVTIMER
RavStub
Ravmond
CCENTER
清除方法:
结束掉%System%/MSCTS.EXE进程树,再删除文件和启动项。
特别提示:
这两个位置的内容被病毒删除了,所以安全模式进不去了
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SafeBoot/Minimal]
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SafeBoot/Network]