Win32.Troj.WinShow.p.6656

    Win32.Troj.WinShow.p.6656 is a computer Trojan horse. When run, it attempts to download files from an advertising/malicious-page URL; new items appear in the browser's (e.g. Internet Explorer's) Favorites, the default home page and default search page are maliciously changed, and two entries, MSIESH and MSSearch, are added to Add/Remove Programs.



    Overview / Win32.Troj.WinShow.p.6656



    Alias: TrojanDownLoader.Win32.WinShow.p
    Processed on:
    Threat level: ★
    Chinese name:
    Type: Trojan
    Affected systems: Win9X/WinNT/Win2K/WinXP/Win2003
    Behaviour:
    Built with: Microsoft Visual C++ 6.0

    Infection conditions:

    Trigger conditions:

    System modifications:
    A. Adds the following files (%SystemRoot% is C:\WINNT on the analysis machine):
    %SystemRoot%\image.dll
    %SystemRoot%\mshp.dll
    %SystemRoot%\winxf  <new directory>
    %SystemRoot%\winxf\dict.dat
    %SystemRoot%\winxf\keywords.dat
    %SystemRoot%\winxf\msiesh.dll
    %SystemRoot%\winxf\mssearch.dll
    %SystemRoot%\winxf\winxf32.dll
    B. Adds the following items to the Favorites folder:
    eXtreme Sex
    Only sex website
    Search the web
    Seven days of free porn
    C. Creates a registry subkey (used to hold the trojan's own configuration; see the SponsorID, Counter and *Version values under D):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}
    D. Adds the following registry keys and values. The GUIDs that name the CLSID, Browser Helper Objects, URLSearchHooks and Explorer configuration subkeys, and that are stored as CLSID/TypeLib value data, were dropped when this page was rendered and are shown as {GUID} below; the four CLSID blocks register four different CLSIDs, one per COM server DLL. Each ProgID/CLSID block is a standard COM in-process server registration (ProgID, CLSID, InprocServer32 path, ThreadingModel), which is what lets Internet Explorer load the DLL as a Browser Helper Object or URL search hook. The Run, RunServices and policies\Explorer\Run entries give persistence with no executable of its own: rundll32 loads image.dll and calls its Install export at logon.

    HKEY_CLASSES_ROOT\iefeatsl.ViewSource
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource  @ "ViewSource Class"
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource\CLSID
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource\CurVer
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource\CurVer  @ "iefeatsl.ViewSource.1"
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1  @ "ViewSource Class"
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1\CLSID
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\Image.Image
    HKEY_CLASSES_ROOT\Image.Image  @ "Image Class"
    HKEY_CLASSES_ROOT\Image.Image\CLSID
    HKEY_CLASSES_ROOT\Image.Image\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\Image.Image\CurVer
    HKEY_CLASSES_ROOT\Image.Image\CurVer  @ "Image.Image.1"
    HKEY_CLASSES_ROOT\Image.Image.1
    HKEY_CLASSES_ROOT\Image.Image.1  @ "Image Class"
    HKEY_CLASSES_ROOT\Image.Image.1\CLSID
    HKEY_CLASSES_ROOT\Image.Image.1\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject  @ "SearchHookObject Class"
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject\CLSID
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject\CurVer
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject\CurVer  @ "SearchHook.SearchHookObject.1"
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1  @ "SearchHookObject Class"
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1\CLSID
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource  @ "ViewSource Class"
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource\CLSID
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource\CurVer
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource\CurVer  @ "ShowSearch.ViewSource.1"
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource.1
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource.1  @ "ViewSource Class"
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource.1\CLSID
    HKEY_CLASSES_ROOT\ShowSearch.ViewSource.1\CLSID  @ "{GUID}"
    HKEY_CLASSES_ROOT\CLSID\{GUID}
    HKEY_CLASSES_ROOT\CLSID\{GUID}  @ "Image Class"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  @ "C:\WINNT\image.dll"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  ThreadingModel "Apartment"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID  @ "Image.Image.1"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\Programmable
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID  @ "Image.Image"
    HKEY_CLASSES_ROOT\CLSID\{GUID}
    HKEY_CLASSES_ROOT\CLSID\{GUID}  @ "ViewSource Class"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  @ "C:\WINNT\winxf\winxf32.dll"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  ThreadingModel "Apartment"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID  @ "iefeatsl.ViewSource.1"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\Programmable
    HKEY_CLASSES_ROOT\CLSID\{GUID}\TypeLib
    HKEY_CLASSES_ROOT\CLSID\{GUID}\TypeLib  @ "{GUID}"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID  @ "iefeatsl.ViewSource"
    HKEY_CLASSES_ROOT\CLSID\{GUID}
    HKEY_CLASSES_ROOT\CLSID\{GUID}  @ "ViewSource Class"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  @ "C:\WINNT\winxf\mssearch.dll"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  ThreadingModel "Apartment"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID  @ "ShowSearch.ViewSource.1"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\Programmable
    HKEY_CLASSES_ROOT\CLSID\{GUID}\TypeLib
    HKEY_CLASSES_ROOT\CLSID\{GUID}\TypeLib  @ "{GUID}"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID  @ "ShowSearch.ViewSource"
    HKEY_CLASSES_ROOT\CLSID\{GUID}
    HKEY_CLASSES_ROOT\CLSID\{GUID}  @ "SearchHookObject Class"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  @ "C:\WINNT\winxf\msiesh.dll"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32  ThreadingModel "Apartment"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\ProgID  @ "SearchHook.SearchHookObject.1"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\Programmable
    HKEY_CLASSES_ROOT\CLSID\{GUID}\TypeLib
    HKEY_CLASSES_ROOT\CLSID\{GUID}\TypeLib  @ "{GUID}"
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID
    HKEY_CLASSES_ROOT\CLSID\{GUID}\VersionIndependentProgID  @ "SearchHook.SearchHookObject"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main  Use Search Asst "no"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices  Image "rundll32 C:\WINNT\image.dll,Install"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  SponsorID dword:00000000
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  Counter dword:00000000
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  LastDay dword:00000000
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  LastUpdate dword:00003102
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  UpdateHour dword:00000017
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  ModuleVersion dword:00000013
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  DictVersion dword:0000001b
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  Dict2Version dword:0000001b
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  LastHPDay dword:00000000
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  InstallDay dword:00000000
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  SHVersion dword:0000000d
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  HPDllVersion dword:00000009
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  InstallFlag dword:0000000c
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  SSVersion dword:00000004
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  LRD dword:00000000
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{GUID}  UpdaterVersion dword:00000009
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\URLSearchHooks
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\URLSearchHooks  {GUID} ""
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\...  (the same ProgID and CLSID registrations as listed under HKEY_CLASSES_ROOT above; HKEY_CLASSES_ROOT is the merged view of this key, so the analysis recorded each registration twice)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks  {GUID} ""
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}  @ "."
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}  @ "ShowSearch module"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}  @ ""
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run  Image "rundll32 C:\WINNT\image.dll,Install"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  Image "rundll32 C:\WINNT\image.dll,Install"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEFeatSL_Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEFeatSL_Uninstall  DisplayName "IEFeatSL Uninstall"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEFeatSL_Uninstall  UninstallString "rundll32.exe C:\WINNT\image.dll,Uninstall"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchHook
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchHook  DisplayName "MSIESH"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchHook  UninstallString "rundll32.exe C:\WINNT\winxf\msiesh.dll,Uninstall"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShowSearch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShowSearch  DisplayName "MSSearch"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShowSearch  UninstallString "rundll32.exe C:\WINNT\winxf\mssearch.dll,Uninstall"
    HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\...  (the same Use Search Asst, RunServices, Explorer\{GUID} and URLSearchHooks entries as listed under HKEY_CURRENT_USER above; this is the same hive seen through the SID of the account used for the analysis)

    E. Modifies the following registry entries (changing the default home page and search page). Each entry gives the value before the trojan ran, then the value after. Not every difference recorded here is caused by the trojan: the UserAssist counters (value names are ROT13-encoded, so "HRZR_EHAJZPZQ" is UEME_RUNWMCMD, an Explorer launch counter), the revision counter inside Internet Settings\Connections\SavedLegacySettings and Cryptography\RNG\Seed (rewritten whenever the system random-number generator is used) change on any running system and should not be used as indicators. The reliable indicators are the Start Page, Search Page, Default_Page_URL and Default_Search_URL values pointing at res://mshp.dll, which makes Internet Explorer render HTML embedded as a resource in the dropped mshp.dll.

    Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Start Page"  before: "http://www.microsoft.com/windows/ie_intl/cn/start/"
                  after:  "res://mshp.dll/index.html#10213"

    Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Search Page"  before: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
                   after:  "res://mshp.dll/sp.html#10213"

    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
    "HRZR_EHAJZPZQ"  before: hex:02,00,00,00,45,00,00,00,10,f0,b7,24,f6,34,c4,01
                     after:  hex:02,00,00,00,46,00,00,00,40,7f,74,f8,f6,34,c4,01

    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
    "HRZR_EHAJZPZQ:0k1,1n4"  before: hex:02,00,00,00,0c,00,00,00,d0,1e,5d,be,b2,31,c4,01
                             after:  hex:02,00,00,00,0d,00,00,00,40,7f,74,f8,f6,34,c4,01

    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    "SavedLegacySettings"  before: hex:3c,00,00,00,09,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
                           after:  hex:3c,00,00,00,0a,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
    "Seed"  before: hex:14,a0,bb,55,41,89,58,7c,68,a2,35,66,df,5e,77,28,70,66,ab,d2,36,04,40,38,ad,31,dd,a0,1e,76,13,0c,68,1f,04,86,95,1d,7d,49,90,1d,e8,c4,2d,57,c5,c3,27,75,e9,84,2e,b5,96,0f,ce,08,2a,95,23,40,3b,f2,c1,c2,a6,35,59,34,cb,b8,c7,d5,59,28,91,ec,de,1b
            after:  hex:1e,2a,0f,e8,9c,7f,8b,2f,dd,e5,e1,2e,fd,4f,1a,4d,44,f9,69,f4,0d,03,1d,d9,1b,16,28,f6,2e,91,60,a8,52,99,f2,3b,32,44,62,cf,6b,92,d3,13,8a,1e,2f,65,3b,7e,57,8a,ed,28,d2,bb,92,aa,fa,63,98,67,ce,f4,85,bd,25,30,b4,60,df,3f,da,55,7c,0f,ef,7d,74,52

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    "Default_Page_URL"  before: "http://www.microsoft.com/windows/ie_intl/cn/start/"
                        after:  "res://mshp.dll/index.html#10213"

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    "Default_Search_URL"  before: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
                          after:  "res://mshp.dll/sp.html#10213"

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    "Search Page"  before: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
                   after:  "res://mshp.dll/sp.html#10213"

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    "Start Page"  before: "http://www.microsoft.com/isapi/redir.dll?prd=&clcid=&pver=&ar=home"
                  after:  "res://mshp.dll/index.html#10213"

    The HKEY_CURRENT_USER changes above (Start Page, Search Page, UserAssist counters and SavedLegacySettings) were also recorded under HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\..., the same hive seen through the SID of the analysis account.

    F. Deletes the following values:
    Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
    "{GUID}" = ""

    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\智能ABC
    "双打键盘类型" = dword:00000000  (a setting of the 智能ABC input method; unrelated to the trojan's function)

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    "AppInit_DLLs" = ""

    The same URLSearchHooks and 智能ABC deletions were recorded under HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1000\..., the analysis account's hive.


    Symptoms:
    A. When run, the trojan attempts to download a file (89,600 bytes) from the following URLs:
    http://75tz.com/feat/image.dll
    http://iefeadsl.com/feat/image.dll
    B. New items appear in the Favorites folder (see B under "System modifications" above).
    C. The default home page is changed to "res://mshp.dll/index.html#10213".
    D. The default search page is changed to "res://mshp.dll/sp.html#10213".
    E. Two entries, MSIESH and MSSearch, are added to Add/Remove Programs.
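The registry changes under D and E above (COM registration of the DLLs, their Browser Helper Object and URLSearchHooks entries, rundll32-based Run entries, and res:// start/search pages) are the same pattern a responder can check for in a registry export taken from a suspect machine, without running anything on it. The following Python script is an added example and not part of the original entry or of any vendor tool: it parses a `.reg` export (the format written by `reg export` and regedit), resolves each BHO and URL search hook CLSID to its InprocServer32 DLL, and flags the indicators. The embedded export and its GUIDs are constructed for illustration, since the real CLSIDs are not preserved on this page; the "trusted location" rule is a heuristic, not a proof of legitimacy.

```python
import re

# Constructed sample export mirroring section D. The GUIDs are placeholders:
# the real CLSIDs of this trojan are not preserved on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINNT\\winxf\\mssearch.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINNT\\winxf\\msiesh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\WINNT\\System32\\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="ShowSearch module"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://mshp.dll/index.html#10213"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Image"="rundll32 C:\\WINNT\\image.dll,Install"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\URLSearchHooks]
"{22222222-2222-2222-2222-222222222222}"=""
'''

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IE_PAGE_VALUES = {"start page", "search page", "default_page_url", "default_search_url"}
AUTOSTART_KEYS = {"run", "runonce", "runservices"}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; "" names the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # Undo .reg string escaping; dword:/hex: data is kept as written.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def clsid_server(keys, clsid):
    """Resolve a CLSID to its in-process server DLL, or None if it is not registered."""
    for root in ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes", "HKEY_CLASSES_ROOT"):
        values = keys.get(f"{root}\\CLSID\\{clsid}\\InprocServer32", {})
        if values.get(""):
            return values[""]
    return None


def trusted_location(dll):
    """Heuristic: legitimate IE extensions live under System32 or Program Files,
    not directly in %SystemRoot% or a new subdirectory such as winxf."""
    p = dll.lower()
    return "\\system32\\" in p or "\\program files\\" in p


def find_indicators(keys):
    """Return (kind, key, name, data) tuples for the hijack pattern."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        leaf = k.rsplit("\\", 1)[-1]
        if k.endswith("\\internet explorer\\main"):
            for name, data in values.items():
                # res:// makes IE render HTML stored as a resource in a local DLL.
                if name.lower() in IE_PAGE_VALUES and data.lower().startswith("res://"):
                    hits.append(("res_page", key, name, data))
        if leaf in AUTOSTART_KEYS:
            for name, data in values.items():
                # rundll32 <dll>,<export> in an autostart key: persistence without an EXE.
                if "rundll32" in data.lower():
                    hits.append(("rundll32_autostart", key, name, data))
        if "\\browser helper objects\\" in k:
            clsid = key.rsplit("\\", 1)[-1]
            dll = clsid_server(keys, clsid)
            if dll is None or not trusted_location(dll):
                hits.append(("bho", key, clsid, dll))
        if leaf == "urlsearchhooks":
            for name in values:  # value names are the hook CLSIDs
                if GUID_RE.fullmatch(name):
                    dll = clsid_server(keys, name)
                    if dll is None or not trusted_location(dll):
                        hits.append(("urlsearchhook", key, name, dll))
    return hits


def triage(reg_text):
    """Parse an export and return its indicators; four hits for SAMPLE_REG."""
    return find_indicators(parse_reg(reg_text))


if __name__ == "__main__":
    for kind, key, name, data in triage(SAMPLE_REG):
        print(f"{kind:20} {key}\n{'':20} {name!r} -> {data!r}")
```

Run it against a real export with `triage(open("suspect.reg", encoding="utf-16").read())` (regedit writes UTF-16). The BHO with a System32 server in the sample is deliberately not flagged, which is why resolving the CLSID to its DLL matters more than the presence of a BHO entry alone; the flagged CLSIDs and the `rundll32 ...,Install` value are what to remove, along with the DLLs they point to, and the `res://mshp.dll` pages are what to reset.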

