win32.troj.agent.131072
病毒名称(中文):强行加载者131072
病毒别名:
威胁级别:★★☆☆☆
病毒类型:木马程序
病毒长度:131072
影响系统:Win9x WinMe WinNT Win2000 WinXP Win2003
病毒行为:

这是一个监控木马。该木马能收集用户系统的信息，并帮助黑客远程控制用户电脑。它会利用系统进程强行加载自己的文件，使用户无法通过任务管理器将其关闭，以保证自己能顺利作案。

释放以下文件：
%Windir%\MSWINSCK.OCX
%Windir%\setupconfig.dat
%Windir%\syskernel.dll
%Windir%\sysproc.dll

让 smss.exe（即其通过下方 Run 启动项注册的 %Windir%\security\smss.exe，与系统目录下的同名进程并非同一文件）加载自己的 sysproc.dll 来执行

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\VERSION
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SysProc.Afire
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SysProc.Afire\Clsid

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\VERSION]
(Default) = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\TypeLib]
(Default) = "{2DF27952-C9DD-47CC-961E-CFF592E7A320}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\ProgID]
(Default) = "SysProc.Afire"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}\InprocServer32]
(Default) = "%Windir%\sysproc.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}]
(Default) = "SysProc.Afire"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}\TypeLib]
(Default) = "{2DF27952-C9DD-47CC-961E-CFF592E7A320}"
Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}\ProxyStubClsid32]
(Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}\ProxyStubClsid]
(Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A424219B-3F96-4D9A-86A3-DE5A8BB9C00C}]
(Default) = "Afire"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\0\win32]
(Default) = "%Windir%\sysproc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\HELPDIR]
(Default) = "C:\WINDOWS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0\FLAGS]
(Default) = "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF27952-C9DD-47CC-961E-CFF592E7A320}\1.0]
(Default) = "SysProc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SysProc.Afire\Clsid]
(Default) = "{CC1356E6-C5AA-4BA6-927D-FBBEA3B11E8A}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SysProc.Afire]
(Default) = "SysProc.Afire"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
smss = "%Windir%\security\smss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
(Default) = "Microsoft WinSock Control, version 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
(Default) = "%System%\MSWINSCK.OCX"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
(Default) = "%System%\MSWINSCK.OCX, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
(Default) = "%System%\MSWINSCK.OCX"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock]
(Default) = "Microsoft WinSock Control, version 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1]
(Default) = "Microsoft WinSock Control, version 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
(Default) = "Microsoft Winsock Control 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
(Default) = "%System%\MSWINSCK.OCX"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
(Default) = ""