广告木马 koowoo.exe的分析手动解决
文件名称: koowoo.exe
病毒名: kaspersky: N/A,rising:Trojan.DL.Win32.VB.nym
详细资料:
文件变化:
释放文件
%WINDOWS%\koowoo.exe
C:\koowoo
各分区根目录释放
X:\autorun.inf
X:\koowoo.exe
autorun.inf 内容
[Autorun]
open=e:\koowoo.exe
shellexecute=e:\koowoo.exe
shell\Auto\command=e:\koowoo.exe
修改注册表:
病毒创建启动项
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="%WINDOWS%\koowoo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavMd"="%WINDOWS%\koowoo.exe"
禁用"显示所有文件和文件夹"功能
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
修改IE主页地址
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.8koo.cn/"
其他行为:
访问网络下载恶意软件
http://wo[REMOVED].com/ad5588.exe(CPUSH)
http://toolbar.[REMOVED].com/mingyaotoolbar.exe
http://toolbar.[REMOVED].com/auto.exe(调用mingyaotoolbar.exe 强制安装)
http://wo[REMOVED].com/new.exe(病毒本体)
后台调用ie访问指定网页
http://np.[REMOVED].com/?027
http://8[REMOVED].cn/
http://www.[REMOVED].com/index.html
http://dl.[REMOVED].com/movie.html
http://dl.[REMOVED].com/soft.html
http://dl.[REMOVED].com/game.html
http://dl.[REMOVED].com/music.html
http://dl.[REMOVED].com/book.html
http://study[REMOVED].com/index.html
http://1[REMOVED].cn/
http://bhu[REMOVED].com/
http://8[REMOVED].cn/
http://hp.[REMOVED].com/index.html
http://study[REMOVED].com/redirect.asp
清除方法:
1. 结束进程
%WINDOWS%\koowoo.exe
2.删除文件
%WINDOWS%\koowoo.exe
C:\koowoo
X:\autorun.inf
X:\koowoo.exe
3.删除病毒启动项
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="%WINDOWS%\koowoo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavMd"="%WINDOWS%\koowoo.exe"
4.修改注册表,恢复"显示所有文件和文件夹"功能
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
5.修改IE主页
6.下载软件清理恶意软件
文章评论
共有 0 位网友发表了评论 此处只显示部分留言 点击查看完整评论页面