隨身碟病毒--"
KAVO(TASO)" 的惡意行為重點:
目前已知中毒現象:
1.開啟顯示隱藏檔或資料夾可是還是一樣無法顯示隱藏的檔案或資料夾
2.進去我的電腦想要打開硬碟 如 c,d,e槽,卻出現「選擇程式來開啟檔案」
3.即時通登入後會自動關閉
建立檔案-
1.%systemroot%\autorun.inf
2.%systemroot%\********.com exe bat cmd pif (不定)
ntde1ect.com
ntdelect.com
nldelect.com
nndelect.com
nsdelect.com
ntdeIect.com
erdeIect.com
XAdeIect.com
copetttt.com
ek.com
f.cmd
nncu6kk.com
g2p3s.exe
8e9gmih.bat
lg.cmd
um.cmd
q83iwmgf.bat
rn.exe
h.cmd
8h3hh3m.exe
bxuup9r.bat
w0owgn.bat
2ifetri.cmd
188qsm.bat
x.com
ep9otvan.com
3wcxx91.cmd
e.bat
8ot8y86.exe
t.exe
3g08.bat
3.%System%\kavo.exe
4.%System%\kavo0.dll~kavo9.dll
taso.exe
taso0~9.dll
tavo.exe
tavo0~9.dll
avpo.exe
avpo0~9.dll
amvo.exe
amvo0~9.dll
mmvo.exe
mmvo0~9.dll
mnso.exe
mnso0~9.dll
servet.exe
_kaspersky.exe
5.%windir%\Debug\***********.dll (亂碼)
6.%windir%\help\**************.dll (亂碼)
7.%windir%\fly32.dll
8.%WIndir%\poor32.dll
9.%Temp%\moil.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\*.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\taso*
C:\WINDOWS\TEMP\taso*
C:\WINDOWS\TEMP\*.dll
註:在Win95/98/me %System% 預設值為 C:\windows\System
在WinNT/2000/XP/2003 %System% 系統預設值為 C:\WinNT\System32
載入系統服務-
explorer.exe(由kavo1.dll執行)
新增登錄檔-
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run\kava
HKEY_LOCAL_
MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\kava
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tasa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tasa
tava
avpa
amva
mmva
mnsa
kava = "%System%\kavo.exe" (開機後啟動)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue = 0x00000000 (隱藏於系統當中)
從網路上下載-
hxxp://www.1a123.com/jj/cc.rar (%Temp%\cc.rar)
www.1a123.com - 61.162.230.89
1a123.com
456kill.com
www.om7890.com - 60.169.1.92
Microsofthg.com
Microsoftmg.com
Microsoftrb.com
Om7890.com
Tw7890.com
[
本帖最後由 upside 於 2008-3-5 17:19 編輯 ]
