Win32.Hack.NetDoor.s

  Virus name (Chinese):
  
  Virus alias:
  
  Threat level:
  ★☆☆☆☆
  Virus type:
  Hacker program
  Virus length:
  743669
  Affected systems:
  Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
  
  Virus behaviour:
  This is a hacker backdoor program. Its main harm is that it leaves a backdoor on the user's host for an attacker to connect to and control remotely, and it downloads other malware to infect the computer. The file carries an image icon and, when run, really does open an image to distract the user while it infects the host in the background. It also terminates a large number of antivirus processes, lowering the system's security level.
  1. Files created
  %windows%\SYN.exe
  %system%\drivers\npf.sys
  %system%\MyPic.jpg
  %system%\Packet.dll
  %system%\WanPacket.dll
  %system%\wpcap.dll
  %windows%\HLP.exe
  C:\Program Files\Windows NT\svchost.exe
  C:\Program Files\Windows NT\lsass.exe
  C:\Program Files\Windows NT\ICWUT.DLL
  2. Adds a startup entry
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet
  "ImagePath"=""C:\Program Files\Windows NT\lsass.exe" ServiceStart"
  3. Sets the registry value below under each of the following keys
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EF6205C1-3F17-4829-BCB5-1336ED89E356}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E689D735-1487-420D-9049-16ED198FE411}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E4F500BF-C1A3-11D6-9697-0090961B771E}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DA984A6D-508E-11D6-AA49-0050FF3C628D}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BA52B914-B692-46C4-B683-905236F6F655}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B5A34A93-D538-43A7-8371-864CB6148D12}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9BDBC41E-C335-4263-83C0-ECE78EE28A33}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{74D05D43-3236-11D4-BDCD-00C04F9A3B61}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5A37BF-FD42-463A-877C-4EB7002E68AE}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{644E432F-49D3-41A1-8DD5-E099162EEEC5}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6414512B-B978-451D-A0D8-FCFDF33E833C}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2359626E-7524-4F87-B04E-22CD38A0C88C}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17492023-C23A-453E-A040-C7C580BBF700}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C568603-D79D-11D2-87A7-00C04FF158BB}
  "Compatibility Flags"=0x400
  4. Deletes the following antivirus startup entries under
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  SKYNETPersonalFireWall
  RavTask
  RavMon
  RavTimer
  RfwMain
  URLLSTCK.exe
  ccApp
  KAVPersonal50
  Kavrun
  KavPFW
  KavStart
  iDubaPersonalFireWall
  KVFW
  KvXP
  KvMonXP
  5. Deletes the following services
  SYSTEM\CurrentControlSet\Services\RsCCenter
  SYSTEM\CurrentControlSet\Services\RsRavMon
  SYSTEM\CurrentControlSet\Services\RfwProxySrv
  SYSTEM\CurrentControlSet\Services\RfwService
  SYSTEM\CurrentControlSet\Services\SymantecCoreLC
  SYSTEM\CurrentControlSet\Services\SPBBCSvc
  SYSTEM\CurrentControlSet\Services\SNDSrvc
  SYSTEM\CurrentControlSet\Services\SAVScan
  SYSTEM\CurrentControlSet\Services\NSCService
  SYSTEM\CurrentControlSet\Services\navapsvc
  SYSTEM\CurrentControlSet\Services\comHost
  SYSTEM\CurrentControlSet\Services\ccSetMgr
  SYSTEM\CurrentControlSet\Services\ccProxy
  SYSTEM\CurrentControlSet\Services\ccISPwdSvc
  SYSTEM\CurrentControlSet\Services\ccEvtMgr
  SYSTEM\CurrentControlSet\Services\kavsvc
  SYSTEM\CurrentControlSet\Services\KWatchSvc
  SYSTEM\CurrentControlSet\Services\KPfwSvc
  SYSTEM\CurrentControlSet\Services\IDriverT
  SYSTEM\CurrentControlSet\Services\KVWSC
  SYSTEM\CurrentControlSet\Services\KVSrvXP
  SYSTEM\CurrentControlSet\Services\srservice
  SYSTEM\CurrentControlSet\Services\BITS
  SYSTEM\CurrentControlSet\Services\wuauserv
  SYSTEM\CurrentControlSet\Services\SharedAccess
  SYSTEM\CurrentControlSet\Services\wscsvc
  6. Terminates the following processes
  UpdateAssist.exe
  PFWLiveUpdate.exe
  PFW.exe
  RavQuick.exe
  RavCopy.exe
  RavUSB.exe
  rfwcfg.exe
  RavHDBak.exe
  ScanBD.exe
  MakeBoot.exe
  RegClean.exe
  RavStore.exe
  SmartUp.exe
  RsConfig.exe
  RsAgent.exe
  Rav.exe
  RegGuide.exe
  RavTask.exe
  RavTimer.exe
  RavStub.exe
  rfwmain.exe
  RavMon.exe
  rfwproxy.exe
  CCenter.exe
  RavMonD.exe
  rfwsrv.exe
  LUCOMS~1.EXE
  LUALL.EXE
  NMain.exe
  ccApp.exe
  SPBBCSvc.exe
  ccSetMgr.exe
  ccProxy.exe
  SNDSrvc.exe
  ccEvtMgr.exe
  symlcsvc.exe
  navapsvc.exe
  ccPwdSvc.exe
  SAVScan.exe
  NSCSRVCE.EXE
  comHost.exe
  kav.exe
  kavsvc.exe
  KAVLog2.EXE
  Rescue.EXE
  KRecycle.EXE
  Update.EXE
  KSAMain.EXE
  KATMain.EXE
  KASMain.EXE
  KAVPFW.EXE
  KAV32.EXE
  KMailMon.EXE
  KPFW32.EXE
  KAVStart.EXE
  KWatch.EXE
  KPFWSvc.EXE
  VirusBox.kxp
  kvupload.exe
  KVStub.kxp
  KVScan.kxp
  KvReport.kxp
  KVLSUI.kxp
  KVHiStory.kxp
  kvdisk.kxp
  KvDetect.exe
  KVOL.exe
  KVCenter.kxp
  KRegEx.exe
  kvinit.exe
  kvfw.exe
  KvXP.kxp
  TrojDie.kxp
  KvMailMag.kxp
  KVMonXP.kxp
  UIHost.exe
  IDriverT.exe
  kvwsc.exe
  KVSrvXP.exe
  agentsvr.exe
  SymantecCoreLC
  SPBBCSvc
  SNDSrvc
  SAVScan
  NSCService
  navapsvc
  comHost
  ccSetMgr
  ccProxy
  ccISPwdSvc
  ccEvtMgr
  kavsvc
  KWatchSvc
  KPfwSvc
  IDriverT
  KVWSC
  KVSrvXP
  srservice
  BITS
  wuauserv
  SharedAccess
  wscsvc
  8. Other
  %system%\drivers\npf.sys, %system%\Packet.dll, %system%\WanPacket.dll and %system%\wpcap.dll are a set of network utility components, not malicious; users may delete them themselves.
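A defender-side triage check for the artifacts listed in this entry, written as an added example (not the vendor's own tool): it looks for the dropped files, the "Internet" service pointing at the fake lsass.exe, the ActiveX Compatibility kill bits (Compatibility Flags 0x400, which stops the listed controls from loading in Internet Explorer) and the missing built-in Windows services, and reports findings without changing anything. The paths and CLSIDs are the ones listed above; the "Compatibility Flags" value name and the %SystemRoot% mapping are assumed from standard Windows.

```powershell
# Added example (not from the original advisory): read-only checks for Win32.Hack.NetDoor.s artifacts.
$findings = @()
$win = $env:SystemRoot                    # %windows%
$sys = Join-Path $win 'system32'          # %system%

# 1. Dropped files (the WinPcap components are left out: the advisory says they are not malicious)
$files = @((Join-Path $win 'SYN.exe'), (Join-Path $win 'HLP.exe'), (Join-Path $sys 'MyPic.jpg'),
           'C:\Program Files\Windows NT\svchost.exe', 'C:\Program Files\Windows NT\lsass.exe',
           'C:\Program Files\Windows NT\ICWUT.DLL')
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "dropped file present: $f" } }

# 2. Persistence: a service named "Internet" whose ImagePath is the fake lsass.exe
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Internet'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey).ImagePath
    if ($img -match 'Windows NT\\lsass\.exe') { $findings += "service 'Internet' ImagePath = $img" }
}

# 3. ActiveX kill bits (Compatibility Flags 0x400) on the CLSIDs listed in the advisory
$axKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$clsids = '{EF6205C1-3F17-4829-BCB5-1336ED89E356}','{E689D735-1487-420D-9049-16ED198FE411}',
          '{E4F500BF-C1A3-11D6-9697-0090961B771E}','{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153}',
          '{DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81}','{DA984A6D-508E-11D6-AA49-0050FF3C628D}',
          '{C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A}','{BA52B914-B692-46C4-B683-905236F6F655}',
          '{B5A34A93-D538-43A7-8371-864CB6148D12}','{9BDBC41E-C335-4263-83C0-ECE78EE28A33}',
          '{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}','{7584C670-2274-4EFB-B00B-D6AABA6D3850}',
          '{74D05D43-3236-11D4-BDCD-00C04F9A3B61}','{6E5A37BF-FD42-463A-877C-4EB7002E68AE}',
          '{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}','{644E432F-49D3-41A1-8DD5-E099162EEEC5}',
          '{6414512B-B978-451D-A0D8-FCFDF33E833C}','{5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}',
          '{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}','{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}',
          '{2359626E-7524-4F87-B04E-22CD38A0C88C}','{17492023-C23A-453E-A040-C7C580BBF700}',
          '{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}','{0C568603-D79D-11D2-87A7-00C04FF158BB}'
foreach ($c in $clsids) {
    $p = Join-Path $axKey $c
    if (Test-Path $p) {
        $flags = (Get-ItemProperty -Path $p).'Compatibility Flags'
        if ($flags -band 0x400) { $findings += "kill bit set on $c" }
    }
}

# 4. Built-in Windows services the advisory says are deleted; their absence is a strong indicator
foreach ($s in 'BITS','wuauserv','SharedAccess','wscsvc') {
    if (-not (Get-Service -Name $s -ErrorAction SilentlyContinue)) { $findings += "built-in service missing: $s" }
}

if ($findings.Count -eq 0) { 'No Win32.Hack.NetDoor.s artifacts found.' } else { $findings }
```

Run from an elevated prompt so the HKLM keys are readable; a hit on any single check warrants a full scan rather than removing artifacts one by one.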