Win32.Hack.NetDoor.s

  Virus name (Chinese):
  
  Alias:
  
  
  Threat level:
  ★☆☆☆☆
  Virus type:
  Hacker program (backdoor)
  Virus length:
  743669
  Affected systems:
  Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
  
  Behaviour:
  This is a hacker backdoor. Its main harm is leaving a backdoor on the victim host that allows remote connection and control by an attacker, and downloading other malware to infect the computer. The file carries an image icon; when run it really does open a picture to distract the user while infecting the host in the background. It also terminates a large number of antivirus processes, lowering the security level of the system.
  1. Files created
  %windows%\SYN.exe
  %system%\drivers\npf.sys
  %system%\MyPic.jpg
  %system%\Packet.dll
  %system%\WanPacket.dll
  %system%\wpcap.dll
  %windows%\HLP.exe
  C:\Program Files\Windows NT\svchost.exe
  C:\Program Files\Windows NT\lsass.exe
  C:\Program Files\Windows NT\ICWUT.DLL
  2. Adds a startup entry (a service named "Internet" whose ImagePath is the dropped lsass.exe, quoted, followed by the argument ServiceStart)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet
  "ImagePath"="C:\Program Files\Windows NT\lsass.exe" ServiceStart
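As an added defender-side check (not part of the original advisory), the following Python parses a .reg export of the Services key and flags the persistence entry described in item 2: a service whose ImagePath points at a copy of a system binary (lsass.exe, svchost.exe) outside the system directory, or whose name is the one listed above. The sample export, the SYSTEM_DIRS paths and the SUSPECT_SERVICES set are assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath
# Constructed .reg export (not from the page): the "Internet" service from
# item 2 of the advisory, plus a legitimate service for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet]
"ImagePath"="\"C:\\Program Files\\Windows NT\\lsass.exe\" ServiceStart"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
'''
# Names the dropper reuses under C:\Program Files\Windows NT\ (from the page);
# the genuine binaries live only in SYSTEM_DIRS (assumed default install paths).
MASQUERADED = {"lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
SUSPECT_SERVICES = {"internet"}  # service name listed in the advisory
SECTION = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
IMAGEPATH = re.compile(r'^"ImagePath"="(.*)"$', re.I)

def unescape(value):
    # .reg exports write embedded quotes as \" and backslashes as \\
    return value.replace('\\"', '"').replace("\\\\", "\\")

def exe_from_command(cmd):
    """Executable part of a service command line, quoted or bare."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]

def scan_services_export(reg_text):
    """Return (service, exe, reasons) for each suspicious ImagePath."""
    findings, service = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # new key; only direct Services\<name> keys count
            m = SECTION.match(line)
            service = m.group(1) if m else None
            continue
        m = IMAGEPATH.match(line)
        if not (m and service):
            continue
        exe = PureWindowsPath(exe_from_command(unescape(m.group(1))))
        reasons = []
        if exe.name.lower() in MASQUERADED and str(exe.parent).lower() not in SYSTEM_DIRS:
            reasons.append("system binary name outside the system directory")
        if service.lower() in SUSPECT_SERVICES:
            reasons.append("service name matches the NetDoor.s persistence entry")
        if reasons:
            findings.append((service, str(exe), reasons))
    return findings
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` output to triage a suspect host; ImagePath values exported as hex(2) (REG_EXPAND_SZ) are not handled by this parser.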
  3. Sets the following registry values (0x400 is the ActiveX kill bit, which stops Internet Explorer from loading the control)
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EF6205C1-3F17-4829-BCB5-1336ED89E356}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E689D735-1487-420D-9049-16ED198FE411}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E4F500BF-C1A3-11D6-9697-0090961B771E}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DA984A6D-508E-11D6-AA49-0050FF3C628D}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BA52B914-B692-46C4-B683-905236F6F655}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B5A34A93-D538-43A7-8371-864CB6148D12}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9BDBC41E-C335-4263-83C0-ECE78EE28A33}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{74D05D43-3236-11D4-BDCD-00C04F9A3B61}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5A37BF-FD42-463A-877C-4EB7002E68AE}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{644E432F-49D3-41A1-8DD5-E099162EEEC5}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6414512B-B978-451D-A0D8-FCFDF33E833C}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5DD731E6-D4F0-11D3-BE3F-00105A6FDA50}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2359626E-7524-4F87-B04E-22CD38A0C88C}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17492023-C23A-453E-A040-C7C580BBF700}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C568603-D79D-11D2-87A7-00C04FF158BB}
  "Compatibility Flags"=0x400
  4. Deletes the following antivirus startup entries under
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  SKYNETPersonalFireWall
  RavTask
  RavMon
  RavTimer
  RfwMain
  URLLSTCK.exe
  ccApp
  KAVPersonal50
  Kavrun
  KavPFW
  KavStart
  iDubaPersonalFireWall
  KVFW
  KvXP
  KvMonXP
  5. Deletes the following services
  SYSTEM\CurrentControlSet\Services\RsCCenter
  SYSTEM\CurrentControlSet\Services\RsRavMon
  SYSTEM\CurrentControlSet\Services\RfwProxySrv
  SYSTEM\CurrentControlSet\Services\RfwService
  SYSTEM\CurrentControlSet\Services\SymantecCoreLC
  SYSTEM\CurrentControlSet\Services\SPBBCSvc
  SYSTEM\CurrentControlSet\Services\SNDSrvc
  SYSTEM\CurrentControlSet\Services\SAVScan
  SYSTEM\CurrentControlSet\Services\NSCService
  SYSTEM\CurrentControlSet\Services\navapsvc
  SYSTEM\CurrentControlSet\Services\comHost
  SYSTEM\CurrentControlSet\Services\ccSetMgr
  SYSTEM\CurrentControlSet\Services\ccProxy
  SYSTEM\CurrentControlSet\Services\ccISPwdSvc
  SYSTEM\CurrentControlSet\Services\ccEvtMgr
  SYSTEM\CurrentControlSet\Services\kavsvc
  SYSTEM\CurrentControlSet\Services\KWatchSvc
  SYSTEM\CurrentControlSet\Services\KPfwSvc
  SYSTEM\CurrentControlSet\Services\IDriverT
  SYSTEM\CurrentControlSet\Services\KVWSC
  SYSTEM\CurrentControlSet\Services\KVSrvXP
  SYSTEM\CurrentControlSet\Services\srservice
  SYSTEM\CurrentControlSet\Services\BITS
  SYSTEM\CurrentControlSet\Services\wuauserv
  SYSTEM\CurrentControlSet\Services\SharedAccess
  SYSTEM\CurrentControlSet\Services\wscsvc
  6. Terminates the following processes
  UpdateAssist.exe
  PFWLiveUpdate.exe
  PFW.exe
  RavQuick.exe
  RavCopy.exe
  RavUSB.exe
  rfwcfg.exe
  RavHDBak.exe
  ScanBD.exe
  MakeBoot.exe
  RegClean.exe
  RavStore.exe
  SmartUp.exe
  RsConfig.exe
  RsAgent.exe
  Rav.exe
  RegGuide.exe
  RavTask.exe
  RavTimer.exe
  RavStub.exe
  rfwmain.exe
  RavMon.exe
  rfwproxy.exe
  CCenter.exe
  RavMonD.exe
  rfwsrv.exe
  LUCOMS~1.EXE
  LUALL.EXE
  NMain.exe
  ccApp.exe
  SPBBCSvc.exe
  ccSetMgr.exe
  ccProxy.exe
  SNDSrvc.exe
  ccEvtMgr.exe
  symlcsvc.exe
  navapsvc.exe
  ccPwdSvc.exe
  SAVScan.exe
  NSCSRVCE.EXE
  comHost.exe
  kav.exe
  kavsvc.exe
  KAVLog2.EXE
  Rescue.EXE
  KRecycle.EXE
  Update.EXE
  KSAMain.EXE
  KATMain.EXE
  KASMain.EXE
  KAVPFW.EXE
  KAV32.EXE
  KMailMon.EXE
  KPFW32.EXE
  KAVStart.EXE
  KWatch.EXE
  KPFWSvc.EXE
  VirusBox.kxp
  kvupload.exe
  KVStub.kxp
  KVScan.kxp
  KvReport.kxp
  KVLSUI.kxp
  KVHiStory.kxp
  kvdisk.kxp
  KvDetect.exe
  KVOL.exe
  KVCenter.kxp
  KRegEx.exe
  kvinit.exe
  kvfw.exe
  KvXP.kxp
  TrojDie.kxp
  KvMailMag.kxp
  KVMonXP.kxp
  UIHost.exe
  IDriverT.exe
  kvwsc.exe
  KVSrvXP.exe
  agentsvr.exe
  SymantecCoreLC
  SPBBCSvc
  SNDSrvc
  SAVScan
  NSCService
  navapsvc
  comHost
  ccSetMgr
  ccProxy
  ccISPwdSvc
  ccEvtMgr
  kavsvc
  KWatchSvc
  KPfwSvc
  IDriverT
  KVWSC
  KVSrvXP
  srservice
  BITS
  wuauserv
  SharedAccess
  wscsvc
  8. Other
  %system%\drivers\npf.sys, %system%\Packet.dll, %system%\WanPacket.dll and %system%\wpcap.dll are a set of network tools (the WinPcap packet-capture library), not malware; the user can delete them manually.