Trojan-PSW.Win32.OnLineGames.uw

生活百科 (Life Encyclopedia), 2023-02-16 13:39, www.aizhengw.cn

After this virus runs, it drops copies of itself into several directories, adds multiple registry startup entries, and modifies application execution mappings (Image File Execution Options) so that the virus body is launched in place of the mapped programs. The virus body then connects to the network, downloads further malicious components to the local machine and runs them; most of the downloaded components are online-game account stealers. Because the virus rewrites the execution mappings of many programs, users may find that their applications no longer start. The virus can also spread through removable storage.

Basic information

  • Chinese name: 盗窃者 ("Thief")
  • Detection name: Trojan-PSW.Win32.OnLineGames.uw
  • Virus type: Trojan
  • File MD5: 48dfe0f0633d321670dfdecb144673e7
  • Disclosure scope: fully public
  • Threat level: 4
  • File length: 41343 bytes packed, 200704 bytes unpacked
  • Affected systems: Windows 9x and later
  • Development tool: Microsoft Visual C++ 6.0
  • Packer: NsPacK V3.7 -> LiuXingPing [Overlay]

Behavior analysis

1. Drops the following copies and files:
%Program Files%\bxiedby.inf
%Program Files%\meex.exe
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\mppds.exe
%WinDir%\upxdnd.exe
%System32%\5E15.dll
%System32%\10J20.dll
%System32%\cmdbcs.dll
%System32%\Kvsc3.dll
%System32%\mppds.dll
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\nwizwmgjs.dll
%System32%\nwizwmgjs.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%Program Files%\Common Files\Microsoft Shared\irijjmn.exe
%Program Files%\Common Files\System\ccqwyxt.exe
2. Creates the following Image File Execution Options (execution mapping) registry values, redirecting each listed security tool to the dropped irijjmn.exe:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360Safe.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360tray.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\adam.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AgentSvr.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AppSvc32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\ArSwp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AST.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\autoruns.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avconsol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avgrssvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AvMonitor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\CCenter.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\ccSvcHst.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\EGHOST.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FileDsty.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FTCleanerShell.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FYFireWall.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\HijackThis.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\IceSword.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\iparmo.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Iparmor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\isPwdSvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kabaload.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KaScrScn.SCR\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KASMain.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KASTask.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAV32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVDX.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVPF.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVPFW.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVSetup.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVStart.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KISLnchr.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KMailMon.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KMFilter.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFW32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFW32X.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPfwSvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRegEx.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRepair\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KsLoader.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVCenter.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvDetect.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvfwMcl.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP_1.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvolself.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvReport.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVScan.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVSrvXP.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVStub.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvupload.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvwsc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP_1.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatch.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatch9x.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatchX.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\loaddll.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MagicSet.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mcconsol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmqczj.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmsk.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Navapsvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Navapw32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32krn.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32kui.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\NPFMntor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFW.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFWLiveUpdate.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QHSET.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QQDoctor.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QQKav.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Ras.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rav.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMon.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMonD.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavStub.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavTask.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RegClean.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwcfg.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwmain.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwsrv.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RsAgent.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rsaupd.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\runiep.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\safelive.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\scan32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\shcfg32.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SmartUp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SREng.EXE\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\symlcsvc.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SysSafe.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojanDetector.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Trojanwall.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojDie.kxp\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UIHost.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxAgent.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxAttachment.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxCfg.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxFwHlp.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxPol.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\upiea.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UpLive.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\USBCleaner.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\vsstat.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\webscanx.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\WoptiClean.exe\Debugger
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
3. Creates the following registry auto-start entries (a service named RemoteDbg and several Run values):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\Description
Value: String: " 允许 Administrators 组的成员进行远程调试。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%System32\rundll32.exe RemoteDbg.dll,input.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bxiedby
Value: String: "%Program Files%\Common Files\System\ccqwyxt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "%WinDir%\cmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc3
Value: String: "%WinDir%\Kvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mppds
Value: String: "%WinDir%\mppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oatrfhf
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd
Value: String: "%WinDir%upxdnd.exe"
4. Modifies the following registry values (the SHOWALL change stops Explorer from displaying hidden files; setting Start to 4 disables the Help and Support, Windows Firewall/ICS and Automatic Updates services):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\LastTraceFailure
New: DWORD: 4 (0x4)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesProcessed
New: DWORD: 50 (0x32)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesSuccessful
New: DWORD: 49 (0x31)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
5. Deletes the following registry keys and values (the DiskDrive class entries under SafeBoot, which prevents the system from starting in Safe Mode):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
Value: String: "DiskDrive"
6. Contacts the following server addresses to download further malicious components and run them locally:
(5.5.5.9)qq.50f/81/11.exe
qq.50f/j/yj69.txt (this file is read to obtain the virus update address)
www.560.cn/xzz/xxxxxxxx.exe
Note: %System% is a variable path. The virus determines the current System folder by querying the operating system. The default location is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal

1. Use Antiy Ghostbusters (安天木马防线) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as described in the behavior analysis.
(1) Use Antiy Ghostbusters to disconnect from the network and terminate the virus processes:
ccqwyxt.exe
irijjmn.exe
(2) Delete the dropped virus files:
%Program Files%\bxiedby.inf
%Program Files%\meex.exe
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\mppds.exe
%WinDir%\upxdnd.exe
%System32%\5E15.dll
%System32%\10J20.dll
%System32%\cmdbcs.dll
%System32%\Kvsc3.dll
%System32%\mppds.dll
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\nwizwmgjs.dll
%System32%\nwizwmgjs.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%Program Files%\Common Files\Microsoft Shared\irijjmn.exe
%Program Files%\Common Files\System\ccqwyxt.exe
(3) Delete the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\Description
Value: String: " 允许 Administrators 组的成员进行远程调试。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%System32\rundll32.exe RemoteDbg.dll,input.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\bxiedby
Value: String: "%Program Files%\Common Files\System\ccqwyxt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\cmdbcs
Value: String: "%WinDir%\cmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Kvsc3
Value: String: "%WinDir%\Kvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\mppds
Value: String: "%WinDir%\mppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\oatrfhf
Value: String: "%Program Files%\Common Files\Microsoft Shared\irijjmn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\upxdnd
Value: String: "%WinDir%upxdnd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\
(each newly created image-name key listed in step 2 of the behavior analysis)\Debugger
(4) Restore the modified registry values to their original ("Old") settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\LastTraceFailure
New: DWORD: 4 (0x4)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesProcessed
New: DWORD: 50 (0x32)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Prefetcher\TracesSuccessful
New: DWORD: 49 (0x31)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\
Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\helpsvc\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Start
New: DWORD: 4 (0x4)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv\Start
New: DWORD: 4 (0x4)
Old: DWORD: 2 (0x2)
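The registry artefacts in the behavior analysis (steps 2 to 5) and the manual removal steps (3) and (4) above can be checked offline against a registry export before and after cleanup. The script below is an added example written for this page, not part of the original write-up or of any Antiy tool: it parses a .reg-style export, flags Image File Execution Options Debugger redirects, Run values and services that reference the dropped file names from this report, services switched to Start=4 that the report says were 2 or 3 before infection, and the SHOWALL CheckedValue tamper, and prints the restore action for each. The sample export is constructed (with %Program Files% and %WinDir% expanded to their Windows XP defaults), and the allowlist of legitimate debugger images is an assumption, not something the report states.

```python
"""Offline triage of a Windows registry export for the artefacts described
in this report. Added example, not part of the original write-up; the
sample export is constructed and ALLOWED_DEBUGGERS is an assumption."""
import re

# Dropped file names taken from step 1 of the report's behavior analysis.
DROPPED_IMAGES = {
    "meex.exe", "cmdbcs.exe", "kvsc3.exe", "mppds.exe", "upxdnd.exe",
    "nwiztlbu.exe", "nwizwmgjs.exe", "irijjmn.exe", "ccqwyxt.exe",
    "5e15.dll", "10j20.dll", "cmdbcs.dll", "kvsc3.dll", "mppds.dll",
    "nwiztlbb.dll", "nwizwmgjs.dll", "remotedbg.dll", "upxdnd.dll",
}
# Services the report shows being set to Start=4, with the "Old" value it records.
EXPECTED_SERVICE_START = {"helpsvc": 2, "sharedaccess": 3, "wuauserv": 2}
# Assumption: debugger images that may legitimately appear under IFEO\<image>\Debugger.
ALLOWED_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe"}

IFEO = "\\currentversion\\image file execution options\\"
RUN_KEY = "\\currentversion\\run"
SERVICES = "\\services\\"
SHOWALL = "\\explorer\\advanced\\folder\\hidden\\showall"

SECTION_RE = re.compile(r"^\[(.+)\]$")
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
IMAGE_RE = re.compile(r'([^\\/"\s,]+\.(?:exe|dll|scr|kxp))', re.IGNORECASE)

# Constructed sample export. REG_EXPAND_SZ values are written as plain
# strings here for brevity; a real export encodes them as hex(2).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\irijjmn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cmdbcs"="C:\\Windows\\cmdbcs.exe"
"oatrfhf"="C:\\Program Files\\Common Files\\Microsoft Shared\\irijjmn.exe"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg]
"DisplayName"="Remote Debug Service"
"ImagePath"="C:\\Windows\\System32\\rundll32.exe RemoteDbg.dll,input"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""


def parse_reg(text):
    """Parse a .reg-style export into {key_path: {value_name: value}}.
    Doubled backslashes in strings are collapsed; dwords become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def images_in(command):
    """Every executable/DLL file name referenced by a command line, lower-cased."""
    return {m.lower() for m in IMAGE_RE.findall(command)}


def value(values, name):
    """Case-insensitive lookup of one value name inside a key."""
    for n, v in values.items():
        if n.lower() == name.lower():
            return v
    return None


def triage(keys):
    """Return (category, subject, detail, action) tuples for each artefact found."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        leaf = k.rsplit("\\", 1)[-1]
        if IFEO in k and value(values, "Debugger") is not None:
            dbg = images_in(value(values, "Debugger"))
            hijack = not dbg or not dbg <= ALLOWED_DEBUGGERS
            findings.append(("ifeo", leaf, ",".join(sorted(dbg)),
                             "delete Debugger" if hijack else "review"))
        elif k.endswith(RUN_KEY):
            for name, cmd in values.items():
                hit = images_in(str(cmd)) & DROPPED_IMAGES
                if hit:
                    findings.append(("run", name, ",".join(sorted(hit)), "delete value"))
        elif SERVICES in k and "controlset" in k:
            start = value(values, "Start")
            if leaf in EXPECTED_SERVICE_START and start == 4:
                findings.append(("service", leaf, start,
                                 f"restore Start={EXPECTED_SERVICE_START[leaf]}"))
            image = value(values, "ImagePath")
            if image and images_in(str(image)) & DROPPED_IMAGES:
                findings.append(("service", leaf, image, "delete service"))
        elif k.endswith(SHOWALL) and value(values, "CheckedValue") == 0:
            findings.append(("explorer", "SHOWALL\\CheckedValue", 0, "restore CheckedValue=1"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(*finding, sep=" | ")
```

Run it against an export taken with `reg export` of the HKLM SOFTWARE and SYSTEM hives; an empty result after cleanup is the check that steps (3) and (4) above were completed. Any IFEO Debugger value not on the allowlist is reported even if its target is not one of the security tools this report names, because the same redirect technique works against any image name.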
