木馬下載器Win32.TrojDownloader.Delf.114688病毒行為:
該病毒是一個(gè)木馬下載者,會(huì)從網(wǎng)上下載其他病毒至客戶的機(jī)器上并運(yùn)行.病毒運(yùn)行后生衍生一個(gè)DLL文件至系統(tǒng)目錄中.

1.生成文件
%WinDir%\System32\Downdll.dll

2.修改注冊表
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings = hex:3c,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,20,94,af,51,08,a1,c7,01,01,00,00,00,c0,a8,1c,f4,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
Count = dword:00000005
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
Time = hex:d7,07,08,00,04,00,10,00,06,00,19,00,38,00,9b,00,

3.病毒運(yùn)行后創(chuàng)建一個(gè)IEXPLORE.EXE進(jìn)程.

4.從http://www.*****.cn/images/js/az.exe下載病毒文件保存到c:盤根目錄下.

5.在C:\Windows\system32下生成一個(gè)Delme.bat文件用于刪除源文件.

最新評論