Common destructive viruses

xiaoxiao2021-03-06  41

1. TrojanProxy.Webber.20 Damage: Trojan written in LCC. After running it sets up a hidden proxy server on the host, through which it can steal cached passwords, the user's IP address and information about the user's network access.

Once run, the virus does the following:

1. Creates a mutex named Neher_12 so that only one copy of the virus runs at a time.

2. Copies itself to the system directory under a random file name and drops a dynamic-link library: %sysdir%\filename1.exe and %sysdir%\filename2.dll, where filename1 and filename2 are random.

3. Adds the following registry values so that it loads with the system:

HKCR\CLSID\{79fb9088-19ce-715d-d85a-216290c5b738}\InprocServer32 (Default) = "C:\Windows\System\eefgikb.dll"

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "Web Event Logger" = "{79fb9088-19ce-715d-d85a-216290c5b738}"

Here eefgikb.dll is the DLL dropped by the virus; its name varies. Because the DLL is registered as a shell service object, Explorer loads it at logon without any Run-key entry, so a check that only looks at the Run keys will not see it.

4. Once running, the virus splits into two parts and listens on two ports, 1010 and 1234: one provides the hidden proxy, the other is used to download files.

5. The virus can also spread by e-mail. The message looks like this:

From: "Account Manager"

Subject: Re: Your Credit Application

Body:

Dear sir!

Thank you for your online application for a Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which did not satisfy our minimum needs. Consequently, we regret to say that we can not approve you for Home Equity Loan at this time.

* Attached are copy of your Credit Profile and your Application that you submitted with us. Please, you will receive few days.

Attachment: Www.citybankhomeloan.htm.pif

(A .pif file is run as a program by Windows; the ".htm" in the middle of the name is only there to make the attachment look like a web page.)

6. The Trojan contains the following strings: Neher (Hexep) CodeD by Hangup Team (Commercial Version).

Greetz to: hunk, ares, z0mbie, freehunt, sbvc, tsrh, vecna ';)

A zdes Mogla Bi Bit Vasha Reklama;) (transliterated Russian: "and here could have been your advertisement")

Note: %sysdir% is the Windows system folder, which varies by version. By default it is C:\Windows\System (Windows 95/98/ME), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP).

2. BackDoor.goldfish Damage: backdoor.

After running, the virus copies itself to the %sysdir% directory as "taskcfg.exe", creates a folder named "IME" under the System directory and copies itself there as well.

It adds itself under the following registry keys so that it starts with the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

It also sets the value "DisableRegistryTools" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System to 1, which stops the user from running the Registry Editor.

It searches the registry for the CD keys of the following games: Tiberian Sun, Red Alert 2, IGI 2 Retail, Command & Conquer Generals, FIFA 2003, NFSHP2, The Gladiators, Soldier of Fortune II, Neverwinter, Rainbow Six III RavenShield, Battlefield 1942 Road To Rome, Battlefield 1942, Counter-Strike, Unreal Tournament 2003, Half-Life.

It spreads by guessing the password of the IPC$ share on other machines, using a dictionary of names:

'Steven' 'Steve' 'Stevan' 'Stetson' 'Sterling' 'Stephon' 'Rudy' 'Rudolph' 'Rudolf' 'Rubin' 'Ruben' 'Royce' 'Rocco' 'Roberto' 'Robert' 'Robby' 'Robbie' 'Robb' ......

Because the dictionary is very large, users are advised to set complex administrator passwords. A guessed administrator password on IPC$ is enough for the worm to copy itself to the machine and run there, so a weak local administrator password alone lets it in.

For its controller it can download files, send messages and collect local information, and it lets the controller manage the infected machine remotely over IRC.
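The password guessing described in this entry shows up in the target's Security log as a burst of failed network logons from one source, each with a different user name taken from the dictionary. The detector below is an added example, not part of the original catalogue or of any vendor tool. It runs over a constructed sample of NT/2000/XP audit events (529 = unknown user name or bad password, 528 = successful logon, logon type 3 = network logon, which is what an IPC$ connection produces) and flags any source with at least `threshold` failures inside a time window, together with any successful logon from that source afterwards. The line format, the thresholds and the addresses are assumptions made for the sample.

```python
"""Spot IPC$-style password guessing in Windows security-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, NOT real data.  529 = logon failure (bad user name or password),
# 528 = successful logon; TYPE=3 marks a network logon such as an IPC$ connection.
SAMPLE_LOG = """\
2004-03-06 10:15:01 529 TYPE=3 SRC=10.0.0.7 USER=Steven
2004-03-06 10:15:02 529 TYPE=3 SRC=10.0.0.7 USER=Steve
2004-03-06 10:15:02 529 TYPE=3 SRC=10.0.0.7 USER=Stevan
2004-03-06 10:15:03 529 TYPE=3 SRC=10.0.0.7 USER=Stetson
2004-03-06 10:15:04 529 TYPE=3 SRC=10.0.0.7 USER=Sterling
2004-03-06 10:15:04 529 TYPE=3 SRC=10.0.0.7 USER=Stephon
2004-03-06 10:15:05 529 TYPE=3 SRC=10.0.0.7 USER=Rudy
2004-03-06 10:15:06 529 TYPE=3 SRC=10.0.0.7 USER=Rudolph
2004-03-06 10:15:07 528 TYPE=3 SRC=10.0.0.7 USER=Administrator
2004-03-06 10:20:11 529 TYPE=3 SRC=10.0.0.3 USER=jsmith
2004-03-06 10:20:20 529 TYPE=3 SRC=10.0.0.3 USER=jsmith
2004-03-06 10:20:31 528 TYPE=3 SRC=10.0.0.3 USER=jsmith
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\d+) TYPE=(?P<type>\d+) "
                     r"SRC=(?P<src>\S+) USER=(?P<user>\S+)$")


def parse_events(text):
    """Return a list of (timestamp, event_id, logon_type, source, user), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group("event")), int(m.group("type")),
                       m.group("src"), m.group("user")))
    return sorted(events)


def detect_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold network-logon failures inside `window`.

    Goldfish-style guessing is a burst of 529 events from one source with a different
    user name each time; a 528 from the same source after the burst means a password
    was found.  Returns {source: {"failures", "users", "success_after"}}.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event, logon_type, src, user in events:
        if logon_type != 3:
            continue  # interactive logons are not what the worm produces
        if event == 529:
            failures[src].append((ts, user))
        elif event == 528:
            successes[src].append((ts, user))

    hits = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [(t, u) for t, u in fails[i:] if t - start <= window]
            if len(in_window) >= threshold:
                last_failure = in_window[-1][0]
                hits[src] = {
                    "failures": len(in_window),
                    "users": sorted({u for _, u in in_window}),
                    # successful logons from the same source after the burst
                    "success_after": [u for t, u in successes.get(src, []) if t >= last_failure],
                }
                break  # one finding per source is enough
    return hits


if __name__ == "__main__":
    for src, info in detect_guessing(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

With the sample above only 10.0.0.7 is reported: eight failures in six seconds with eight different names, followed by a successful Administrator logon, which is the pattern to treat as a compromised host rather than a user mistyping a password (10.0.0.3 stays below the threshold).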

3. BACKDOOR.GOLDFISH.ENC Damage: backdoor program.

Behaviour identical to entry 2 (BackDoor.goldfish) above: the same dropped file (taskcfg.exe and the IME folder), the same Run, RunServices and RunOnce keys, the DisableRegistryTools policy, the same CD-key theft, IPC$ password guessing with the same name dictionary, and remote control over IRC.

4. Trojan.psw.legendmir.17.b Damage: Trojan that steals Legend of Mir passwords.

A password-stealing Trojan for the game Legend of Mir, written in Delphi. It consists of four files: "expl0rer.exe", "mfcd3o.dll", "sysmodule64.dll" and "sysmodule32.dll".

If infected, users are advised to reboot immediately after disinfection so that the virus module loaded into Explorer is fully unloaded.

First, the main program does the following:

1. Copies itself to the system directory as "expl0rer.exe" (the middle character is a zero, not the letter o). It also drops "mfcd3o.dll" (another copy of itself) into the Windows directory and "sysmodule64.dll" into the system directory.

2. Calls Regsvr32.exe to register "sysmodule64.dll" as a system COM component:

Regsvr32.exe /s %system%\sysmodule64.dll

3. Runs "expl0rer.exe" from the system directory.

4. Creates a BAT file that deletes the original file.

Second, sysmodule64.dll modifies the registry to register itself as an Explorer extension under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

so that it is loaded into the explorer.exe process.

The virus uses a window named "LegendHook 20030324" as its resident marker. If sysmodule64.dll cannot find this window, it immediately copies "expl0rer.exe" to the system directory again and runs it.

Every time the user opens a file, sysmodule64.dll (as a shell execute hook) is activated; the virus uses this to make sure it keeps running, which is why killing the process without unregistering the hook does not remove it.

Third, "expl0rer.exe" in the system directory drops "sysmodule32.dll" and uses the DLL's exported functions "EnableMouseHook" and "EnableKeyboardHook" to install keyboard and mouse hooks.

If the window title of the current input box is "Legend Client", "Legend of Mir 3" or "Legend of Mir2", the virus captures the account, password, character, gender and other data, saves them to a file and sends them to a preset mailbox.

5. Trojan.psw.legendmir.17.b.enc Damage: Trojan that steals Legend of Mir passwords.

Same four files and identical behaviour to entry 4 (Trojan.psw.legendmir.17.b) above: expl0rer.exe in the system directory, mfcd3o.dll in the Windows directory, sysmodule64.dll registered with Regsvr32.exe under ShellExecuteHooks so that it is loaded into explorer.exe and re-launches expl0rer.exe when the "LegendHook 20030324" window is missing, and sysmodule32.dll installing keyboard and mouse hooks to capture Legend of Mir logins and mail them out.

6. Trojan.qqpass7001.b Damage: variant of "Trojan.qqpass7001". A Trojan that steals the user's QQ password and sends it to a preset mailbox.

First, it walks the folders of the system directory and drops a number of copies of itself. On Windows 2000 or XP it also creates a service for itself.

At the same time it hijacks several file associations in the registry, so that opening any file of these types runs the Trojan first (the "%1" and %* arguments pass the original file and its parameters on to the Trojan, which then launches it so that nothing looks wrong):

1. HKEY_CLASSES_ROOT\exefile\shell\open\command (Default): "C:\System Volume Information\ummjnls.exe" "%1" %*

2. HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default): C:\!wnmgiz.exe "%1"

3. HKEY_CLASSES_ROOT\chm.file\shell\open\command (Default): C:\ravbin\cndvpy.exe %1

4. HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default): C:\ravbin\jwxbca.exe %1

5. HKEY_CLASSES_ROOT\regfile\shell\open\command (Default): C:\Program Files\nxtnj.exe "%1"

6. HKEY_CLASSES_ROOT\inifile\shell\open\command (Default): C:\hkyle.exe %1

7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ozrhjai.exe": C:\Documents and Settings\cxej.exe

8. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiHVJSM.EXE (the service name is random), image path C:\System Volume Information\CiHVJSM.EXE

Note that because of the exefile hijack, deleting the Trojan's file before repairing the association leaves every .exe on the machine unable to start; restore the handler first.

Second, it scans memory, terminates the following processes and deletes their files:

Kav9x.exe, kavsvc9x.exe, kavsvcui.exe, kav32.exe, Smenu.exe, ravmon.exe, passwordguard.exe, vpc32.exe, watcher.exe
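Entries 1, 4 and 6 above use three Explorer-loading points that a plain Run-key check misses: ShellServiceObjectDelayLoad (entry 1), ShellExecuteHooks (entry 4) and hijacked file-type handlers (entry 6). The script below is an added example, not code from the original page or from any anti-virus vendor. It parses a .reg export (a constructed sample mirroring those entries; the ShellExecuteHooks CLSID is made up), resolves each CLSID to the DLL its InprocServer32 value points at, and compares the shell\open\command handlers against assumed Windows 2000/XP defaults: executable types must hand "%1" straight to the shell, and txtfile, inifile, regfile and chm.file must be opened by notepad.exe, regedit.exe or hh.exe. On a live machine feed it the output of `reg export` and review the Run-key listing against a known-good baseline.

```python
"""Audit a .reg export for the auto-start hijacks of entries 1, 4 and 6 (added example)."""
import re

# Constructed sample export mirroring the entries above; the ShellExecuteHooks CLSID is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\System Volume Information\\ummjnls.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\ravbin\\jwxbca.exe %1"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@="%SystemRoot%\\System32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\CLSID\{79fb9088-19ce-715d-d85a-216290c5b738}\InprocServer32]
@="C:\\WINDOWS\\System\\eefgikb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79fb9088-19ce-715d-d85a-216290c5b738}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\System32\\sysmodule64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-1111-2222-3333-444444444444}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ozrhjai.exe"="C:\\Documents and Settings\\cxej.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # @=... or "name"=...


def _unescape(s):  # .reg doubles backslashes and escapes quotes inside string data
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Minimal .reg parser: {key (lower-case): {value name (lower-case): data}}.
    The (Default) value is stored under the empty name; only string data is unescaped."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            reg[key][_unescape(m.group(1) or '').lower()] = data
    return reg


CV = r'hkey_local_machine\software\microsoft\windows\currentversion'
# SSODL keeps the CLSID as the value data, ShellExecuteHooks keeps it as the value name.
COM_LOADERS = {'ShellServiceObjectDelayLoad': (CV + r'\shellserviceobjectdelayload', 'data'),
               'ShellExecuteHooks': (CV + r'\explorer\shellexecutehooks', 'name')}
RUN_KEYS = [CV + r'\run', CV + r'\runservices', CV + r'\runonce',
            r'hkey_current_user\software\microsoft\windows\currentversion\run']


def resolve_com_loaders(reg):
    """Map every SSODL / ShellExecuteHooks entry to the DLL its CLSID's InprocServer32 names."""
    found = []
    for label, (key, where) in COM_LOADERS.items():
        for name, data in reg.get(key, {}).items():
            clsid = (data if where == 'data' else name).lower()
            server = 'hkey_classes_root\\clsid\\%s\\inprocserver32' % clsid
            found.append((label, name, clsid, reg.get(server, {}).get('', '<no InprocServer32>')))
    return found


# Assumed known-good handlers (Windows 2000/XP defaults): executable types must pass the file
# itself ("%1") to the shell; document types must be opened by the named system program.
EXEC_TYPES = ('exefile', 'comfile', 'batfile', 'piffile', 'scrfile')
DOC_LAUNCHERS = {'txtfile': 'notepad.exe', 'inifile': 'notepad.exe',
                 'regfile': 'regedit.exe', 'chm.file': 'hh.exe'}


def check_associations(reg):
    """Return [(file type, command)] for shell\\open\\command values that no longer match."""
    bad = []
    for ftype in EXEC_TYPES + tuple(DOC_LAUNCHERS):
        cmd = reg.get('hkey_classes_root\\%s\\shell\\open\\command' % ftype, {}).get('')
        if cmd is None:
            continue  # type not present in the export
        if ftype in EXEC_TYPES:
            ok = cmd.lstrip().startswith(('"%1"', '%1'))
        else:  # program name before the first %1, with quotes and directory stripped
            launcher = cmd.split('%1')[0].strip().strip('"').rsplit('\\', 1)[-1].lower()
            ok = launcher == DOC_LAUNCHERS[ftype]
        if not ok:
            bad.append((ftype, cmd))
    return bad


def list_run_entries(reg):
    """Plain Run/RunServices/RunOnce values, to be reviewed against a known-good baseline."""
    return [(key.rsplit('\\', 1)[-1], name, data)
            for key in RUN_KEYS for name, data in reg.get(key, {}).items()]
```

The CLSID resolution is the step that matters: the ShellServiceObjectDelayLoad value itself is only a GUID with a harmless-looking name ("Web Event Logger"), and the random DLL in the system directory that it resolves to is the real indicator.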

7. Worm.Sober.c Damage: worm written in VB.

Behaviour: after running, the virus displays a fake system error box reading "%FileName% has caused an unknown error. STOP: 00000010x18" (%FileName% is the virus's current file name).

It then searches the disks for files with the following extensions and extracts e-mail addresses from them: .HTT, .RTF, .DOC, .XLS, .INI, .MDB, .TXT, .HTM, .HTML, .WAB, .PST, .FDB, .CFG, .LDB, .EML, .ABC, .LDIF, .NAB, .ADP, .MDW, .MDA, .MDE, .ADE, .SLN, .DSW, .DSP, .VAP, .PHP, .NSF ...

Mail spread: the virus sends an infected e-mail to every address it has extracted, using one of these subjects (the German ones are followed by a translation):

Ermittlungsverfahren eingeleitet ("Preliminary investigation started")
Ihre IP wurde geloggt ("Your IP was logged")
Sie sind ein Raubkopierer ("You are a software pirate")
Ich zeige Sie an! ("I am reporting you!")
Du wirst ausspioniert ("You are being spied on")
Ein Trojaner ist auf Ihrem Rechner! ("A Trojan is on your computer!")
Thank you very much
You are an idiot
Why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal file sharing ......
A Trojan horse is on your PC
A Trojan is on your computer!
Anime, Pokemon, Manga ...

Attachment name (one of): www.iq4you-german-test.com www.freewantiv.com www.free4share4you.com www.onlinegamerspro-worm.com www.freegames4you-gzone.com www.anime4allfree.com www.animepage43252.com ......

8. Worm.Sober.c.enc Damage: worm written in VB.

Identical to entry 7 (Worm.Sober.c) above: the same fake "STOP: 00000010x18" error box, the same list of file extensions searched for e-mail addresses, and the same German and English subject lines and attachment names.

9. Worm.Sober.c.a Damage: worm written in VB.

Identical to entry 7 (Worm.Sober.c) above: the same fake "STOP: 00000010x18" error box, the same extension list, and the same subject lines and attachment names.

10. Worm.Freity Damage: a worm written in VB.NET.

Behaviour: when run (as C:\Windows\Fr8i.exe) the virus shows a message box reading "You Have Been Infected by XPCombo Worm Created By Lotti", and drops a script under C:\Documents and Settings\All Users\Start Menu so that it runs at the next system start. The script replies to every message in the Outlook inbox with C:\Windows\Fr8i.exe as an attachment.

After that the virus copies itself to C:\Windows\Fr8i.exe and to C:\Program Files\BearShare\My Shared Folder\...elina Jolie.SCR (the file name is garbled in the source). The second copy sits in a file-sharing download folder under a celebrity name so that other peer-to-peer users will fetch it.

Mail spread: the virus walks the Outlook inbox and automatically attaches itself to replies.

The e-mail body is chosen at random from the following:

Heres the file you ask for / I think you ask me for this if not just delete it / try i / Cant believe I had this / do you want this file / i got this from a friend / i didnt have much time to look at it but here it is / this is the best i have seen yet / do you want it or not / here it is I think / yeah here it is / I found it last nite / whats the story / Hi how are you / Look at this ......

11. Worm.anap.c Damage: a worm written by a member of the 29A group.

Behaviour: the virus checks whether the operating system is Windows 9x. If it is not, it shows a message box reading "Integrity check failed due to: bad data transmission or bad disk access." and exits after the user clicks OK.

Payload: the virus reads the system date; when the day of the month is 5 it shows a message box titled "I-Worm.Anaphylaxis coded by bumblebee/29a" with the text "This is an I-Worm. Don't worry, this is not a virus but may occur the worm has been infected by a virus during its travel. ... The Way of The Bee", and then exits.

Mail spread: the virus reads the "Personal" value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders to find the path of the My Documents directory.

It walks that directory and the TEMP directory looking at *.ht* files, searches them for "mailto:" links, takes the e-mail address following "mailto:" and sends an infected e-mail to it. Subject: "Patch". Body: "this is the patch you ask for". Attachment name: setup.exe

12. Trojan.qqpsw.d Damage: QQ password-stealing Trojan written in Visual Basic. Once run it copies itself into many folders on the system:

%WINDIR%\QQXP.EXE
%WINDIR%\All Users\Desktop\QQXP.EXE
%WINDIR%\All Users\Start Menu\Programs\Startup\QQXP.EXE
%WINDIR%\Desktop\QQXP.EXE
%WINDIR%\Start Menu\Programs\Startup\QQXP.EXE
C:\QQXP.EXE
C:\Program Files\QQXP.EXE

It also creates C:\autorun.inf with the content:

[Autorun]
open=C:\QQXP.exe

so that the Trojan is launched whenever the drive is opened on a system with AutoRun enabled. Stolen passwords are saved to C:\Windows\Pass.yy and C:\Windows\put.yyz.

It creates the following registry values to start with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Default) = "%CURFILE%"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run rundll32Q = "%WINDIR%\qqxp.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices rundll32Q = "%CURFILE%"
and more.

It imitates the QQ main window, captures QQ user names and passwords and saves them to a local file. It also sends the stolen data to a configurable mailbox.

Note: %WINDIR% is the Windows installation directory and varies by system (by default C:\Windows or C:\Winnt).

13. Worm.Kelino.n Damage: a worm posing as an MSN patch.

Behaviour: after running, it copies itself to the %Windows% directory as msn.exe. When the copy succeeds it shows a message box titled "MSN Messenger" with the text "MSN Patch!".

It adds a value named NAV32 under Software\Microsoft\Windows\CurrentVersion\Run to start itself.

Mail spread: the virus first tries to read the SMTP server address from the registry; if that fails it uses an SMTP server address stored in its own body, and sends mail with its own SMTP engine.

Address harvesting: the virus reads the path of the address book file (file name: ...) from the registry, searches it for e-mail addresses and mails itself to them with its own sending engine.

The message is sent in the name of MSN Support.

Subject: Support Message

Body: new!! Update your msn with new patch 6.0.0538 What new on this version: Now you can phone free around the world.include usa, canada, france. From your pc to phone free, Run Attached File Now! Msn@microsoft.com

Attachment name: msnupdate.exe

14. Harm.vb.b Damage: virus written in Visual Basic 6.00. It hijacks the following file associations (the first entry is cut off in the source and ends: ...32author.exe "%1" %*):

HKEY_CLASSES_ROOT\comfile\shell\open\command (Default): %system%\32author.exe "%1" %*

HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default): %system%\32author.exe "%1" %*

HKEY_CLASSES_ROOT\regfile\shell\open\command (Default): %system%\32author.exe "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Author": %system%\32author.exe

The virus is a malicious program by an extremely bored author; once infected, the user can no longer work normally. The virus body contains the following text:

"If you can't close this software, you can send me email. You may get a reply after waiting a few days. You can call the help line: 05325995197, 24 hours at your service. Please visit Nangong Lingyun"

"Please click 50! The program will close automatically!"

15. Trojan.huigezi.fd Damage: variant of "Gray Pigeon" (Huigezi).

After running it shows the message "The file is not compatible with the current system, continue?". Whether the user chooses "OK" or "Cancel", it carries out the following:

First, it copies itself to the system directory as "Gserve.exe", sets the file's attributes to "system" and "hidden", deletes the original file and starts a new process with the parameter "/HuifSetup".

Second, it modifies the registry to start with the system. Users can remove these entries by hand:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "huigezi": %system%\Gserve.exe

2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "huigezi": %system%\Gserve.exe

3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "huigezi": %system%\Gserve.exe

It also sets the "run" entry of the [windows] section of Win.ini to point to the virus, so removing the three registry values alone is not enough.

Third, it stays resident in memory and every minute tries to connect to "dizgil.yeah.net" and "202.200.234.183" to notify the remote controller, which can then control the machine.

16. TrojanDownloader.Purity.b.enc Damage: downloads a Trojan from a preset URL.

First, it copies itself to the system directory as "WinServn.exe" and adds a registry value to start itself. Users can remove it by hand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ContentService": %system%\WinServn.exe

Second, it creates a folder named "purityscan" in the current directory and copies itself there as "purityscan.exe" to tempt the user into running it.

Third, every second the virus tries to download from the following URL and run the result locally:

http://***www.clickspring.net/install/notify.php?PID=PS&MODULE=INSTALL&V=100&b=1015&result=1&Message=%CF%B5%CD%B3%CE%DE%B7%A8%D4%DA%CF%FB%CF%A2%CE%C4%BC%FE%D6%D0%CE%AA %252 %D5%D2%B5%BD%CF%FB%CF%A2%BA%C5%CE%AA 0X%251 %B5%C4%CF%FB%CF%A2%CE%C4%B1%BE%A1%A3&refrer=meadint

(The Message parameter is GBK-encoded Chinese: "系统无法在消息文件中为 %2 找到消息号为 0x%1 的消息文本。", the Windows error "The system cannot find message text for message number 0x%1 in the message file for %2." In other words the installer is reporting a failed FormatMessage lookup back to its server, which tells you the beacon carries status text, not just an identifier.)

17. TrojanDownloader.Purity.b Damage: downloads a Trojan from a preset URL.

Identical to entry 16 (TrojanDownloader.Purity.b.enc) above: WinServn.exe in the system directory, the "ContentService" Run value under HKEY_CURRENT_USER, the "purityscan" folder with a copy of itself, and the same www.clickspring.net notify.php URL polled every second.

18. TrojanDownloader.Purity.a Damage: downloads a program from a preset URL and runs it locally.

First, it copies itself to the current user's "Application Data" folder as "snoa.exe".

Second, it adds a registry value to start itself. Users can remove it by hand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AHMS": C:\Documents and Settings\<User Name>\Application Data\snoa.exe

Third, the virus stays resident in memory and every two hours tries to fetch the following URLs:

http://***66.150.193.111/install/notify.php?pid=remupd&module=warning&v=100&b=1019&result=0&message=check%5Fversions%28%29%3A could not load package definitions page%2E

http://***66.150.193.111/updates/query.php?v=100&b=1019&vt=&c=

(The message parameter decodes to "check_versions(): could not load package definitions page.", a status report from the downloader's update check.)

19. TrojanDownloader.Purity.a.enc Damage: downloads a program from a preset URL and runs it locally.

Identical to entry 18 (TrojanDownloader.Purity.a) above: snoa.exe in the current user's Application Data folder, the "AHMS" Run value under HKEY_CURRENT_USER, and the same two 66.150.193.111 URLs fetched every two hours.
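The message parameters in the Purity URLs of entries 16 to 18 are percent-encoded, and the one in entry 16 does not decode as UTF-8. The following is an added example (not the page's or the Trojan's code) that decodes the query strings quoted above with Python's parse_qsl; the host names and the page's "***" obfuscation are dropped, and GBK is an assumption, chosen because every byte pair in the entry 16 message is a valid GBK character and the Trojan targets Chinese Windows. Decoding with errors="strict" is deliberate: a wrong codec guess should fail loudly rather than silently produce replacement characters in a report.

```python
"""Decode the Purity downloader beacons of entries 16-18 (added example)."""
from urllib.parse import parse_qsl

# Query strings copied from the URLs above; hosts and the page's '***' are dropped.
# The literal spaces inside the Message value are kept exactly as the page shows them.
BEACON_B = ("PID=PS&MODULE=INSTALL&V=100&b=1015&result=1&Message="
            "%CF%B5%CD%B3%CE%DE%B7%A8%D4%DA%CF%FB%CF%A2%CE%C4%BC%FE%D6%D0%CE%AA %252 "
            "%D5%D2%B5%BD%CF%FB%CF%A2%BA%C5%CE%AA 0X%251 %B5%C4%CF%FB%CF%A2%CE%C4%B1%BE%A1%A3"
            "&refrer=meadint")
BEACON_A = ("pid=remupd&module=warning&v=100&b=1019&result=0&message="
            "check%5Fversions%28%29%3A could not load package definitions page%2E")
BEACON_A_QUERY = "v=100&b=1019&vt=&c="


def decode_beacon(query, encoding="gbk"):
    """Percent-decode every parameter with the given codec.

    errors='strict' makes a wrong codec guess raise UnicodeDecodeError instead of
    quietly inserting U+FFFD; keep_blank_values keeps the empty vt= and c= fields,
    which are themselves a fingerprint of the update query."""
    return dict(parse_qsl(query, keep_blank_values=True, encoding=encoding, errors="strict"))


def guess_encoding(query, candidates=("utf-8", "gbk")):
    """Return the first codec in `candidates` under which the whole query decodes."""
    for enc in candidates:
        try:
            decode_beacon(query, enc)
            return enc
        except UnicodeDecodeError:
            continue
    return None


def classify(query):
    """Summarise one beacon as (module, result, message); parameter names are lower-cased
    because the two variants differ only in case (PID/MODULE vs pid/module)."""
    params = {k.lower(): v for k, v in decode_beacon(query, guess_encoding(query)).items()}
    return params.get("module", "").lower(), params.get("result"), params.get("message", "")


if __name__ == "__main__":
    for q in (BEACON_B, BEACON_A, BEACON_A_QUERY):
        print(guess_encoding(q), classify(q))
```

The entry 16 message comes out as the Chinese-locale Windows text for "message text not found" (the English form is "The system cannot find message text for message number 0x%1 in the message file for %2."), so the installer is reporting a failed FormatMessage lookup to its server; the entry 18 beacon reports "check_versions(): could not load package definitions page." Both are worth keeping as network signatures: the parameter names, the b= build number and the literal error strings identify the family more reliably than the host, which changed between the two variants.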

20. Trojan.psw.newsuper.a Damage: Trojan that steals passwords for the game "Legend 2" (Legend of Mir 2).

After running, it copies itself to the %windir% directory and drops its own DLL (detected as Trojan.psw.newsuper.a.dll).

It adds itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to start with the system.

It walks the modules of every process on the system and compares the module names against the following keywords: PFW, iParmor, Eghost, PasswordGuard, DFVSNET, KVFW, KVAPFW. If a module name contains one of them, the virus terminates that process.

It installs a keyboard hook, steals the "Legend 2" password, account, server area and other data, and e-mails them to a preset mailbox.

21. Trojan.psw.tfinalpassword.ua Damage: steals Legend of Mir passwords; calls itself "Legend Killer".

First, it copies itself to the system directory as "cnsmln.exe".

Second, it adds a registry value to start itself:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "cnsmln": cnsmln.exe

Third, it terminates the following anti-virus programs and firewalls:

Ravmon.exe, LockDownmain, ZoneAlarm, Eghost.exe, Mailmon.exe, Kavpfw.exe, NetBargp.exe, Tianwang Firewall (personal edition), Tianwang Firewall (enterprise edition), Mark Mark star phage

Fourth, it collects the following fields and sends them to a preset mailbox:

User Name, Server, Role Name, Modify Password, Current Password, New Password, New User

22. Trojan.psw.tfinalpassword.ub Damage: steals Legend of Mir passwords; calls itself "Legend Killer".

Identical to entry 21 (Trojan.psw.tfinalpassword.ua) above except for the file name: it copies itself to the system directory as "QQINFO.EXE" and starts through

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "QQINFO": Qqinfo.exe

It terminates the same anti-virus and firewall processes and mails out the same login fields.

23. Trojan.psw.newsuper.a.enc Damage: Trojan that steals passwords for the game "Legend 2".

Identical to entry 20 (Trojan.psw.newsuper.a) above: a copy in %windir% plus its DLL, the HKEY_LOCAL_MACHINE Run value, termination of processes whose modules match PFW, iParmor, Eghost, PasswordGuard, DFVSNET, KVFW or KVAPFW, and a keyboard hook that mails the captured account data out.

24. BACKDOOR.SDBOT.GEN.I Damage: backdoor.

After running, it copies itself to the %sysdir% directory and adds itself under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

to start with the system.

It looks for the CD keys of the following games: Battlefield 1942, Battlefield 1942 The Road to Rome, Battlefield 1942 Secret Weapons of WWII, Half-Life.

It spreads over the network by guessing the IPC$ share passwords of other systems.

It runs a service for its controller, who can control the machine remotely over IRC.

25. BACKDOOR.SDBOT.GEN.I.ENC Damage: backdoor.

Identical to entry 24 (BACKDOOR.SDBOT.GEN.I) above: a copy in %sysdir%, the Run and RunServices values, the same Battlefield 1942 and Half-Life CD-key theft, IPC$ password guessing, and remote control over IRC.

26. Worm.NARIT Damage: a worm.

Behaviour: the virus copies itself to the %system% directory as DjfguCxr.exe and modifies System.ini, adding shell=djfgucxr.exe under [boot] so that it is loaded in place of the shell. It also walks every hard drive and copies itself to the root directory as ????.COM (each ? is a random character).

LAN spread: the virus walks the shared resources on the local network and copies itself to them.

Mail spread: the virus reads the SMTP server currently in use from the registry and sends itself with its own SMTP engine.
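Entry 15 points the run= line of win.ini at the virus and this entry rewrites the shell= line of system.ini; both are 16-bit-era auto-start points that survive on Windows 9x/ME and are easy to forget when only the registry is checked. The following is an added example (not from the page) that reads both files and reports anything started from them. The INI contents are constructed; the shell= sample deliberately shows the appended form ("Explorer.exe djfgucxr.exe", an assumption for the sample, where the page reports an outright replacement) because Windows also launches whatever is appended after Explorer.exe, and a check that only looks at the first token misses it.

```python
"""Check win.ini / system.ini auto-start lines abused by entries 15 and 26 (added example)."""

# Constructed samples (not from a real machine) showing both tricks: a run= line in win.ini
# and a second program appended to the shell= line of system.ini.
WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Gserve.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """\
[boot]
shell=Explorer.exe djfgucxr.exe
drivers=mmsystem.dll

[386Enh]
device=*vmcpd
"""


def parse_ini(text):
    """Tiny INI reader: {section (lower-case): {key (lower-case): value}}.
    Comments and lines without '=' are ignored; a duplicated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_ini_autostart(win_ini_text, system_ini_text):
    """Return [(location, value)] for every program auto-started from the two INI files.

    [windows] run= and load= are normally empty; [boot] shell= is normally exactly
    Explorer.exe, and anything appended after it is launched as well."""
    findings = []
    windows = parse_ini(win_ini_text).get("windows", {})
    for key in ("run", "load"):
        if windows.get(key):
            findings.append(("win.ini [windows] %s=" % key, windows[key]))
    shell = parse_ini(system_ini_text).get("boot", {}).get("shell", "")
    # Compare the whole line, not just the first token, so the appended form is caught too.
    if shell.lower() != "explorer.exe":
        findings.append(("system.ini [boot] shell=", shell))
    return findings


if __name__ == "__main__":
    for location, value in check_ini_autostart(WIN_INI, SYSTEM_INI):
        print(location, value)
```

On NT-based systems these files are mostly legacy, but the same two checks still apply to the registry values Windows maps them to, so keep the rule (run=/load= empty, shell= exactly Explorer.exe) and only change where it is read from.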

27. BackDoor.zombie Damage: backdoor.

After running, it copies itself to the %sysdir% directory and adds itself under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to start with the system.

It hides in the background and listens on a UDP port for its controller, offering remote control services such as file operations, registry operations and process management.

28. BACKDOOR.Zombie.enc Damage: backdoor.

Identical to entry 27 (BackDoor.zombie) above: a copy in %sysdir%, the HKEY_CURRENT_USER Run value, and a UDP listener offering file, registry and process control to its controller.

29. TrojanProxy.Win32.Small.h Damage: Trojan.

After running, it adds itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to start with the system, then listens on a port in the background waiting for a connection.

30. TrojanProxy.Win32.Small.h.enc Damage: Trojan.

Identical to entry 29 (TrojanProxy.Win32.Small.h) above: the HKEY_LOCAL_MACHINE Run value and a background listener waiting for a connection.

31. TrojanClicker.Win32.VB.x Damage: silently visits the following URLs:

http://***www.ideepthroat.com http://***www.69.com http://***www.pussy.com http://**wwww.clubseventeenlive.com http://***www.jizzi4.com

32. Trojan.psw.qqdragon.z Damage: new variant of Trojan.psw.qqdragon.

This variant bundles earlier versions: when run it drops an earlier Trojan.psw.qqdragon variant.

33. Trojan.psw.newsuper.a.dll Damage: the DLL used by Trojan.psw.newsuper.a; it contains the keyboard hook with which that Trojan steals "Legend 2" passwords.

34. BackDoor.leetBot Damage: backdoor program.

After running, it copies itself to the %windir% directory as "svchost.exe" and runs in the background serving its controller. The name is borrowed from a legitimate Windows process, but the genuine svchost.exe lives in the system32 directory, not directly in %windir%, which is how to tell the two apart.

35. BACKDOOR.LETBOT.ENC Damage: backdoor.

Identical to entry 34 (BackDoor.leetBot) above.

36. BACKDOOR.DELF.II Damage: backdoor.

After running, it drops the TrojanProxy.Agent.a and TrojanProxy.Delf.a viruses and runs both.

37. BACKDOOR.SPYBOT.GEN.A Damage: a backdoor program; after running it copies itself to the Windows directory and adds a value for itself under the registry Run key.

38. BACKDOOR.SPYBOT.GEN.A.Enc Damage: a backdoor program; identical to entry 37 above.

39. Trojan.dropper.delf.be Damage: a file with Trojans bound into it; the virus drops three files into the System directory and launches them.

40. Trojan.dropper.delf.be.enc Damage: identical to entry 39 above.

41.trojan.dropperdjoiner13.Set.Enc Destroy method: A binding, the tool can compress the file specified by the user and define the path and operational mode after decompression.

42.trojan.dropperdjoiner13.SET destroying method: A binding, the tool can compress the file specified by the user and define the path and operational mode after decompression.

43.trojan.droppergpbinder Destruction Method: A file binding can bundle two EXE files in one and specify the binding icon.

44.trojan.droppergpbinder.enc Destruction method: A file binding can bundle two EXE files in one and specify the binding icon.

45.BACKDOOR.DELF.EB Destroying Method: The latter program is hidden after starting in the background, receives and executes the commands from their clients.

46.trojanProxy.Agent.b Destruction method: Establishes a hidden proxy server in the system after the virus runs; TCP port: 13451

47.TrojanProxy.Agent.b.enc Destruction method: Establishes a hidden proxy server after the virus runs; TCP port: 13451

48.trojanproxy.small.b Destruction method: Establishes a hidden proxy server in the system after the virus runs; TCP port: 9259

49.TrojanProxy.small.b.enc Destruction method: Establishes a hidden proxy server after the virus runs; TCP port: 9259

50.TrojanProxy.Agent.a Destruction method: Establishes a hidden proxy server in the system after the virus runs; TCP port: 1025

51.Constructor.batchgen Destruction method: A script virus generator; parameters can be set to generate a specific script virus.

52.constructor.batchgen.en.Enc Destruction method: A script virus generator; parameters can be set to generate a specific script virus.

53.constructor.smwg.b Destruction method: A script virus generator; parameters can be set to generate a specific script virus.

54.trojan.dropper.xBinder.10 Destruction method: An EXE file binder; bundles two specified files together.

55.trojan.dropper.xbinder.20 Destruction method: An EXE file binder; bundles two specified files together.

56.BACKDOOR.MIRC.Runa Destruction method: A component of a hacker kit; its task is to run a.bat (a PE executable program).

57.trojan.download.BLACKCOBRA Destruction method: An automatic downloader; downloads a file from a specified website and executes it.

58.trojan.downloader.SSD.05 Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

59.trojan.downloader.ssd.05.enc Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

60.trojan.downloader.SSD.04B Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

61.trojan.downloader.SSD.04B.Enc Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

62.trojan.downloader.IstBar.p Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

63.trojan.downloader.Istbar.p.enc Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

64.trojan.downloader.Istbar.m Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

65.trojan.downloader.Istbar.m.enc Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

66.trojan.downloader.skoob Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

67.trojan.downloader.lan Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

68.trojan.downloader.illmob.b Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

69.trojan.downloader.illmob.a Destruction method: An automatic downloader; downloads a file from a specific website and executes it.

70.trojandownloader.win32.deepgal Destruction method: Downloads a virus from http://***DeepskyGalaxy.com/ to the local machine and runs it.

71.trojandownloader.win32.deepgal.enc Destruction method: Downloads a virus from http://***DeepskyGalaxy.com/ to the local machine and runs it.

72.Trojan.qq3344.al Destruction method: Variant of the "Trojan.qq3344" virus; shuts the machine down without warning.

73.trojanclicker.win32.vb.y Destruction method: Silently opens http://***www.cav.ru in IE every other minute.

74.Worm.win32.delinf Destruction method: Worm virus that spreads through shared network directories.

75.BACKDOOR.DELF.IH Destruction method: Server side of a backdoor program

76.BACKDOOR.CABROTOR.10.D.Client Destruction method: Client program of the Backdoor.cabrotor.10.d virus

77.trojan.psw.capwin.a.set Destruction method: A configuration generator for the server component that steals user account passwords and connects to a server.

78.TrojanProxy.webber.20.dll Destruction method: The dynamic link library file the virus uses to carry out its functions.

79.trojan.msnkeylog.a Destruction method: Keylogger tool that records MSN login information.

80.trojanclicker.win32.vb.z Destruction method: Secretly connects to http://***www.armbender.com

81.trojan.psw.puppy.a Destruction method: A Trojan virus that steals user account passwords.

82.trojan.psw.puppy.b Destruction method: A Trojan virus that steals user account passwords.

83.trojan.psw.ldpinch.i Destruction method: A Trojan virus that steals user account passwords.

84.trojan.psw.ldpinch.i.b Destruction method: A Trojan virus that steals user account passwords.

85.trojan.psw.puppy.a.dll Destruction method: Component of the Trojan.psw.puppy program.

86.trojan.psw.capwin.b Destruction method: Component of the Trojan.psw.capwin.b program.

87.trojan.psw.capwin.a.dll Destruction method: Component of the Trojan.psw.capwin.a program.

88.trojan.psw.puppy.b.dll Destruction method: Component of the Trojan.psw.puppy.b program.

89.trojanclicker.win32.vb.w Destruction method: Secretly connects to http://***www.outwar.com

90.trojanclicker.win32.vb.w.enc Destruction method: Secretly connects to http://***www.outwar.com

Please credit the original address when reposting: https://www.9cbs.com/read-52515.html