Win32.Troj.QQRobber.lh是什么病毒 - shashadu.com 杀杀毒病毒库

Win32.Troj.QQRobber.lh 病毒信息
- 病毒别名：N/A
  中文名称：N/A
  威胁级别：★
- 处理时间：N/A
  病毒类型：木马
  影响系统：Win 9x/ME,Win 2000/NT,Win XP,Win 2003
病毒行为：
这是一个盗取QQ号码的木马，病毒伪装成jpg图片欺骗用户点击运行。病毒会记录用户的QQ号码和密码，并发送给种马者。

1、病毒运行后会复制自身到%system%\ntdhcp.exe，并运行。

2、添加如下注册表项，以便开机自启：
[HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run]
"NTdhcp"="C:\WINDOWS\system32\NTdhcp.exe"

3、修改注册表，禁用反病毒软件服务，即将以下键的start值改为0x04,：
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor
HKLM\SYSTEM\CurrentControlSet\Services\MskService
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc
HKLM\SYSTEM\CurrentControlSet\Services\McShield
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
HKLM\SYSTEM\CurrentControlSet\Services\RfwService
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC

4、删除如下注册表项，使杀毒进程无法开机自动运行。
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart

5、病毒运行过程中会搜寻杀毒软件窗口，若找到则发送WM_QUIT消息，令其退出。

6、病毒搜索QQ、TM登录窗口，记录键盘，并连接网络发送给种马者。

点击数：