Source: Symantec
This virus deletes IEXPLORE.EXE under Program Files\Internet Explorer, renames a copy of itself to iexplore.exe in its place, and drops many additional virus files.
The original source article is as follows:
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2010-040208-1901-99&tabid=2
When the virus executes, it drops the following file, which is an executable .rar file:
%System%\reinstall.exe
Next, it deletes the following file:
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
The virus then replaces the above file with its own copy of iexplore.exe:
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
It also drops the following files:
- %ProgramFiles%\Internet Explorer\bootloader.dll
- %ProgramFiles%\Internet Explorer\detoured.dll
- %ProgramFiles%\Internet Explorer\funcition.dll
- %ProgramFiles%\Internet Explorer\funcition.ini
- %ProgramFiles%\Internet Explorer\install.exe
- %ProgramFiles%\Internet Explorer\pserver.exe
- %ProgramFiles%\Internet Explorer\pserver.ini
- %System%\Internet Explorer\bootloader.dll
- %System%\Internet Explorer\detoured.dll
- %System%\Internet Explorer\funcition.dll
- %System%\Internet Explorer\funcition.ini
- %System%\Internet Explorer\iexplore.exe
- %System%\Internet Explorer\install.exe
- %System%\Internet Explorer\pserver.exe
- %System%\Internet Explorer\pserver.ini
Next, it creates the following registry entries so that it executes whenever Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"DllName" = "bootloader.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"Logon" = "OnEventShutDown"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"Shutdown" = "OnEventShutDown"
When the computer restarts, bootloader.dll loads the following files in memory:
- %System%\funcition.dll
- %System%\pserver.exe
The virus creates the following mutex so that only one instance of it exists on the compromised computer:
PSERVER_MY1236363
It may download additional files and updates from the following locations:
- [http://]www.tdbbw.com/getpass/funcit[REMOVED]
- [http://]www.tdbbw.com/getpass/live[REMOVED]
- [http://]www.tdbbw.com/getpass/updat[REMOVED]
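The writeup above gives four classes of indicator (dropped files, Winlogon Notify registry values, a mutex, and three truncated download URLs). The script below is an added example, not Symantec's code, that matches a host inventory against exactly those indicators; the inventory format (a dict of file paths, registry values, mutex names and observed URLs) and the sample inventory are constructed for this example, and the default expansions of %System% and %ProgramFiles% are assumptions for a 32-bit default install. Paths are normalised for case and slash direction, and the URLs are matched by prefix because the writeup redacts their tails.

```python
"""Triage a host inventory against the indicators listed in the writeup above.

Added example, not Symantec's code. Indicator values are taken from the writeup;
the inventory layout and the sample data below are constructed for this example.
"""
import ntpath
import re

# Dropped files from the writeup, in the %Var% form Symantec uses.
# The replaced %ProgramFiles%\Internet Explorer\IEXPLORE.EXE is deliberately
# omitted: the legitimate browser lives at that path, so its presence proves nothing.
DROPPED_FILES = [
    r"%System%\reinstall.exe",
    r"%ProgramFiles%\Internet Explorer\bootloader.dll",
    r"%ProgramFiles%\Internet Explorer\detoured.dll",
    r"%ProgramFiles%\Internet Explorer\funcition.dll",
    r"%ProgramFiles%\Internet Explorer\funcition.ini",
    r"%ProgramFiles%\Internet Explorer\install.exe",
    r"%ProgramFiles%\Internet Explorer\pserver.exe",
    r"%ProgramFiles%\Internet Explorer\pserver.ini",
    r"%System%\Internet Explorer\bootloader.dll",
    r"%System%\Internet Explorer\detoured.dll",
    r"%System%\Internet Explorer\funcition.dll",
    r"%System%\Internet Explorer\funcition.ini",
    r"%System%\Internet Explorer\iexplore.exe",
    r"%System%\Internet Explorer\install.exe",
    r"%System%\Internet Explorer\pserver.exe",
    r"%System%\Internet Explorer\pserver.ini",
]

# Winlogon Notify package named in the writeup: the persistence mechanism.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass"
NOTIFY_VALUES = {"DllName": "bootloader.dll", "Logon": "OnEventShutDown", "Shutdown": "OnEventShutDown"}

MUTEX = "PSERVER_MY1236363"

# The writeup truncates each URL with [REMOVED], so only the visible prefix can be matched.
URL_PREFIXES = [
    "http://www.tdbbw.com/getpass/funcit",
    "http://www.tdbbw.com/getpass/live",
    "http://www.tdbbw.com/getpass/updat",
]

# Assumed expansions for a default install; on a live host read them from the environment.
DEFAULT_ENV = {"System": r"C:\Windows\System32", "ProgramFiles": r"C:\Program Files"}


def normalize_path(path, env=DEFAULT_ENV):
    """Expand %Var% placeholders, unify slashes and case so paths compare reliably."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)
    return ntpath.normpath(expanded.replace("/", "\\")).lower()


def match_files(host_files, env=DEFAULT_ENV):
    """Return the dropped-file indicators that appear in the host's file list."""
    seen = {normalize_path(p, env) for p in host_files}
    return [f for f in DROPPED_FILES if normalize_path(f, env) in seen]


def match_registry(host_values):
    """host_values maps (key, value_name) -> data. Return the Notify values that match."""
    lookup = {(k.lower(), n.lower()): d for (k, n), d in host_values.items()}
    hits = []
    for name, expected in NOTIFY_VALUES.items():
        data = lookup.get((NOTIFY_KEY.lower(), name.lower()))
        if data is not None and data.lower() == expected.lower():
            hits.append(name)
    return hits


def match_mutex(host_mutexes):
    """True if the writeup's single-instance mutex is present on the host."""
    return MUTEX in host_mutexes


def match_urls(host_urls):
    """Prefix match against the redacted download locations."""
    return [u for u in host_urls if any(u.lower().startswith(p) for p in URL_PREFIXES)]


def triage(inventory, env=DEFAULT_ENV):
    """Combine the four indicator classes into one verdict dict."""
    files = match_files(inventory.get("files", []), env)
    reg = match_registry(inventory.get("registry", {}))
    mutex = match_mutex(inventory.get("mutexes", []))
    urls = match_urls(inventory.get("urls", []))
    # The Notify entry or the mutex alone is decisive; for files, require more than one
    # so a single stray DLL name does not trigger on its own.
    infected = bool(reg) or mutex or len(files) >= 2
    return {"files": files, "registry": reg, "mutex": mutex, "urls": urls, "infected": infected}


# Constructed sample inventory (not data from a real host) to exercise the matcher.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\Program Files\Internet Explorer\iexplore.exe",        # legitimate path, ignored
        r"C:\Program Files\Internet Explorer\funcition.dll",
        "C:/Windows/System32/reinstall.exe",                        # forward slashes
        r"C:\Windows\System32\Internet Explorer\PSERVER.EXE",       # different case
    ],
    "registry": {
        (NOTIFY_KEY, "DllName"): "bootloader.dll",
        (NOTIFY_KEY, "Logon"): "OnEventShutDown",
    },
    "mutexes": ["PSERVER_MY1236363"],
    "urls": ["http://www.tdbbw.com/getpass/updat-placeholder",      # constructed tail
             "http://example.invalid/"],
}

if __name__ == "__main__":
    for name, value in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {value}")
```

On a live Windows host the inventory would be filled from the usual sources (file listings of the two directories, an export of the Winlogon\Notify key, a handle or mutex lister, and proxy logs for the URLs); the matching logic stays the same. The file threshold in `triage` is a design choice for this example, not something the writeup specifies.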