File name: S168.exe
Virus name: Kaspersky: N/A; Rising: N/A
Details:
File changes:
Dropped files:
%ProgramFiles%\Common Files\Relive.dll
%ProgramFiles%\Internet Explorer\msvcrt.bak
%ProgramFiles%\Internet Explorer\msvcrt.dll
Registry changes:
The virus creates autostart entries (ShellExecuteHooks are loaded into explorer.exe whenever the shell executes something, so the DLLs run in every user's shell):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"
[HKCR\CLSID\{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}\InProcServer32]
"(Default)"="%ProgramFiles%\Internet Explorer\msvcrt.dll"
[HKCR\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}\InProcServer32]
"(Default)"="%ProgramFiles%\Common Files\Relive.dll"
Other behavior:
Deletes the hosts file:
%System%\drivers\etc\hosts
Uses Explorer.exe to access the network and download further malware, which is stored in the %Temp% folder.
Removal:
1. Delete the virus's autostart entries (detailed steps: open SREng - Startup Items - Registry)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"
[HKCR\CLSID\{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}\InProcServer32]
"(Default)"="%ProgramFiles%\Internet Explorer\msvcrt.dll"
[HKCR\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}\InProcServer32]
"(Default)"="%ProgramFiles%\Common Files\Relive.dll"
2. Restart the computer.
3. Delete the files (if Windows reports that a file cannot be deleted, download the Filseclab (费尔) Trojan force-delete tool and remove it forcibly):
%ProgramFiles%\Common Files\Relive.dll
%ProgramFiles%\Internet Explorer\msvcrt.bak
%ProgramFiles%\Internet Explorer\msvcrt.dll
4. In Safe Mode, run a full-disk scan with antivirus software to clean up anything left over.
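The removal steps above can be scripted so that every ShellExecuteHooks entry is resolved to the DLL that actually serves it before anything is deleted. The PowerShell below is an added example written for this page, not a tool from the original analysis or from SREng. The CLSIDs and file paths are the indicators listed above; the "DLL outside the system directory" heuristic, the hosts-file restore and the parameter names are my own assumptions. One caveat worth building in: {AEB6717E-7E19-11d0-97EE-00C04FD91972} is the CLSID of the built-in Windows "URL Exec Hook" served by shell32.dll on a clean Windows XP system, so the script removes that hook only if its InProcServer32 has been redirected to a DLL outside the system directory, rather than unconditionally as step 1 says. Run it from an elevated prompt; without -Remove it only reports, and -WhatIf shows what -Remove would do.

```powershell
<#
 Added example (not part of the original analysis): audit the ShellExecuteHooks
 autostart location, resolve each CLSID to its InProcServer32 DLL, and remove only
 entries that match the IOCs above or point outside the system directory.
 Assumptions (mine): the system-directory heuristic, the default hosts file content,
 and the -Remove switch. Run as Administrator.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$hookKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$classes   = 'HKLM:\SOFTWARE\Classes\CLSID'          # same machine-wide data as HKCR\CLSID
$systemDir = [Environment]::GetFolderPath('System')  # e.g. C:\WINDOWS\system32
$hostsFile = Join-Path $systemDir 'drivers\etc\hosts'

# Indicators taken from the analysis above
$iocClsids = @('{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}', '{D3626E66-B13B-C628-ACDF-BDABCFA265E1}')
$iocFiles  = @('Common Files\Relive.dll', 'Internet Explorer\msvcrt.bak', 'Internet Explorer\msvcrt.dll') |
             ForEach-Object { Join-Path $env:ProgramFiles $_ }

function Resolve-InProcServer {
    # Returns the expanded DLL path registered for a CLSID, or $null if none.
    param([string]$Clsid)
    $key = Join-Path $classes "$Clsid\InProcServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

$findings = @()
if (Test-Path -LiteralPath $hookKey) {
    $hooks = Get-ItemProperty -LiteralPath $hookKey
    # Value names under ShellExecuteHooks are the CLSIDs; skip the PS* metadata properties.
    foreach ($clsid in ($hooks.PSObject.Properties.Name | Where-Object { $_ -like '{*}' })) {
        $dll = Resolve-InProcServer -Clsid $clsid
        $verdict = 'ok'
        if     ($iocClsids -contains $clsid) { $verdict = 'IOC CLSID' }
        elseif (-not $dll)                   { $verdict = 'dangling hook (no InProcServer32)' }
        elseif ($iocFiles -contains $dll)    { $verdict = 'IOC DLL' }
        elseif (-not $dll.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)) {
            $verdict = 'server outside system directory'   # assumption: legit hooks live in system32
        }
        $hash = if ($dll -and (Test-Path -LiteralPath $dll)) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }
        $findings += [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Sha256 = $hash; Verdict = $verdict }
    }
}
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.Verdict -ne 'ok' })) {
        if ($PSCmdlet.ShouldProcess("$hookKey\$($f.Clsid)", 'Remove hook value')) {
            Remove-ItemProperty -LiteralPath $hookKey -Name $f.Clsid -ErrorAction Continue
        }
        $clsKey = Join-Path $classes $f.Clsid
        if ((Test-Path -LiteralPath $clsKey) -and $PSCmdlet.ShouldProcess($clsKey, 'Remove CLSID key')) {
            Remove-Item -LiteralPath $clsKey -Recurse -Force -ErrorAction Continue
        }
    }
    # The DLLs may still be mapped into explorer.exe; the analysis says to reboot first
    # and use a force-delete tool if deletion still fails, so warn rather than abort.
    foreach ($path in $iocFiles) {
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
            try { Remove-Item -LiteralPath $path -Force -ErrorAction Stop }
            catch { Write-Warning "Could not delete $path ($($_.Exception.Message)); reboot and retry" }
        }
    }
    # The dropper deletes hosts; recreate the default single-entry file if it is missing.
    if (-not (Test-Path -LiteralPath $hostsFile) -and $PSCmdlet.ShouldProcess($hostsFile, 'Recreate default hosts')) {
        Set-Content -LiteralPath $hostsFile -Value '127.0.0.1       localhost' -Encoding Ascii
    }
}
```

Run it once without -Remove, confirm that only the two IOC CLSIDs (plus {AEB6717E-...} if its server has been redirected) carry a non-"ok" verdict, then rerun with -Remove, reboot, and retry the file deletions as step 3 describes. Keeping the SHA256 of each resolved DLL in the report gives you something to hand to the AV vendor or to match against other hosts.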