This is a hacker tool; it is in fact a Trojan file that obtains control of the user's system and then connects to the attacker's remote server, allowing the attacker to steal information from the computer or control it illegally.
Releases the following files to disk:
C:\WINDOWS\services.exe
C:\WINDOWS\rdriv.sys
Deletes the following files from disk:
c:\sample.exe
rdriv.sys
Creates the following registry keys:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions"
"HKLM\System\CurrentControlSet\Services\windows update"
"HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
"HKLM\System\CurrentControlSet\Services\wscsvc"
"HKLM\System\CurrentControlSet\Services\TlntSvr"
"HKLM\System\CurrentControlSet\Services\RemoteRegistry"
"HKLM\System\CurrentControlSet\Services\Messenger"
"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters"
"HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters"
"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"
"HKLM\Software\Microsoft\OLE"
"HKLM\System\CurrentControlSet\Services\rdriv"
Sets the following registry values:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions" "MeltMe" "c:\sample.exe"
"HKLM\System\CurrentControlSet\Services\windows update" "ImagePath" ""C:\WINDOWS\services.exe""
"HKLM\System\CurrentControlSet\Services\windows update" "DisplayName" "windows update"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions" "Installed Time" "4/17/2006, 8:21 PM"
"HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" "AUOptions" ""
"HKLM\System\CurrentControlSet\Services\wscsvc" "Start" ""
"HKLM\System\CurrentControlSet\Services\TlntSvr" "Start" ""
"HKLM\System\CurrentControlSet\Services\RemoteRegistry" "Start" ""
"HKLM\System\CurrentControlSet\Services\Messenger" "Start" ""
"HKLM\System\CurrentControlSet\Control\Lsa" "restrictanonymous" ""
"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters" "AutoShareWks" ""
"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters" "AutoShareServer" ""
"HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters" "AutoShareWks" ""
"HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters" "AutoShareServer" ""
"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" "DoNotAllowXPSP2" ""
"HKLM\Software\Microsoft\OLE" "EnableDCOM" "N"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions" "Record" "b"
"HKLM\System\CurrentControlSet\Services\rdriv" "ImagePath" "C:\WINDOWS\rdriv.sys"
"HKLM\System\CurrentControlSet\Services\rdriv" "DisplayName" "rdriv"
Modifies the following registry values:
"HKLM\Software\Microsoft\Security Center" "UpdatesDisableNotify" ""
"HKLM\Software\Microsoft\Security Center" "AntiVirusDisableNotify" ""
"HKLM\Software\Microsoft\Security Center" "FirewallDisableNotify" ""
"HKLM\Software\Microsoft\Security Center" "AntiVirusOverride" ""
"HKLM\Software\Microsoft\Security Center" "FirewallOverride" ""
Reads information from the following registry keys:
"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions"
The virus connects to the following address specified by its author:
http://windowsupdate.microsoft.com/
Domain: "windowsupdate.microsoft.com" Port: 80 (TCP)
windowsupdate.microsoft.com/
Creates the following process on the system:
"services.exe"
The virus creates a mutex, 0xFFFFFFFF, to prevent more than one instance from running.
Creates the following services on the system:
Service name: "windows update (windows update)"
Image path: ""C:\WINDOWS\services.exe""
Service name: "rdriv (rdriv)"
Image path: "C:\WINDOWS\rdriv.sys"