Win32.Troj.XSey.a.466944 is a trojan downloader. It starts together with the system's input method editor (IME) and then downloads a designated malicious program from a remote server. The trojan only targets computers that have Microsoft Pinyin IME installed: the registry entries listed below register a keyboard layout (E00E0804) and a Text Services Framework text input processor (TIP) that both reference pintlgnt.ime, the Microsoft Pinyin IME 3.0 module, so that the trojan's code is loaded along with that IME.
Creates the following directories on disk:
C:\WINDOWS\IME
C:\WINDOWS\IME\PINTLGNT
C:\WINDOWS\IME\Shared
C:\WINDOWS\IME\Shared\Res
C:\WINDOWS\IME\CHSIME
C:\WINDOWS\IME\CHSIME\APPLETS
Creates the following registry keys:
"HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E00E0804"
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}"
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}\LanguageProfile\0x00000804\{F3BA9077-6C7E-11D4-97FA-0080C882687E}"
"HKLM\Software\Microsoft\TIP Shared\1.1\IMEPad\2052\AppletCLSIDList\{454E7CD0-2B69-11D2-B004-00805F0C8B6D}"
"HKLM\Software\Microsoft\TIP Shared\1.1\IMEPad\2052\AppletCLSIDList\{6D0FD33B-0F59-4861-858C-17FCC56C7E50}"
"HKLM\Software\Microsoft\TIP Shared\1.1\IMEPad\2052\AppletIIDList"
"HKLM\Software\Microsoft\Windows\CurrentVersion\IME\China\IMEPY\Directories"
"HKCR\.exe\MSIME.China"
"HKCR\.exe\MSIME.China\CLSID"
"HKCR\.exe\MSIME.China\CurVer"
"HKCR\.exe\MSIME.China.1"
"HKCR\.exe\MSIME.China.1\CLSID"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}\InprocServer32"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}\ProgID"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}\VersionIndependentProgID"
"HKCR\.exe\MSPY3.ImeBbo"
"HKCR\.exe\MSPY3.ImeBbo\CLSID"
Sets the following registry values (key, value name, data):
"HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E00E0804" "Layout File" "kbdus.dll"
"HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E00E0804" "ME File" "pintlgnt.ime"
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}" "Enable" "1"
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}\LanguageProfile\0x00000804\{F3BA9077-6C7E-11D4-97FA-0080C882687E}" "Description" "Chinese (Simplified) - Microsoft Pinyin IME 3.0"
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}\LanguageProfile\0x00000804\{F3BA9077-6C7E-11D4-97FA-0080C882687E}" "Display Description" "@PINTLGNT.IME,-61697"
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}\LanguageProfile\0x00000804\{F3BA9077-6C7E-11D4-97FA-0080C882687E}" "IconFile" ""
"HKLM\Software\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}\LanguageProfile\0x00000804\{F3BA9077-6C7E-11D4-97FA-0080C882687E}" "IconIndex" ""
"HKLM\Software\Microsoft\TIP Shared\1.1\IMEPad\2052\AppletIIDList" "0" "{454E7CD1-2B69-11D2-B004-00805F0C8B6D}"
"HKLM\Software\Microsoft\TIP Shared\1.1\IMEPad\2052\AppletIIDList" "1" "{81DA5C72-C8B4-11D3-8E0C-000000000000}"
"HKLM\Software\Microsoft\Windows\CurrentVersion\IME\China\IMEPY\Directories" "MEFileNameNew" "PINTLGNT.IME"
"HKCR\.exe\MSIME.China" "" "PINTLGNT"
"HKCR\.exe\MSIME.China\CLSID" "" "{E4288337-873B-11D1-BAA0-00AA00BBB8C0}"
"HKCR\.exe\MSIME.China\CurVer" "" "MSIME.China.1"
"HKCR\.exe\MSIME.China.1" "" "PINTLGNT"
"HKCR\.exe\MSIME.China.1\CLSID" "" "{E4288337-873B-11D1-BAA0-00AA00BBB8C0}"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}" "" "PINTLGNT"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}\InprocServer32" "" ""
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}\ProgID" "" "MSIME.China.1"
"HKCR\CLSID\{E4288337-873B-11D1-BAA0-00AA00BBB8C0}\VersionIndependentProgID" "" "MSIME.China"
"HKCR\.exe\MSPY3.ImeBbo" "" "MSPY 3.0 ImeBbo Language Model"
Reads from the following registry keys:
"HKLM\System\CurrentControlSet\Control\Keyboard Layouts"
"HKCR\CLSID\{15DFF3B1-27D9-11D4-8472-00C04F7A06E5}\Implemented Categories"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
The trojan connects to a URL chosen by its author:
It downloads http://zz.a***av.com/avp.exe and saves it on the local computer as c:\avp.exe.
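The persistence mechanism above (a keyboard layout and a TSF TIP pointing at an IME module) is easy to miss because the same keys also exist on clean hosts running Microsoft Pinyin. A practical check is to export those hives and diff them against a baseline taken from a known-good machine. The script below is an added example, not code from the original write-up or from any vendor: it parses a `.reg` export, lists every keyboard layout that loads an IME file and every enabled TIP with its COM server, and reports registrations missing from the baseline or loading from outside system32. The export text, the baseline dictionaries and the InprocServer32 path for the TIP CLSID are constructed for illustration; only the layout ID E00E0804, the IME file name and the TIP CLSID come from the write-up.

```python
"""Audit IME and keyboard-layout registrations for hijack indicators.

Added example (not code from the original write-up). It parses a .reg
export of the Keyboard Layouts and CTF\TIP hives and reports registrations
absent from a baseline captured on a clean host. SAMPLE_REG, the baseline
dictionaries and the InprocServer32 path are constructed; the layout ID
E00E0804, its IME file and the TIP CLSID come from the write-up.
"""
import re

KBL_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts"
TIP_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP"
SYSTEM32 = r"c:\windows\system32"  # assumption: on a live host derive this from %SystemRoot%

# Constructed sample export: one plain US layout, the IME layout and TIP from
# the write-up, and an assumed COM server path for the TIP CLSID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E00E0804]
"Layout File"="kbdus.dll"
"Ime File"="pintlgnt.ime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F3BA9074-6C7E-11D4-97FA-0080C882687E}]
"Enable"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{F3BA9074-6C7E-11D4-97FA-0080C882687E}\InprocServer32]
@="C:\\WINDOWS\\IME\\PINTLGNT\\PINTLGNT.IME"
"""

# Constructed baseline: what the clean reference host had registered (assumed values).
CLEAN_LAYOUTS = {"E0010804": "winpy.ime"}
CLEAN_TIPS = set()

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for every [key] block in a .reg file.

    Quoted string data has its .reg escaping undone; dword/hex data is kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1].replace('\\"', '"')
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def get_key(keys, path):
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    want = path.lower()
    return next((v for k, v in keys.items() if k.lower() == want), {})


def enabled_tips(keys):
    """Map each enabled TIP CLSID to the COM server it resolves to (None if not exported)."""
    tips, prefix = {}, TIP_ROOT.lower() + "\\"
    for path, values in keys.items():
        rest = path[len(prefix):]
        if not path.lower().startswith(prefix) or "\\" in rest:
            continue  # only the TIP root key carries Enable; skip LanguageProfile subkeys
        if values.get("Enable", "").lower() in ("1", "dword:00000001"):
            server = get_key(keys, f"HKEY_CLASSES_ROOT\\CLSID\\{rest}\\InprocServer32")
            tips[rest.upper()] = server.get("")
    return tips


def audit(keys, baseline_layouts, baseline_tips):
    """Return findings for IME-loading layouts and TIPs that deviate from the baseline."""
    findings, prefix = [], KBL_ROOT.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        layout_id = path[len(prefix):].upper()
        ime = values.get("Ime File") or values.get("IME File")
        if ime is None:
            continue  # plain keyboard layouts load no IME module
        if layout_id not in baseline_layouts:
            findings.append(f"layout {layout_id}: IME registration not in baseline ({ime})")
        elif baseline_layouts[layout_id].lower() != ime.lower():
            findings.append(f"layout {layout_id}: IME file changed to {ime}")
        if "\\" in ime and not ime.lower().startswith(SYSTEM32):
            findings.append(f"layout {layout_id}: IME loaded from outside system32 ({ime})")
    for clsid, server in enabled_tips(keys).items():
        if clsid not in baseline_tips:
            findings.append(f"TIP {clsid}: enabled but not in baseline (server: {server or 'unknown'})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG), CLEAN_LAYOUTS, CLEAN_TIPS):
        print(finding)
```

On a live host the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" kbl.reg` (and likewise for `HKLM\SOFTWARE\Microsoft\CTF\TIP` and `HKCR\CLSID`); note that `reg export` writes UTF-16LE, so open the file with `encoding="utf-16"` before passing it to `parse_reg_export`. A bare IME file name such as `pintlgnt.ime` is resolved through the loader's search path, so a finding for a new layout should be followed by locating the actual module on disk and checking its signature and hash rather than trusting the registered name.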