Trojan.Win32.KillFiles.ae
2017-11-30 来源:
病毒名称:
Trojan.Win32.KillFiles.ae
类别:木马病毒
病毒资料:
破坏方法:
此病毒是一个用Visual Basic 5.0 编写的,此病毒的图标为一个系统INI文件的图标,因此很容易将此病毒文件误认为是文本文件并将其启错误的启动。此病毒启动后会删除系统文件,然后强行关闭计算机,造成计算机无法正常启动。
1.修改注册表:
此病毒还会修改注册表的下列键值:
HKEY_CURRENT_USER\Software\Microsoft\Internet EXPlorer\Main
"window title" : FCKR EXPLORER :)
这样的话就会使IE启动的后在左上角显示
“FCKR EXPLORER :)”
另外此病毒还会修改下列的注册表键值以破坏系统的设置
HKLM\Software\Microsoft\Windows\CurrentVersion
\SystemRoot = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\WallPaperDir = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\RegistrationExtDLL = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ProgramFilesDir = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\RegisteredOwner = "fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\OtherDevicePath =
"C:\This Computer FUCked by me !(fckR)"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ProductKey = "ASDFG- QWERT-ZXCVB-ADMIN-12345"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ConfigPath = "C:\fckR"
HKLM\Software\Microsoft\Internet Explorer
\CompanyName = "fckR
Corporation"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot = "C:\fckR"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SourcePath = "E:\fckR"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareType
= "SiSTEM"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\PathName = "C:\fckR"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Spooler = "no"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit\TemplateUsed
= "C:\fckR\fck.inf"
HKLM\Software\Microsoft\Windows Scripting Host\Locations\CScript = "%fckR%\System32\cscript.exe"
HKLM\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER = "0"
HKLM\Software\Microsoft\Windows Script Host\Settings\DisplayLogo = "0"
2.此病毒启动后会试图删除系统中的下列文件
%OSDriver%\system32\system.ini
%OSDriver%\system32\win.ini
%OSDriver%\system32\win.com
%OSDriver%\system\system.ini
%OSDriver%\system\win.ini
%OSDriver%\system\win.com
%OSDriver%\system32\wmadmod.dll
%OSDriver%\system32\wmp.ocx
%OSDriver%\system32\winsrv.dll
%OSDriver%\system32\winstrm.dll
%OSDriver%\system32\browser.dll
%OSDriver%\system32\dataclen.dll
%OSDriver%\system32\ifmon.dll
%OSDriver%\system32\lmhsvc.dll
%OSDriver%\system32\msr2c.dll
%OSDriver%\system32\qmgr.dll
c:\msdos.sys
c:\io.sys
c:\command.com
其中%OSDriver% 为操作系统所在的驱动器号。
病毒的清除法: 使用光华反病毒软件,彻底删除。 病毒演示: 病毒FAQ: Windows下的PE病毒。
发现日期: 2004-9-14
此病毒是一个用Visual Basic 5.0 编写的,此病毒的图标为一个系统INI文件的图标,因此很容易将此病毒文件误认为是文本文件并将其启错误的启动。此病毒启动后会删除系统文件,然后强行关闭计算机,造成计算机无法正常启动。
1.修改注册表:
此病毒还会修改注册表的下列键值:
HKEY_CURRENT_USER\Software\Microsoft\Internet EXPlorer\Main
"window title" : FCKR EXPLORER :)
这样的话就会使IE启动的后在左上角显示
“FCKR EXPLORER :)”
另外此病毒还会修改下列的注册表键值以破坏系统的设置
HKLM\Software\Microsoft\Windows\CurrentVersion
\SystemRoot = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\WallPaperDir = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\RegistrationExtDLL = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ProgramFilesDir = "C:\fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\RegisteredOwner = "fckR"
HKLM\Software\Microsoft\Windows\CurrentVersion
\OtherDevicePath =
"C:\This Computer FUCked by me !(fckR)"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ProductKey = "ASDFG- QWERT-ZXCVB-ADMIN-12345"
HKLM\Software\Microsoft\Windows\CurrentVersion
\ConfigPath = "C:\fckR"
HKLM\Software\Microsoft\Internet Explorer
\CompanyName = "fckR
Corporation"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot = "C:\fckR"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SourcePath = "E:\fckR"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareType
= "SiSTEM"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\PathName = "C:\fckR"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Spooler = "no"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit\TemplateUsed
= "C:\fckR\fck.inf"
HKLM\Software\Microsoft\Windows Scripting Host\Locations\CScript = "%fckR%\System32\cscript.exe"
HKLM\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER = "0"
HKLM\Software\Microsoft\Windows Script Host\Settings\DisplayLogo = "0"
2.此病毒启动后会试图删除系统中的下列文件
%OSDriver%\system32\system.ini
%OSDriver%\system32\win.ini
%OSDriver%\system32\win.com
%OSDriver%\system\system.ini
%OSDriver%\system\win.ini
%OSDriver%\system\win.com
%OSDriver%\system32\wmadmod.dll
%OSDriver%\system32\wmp.ocx
%OSDriver%\system32\winsrv.dll
%OSDriver%\system32\winstrm.dll
%OSDriver%\system32\browser.dll
%OSDriver%\system32\dataclen.dll
%OSDriver%\system32\ifmon.dll
%OSDriver%\system32\lmhsvc.dll
%OSDriver%\system32\msr2c.dll
%OSDriver%\system32\qmgr.dll
c:\msdos.sys
c:\io.sys
c:\command.com
其中%OSDriver% 为操作系统所在的驱动器号。
病毒的清除法: 使用光华反病毒软件,彻底删除。 病毒演示: 病毒FAQ: Windows下的PE病毒。
发现日期: 2004-9-14
标签: isp
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点!
本站所提供的图片等素材,版权归原作者所有,如需使用,请与原作者联系。
上一篇:DOS.Abbas
最新资讯
热门推荐