Two websites~
Symantec:
http://www.syman...m.tw/
Trend Micro:
http://www.trendmicro.com/...erprise.htm
I went looking on Symantec's site; the closest match is the write-up for "PWSteal.Lineage" (some of it is in English, some in Japanese, no Chinese, sadly).
It does the following:
1. The virus copies itself to the following programs...
%ProgramFiles%\rundll32.exe
%ProgramFiles%\explorer.exe
%ProgramFiles%\Internat.exe
%Windir%\rundll32.exe
%Windir%\Internat.exe
Different versions show up differently...
Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
The genuine Microsoft "rundll32.exe" exists in %system%.
The genuine Microsoft "Internat.exe" exists in %system%.
The genuine Microsoft "explorer.exe" exists in %windir%.
2. Adds one of the following values:
"[Random Name]" = "%ProgramFiles%\rundll32.exe"
"[Random Name]" = "%ProgramFiles%\explorer.exe"
"[Random Name]" = "%ProgramFiles%\Internat.exe"
"[Random Name]" = "%windir%\rundll32.exe"
"[Random Name]" = "%windir%\Internat.exe"
Best to clean out the registry key too..
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Creates the file %system%\htdll.dll
4. Sends the collected Lineage passwords out to:
pchome.com.tw
tom.com
163.com
Removal:
1. Turn off System Restore
(because the system automatically restores deleted files, and those deleted files may contain the virus, so turn it off temporarily)
2. Update the antivirus to the latest definitions
3. Boot into Safe Mode
4. Do a full-system scan and delete everything it detects
5. Reverse the changes made to the registry. (I don't know how to translate that ><" sorry)
Hope this helps...
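A quick way to check a box for the indicators listed in the reply above, as an added example (not code from the post, from Symantec or from Trend Micro): the script looks for the five dropped copies and the htdll.dll the write-up names, and for any value under the HKLM Run key that launches one of those copies. It assumes the NT-family defaults from the notes (%System% = %Windir%\System32); the Run-key lookup only runs on Windows, and the path list, the sample Run values in the usage comment and the `exists` hook are this example's own.

```python
"""Check for the PWSteal.Lineage indicators from the write-up.

Added example, not code from the original post or from the AV vendors.
Rule encoded: genuine rundll32.exe/Internat.exe live only in %System% and
explorer.exe only in %Windir%, so the copies below, plus %System%\\htdll.dll
and any Run value that launches one of them, are indicators.
"""
import os
import sys

# Dropped files exactly as listed in the write-up, with its folder variables.
INDICATOR_FILES = [
    r"%ProgramFiles%\rundll32.exe",
    r"%ProgramFiles%\explorer.exe",
    r"%ProgramFiles%\Internat.exe",
    r"%Windir%\rundll32.exe",
    r"%Windir%\Internat.exe",
    r"%System%\htdll.dll",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# XP defaults from the notes; assumption: an NT-family layout (System32).
DEFAULT_FOLDERS = {
    "%Windir%": r"C:\Windows",
    "%System%": r"C:\Windows\System32",
    "%ProgramFiles%": r"C:\Program Files",
}


def host_folders():
    """Resolve the write-up's variables from this host's environment."""
    windir = os.environ.get("SystemRoot", DEFAULT_FOLDERS["%Windir%"])
    return {
        "%Windir%": windir,
        "%System%": windir.rstrip("\\") + r"\System32",
        "%ProgramFiles%": os.environ.get("ProgramFiles", DEFAULT_FOLDERS["%ProgramFiles%"]),
    }


def expand(template, folders):
    """Replace %Windir%/%System%/%ProgramFiles% with real folders."""
    for var, real in folders.items():
        template = template.replace(var, real)
    return template


def normalize(path):
    """Case-insensitive, backslash-only form for comparisons."""
    return path.replace("/", "\\").rstrip("\\").lower()


def launched_image(data):
    """Image path a Run value starts: quoted path, or up to the first '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    if idx >= 0:
        return data[: idx + 4]
    parts = data.split()
    return parts[0] if parts else data


def check_files(folders, exists=os.path.exists):
    """(real path, template) for each indicator file present; `exists` is injectable."""
    return [(expand(t, folders), t) for t in INDICATOR_FILES if exists(expand(t, folders))]


def check_run_values(values, folders):
    """(value name, data, template) for Run values launching a dropped copy."""
    bad = {normalize(expand(t, folders)): t for t in INDICATOR_FILES}
    hits = []
    for name, data in values.items():
        image = normalize(launched_image(data))
        if image in bad:
            hits.append((name, data, bad[image]))
    return hits


def read_run_key():
    """Enumerate HKLM\\...\\Run; Windows only, returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


def main():
    folders = host_folders()
    files = check_files(folders)
    hits = check_run_values(read_run_key(), folders)
    for path, template in files:
        print(f"[file] {path}  (indicator {template})")
    for name, data, template in hits:
        print(f"[run ] {RUN_KEY}\\{name} = {data}  (launches {template})")
    if not files and not hits:
        print("no PWSteal.Lineage indicators found")
    return bool(files or hits)


if __name__ == "__main__":
    # Usage: run it, then do the actual deletion from Safe Mode after the scan.
    sys.exit(1 if main() else 0)
```

The script only reports; it does not delete anything, so the order in the reply still applies (System Restore off, definitions updated, Safe Mode, scan, then remove the Run value whose data points at a dropped copy). The `exists` hook on `check_files` is there so the matching logic can be exercised against a constructed file list without a Windows host.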