Two sites~
Symantec:
http://www.syman...m.tw/
Trend Micro:
http://www.trendmicro.com/...erprise.htm
I had a look on Symantec's site; the closest match is the writeup on "PWSteal.Lineage". (Some of it is in English, some in Japanese, no Chinese, sadly.)
It does the following:
1. The virus copies itself to the following programs...
%ProgramFiles%\rundll32.exe
%ProgramFiles%\explorer.exe
%ProgramFiles%\Internat.exe
%Windir%\rundll32.exe
%Windir%\Internat.exe
Different versions will show up differently...
Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
The genuine Microsoft "rundll32.exe" exists in %system%.
The genuine Microsoft "Internat.exe" exists in %system%.
The genuine Microsoft "explorer.exe" exists in %windir%.
2.Adds one of the following values:
"[Random Name]" = "%ProgramFiles%\rundll32.exe"
"[Random Name]" = "%ProgramFiles%\explorer.exe"
"[Random Name]" = "%ProgramFiles%\Internat.exe"
"[Random Name]" = "%windir%\rundll32.exe"
"[Random Name]" = "%windir%\Internat.exe"
Best to clean out the registry key too..
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Creates the file %system%\htdll.dll
4. Sends the collected Lineage passwords out to:
pchome.com.tw
tom.com
163.com
Removal method:
1. Turn off System Restore
(because the system automatically restores deleted files, and those deleted files may contain the virus, so turn it off for now)
2. Update your antivirus program to the latest virus definitions
3. Boot into Safe Mode
4. Do a full system scan and delete every virus it detects
5. Reverse the changes made to the registry. (I can't translate this one ><" sorry)
Hope this helps...
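Added example (not from the original post or from Symantec's writeup): the point the writeup makes is that the trojan hides behind the names of real Windows binaries but drops them in the wrong folder, and registers them under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with a random value name. The script below turns that into a check: given the Run key's (value name, command) pairs and the %Windir%/%System%/%ProgramFiles% mapping, it flags any entry whose executable is called rundll32.exe, Internat.exe or explorer.exe but does not live in the genuine location the writeup lists. The function names, the sample Run entries and the sample environment mapping are my own constructed assumptions for illustration; `read_run_key_live` is an untested convenience for running the same check on a real Windows box.

```python
"""Check HKLM ...\CurrentVersion\Run entries for the PWSteal.Lineage pattern:
a known Microsoft binary name pointing outside the folder the genuine binary
lives in.  Example code written for this post, not Symantec's or Microsoft's."""
import ntpath
import re

# Genuine locations from the writeup, keyed by lowercase file name.
GENUINE_LOCATION = {
    "rundll32.exe": "%System%",
    "internat.exe": "%System%",
    "explorer.exe": "%Windir%",
}

_VAR = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Expand %Var% tokens case-insensitively using the supplied mapping;
    unknown variables are left untouched."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def image_path(command):
    """Pull the executable path out of a Run value.  A quoted path is taken
    as-is; an unquoted one is cut at the first ".exe" so that arguments after
    the binary (and spaces inside the path) are handled.  Heuristic, assumed."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"\s*(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def suspicious_run_entries(run_values, env):
    """Return (value_name, expanded_path, expected_dir) for every entry that
    names a watched system binary but points outside its genuine folder."""
    hits = []
    for name, command in run_values:
        path = expand(image_path(command), env)
        base = ntpath.basename(path).lower()
        if base not in GENUINE_LOCATION:
            continue  # not one of the names the trojan masquerades as
        expected_dir = expand(GENUINE_LOCATION[base], env)
        if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(expected_dir):
            hits.append((name, path, expected_dir))
    return hits


def read_run_key_live():
    """On a real Windows machine, read the Run key via winreg and build the
    env mapping from the process environment (not exercised offline)."""
    import os
    import winreg
    values, i = [], 0
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once the index runs past the last value
                break
            values.append((name, str(data)))
            i += 1
    windir = os.environ["WINDIR"]
    env = {"Windir": windir,
           "System": ntpath.join(windir, "System32"),
           "ProgramFiles": os.environ["ProgramFiles"]}
    return values, env


# Constructed sample data (an XP-style layout plus two trojan-style entries).
SAMPLE_ENV = {
    "Windir": r"C:\Windows",
    "System": r"C:\Windows\System32",
    "ProgramFiles": r"C:\Program Files",
}
SAMPLE_RUN_VALUES = [
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),   # benign, not a watched name
    ("internat.exe", r"%System%\internat.exe"),       # watched name, genuine folder
    ("x7kq2", r'"C:\Program Files\rundll32.exe"'),    # random name, wrong folder
    ("mzp01", r"%Windir%\Internat.exe"),              # random name, wrong folder
    ("shell", r"%Windir%\explorer.exe"),              # watched name, genuine folder
]

if __name__ == "__main__":
    for name, path, expected in suspicious_run_entries(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print(f"suspicious: Run\\{name} -> {path} (genuine copy lives in {expected})")
```

Any hit is a Run value to delete and a file to submit to your AV vendor; the matching check is only on the three names the writeup lists, so a sample that uses a different disguise would need its own entry in `GENUINE_LOCATION`.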