加强对恶意程序的查杀力度
文件名:7.exe
运行后,会修改注册表:
注册表键: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
注册表值: CPushSetup
类型: REG_SZ
值: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\PushWare\cpush.dll"
使用瑞星最新版本的无法检测到,运行未拦截。
360有提示。
文件名:9[1].exe
该程序创建注册表:
| HKLM\SOFTWARE\IETimber |
| HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess |
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\IETimber
|
修改注册表:
| HKLM\SOFTWARE\IETimber | AgentID | -33554342 |
| HKLM\SOFTWARE\IETimber | Install_Dir | C:\Program Files\Internet Explorer\IETimber |
| HKLM\SOFTWARE\IETimber | TM | 0 |
| HKLM\SOFTWARE\IETimber | ToolBarVer | 2.0.0.9 |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess | BrowseNewProcess | yes |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\IETimber | ie | |
| HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess | BrowseNewProcess | yes |
| HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ | BaseClass | Drive |
| HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ | BaseClass | Drive |
多引擎分析结果:
http://www.virscan.org/report/56d945c61fa75233a08fa0c6269c7ba6.html用户系统信息:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
