TV.EXE
Sample name: tv.exe
Source: 卡卡论坛 (Kaka forum)
Creates an autostart entry:
C:\Program Files\Common Files\%SESSIONNAME%\cfmon.exe
Image hijacking (IFEO Debugger entries):
360rp.EXE
360rpt.EXE
360safe.EXE
360safebox.EXE
360sd.EXE
360sdrun.EXE
360tray.EXE
ANTIARP.EXE
arpfw.EXE
ArSwp.EXE
Ast.EXE
AutoRun.EXE
AvMonitor.EXE
ccEvtMgr.EXE
dep360.EXE
egui.EXE
ekrn.EXE
Frameworkservice.EXE
GFUpd.EXE
GuardField.EXE
HijackThis.EXE
IceSword.EXE
Iparmor.EXE
KASARP.EXE
kav32.EXE
KAVPFW.EXE
kavstart.EXE
kissvc.EXE
KpfwSvc.EXE
KRegEx.EXE
krnl360svc.EXE
KSWebShield.EXE
KVMonxp.KXP
KVSrvXP.EXE
KVWSC.EXE
kwatch.EXE
mcshield.EXE
Mmsk.EXE
naPrdMgr.EXE
Navapsvc.EXE
Nod32kui.EXE
PFW.EXE
RAV.EXE
RavMon.EXE
RavMonD.EXE
Ravservice.EXE
RavStub.EXE
RavTask.EXE
RAVTRAY.EXE
Regedit.EXE
rfwmain.EXE
rfwProxy.EXE
rfwsrv.EXE
Rfwstub.EXE
RsAgent.EXE
Rsaupd.EXE
RsMain.EXE
RSTray.EXE
Runiep.EXE
safeboxTray.EXE
ScanFrm.EXE
SREngLdr.EXE
SuperKiller.EXE
TrojanDetector.EXE
Trojanwall.EXE
TrojDie.KXP
VPC32.EXE
VPTRAY.EXE
VsTskMgr.EXE
WOPTILITIES.EXE
Creates a driver:
[npf / npf][Running/Manual Start]
<\??\C:\WINDOWS\system32\drivers\npf.sys><CACE Technologies>
Creates browser add-ons:
C:\Program Files\Common Files\PushWare\cpush.dll
C:\WINDOWS\UoDo\game.dll
Creates a process:
C:\WINDOWS\system32\360traw.exe
DLLs injected into the process C:\WINDOWS\system32\360traw.exe:
C:\WINDOWS\system32\WPCAP.DLL
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\NPPTools.dll
C:\WINDOWS\system32\*.LOG is injected into the Explorer.EXE process (the .LOG file is given a random numeric name)
It then runs cmd /c sc delete 360rp and cmd /c sc delete ekrn to remove services belonging to antivirus products.
Related screenshots: see Figure 1 and Figure 2.
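A defender-side check for the IFEO hijacks listed above, added here as an example and not part of the original post: it enumerates every Image File Execution Options subkey that carries a Debugger value and flags entries that point at an unrecognised debugger, at the cfmon.exe autostart binary named in the post, or at one of the security tools the sample targets. It assumes a Windows host with read access to HKLM; the "known debugger" names are this example's own allow-list, and the security-tool array is a subset of the post's list.

```powershell
# Added example, not from the original post. Reads HKLM only; changes nothing.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Image names the post reports as hijacked (subset of the full list above).
$hijackedInPost = @('360tray.EXE', '360sd.EXE', '360safe.EXE', 'ekrn.EXE', 'egui.EXE',
                    'mcshield.EXE', 'ccEvtMgr.EXE', 'RavMon.EXE', 'KVMonxp.KXP',
                    'IceSword.EXE', 'HijackThis.EXE', 'Regedit.EXE')

# Debugger values that legitimately appear under IFEO on developer machines
# (allow-list chosen for this example; extend it for your environment).
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'drwtsn32.exe')

function Get-IfeoDebuggerHijack {
    foreach ($key in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }

        # Isolate the executable path: the value may be quoted ("C:\path with spaces\x.exe"),
        # bare with arguments appended, or contain variables such as %SESSIONNAME%.
        $exePath = if ($dbg.StartsWith('"')) { ($dbg -split '"')[1] } else { ($dbg -split '\s+')[0] }
        $exePath = [Environment]::ExpandEnvironmentVariables($exePath)
        $leaf = if ($exePath) { Split-Path -Leaf $exePath } else { '' }

        [pscustomobject]@{
            Image           = $key.PSChildName
            Debugger        = $dbg
            DebuggerExists  = if ($exePath) { Test-Path -LiteralPath $exePath } else { $false }
            UnknownDebugger = $knownDebuggers -notcontains $leaf
            LooksLikeSample = $leaf -ieq 'cfmon.exe'      # autostart binary named in the post
            SecurityTool    = $hijackedInPost -contains $key.PSChildName
        }
    }
}

# Print every Debugger entry, then warn on the ones worth triage: an unknown
# debugger, the sample's own binary, or a hijack of a targeted security tool.
$all = Get-IfeoDebuggerHijack
$all | Format-Table -AutoSize
$all | Where-Object { $_.UnknownDebugger -or $_.LooksLikeSample -or $_.SecurityTool } |
    ForEach-Object { Write-Warning "IFEO hijack: $($_.Image) -> $($_.Debugger)" }
```

A Debugger whose target no longer exists (DebuggerExists = False) still blocks the hijacked program from starting, so clean up such entries rather than ignoring them.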
