08.22 Virus Alert: "Pigeon Monitor" Gives Hackers Remote Surveillance

  "Pigeon Monitor 297573" (鸽子监视器297573) is a remote-access trojan similar to Gray Pigeon (灰鸽子). It lets the attacker capture live images of the victim's desktop and control the infected machine, and it can update itself automatically.

  "Anti-AV Wendao Account Stealer 98494" (对抗型问道盗号器98494) is an account-stealing trojan with anti-antivirus behaviour. It targets the online game Wendao (问道) and uses techniques similar to those of the AV Terminator (AV终结者) family to fight common antivirus products.

  1. "Pigeon Monitor 297573" (Win32.Troj.huigezi.297573)  Threat level: ★

  This remote-access trojan works in a straightforward way, no different from most common remote-access trojans.

  After the dropper enters the machine, it drops its component files Mole.dll, Mole.ini and Mole.Mol into the %WINDOWS% directory on the system drive; Mole.Mol is a backup copy of the virus itself. At the same time a copy of the virus named system.exe is dropped into %Program Files%\Outlook Express\. The virus registers this copy as a startup entry in the registry so that it runs at boot, with the display name Windows Luck and the description "提供网络访问服务" ("Provides network access services").

  Once running, the virus quietly starts an Internet Explorer process in the background and loads the previously dropped Mole.dll into it, so that it runs hidden. It then obtains the computer name, reads the port number from the Mole.ini configuration file, and tries to create a thread that connects to the attacker's control server at dai**bin.3**2.org.

  If the connection is established, the virus waits for the attacker's commands. With its help the attacker can view the controlled machine's desktop, operate its mouse and keyboard, and modify the contents of the virus configuration file, among other operations.

  The full analysis report for this virus is available in the Kingsoft Virus Encyclopedia (金山病毒大百科): http://vi.duba.net/virus/win32-troj-huigezi-297573-50885.html

  2. "Anti-AV Wendao Account Stealer 98494" (Win32.Troj.KillAV.c.98494)  Threat level: ★

  This account-stealing trojan is able to fight antivirus software. From analysis of the virus code, Duba (毒霸) antivirus engineers believe the author may have borrowed some of the anti-AV techniques of AV Terminator. Its main approach is to watch antivirus activity after entering the system: if it finds itself detected by an antivirus scan, it tries to forcibly close the scanner window. This is, frankly, a rather unsophisticated form of resistance.

  Once the antivirus has been dealt with, the trojan begins stealing accounts; this part of its behaviour is not complicated. First it drops a DLL into %Windows%\system32\, named in the form "original file name + dw.Dll": for example, if the original virus file is 张三.exe, the generated DLL is 张三dw.Dll.

  It then scans the process list and, if it finds the Wendao process, terminates it. When the user logs in again, it records the account name and password entered. The virus also reads the character level, virtual gold coins, silver coins and other details from the user's game configuration file and sends them, together with the account name and password, to a remote address chosen by the virus author.

  The full analysis report for this virus is available in the Kingsoft Virus Encyclopedia (金山病毒大百科): http://vi.duba.net/virus/win32-troj-killav-c-98494-50886.html
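As an added example (not from the advisory or from Kingsoft), a small Python triage script that checks a host inventory for the indicators described in the two sections above: the Mole.* drop set, the system.exe copy and the Windows Luck startup entry of section 1, and the "<original name>dw.Dll" naming pattern of section 2. The %WINDOWS% path, the inventory format and the sample data are assumptions.

```python
"""Offline triage check for the host indicators described in this advisory.
The file listing and autostart entries are assumed to be collected separately."""
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\Windows")             # assumed value of %WINDOWS%
SYSTEM32 = WINDIR / "system32"
OE_DIR = PureWindowsPath(r"C:\Program Files\Outlook Express")
MOLE_FILES = {"mole.dll", "mole.ini", "mole.mol"}   # drop set from section 1

def check_dove_monitor(files, autostart):
    """files: full paths present on the host; autostart: {display name: description}.
    Returns findings for the Mole.* drop set, the system.exe copy and the
    'Windows Luck' startup entry (PureWindowsPath compares case-insensitively)."""
    paths = [PureWindowsPath(f) for f in files]
    findings = []
    mole = sorted(p.name for p in paths if p.parent == WINDIR and p.name.lower() in MOLE_FILES)
    if mole:
        findings.append("dropped files in %WINDOWS%: " + ", ".join(mole))
    if any(p.parent == OE_DIR and p.name.lower() == "system.exe" for p in paths):
        findings.append("virus copy at " + str(OE_DIR / "system.exe"))
    for name, desc in autostart.items():
        if name.lower() == "windows luck" or "提供网络访问服务" in desc:
            findings.append(f"startup entry '{name}' ({desc})")
    return findings

def check_wendao_stealer(files):
    """Section 2: the stealer drops '<original exe name>dw.Dll' into system32.
    Every system32 DLL ending in 'dw.dll' is reported for review; when an .exe
    with the matching base name is also in the inventory, the pair is named."""
    paths = [PureWindowsPath(f) for f in files]
    exes = {p.stem.lower() for p in paths if p.suffix.lower() == ".exe"}
    findings = []
    for p in paths:
        low = p.name.lower()
        if p.parent == SYSTEM32 and low.endswith("dw.dll"):
            base = low[: -len("dw.dll")]
            tag = f"paired with {base}.exe" if base in exes else "no matching exe found"
            findings.append(f"stealer-style DLL {p} ({tag})")
    return findings

SAMPLE_FILES = [  # constructed inventory, not from a real host
    r"C:\Windows\Mole.dll", r"C:\Windows\Mole.ini", r"C:\Windows\Mole.Mol",
    r"C:\Windows\notepad.exe", r"C:\Program Files\Outlook Express\system.exe",
    r"C:\Windows\system32\kernel32.dll", r"C:\Users\test\Downloads\photo_2008.exe",
    r"C:\Windows\system32\photo_2008dw.Dll",
]
SAMPLE_AUTOSTART = {"Windows Luck": "提供网络访问服务", "ctfmon": "CTF Loader"}  # constructed

if __name__ == "__main__":
    for line in check_dove_monitor(SAMPLE_FILES, SAMPLE_AUTOSTART) + check_wendao_stealer(SAMPLE_FILES):
        print(line)
```

The dw.dll suffix match is deliberately broad, so treat those hits as candidates for analyst review rather than confirmed infections.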

  Advice from Kingsoft antivirus engineers

  1. Install a professional antivirus product and keep it fully active to guard against the ever-growing number of viruses. After installing it, keep the main real-time monitors (such as e-mail and memory monitoring) turned on, update frequently, and report any problems you run into; only then is the computer truly protected.

  2. As more and more users play online games and chat over QQ and other instant-messaging tools, account-stealing trojans will inevitably multiply. Users should develop good online habits, such as not visiting dubious websites and not downloading illegal content, to cut off the virus's propagation paths and leave it no opening.

  The Kingsoft Duba antivirus emergency response centre has updated its virus database; updating Duba to the 22 August 2008 virus definitions will detect and remove the viruses above. Users who do not have Kingsoft Duba installed can download the latest Kingsoft Duba 2008 free of charge from http://www.5kdj.com or use Kingsoft Duba online scanning to prevent infection. The Kingsoft Duba antivirus emergency hotline is 010—82331816, where antivirus experts will assist you.




Copyright 2006-2008 Powered By 金山毒霸