[Computer] W32.Pasobir (WORM_QQPASS.ADH) winscok.dll SVOHOST.exe sxs.exe removal tool by Symantec

Virus name: W32.Pasobir (Symantec)
Alias: WORM_QQPASS.ADH [Trend Micro]
W32.Pasobir is a worm that steals passwords and spreads through removable storage devices and insecure settings.
Technical analysis:
Discovered: September 25, 2006
Updated: October 17, 2006 05:14:56 PM GDT
Also Known As: WORM_QQPASS.ADH [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Pasobir is executed, it performs the following actions:

  • Creates the following files and sets their attributes to System and Hidden to avoid easy detection:
    • %System%\SVOHOST.exe - copy of the worm
    • %System%\winscok.dll

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • Adds the value:

    "SoundMam" = "%System%\SVOHOST.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.
  • Attempts to disable antivirus products by ending predetermined processes, removing predetermined registry keys, and stopping predetermined services.
  • Periodically checks for both fixed and removable drives, starting with drive D:, that are attached to the system and copies itself as the following file:

    [DRIVE LETTER]:\sxs.exe
  • Creates the following file, containing instructions to start the worm when the drive is attached to the system:

    [DRIVE LETTER]:\autorun.inf
  • Attempts to record logins and passwords used in QQ messenger and send them to a preconfigured Web site or by email using its own SMTP engine.
  • May download and execute the following files:
  • http://update.cd321.net/si
  • http://update.cd321.net/hi
  • http://update.cd321.net/dow
  • Added from a friend's tip: http://www.cd321.net/ads.htm
Do not visit the URLs above.
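As an added example (not Symantec's FixPasbr tool and not code from this post), the following Python script checks for the indicators listed above: the SoundMam Run value, the two %System% drops with their System+Hidden attributes, and autorun.inf entries that launch sxs.exe. All inputs are constructed samples; in particular the autorun.inf content is made up, since the post does not reproduce the real file.

```python
import configparser
import ntpath
# Indicators as stated in the write-up above (compared case-insensitively)
RUN_VALUE_NAME = "soundmam"
SYSTEM_DROPS = {"svohost.exe", "winscok.dll"}
DRIVE_COPY = "sxs.exe"

def _basename(path):
    # Strip quotes and any trailing arguments, then take the file-name part
    return ntpath.basename(path.strip().strip('"').split(" ")[0]).lower()

def check_run_key(run_values):
    """run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    return [f"Run value {name} -> {data}" for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or _basename(data) in SYSTEM_DROPS]

def check_system_dir(entries):
    """entries: {file name: attribute set} listed from %System%; flags the dropped
    files and notes when they carry the System+Hidden attributes the worm sets."""
    hits = []
    for name, attrs in entries.items():
        if name.lower() in SYSTEM_DROPS:
            flag = " (system+hidden)" if {"S", "H"} <= attrs else ""
            hits.append(f"%System%\\{name}{flag}")
    return hits

def check_autorun_inf(text):
    """Parse autorun.inf text and flag [autorun] entries that launch sxs.exe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return [f"autorun.inf {key}={value}"
            for section in cp.sections() if section.lower() == "autorun"
            for key, value in cp.items(section)
            if value and _basename(value) == DRIVE_COPY]

def scan(run_values, system_entries, autorun_text):
    """Combine the three checks; an empty list means none of the indicators matched."""
    return check_run_key(run_values) + check_system_dir(system_entries) + check_autorun_inf(autorun_text)

# Constructed sample input (not captured data); the real autorun.inf is not in the post
SAMPLE_RUN = {"SoundMam": "C:\\Windows\\System32\\SVOHOST.exe",
              "ctfmon.exe": "C:\\Windows\\System32\\ctfmon.exe"}
SAMPLE_SYSTEM = {"SVOHOST.exe": {"S", "H", "A"}, "winscok.dll": {"S", "H"},
                 "kernel32.dll": {"A"}}
SAMPLE_AUTORUN = "[AutoRun]\nopen=sxs.exe\nshellexecute=sxs.exe\nshell\\Auto\\command=sxs.exe\nshell=Auto\n"

if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN, SAMPLE_SYSTEM, SAMPLE_AUTORUN):
        print("suspicious:", hit)
```

On a live machine the three inputs would come from the Run key, a directory listing of %System%, and the autorun.inf read from each drive from D: onward; the script itself only reports and does not delete anything.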
Removal tool download: http://securityresponse.symantec.com/avcenter/FixPasbr.exe
Before running the removal tool:
1. Disconnect from the network once the download has finished.
2. Close all running programs.
3. Turn off System Restore.
Then run the removal tool; after the scan finishes, reboot and run the tool again to re-check, and finally turn System Restore back on.
If the removal tool does not run normally, reboot into Safe Mode and run it there.