File name: koowoo.exe
Virus name: Kaspersky: N/A; Rising: Trojan.DL.Win32.VB.nym

Details:

File changes:
Drops the files %WINDOWS%\koowoo.exe and C:\koowoo.
Drops X:\autorun.inf and X:\koowoo.exe in the root directory of every partition. Contents of autorun.inf:
[Autorun]
open=e:\koowoo.exe
shellexecute=e:\koowoo.exe
shell\Auto\command=e:\koowoo.exe

Registry changes:
The virus creates startup entries:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Run"="%WINDOWS%\koowoo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RavMd"="%WINDOWS%\koowoo.exe"
Disables the "Show all files and folders" option:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000000
Changes the IE home page:
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page"="http://www.8koo.cn/"

Other behaviour:
Connects to the network to download malware:
http://wo[REMOVED].com/ad5588.exe (CPUSH)
http://toolbar.[REMOVED].com/mingyaotoolbar.exe
http://toolbar.[REMOVED].com/auto.exe (invokes mingyaotoolbar.exe to force-install it)
http://wo[REMOVED].com/new.exe (the virus body itself)
Launches IE in the background to visit the following pages:
http://np.[REMOVED].com/?027
http://8[REMOVED].cn/
http://www.[REMOVED].com/index.html
http://dl.[REMOVED].com/movie.html
http://dl.[REMOVED].com/soft.html
http://dl.[REMOVED].com/game.html
http://dl.[REMOVED].com/music.html
http://dl.[REMOVED].com/book.html
http://study[REMOVED].com/index.html
http://1[REMOVED].cn/
http://bhu[REMOVED].com/
http://8[REMOVED].cn/
http://hp.[REMOVED].com/index.html
http://study[REMOVED].com/redirect.asp
Removal:
1. End the process %WINDOWS%\koowoo.exe.
2. Delete the files %WINDOWS%\koowoo.exe, C:\koowoo, X:\autorun.inf and X:\koowoo.exe.
3. Delete the virus startup entries:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Run"="%WINDOWS%\koowoo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RavMd"="%WINDOWS%\koowoo.exe"
4. Edit the registry to restore the "Show all files and folders" option:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000001
5. Reset the IE home page.
6. Download a removal tool and clean out the remaining malware.
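The following PowerShell audit script is an added example, not part of the original report: it checks a host for the indicators listed above (the two startup entries, the SHOWALL value, the IE start page and the dropped files on every drive root) and, with -Remediate, reverses the registry changes described in removal steps 3 to 5. It assumes an elevated prompt and uses about:blank as the replacement home page; ending the process and deleting the files are left to the operator so the sample can be kept for analysis.

```powershell
# Added audit script for the koowoo.exe indicators in this report (example, not the report's own tool).
# Run elevated. -Remediate reverses the registry changes; file deletion is intentionally left manual.
param([switch]$Remediate)

$findings = @()
$dropper  = Join-Path $env:windir 'koowoo.exe'   # %WINDOWS%\koowoo.exe

# Persistence: the two Run entries from the report (paths and value names as listed above)
$runKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Run' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'RavMd' }
)
foreach ($k in $runKeys) {
    $v = (Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue).($k.Name)
    if ($v -and $v -like '*koowoo.exe*') {
        $findings += "Persistence: $($k.Path)\$($k.Name) = $v"
        if ($Remediate) { Remove-ItemProperty -Path $k.Path -Name $k.Name }
    }
}

# Hidden-file suppression: the malware sets SHOWALL\CheckedValue to 0; 1 is the default
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) {
    $findings += "Explorer 'Show all files and folders' disabled (CheckedValue=0)"
    if ($Remediate) { Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord }
}

# IE start page hijack (the domain is the one quoted in the report); about:blank is an assumed safe default
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$sp = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($sp -like '*8koo.cn*') {
    $findings += "IE Start Page hijacked: $sp"
    if ($Remediate) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }
}

# Dropped files: %WINDOWS%\koowoo.exe, C:\koowoo, and autorun.inf / koowoo.exe on every drive root
$paths = @($dropper, 'C:\koowoo')
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $paths += (Join-Path $d.Root 'autorun.inf'), (Join-Path $d.Root 'koowoo.exe')
}
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    # A root autorun.inf is only flagged when it points at koowoo.exe (optical media ship legitimate ones)
    if ($p -like '*autorun.inf' -and -not (Select-String -Path $p -Pattern 'koowoo\.exe' -Quiet)) { continue }
    $findings += "Dropped file present: $p"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No koowoo.exe indicators found.' }
```

Run it once without -Remediate to record what is present, then again with -Remediate after the process has been ended and the files removed, so that nothing re-creates the entries.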