［轉貼］隨身碟病毒--"KAVO(TASO)" 的惡意行為重點

QsTyLe

隨身碟病毒--"KAVO(TASO)" 的惡意行為重點: 目前已知中毒現象： 1.開啟顯示隱藏檔或資料夾可是還是一樣無法顯示隱藏的檔案或資料夾 2.進去我的電腦想要打開硬碟 如 c,d,e槽，卻出現「選擇程式來開啟檔案」 3.即時通登入後會自動關閉 建立檔案- 1.systemrootautorun.inf 2.systemroot********.com exe bat cmd pif (不定) ntde1ect.com ntdelect.com nldelect.com nndelect.com nsdelect.com ntdeIect.com erdeIect.com XAdeIect.com copetttt.com ek.com f.cmd nncu6kk.com g2p3s.exe 8e9gmih.bat lg.cmd um.cmd q83iwmgf.bat rn.exe h.cmd 8h3hh3m.exe bxuup9r.bat w0owgn.bat 2ifetri.cmd 188qsm.bat x.com ep9otvan.com 3wcxx91.cmd e.bat 8ot8y86.exe t.exe 3g08.bat 3.Systemkavo.exe 4.Systemkavo0.dll~kavo9.dll taso.exe taso0~9.dll tavo.exe tavo0~9.dll avpo.exe avpo0~9.dll amvo.exe amvo0~9.dll mmvo.exe mmvo0~9.dll mnso.exe mnso0~9.dll 5.windirDebug***********.dll (亂碼) 6.windirhelp**************.dll (亂碼) 7.windirfly32.dll 8.WIndirpoor32.dll 9.Tempmoil.dll C:\Documents and Settings\Administrator\Local Settings\Temp\*.dll C:\Documents and Settings\Administrator\Local Settings\Temp\taso* C:\WINDOWS\TEMP\taso* C:\WINDOWS\TEMP\*.dll 註：在Win95/98/me System 預設值為 C:\windows\System 在WinNT/2000/XP/2003 System 系統預設值為 C:\WinNT\System32 載入系統服務- explorer.exe(由kavo1.dll執行) 新增登錄檔- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kava HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\kava HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tasa HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tasa tava avpa amva mmva mnsa kava = "System\kavo.exe" (開機後啟動) [HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\FolderHidden\SHOWALL] CheckedValue = 0x00000000 (隱藏於系統當中) 從網路上下載- hxxp://www.1a123.com/jj/cc.rar (Tempcc.rar) www.1a123.com - 61.162.230.89 1a123.com 456kill.com www.om7890.com - 60.169.1.92 Microsofthg.com Microsoftmg.com Microsoftrb.com Om7890.com Tw7890.com

盜：以後記得要加斜線2次阿

※台灣論壇！