- Registration date
- 2006-9-21
- Last login
- 1970-1-1
Posted on 2006-9-21 15:08:10
Discovered: May 4, 2006
Updated: May 8, 2006 11:13:02 AM ZE9
Type: Trojan Horse
Infection Length: 55,769 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Lootseek.AV is a Trojan horse that disables several security services and opens a back door on the compromised computer.
When Trojan.Lootseek.AV is executed, it performs the following actions:
Creates an svchost.exe process and copies itself to the address space of this newly created process.
Copies an embedded executable to the following location:
%UserProfile%\Local Settings\Temp\tmp1.tmp
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
Copies itself to the following location:
%Windir%\system\smss.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Copies the tmp1.tmp file to the following location:
%System%\nvsvcd.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log
which creates the following service:
Display name: Windows Log
Startup: Automatic
Adds the value:
".nvsvc" = "%WinDir%\System\smss.exe /w"
to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds svchost.exe to the Windows Firewall's list of authorized processes.
Disables several security services, including the following:
wscsvc
kavsvc
SAVScan
Symantec Core LC
navapsvc
wuauserv
Opens a back door on a random TCP port.
Queries a number of predetermined servers.
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
".nvsvc" = "%WinDir%\System\smss.exe /w"
Navigate to and delete the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log
Exit the Registry Editor.
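As an added, read-only check (example code written for this page, not part of the Symantec writeup or of the post above), the following PowerShell script looks for the artifacts the writeup lists, the `.nvsvc` Run value, the `Windows Log` service key, the dropped files, and the security services the trojan disables, and reports what it finds without removing anything. It assumes %System% is System32, a PowerShell 4 or later host (for Get-FileHash), and checks both the XP-era and current temp paths; the firewall entry is not checked.

```powershell
function Test-LootseekAVArtifacts {
    # Returns a list of findings; an empty list means none of the listed artifacts were seen.
    $findings = @()

    # 1. Run-key value ".nvsvc" (the persistence entry named in the writeup)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name '.nvsvc' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value '.nvsvc' = $($run.'.nvsvc')" }

    # 2. Service subkey "Windows Log" and any live service registered under that name
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Log'
    if (Test-Path -LiteralPath $svcKey) { $findings += "Service key present: $svcKey" }
    $svc = Get-Service -Name 'Windows Log' -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service 'Windows Log' registered, status $($svc.Status)" }

    # 3. Dropped files. The legitimate smss.exe lives in %System%, not %Windir%\system,
    #    so a copy in the latter folder is suspicious by location alone. Hash any hit
    #    so it can be matched against vendor data. (%System% assumed to be System32.)
    $paths = @(
        (Join-Path $env:WINDIR 'system\smss.exe'),
        (Join-Path $env:WINDIR 'System32\nvsvcd.exe'),
        (Join-Path $env:USERPROFILE 'Local Settings\Temp\tmp1.tmp'),  # XP-era temp path
        (Join-Path $env:TEMP 'tmp1.tmp')                                # current temp path
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "File present: $p (SHA256 $sha)"
        }
    }

    # 4. Security services the writeup says are disabled: flag any that exist but
    #    are not running (absent services are simply not installed on this host)
    foreach ($name in 'wscsvc', 'wuauserv', 'kavsvc', 'SAVScan', 'Symantec Core LC', 'navapsvc') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') {
            $findings += "Service '$name' present but $($s.Status)"
        }
    }
    return $findings
}

$result = @(Test-LootseekAVArtifacts)
if ($result.Count -eq 0) { 'No Trojan.Lootseek.AV artifacts found.' } else { $result }
```

Run it from an elevated prompt so the HKLM service keys and %Windir% paths are readable; a non-empty result is a lead for the removal steps above, not proof on its own, since the file names are generic.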