¡¡¡¡¸Ãרɱ¹¤¾ß¿ÉÍêÈ«Çå³ý3448¡¢4199¡¢7939µÈÁ÷Ã¥Èí¼þ£¬¸ÃÀàÁ÷Ã¥Èí¼þÊÇһЩ¸ü¸ÄIEä¯ÀÀÆ÷Ê×Ò³µØÖ·µÄ²¡¶¾£¬ËüÃǻ᲻¶ÏµÄÐÞ¸ÄÓû§IEä¯ÀÀÆ÷µÄÖ÷Ò³£¬¸øÓû§´øÀ´¼«´óµÄ²»±ã£¬²¢Í¨¹ýHOOK¼¼ÊõÒþ²Ø×Ô¼º¡£Ö÷ÒªÓÐÒÔÏÂÌص㣺

1.Îļþ×¢²á

²¡¶¾ÊÇÒ»¸öDLL¸ñʽµÄÎļþ£¬ËüÀûÓÃDLLµÄÒ»¸öº¯ÊýÃûΪRundll32µÄº¯Êý°Ñ×Ô¼º×¢²áµ½ÏµÍ³ÖС£

²¢ÇÒ°ÑϵͳÖеÄRundll32.exe¸´ÖÆÒ»·Ý¸±±¾£¬¸ÄÃûΪ8yo.exe(Ëæ»úÎļþÃû)

Ö®ºó²¡¶¾°Ñ×Ô¼º¸´ÖƵ½ÒÔϵĵط½:

%system%j9zpf.dll(Ëæ»úÎļþÃû)

²¢ÊÍ·ÅÁíÍâÒ»·Ý²¡¶¾Îļþ

%system%driversd3t.sys (Ëæ»úÎļþÃû)

2.¸ü¸Ä×¢²á±í

²¡¶¾»á¸ü¸ÄÒÔÏÂÁ½´¦×¢²á±í£¬Ê¹×Ô¼ºÄÜÒÀ¿¿Rundll32ËæWindowsÆô¶¯¡£

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVerionRun

5v(Ëæ»ú) -> C:WINDOWSsystem32

undll32.exe j9zpf.dll Rundll32

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVerionRun

8yo.exe(Ëæ»ú) -> C:WINDOWSsystem328yo.exe C:WINDOWSsystem32driversd3t.sys Rundll32

3.ÔÚQQµÄ°²×ªÄ¿Â¼¿½±´²¡¶¾ÎļþµÄÒ»¸ö¸±±¾£¬²¢Ìæ»»µôQQĿ¼ÏµÄÎļþTIMProxy.dll£¬´ïµ½Æô¶¯²¡¶¾µÄÄ¿µÄ¡£

4.ÖÐÖ¹Ö¸¶¨½ø³Ì

²¡¶¾»á²»¶ÏµÄ¼ì²âϵͳÖеĴ°¿Ú£¬Ò»µ«·¢ÏÖ´°¿Ú±êÌâÀ¸ÉÏ°üº¬ÒÔÏÂ×Ö·ûµÄ£¬

»òϵͳÖнø³ÌÃû°üº¬ÒÔÏÂ×Ö·û´®µÄ½ø³Ìʱ£¬Ç¿ÐйرռÆËã»ú¡£

×Ö·û°üÀ¨:

kill

3448

7939

4199

360save

רɱ

yaass

filemon

regmon

wopticlean

4199_9505

4199 9505

41999505

9505רɱ

icesword

3448רɱ

unlocker

killbox

hijack

ollydbg

ewido anti-spyware

taskmgr

5.×¢ÈëHOOK

Á½¸ö²¡¶¾Îļþ(j9zpf.dllÓëd3t.sys)»á×¢È뵽ϵͳÖÐÿһ¸ö½ø³ÌµÄ¿Õ¼ä£¬

²¢Ê¹ÓÃÁËHOOK¼¼Êõ£¬Òþ²ØÁ˲¡¶¾Ìí¼ÓµÄ×¢²á±íÏîÄ¿¡£

ʹÓû§ÔÚ×¢²á±í±à¼­Æ÷»òһЩÓû§¼¶µÄϵͳÈí¼þÖÐÎÞ·¨¿´µ½²¡¶¾Ìí¼ÓµÄÏîÄ¿¡£

6.¸ü¸ÄIEÖ÷Ò³

²¡¶¾»á²»¶ÏµÄ¸ü¸ÄIEµÄÖ÷ҳΪhttp://www.3448.com »òhttp://www.4199.com»òhttp://www.7939.com

ÑÏÖØÓ°ÏìÁËÓû§µÄ¹¤×÷¡£