卡巴斯基中国地区每周病毒报告

主页→网络威胁→ 卡巴斯基中国地区每周病毒报告

卡巴斯基中国地区每周病毒报告

2009年12月28日至2010年01月03日

排名	病毒名称	病毒类型	周爆发率(%)
1.	not-a-virus:AdWare.Win32.BHO.gtq	广告软件	12.40
2.	HEUR:Trojan.Win32.Generic	木马	7.93
3.	Trojan-Dropper.Win32.Agent.bkao	木马	7.85
4.	Trojan-Dropper.Win32.Small.edx	木马	6.09
5.	Trojan-Dropper.Win32.Agent.bjzk	木马	5.33
6.	HEUR:Trojan.Win32.StartPage	木马	4.66
7.	Trojan.Win32.Pakes.lmb	木马	4.17
8.	Trojan-Dropper.Win32.Agent.bjck	木马	2.38
9.	HEUR:Trojan-Downloader.Win32.Generic	木马	2.13
10.	Trojan-Downloader.Win32.Agent.cuap	木马	1.81

关注恶意软件：

名称：“杀毒软件”克星木马（Trojan-Dropper.Win32.Agent）
大小：25088字节
是否加壳：否
影响的平台：WIN9X/ME/NT/2000/XP/2003/Vista/Win7

具体表现：

感染计算机后，木马会释放以下文件到系统：

%systemroot%\TEMP\Sermon.sys %temp%\Random.bat

还会下载文件：

http://pc1.114central.com/ooo/0.exe http://pc2.114central.com/ooo/0.exe http://pc3.114central.com/ooo/0.exe http://pc4.114central.com/ooo/0.exe http://pc5.114central.com/ooo/0.exe http://pc6.114central.com/ooo/0.exe http://pc7.114central.com/ooo/0.exe http://pc8.114central.com/ooo/0.exe http://pc9.114central.com/ooo/0.exe http://pc10.114central.com/ooo/0.exe http://pc11.dy2004.com/ooo/0.exe

修改注册表:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = 3(次) "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = 3(次) "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = 2(次) "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = 2(次) "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\修复工具.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\修复工具.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe\Debugger = "ntsd -d" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray. = 新建子键 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.\Debugger = "ntsd -d"

进入系统后，木马会首先释放一个驱动文件Sermon.sys，并将其加载为服务运行。此服务会映像劫持系统上安装的所有常见杀毒软件，强制将这些软件关闭。同时，木马还会在计算机临时目录下释放一个批处理文件random.bat，运行并删除驱动文件、木马以及批处理文件自身，不留下任何感染痕迹。获取计算机的控制权限后，已启动的服务程序会连接远程服务器，下载恶意程序到计算机本地，给计算机用户造成更为严重的损失。

专家预防建议:

1.建立良好的安全习惯，不打开可疑邮件和可疑网站。
2.不要随意接收聊天工具上传送的文件以及打开发过来的网站链接。
3.使用移动介质时最好使用鼠标右键打开使用，必要时先要进行扫描。
4.现在有很多利用系统漏洞传播的病毒，所以给系统打全补丁也很关键。
5.安装专业的防毒软件升级到最新版本，并开启实时监控功能。
6.为本机管理员帐号设置较为复杂的密码，预防病毒通过密码猜测进行传播，最好是数字与字母组合的密码。
7.不要从不可靠的渠道下载软件，因为这些软件很可能是带有病毒的。

美洲:

西欧:

东欧:

中东 & 非洲

亚洲 & 太平洋地区