
Yesterday I opened Run, typed regedit, clicked Edit and typed microsoftie412.dll into the Find box. It found an entry with Name: 000, Type: REG_SZ, Data: microsoftie412.dll.

When I searched around just now, microsoftie412.dll looks like it is a trojan.

Could someone tell me whether the microsoftie412.dll I found is a trojan?

20 points..

2007-02-22 17:03:52 · 1 answer · asked by 1 in Computers & Internet, Software

1 answer

To the original poster: microsoftie412.dll is not the trojan itself; it is an additional file dropped by the malware. The malware is named Infostealer.Gashlio.
1. When Infostealer.Gashlio is executed, it performs the following actions:
Copies the following file: %System%\Kerne1412.exe

Note: %System% is a variable that refers to the System folder.
By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Drops the following file, which is a copy of Infostealer.Lineage: %System%\microsoftie412.dll

3. Adds the value: load = %System%\Kerne1412.exe
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows so that it is executed every time the current user logs on.
</gg_replace>
<gr_replace lines="28" cat="reformat" orig="4.Hooks">
4. Hooks keyboard and mouse events to monitor the active window.
4.Hooks keyboard and mouse events to monitor the active window.

5. Logs keystrokes if the active window has the following characteristics:
Window title: Lineage Windows Client
Window class: Lineage

6. May steal the [item]password, which is related to items, such as weapons, used in the online role-playing game.

7. If an Internet Explorer window is open, it checks whether the URL is one of the following:
[ https://]gash.gamania.com/gash_logi[REMOVED ]
[ http://]www.gamania.com/gash_logi[REMOVED ]
[ http://]gash.gamania.com/gash_logi[REMOVED ]
[ https://]gash.gamania.com/joinwi[REMOVED ]
[ https://]gash.gamania.com/gashin[REMOVED ]
[ https://]goodlock.gamania.com/index[REMOVED ]
[ http://]www.gamania.com/ghome/home_ce[REMOVED ]
[ http://]www.gamania.com
[ http://]www.gamania.com
[ http://]www.gamania.com/defau[REMOVED ]
[ https://]gash.gamania.com/gashinclude/top[REMOVED ]
[ https://]gash.gamania.com/joinwi[REMOVED ]
[ https://]gash.gamania.com/querya[REMOVED ]
[ https://]goodlock.gamania.com
[ https://]gash.gamania.com/openmai[REMOVED ]
[ https://]goodlock.gamania.com/changeserv[REMOVED ]

8. Steals the user's account name and password for [GASH points], a real-money currency used on gamania.com.
9. The log is stored in the file C:\log.txt and may be sent to the attacker by e-mail.

I suggest you immediately turn off System Restore, update your antivirus software's virus definitions to the latest version, and then run a full system scan to see whether it can quarantine, repair and delete it; after that, manually delete the dropped files.
If it cannot be deleted in normal mode, you must scan, quarantine, repair and delete it in Safe Mode, shut the machine down for 30 seconds, then boot normally and complete the manual removal below.

Start (bottom left) > Run > type regedit > Enter
Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the right pane, delete the value: [load] = [%System%\Kerne1412.exe]
Exit the Registry Editor.

2007-02-22 17:43:28 · answer #1 · answered by 自在 7 · 0 0
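As an added example (not part of the original answer or the vendor writeup it paraphrases), the following PowerShell script checks a machine for the indicators the answer lists before anything is removed by hand: the "load" value under the HKEY_CURRENT_USER Windows subkey, the two dropped files, and the C:\log.txt keystroke log. It assumes %System% resolves to $env:SystemRoot\System32 (NT-based Windows, as the answer's note states for 2000/XP); the function name Test-GashlioIndicators and the report format are my own, and no file hashes are checked because the page gives none. Run it as the affected user, since the persistence value lives under HKCU.

```powershell
# Added detection check for the Infostealer.Gashlio indicators named in the answer above.
# Example code, not from the original post. Indicator names (Kerne1412.exe,
# microsoftie412.dll, the "load" value, C:\log.txt) come from the answer;
# the %System% = System32 mapping is an assumption for NT-based Windows.

$indicators = @{
    RegistryKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    RegistryValue = 'load'
    DroppedFiles  = @(
        (Join-Path $env:SystemRoot 'System32\Kerne1412.exe'),
        (Join-Path $env:SystemRoot 'System32\microsoftie412.dll')
    )
    LogFile       = 'C:\log.txt'
}

function Test-GashlioIndicators {
    # SupportsShouldProcess lets the caller pass -WhatIf to see what would be
    # removed without touching the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $findings = @()

    # 1. Persistence: HKCU\...\Windows\load pointing at Kerne1412.exe.
    #    An empty or absent "load" value is the normal state on a clean system.
    $value = Get-ItemProperty -Path $indicators.RegistryKey `
                              -Name $indicators.RegistryValue -ErrorAction SilentlyContinue
    if ($value -and $value.load -match 'Kerne1412\.exe') {
        $findings += [pscustomobject]@{
            Type     = 'Registry'
            Location = "$($indicators.RegistryKey)\$($indicators.RegistryValue)"
            Detail   = $value.load
        }
        # Only remove the value when the caller did not ask for -WhatIf.
        if ($PSCmdlet.ShouldProcess("$($indicators.RegistryKey)\load", 'Remove persistence value')) {
            Remove-ItemProperty -Path $indicators.RegistryKey -Name $indicators.RegistryValue
        }
    }

    # 2. Dropped files: record presence and a SHA-256 so the sample can be
    #    submitted to the AV vendor before it is deleted.
    foreach ($file in $indicators.DroppedFiles) {
        if (Test-Path -LiteralPath $file) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $file; Detail = "SHA256=$hash" }
        }
    }

    # 3. Keystroke log named in the answer.
    if (Test-Path -LiteralPath $indicators.LogFile) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $indicators.LogFile; Detail = 'possible keystroke log' }
    }

    if ($findings.Count -eq 0) {
        Write-Host 'No Infostealer.Gashlio indicators found.'
    }
    return $findings
}

# Dry run first: report findings and show what would be removed.
Test-GashlioIndicators -WhatIf | Format-Table -AutoSize
```

Run the dry run first and keep the hashes it prints; once the antivirus scan the answer recommends has been completed, run Test-GashlioIndicators without -WhatIf to clear the "load" value, then delete the dropped files by hand as the answer describes. The script deliberately does not delete the files itself, so a sample survives for the vendor if the scanner did not already recognize it.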
