Trojan.Win32.A.Qhost.724992
ViRobot engine version: 2012-11-12.01
Target OS platform: MS Windows
Risk on infection: -
Registered: 2019-07-01 18:01:26
■ Trojan.Win32.A.Qhost.724992
A. Infection route
Downloaded from a compromised website, installed by other malware (spyware, adware, droppers, etc.), or spread via USB removable media.
B. Symptoms of infection
1) Disguises itself with a normal folder icon to entice the user into running it.
2) Turns off UAC by modifying the registry. (EnableLUA=0 disables UAC altogether, not just its prompts, and takes effect after the next reboot.)
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Name: EnableLUA
Value: 0
3) Attempts to copy itself to the following path, which is also where the legitimate Session Manager (smss.exe) lives, so the file name alone does not distinguish the two; compare hashes or the digital signature:
C:\WINDOWS\System32\smss.exe
4) Registers itself under the following registry key so that it runs automatically at every logon. The real smss.exe is started by the kernel and never from a Run value, so a Run entry launching smss.exe is itself an indicator:
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: smss
Value: C:\WINDOWS\System32\smss.exe
5) Registers a driver file as a service. (Sr / sr.sys is the System Restore filter driver that ships with Windows XP; the same service is disabled in item 6.)
Key: HKLM\System\CurrentControlSet\services\Sr
Name: ImagePath
Value: \SystemRoot\system32\DRIVERS\sr.sys
6) Prevents the following services from starting by setting their Start value to 4 (SERVICE_DISABLED) in the registry. usnjsvc is the Messenger Sharing USN Journal Reader, wuauserv is Windows Update, srservice and Sr are the System Restore service and its filter driver, SharedAccess is Windows Firewall / Internet Connection Sharing, and ekrn and EhttpSrv are ESET's kernel and HTTP server services:
Key: HKLM\System\CurrentControlSet\services\usnjsvc
Key: HKLM\System\CurrentControlSet\services\wuauserv
Key: HKLM\System\CurrentControlSet\services\srservice
Key: HKLM\System\CurrentControlSet\services\SharedAccess
Key: HKLM\System\CurrentControlSet\services\ekrn
Key: HKLM\System\CurrentControlSet\services\EhttpSrv
Key: HKLM\System\CurrentControlSet\services\Sr
Name: Start
Value: 4
7) Deletes the registry values that Safe Mode boot depends on, so the system can no longer be started in Safe Mode. (Safe Mode configuration lives under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network; compare these keys with a clean host of the same Windows version before relying on Safe Mode for cleanup.)
8) Copies itself to the root of drives E:\, L:\, F:\, G:\, H:\, I:\, J:\ and K:\ and creates an autorun.inf there so that the copy runs when the drive is opened:
Ozel Dosyalar.exe
smss.exe (hidden attribute)
[AutoRun]
Open=smss.exe
Shell\Open=Ac
Shell\Open\Command=smss.exe
The file name and the Shell verb label are Turkish ("Özel Dosyalar" = "Private Files", "Aç" = "Open"), which matches the Turkish vendor domains in the hosts list below. Current Windows versions no longer honour AutoRun on these drives by default, so the copy only spreads to hosts that still allow it, but an autorun.inf in a drive root remains a reliable indicator of an infected drive.
9) Modifies the hosts file (%SystemRoot%\System32\drivers\etc\hosts) to block access to security-related sites by pointing them at 127.0.0.1. Note that the list also covers Microsoft Update (update.microsoft.com, windowsupdate.microsoft.com) and CERT, and that the bare IP-address entries in it have no effect, since the hosts file only resolves names:
127.0.0.1 threatsense.net
127.0.0.1 www.threatsense.net
127.0.0.1 www.zma.com.ar
127.0.0.1 zma.com.ar
127.0.0.1 store.ca.com
127.0.0.1 avira.com
127.0.0.1 www.antivir.com
127.0.0.1 antivir.com
127.0.0.1 www.antivir.com.tr
127.0.0.1 www.avg.com
127.0.0.1 avg.com
127.0.0.1 www.scanwith.com
127.0.0.1 scanwith.com
127.0.0.1 www.avast.gen.tr
127.0.0.1 avast.gen.tr
127.0.0.1 www.avast.com
127.0.0.1 avast.com
127.0.0.1 forum.avast.com
127.0.0.1 www.nod32.com
127.0.0.1 nod32.com
127.0.0.1 novirusthanks.org
127.0.0.1 novirusthanks.org
127.0.0.1 vscan.novirusthanks.org
127.0.0.1 virustotal-uploader.en.softonic.com
127.0.0.1 virscan.org
127.0.0.1 pandasecurity.com
127.0.0.1 www.arcabit.com
127.0.0.1 arcabit.com
127.0.0.1 www.arcabit.pl
127.0.0.1 arcabit.pl
127.0.0.1 www.freedrweb.com
127.0.0.1 freedrweb.com
127.0.0.1 www.drweb.com
127.0.0.1 drweb.com
127.0.0.1 www.drweb-online.com
127.0.0.1 drweb-online.com
127.0.0.1 www.eset.es
127.0.0.1 eset.es
127.0.0.1 www.nod32.com.tr
127.0.0.1 nod32.com.tr
127.0.0.1 nod32.gen.tr
127.0.0.1 www.nod32.gen.tr
127.0.0.1 www.eset.eu
127.0.0.1 eset.eu
127.0.0.1 89.202.157.226
127.0.0.1 www.eset.co.uk
127.0.0.1 eset.co.uk
127.0.0.1 93.184.71.27
127.0.0.1 188.240.47.45
127.0.0.1 www.avp.com
127.0.0.1 avp.com
127.0.0.1 www.nod32-es.com
127.0.0.1 nod32-es.com
127.0.0.1 www.eset.com
127.0.0.1 eset.com
127.0.0.1 www.nod32-a.com
127.0.0.1 nod32-a.com
127.0.0.1 89.202.157.135
127.0.0.1 89.202.157.136
127.0.0.1 89.202.157.137
127.0.0.1 89.202.157.138
127.0.0.1 89.202.157.139
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.com.mx
127.0.0.1 latam.kaspersky.com
127.0.0.1 usa.kaspersky.com
127.0.0.1 kaspersky.com
127.0.0.1 support.kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.bitdefender.es
127.0.0.1 bitdefender.es
127.0.0.1 www.bitdefender.com
127.0.0.1 bitdefender.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 vil.nai.com
127.0.0.1 pctools.com
127.0.0.1 www.pctools.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.symantec.com
127.0.0.1 security.symantec.com
127.0.0.1 shop.symantecstore.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantec.comliveupdate.com
127.0.0.1 service1.symantec.com
127.0.0.1 ftp.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 home.mcafee.com
127.0.0.1 es.mcafee.com
127.0.0.1 la.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 dlpro.avira.com
127.0.0.1 dl1.pro.antivir.de
127.0.0.1 dl2.pro.antivir.de
127.0.0.1 dl3.pro.antivir.de
127.0.0.1 dl1.antivir.net
127.0.0.1 dl2.antivir.net
127.0.0.1 dl3.antivir.net
127.0.0.1 dl2.antivir-pe.com
127.0.0.1 freeav.net
127.0.0.1 avgate.net
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 es.trendmicro.com
127.0.0.1 la.trendmicro.com
127.0.0.1 www.trendsecure.com
127.0.0.1 trendsecure.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.pandasecurity.com
127.0.0.1 avg.com
127.0.0.1 guru.avg.com
127.0.0.1 free.avg.com
127.0.0.1 update.avg.com
127.0.0.1 free.grisoft.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 update.grisoft.cz
127.0.0.1 backup.grisoft.cz
127.0.0.1 akamai.grisoft.cz
127.0.0.1 clamav.net
127.0.0.1 www.clamav.net
127.0.0.1 w32.clamav.net
127.0.0.1 free-av.com
127.0.0.1 www.free-av.com
127.0.0.1 www.avast.com
127.0.0.1 avast.com
127.0.0.1 cert.org
127.0.0.1 www.cert.org
127.0.0.1 update.microsoft.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 sarc.com
127.0.0.1 www.sarc.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-prot.com
127.0.0.1 www.f-prot.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 scanner.virustotal.com
127.0.0.1 virusscan.jotti.org
127.0.0.1 jotti.org
127.0.0.1 novirusthanks.org
127.0.0.1 www.novirusthanks.org
127.0.0.1 scanner.novirusthanks.org
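The following script is an added triage example, not ViRobot/Hauri code, for checking a suspect host against the indicators in section B. It works on data a responder has already collected (a registry snapshot as a dictionary keyed by path, the text of the hosts file, the text of an autorun.inf), so it runs on any OS; the sample inputs at the bottom are constructed from the values quoted above, not captured from a real infection. The list of protected domains is a hypothetical subset of the advisory's hosts list and should be extended to the full list in practice.

```python
"""Offline triage for the Qhost indicators listed in section B.

Added example, not ViRobot/Hauri code. Inputs are data already collected from
the suspect host (registry snapshot as a dict keyed by path, hosts file text,
autorun.inf text), so the checks run on any OS. The sample inputs at the bottom
are constructed from the advisory's values, not captured from an infection.
"""
import re

SERVICE_DISABLED = 4  # Start=4 is SERVICE_DISABLED
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\System\CurrentControlSet\services"
# Services the advisory says are switched off (item 6).
TARGET_SERVICES = ["usnjsvc", "wuauserv", "srservice", "SharedAccess",
                   "ekrn", "EhttpSrv", "Sr"]
# Hypothetical subset of the advisory's hosts list; a name matches if it is
# the domain itself or a sub-domain of it.
BLOCKED_SUFFIXES = ("eset.com", "nod32.com", "symantec.com", "mcafee.com",
                    "kaspersky.com", "avast.com", "avg.com", "avira.com",
                    "microsoft.com", "virustotal.com", "cert.org")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def assess_registry(snapshot):
    """Findings for the registry changes in items 2), 4) and 6)."""
    # Registry paths and value names are case-insensitive, so compare lower-cased.
    reg = {k.lower(): {n.lower(): v for n, v in vals.items()}
           for k, vals in snapshot.items()}
    findings = []
    if reg.get(POLICY_KEY.lower(), {}).get("enablelua") == 0:
        findings.append("UAC disabled: EnableLUA=0")
    for name, cmd in reg.get(RUN_KEY.lower(), {}).items():
        # The real Session Manager is started by the kernel, never from a Run
        # value, so any Run entry that launches smss.exe is suspect.
        if "smss.exe" in str(cmd).lower():
            findings.append(f"Run persistence '{name}' -> {cmd}")
    for svc in TARGET_SERVICES:
        vals = reg.get(f"{SERVICES_KEY}\\{svc}".lower(), {})
        if vals.get("start") == SERVICE_DISABLED:
            findings.append(f"service {svc} disabled (Start=4)")
    return findings

def hijacked_hosts(hosts_text):
    """Names mapped to loopback in a hosts file that belong to a protected domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOOPBACK:
            continue
        for name in names:
            n = name.lower()
            # hosts maps names only; an IP literal on the right-hand side (the
            # advisory's list has several) never matches a lookup, so skip it.
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", n):
                continue
            if any(n == s or n.endswith("." + s) for s in BLOCKED_SUFFIXES):
                hits.append(n)
    return hits

def autorun_launch_targets(autorun_text):
    """Commands an autorun.inf would run: Open=, ShellExecute=, Shell\\<verb>\\Command=."""
    targets, section = [], None
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(value)
    return targets

# Constructed sample input, assembled from the values quoted in section B.
SAMPLE_REGISTRY = {
    POLICY_KEY: {"EnableLUA": 0},
    RUN_KEY: {"smss": r"C:\WINDOWS\System32\smss.exe"},
    SERVICES_KEY + r"\wuauserv": {"Start": SERVICE_DISABLED},
    SERVICES_KEY + r"\SharedAccess": {"Start": SERVICE_DISABLED},
    SERVICES_KEY + r"\Sr": {"Start": SERVICE_DISABLED, "ImagePath": r"\SystemRoot\system32\DRIVERS\sr.sys"},
    SERVICES_KEY + r"\Dhcp": {"Start": 2},  # untouched service, must not be reported
}
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 update.microsoft.com
127.0.0.1 www.eset.com
127.0.0.1 89.202.157.226
127.0.0.1 liveupdate.symantec.comliveupdate.com  # the advisory's garbled entry blocks nothing
"""
SAMPLE_AUTORUN = "[AutoRun]\nOpen=smss.exe\nShell\\Open=Ac\nShell\\Open\\Command=smss.exe\n"

if __name__ == "__main__":
    print(assess_registry(SAMPLE_REGISTRY), hijacked_hosts(SAMPLE_HOSTS),
          autorun_launch_targets(SAMPLE_AUTORUN))
```

On a live Windows host the snapshot can be built with winreg or from a `reg export` of the three keys; the functions deliberately take plain data so the same checks can be run against an offline registry hive or a disk image. The garbled Symantec entry in the sample is kept on purpose: it is copied from the advisory's list and, as the output shows, it never matches a lookup, so it is noise rather than an effective block.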
C. Removal
Detected and removed by ViRobot engine version 2012-11-12.01 or later. After removal, confirm that EnableLUA is back to 1, that the services listed in item 6 have their original Start values, that Safe Mode boot works again, and that the hosts file contains no remaining 127.0.0.1 entries for the domains above; any removable drive that was attached to the infected host should have its root checked for autorun.inf and the two copied files.
D. Risk level
Medium