病毒文件是个帮助文件oqtxde.chm,杀毒软件的命名为:Trojan-Clicker.Win32.Costrat.es
1、Trojan-Clicker.Win32.Costrat.es释放文件:
c:\Windows\Help\oqtxde.chm 58,368 bytes
2、注册系统服务,开机启动:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oqtxde\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oqtxde]
Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000000
ImagePath = "%Windir%\Help\oqtxde.chm"
ExtParamD = 55 FB A9 96 99 32 11 3E 00 00
3、修政Services.exe内存,并把自己代码注入
4、连