Detecting and removing the trojan Netthrot.exe
Today I suddenly couldn't get online. I'm on Tietong ADSL broadband: I could dial up and resolve domain names, but I couldn't open any web page. I noticed the network icon showed packets being sent continuously, which felt wrong. I checked the process list and there was an extra program, netthrot.exe. Looking at it with IceSword, it was under windows/system32, and the process information even claimed it was made by Microsoft, which I figured was a fake. The timestamp showed it had arrived on my computer in the early hours of June 3, very recent, so I guessed it was a trojan.
I killed the process with IceSword, quickly went to system32 and deleted the program, then used the autorun tool to delete that service. The network was fine again!
Here are the technical details of this trojan:
W32/Tilebot-JO is a worm for the Windows platform.
W32/Tilebot-JO spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007).
When first run W32/Tilebot-JO copies itself to \netthrot.exe and creates the file \sysremove.bat.
The file netthrot.exe is registered as a new system driver service named "NetThrottle", with a display name of "TCP/IP Network Throttle" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NetThrottle
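As an added example (not from the original post and not Sophos's tooling), the following PowerShell script turns the indicators above into a check-and-clean routine. The service name, registry key and file names come from the description; the System32 location is taken from the post; the -Remove switch, the order of operations and the Authenticode check are this example's own assumptions. The version-info "CompanyName" string that made the file look like a Microsoft product is attacker-controlled, so the script checks the file's signature instead of trusting it.

```powershell
# Added example: check a Windows host for the W32/Tilebot-JO indicators
# listed in the write-up and optionally remove them. Run from an
# elevated PowerShell. The -Remove switch and helper names are assumptions
# of this example, not part of the original post.
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch the script only reports
)

$ServiceName = 'NetThrottle'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$System32    = Join-Path $env:SystemRoot 'System32'   # where the post found it
$WormExe     = Join-Path $System32 'netthrot.exe'
$Artifacts   = @(
    $WormExe,
    (Join-Path $System32 'sysremove.bat')   # batch file named in the write-up
)

$found = $false

# 1. Service registration: the worm installs itself as an auto-start service.
if (Test-Path $ServiceKey) {
    $found = $true
    $svc = Get-ItemProperty -Path $ServiceKey
    Write-Warning "Service key present: $ServiceKey"
    Write-Warning ("  DisplayName={0} ImagePath={1} Start={2} Type={3}" -f
        $svc.DisplayName, $svc.ImagePath, $svc.Start, $svc.Type)
}

# 2. Dropped files. CompanyName in the version resource is whatever the
#    author typed; only a valid Authenticode signature proves the vendor.
foreach ($path in $Artifacts) {
    if (Test-Path $path) {
        $found = $true
        $item = Get-Item $path
        Write-Warning "File present: $path (created $($item.CreationTime))"
        if ($path -like '*.exe') {
            $sig = Get-AuthenticodeSignature -FilePath $path
            Write-Warning ("  CompanyName='{0}' signature={1}" -f
                $item.VersionInfo.CompanyName, $sig.Status)
        }
    }
}

if (-not $found) {
    Write-Host "No W32/Tilebot-JO indicators found."
    return
}

if (-not $Remove) {
    Write-Host "Indicators found. Re-run with -Remove to clean up."
    return
}

# 3. Removal in the order the post used: kill the process, delete the
#    files, unregister the service.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $WormExe) } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.Id) ($($_.Path))"
        Stop-Process -Id $_.Id -Force
    }

foreach ($path in $Artifacts) {
    if (Test-Path $path) {
        Remove-Item -Path $path -Force
        Write-Host "Deleted $path"
    }
}

if (Test-Path $ServiceKey) {
    # sc.exe handles driver-type services as well; if the entry is still
    # referenced it is marked for deletion and disappears at reboot.
    & sc.exe stop $ServiceName | Out-Null
    & sc.exe delete $ServiceName | Out-Null
    Write-Host "Service $ServiceName removed (reboot to confirm the key is gone)"
}
```

Two caveats a practitioner would add to the post's cleanup: the worm reaches other hosts through the SRVSVC, RPC-DCOM, WKS and ASN.1 vulnerabilities listed above, so an unpatched machine put back on the same network can simply be reinfected; install those updates and block inbound TCP 135/139/445 before reconnecting. The indicator list also describes this one variant, so a clean result from this script is not a clean bill of health for a host that has been exposed.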
Tags: windows