木马下载器Win32.TrojDownloader.Delf.114688病毒行为: 该病毒是一个木马下载者,会从网上下载其他病毒至客户的机器上并运行.病毒运行后生衍生一个DLL文件至系统目录中. 1.生成文件 %WinDir%\System32\Downdll.dll 2.修改注册表 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings = hex:3c,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,20,94,af,51,08,a1,c7,01,01,00,00,00,c0,a8,1c,f4,00,00,00,00,00,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore Count = dword:00000005 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore Time = hex:d7,07,08,00,04,00,10,00,06,00,19,00,38,00,9b,00, 3.病毒运行后创建一个IEXPLORE.EXE进程. 4.从http://www.*****.cn/images/js/az.exe下载病毒文件保存到c:盘根目录下. 5.在C:\Windows\system32下生成一个Delme.bat文件用于删除源文件.