Kavo virus

Wednesday, April 02, 2008
A few days ago I got my external hard disk back from a friend, and only yesterday did I plug it into my computer. After that my computer kept popping up Internet Explorer windows and spawning processes I didn't recognise. It was past four in the morning before I found out which virus it was, and I only finished formatting today. Not long afterwards my roommate caught a virus too; of course it wasn't the same one as mine, his was the Kavo virus.

Kavo virus
File name = kavo.exe
File size = 116464 bytes
AV detection names =
Trojan-PSW.Win32.OnLineGames.pcm (Kaspersky)
Trojan.PSW.Win32.GameOL.lor (Rising)
Worm/AutoRun.Y (AVG)
Written in = Delphi
File MD5 = 3b08963e3b2cae9e3b4dc38b21b2a69d
Virus type = account-stealing trojan


kavo.exe behaviour analysis
1. Drops the virus files
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
2. Adds a registry value so it runs at startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kava = REG_SZ, "C:\windows\system32\kavo.exe"
3. Modifies the registry to record the version of the download address
HKEY_CLASSES_ROOT\CLSID\MADOWN
currently "cdfty1.7"
4. Starts an IE process, connects to the network, downloads a trojan and drops
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
5. tavo0.dll and kavo1.dll are injected into system processes, where they monitor mouse and keyboard activity and steal account credentials.
6. Drops a randomly named driver, then deletes itself.
7. Modifies the registry to break the "show hidden files" function.
8. Enumerates every drive and creates the virus files and an autorun.inf on each.

kavo.exe removal method
1. Download SREng, then disconnect from the network.
2. Open SREng and delete the registry values kava and tava.
3. Restart the computer and delete the files
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
Also delete the autorun.inf and the virus files in the root of every drive; using WinRAR for this is recommended.
4. Other
Edit the registry to restore the "show hidden files" function
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
(*) value Hidden
change REG_DWORD, 2 to REG_DWORD, 1
(*) value ShowSuperHidden
change REG_DWORD, 0 to REG_DWORD, 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
(*) value CheckedValue
change REG_DWORD, 0 to REG_DWORD, 1

SREng download address = http://www.fileden.com/files/2007/12/31/1671475/sreng.rar
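As an added example (not part of the original post), the following PowerShell script audits a machine for the indicators listed above (the dropped files, the kava/tava values under the Run key, autorun.inf in the root of each drive) and restores the three hidden-file registry values. It assumes an elevated PowerShell session and uses only the paths and values named on this page.

```powershell
# Added example, not from the original post: audit for the kavo indicators
# listed above and restore the "show hidden files" settings the virus breaks.
# Run in an elevated PowerShell; the HKLM write needs administrator rights.

$files = @(
    "$env:SystemRoot\system32\kavo.exe",
    "$env:SystemRoot\system32\kavo0.dll",
    "$env:SystemRoot\system32\kavo1.dll",
    "$env:SystemRoot\system32\tavo.exe",
    "$env:SystemRoot\system32\tavo0.dll"
)
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

# 1. Dropped files in system32
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Write-Warning "Found dropped file: $f" }
}

# 2. Startup persistence: the kava / tava values under the Run key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'kava', 'tava') {
    if ($run -and $run.PSObject.Properties[$name]) {
        Write-Warning "Run value '$name' = $($run.$name)"
    }
}

# 3. autorun.inf in the root of every mounted file-system drive
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Warning "autorun.inf present on $($_.Root)"
        Get-Content -LiteralPath $inf | Select-Object -First 5
    }
}

# 4. Restore the hidden-file display values (Hidden, ShowSuperHidden, CheckedValue)
Set-ItemProperty -Path $advKey  -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $advKey  -Name ShowSuperHidden -Value 1 -Type DWord
Set-ItemProperty -Path $showAll -Name CheckedValue    -Value 1 -Type DWord
```

The script only reports the files and Run values it finds; deleting them follows the steps above, after the reboot that releases the injected DLLs.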

Kavo virus killer
1. Kills the autorun.inf and ntdelect.com virus files on hard disks and USB drives, so it can also remove other USB-drive-borne viruses.
2. Restores the display of hidden files; some viruses stop the system from showing hidden files.
3. This kavo virus spreads via USB drives, memory cards, phone transfers and MP3 players.
Download URL (FlashGet not supported) = http://game76420.myweb.hinet.net/kavo_killer.exe

Alternatively, the problem can also be dealt with from cmd.
Step 1: Use the Windows File Search Tool to Find the kavo.exe Path
1. Go to Start > Search > All Files or Folders.
2. In the "All or part of the file name" section, type in the file name "kavo.exe".
3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.
4. When Windows finishes your search, hover over the "In Folder" entry of "kavo.exe", highlight the file and copy/paste the path into the address bar. Keep the file's path on your clipboard, because you'll need it to delete kavo.exe in the following manual removal steps.

Step 2: Use Windows Task Manager to End the kavo.exe Process
1. To open the Windows Task Manager, press CTRL+ALT+DEL or CTRL+SHIFT+ESC.
2. Click on the "Image Name" column header to find the "kavo.exe" process by name.
3. Select the "kavo.exe" process and click on the "End Process" button to kill it.

Step 3: Detect and Delete Other kavo.exe Files
1. To open the Windows Command Prompt, go to Start > Run, type cmd and press the "OK" button.
2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which lists the folder's contents including hidden files.
3. To change directory, type in "cd name_of_the_folder".
4. Once you have found the file you're looking for, type in del "name_of_the_file".
5. To delete a file inside a folder, type in "del name_of_the_file".
6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
