A 'hijacker' is spyware installed without the user's consent; it steals the user's personal information and information about the computer, and it is a particularly nasty kind of spyware.
Hijacker: webrebate and btv are two kinds of hijacker; they can be removed with Ad-aware.
Backdoor.Berbew.G attempts to steal cached passwords and may display fake windows to gather confidential information.
Variants: Backdoor.Berbew.F
Type: Trojan Horse
Infection Length: 46,080 bytes (exe), 6,657 bytes (dll)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
=====
When Backdoor.Berbew.G is executed, it performs the following actions:
It creates a mutex "QueenKarton_12", which ensures only one instance of the trojan is running at one time.
It creates the following copy of itself:
%System%\<8 random characters>.exe
It drops a DLL file called <8 random characters>.dll in the %System% directory.
It creates several files in the %Temp% directory named <8 random characters>.htm and opens Internet Explorer with the names of these .htm files as parameters; when such a file opens, it may access a predetermined URL.
It sets the following values in the registry:
HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(Default) = <8 random characters>.dll
HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = Apartment
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = {79FEACFF-FFCE-815E-A900-316290B5B738}
HKEY_CURRENT_USER\Software\Microsoft\QueenKarton = 0xC
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1601 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1601 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1601 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1601 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\5\1601 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess = "yes"
The Trojan collects passwords from the compromised system and intercepts data entered into forms through Internet Explorer. It may create the following files in the %System% folder for saving this password information, and any downloaded configuration data for the trojan:
dnkkq.dll
kkq32.vxd
kkq32.dll
Rtdx1<number>.dat
The stolen information is passed to the attacker by sending query strings; additionally, configuration data may also be uploaded through the web to a predetermined URL.
Source: Hacker University (Hackers News)
http://hackersnews.org/hn/read.cgi?board=hn_virus&y_number=218
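The indicators in the writeup above (the CLSID registered under ShellServiceObjectDelayLoad, the `1601` zone settings, the `QueenKarton` marker, and the dropped `kkq32`/`Rtdx1` files) can be checked offline against a registry export and a `%System%` directory listing. The script below is an added example written for this page, not Symantec's or the blog's code: it parses a `.reg`-style export (string and DWORD values only), resolves each ShellServiceObjectDelayLoad CLSID to its `InProcServer32` DLL, and reports which Berbew indicators match. The sample export, the benign `PostBootReminder` CLSID, the DLL name `qwkdlsmz.dll`, and the file list are constructed for the demonstration; the threshold in `looks_infected` is an assumption, not something the writeup states.

```python
"""Check a .reg export and a %System% listing for the Backdoor.Berbew.G indicators
listed above.  Added example, not the blog's or Symantec's code; sample data is
constructed and the two-indicator threshold is an assumption."""
import re

BERBEW_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}".lower()
SSODL = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
ZONE_RE = re.compile(r"\\internet settings\\zones\\(\d)$")
DROP_FILE_RE = re.compile(r"^(dnkkq\.dll|kkq32\.vxd|kkq32\.dll|rtdx1\d+\.dat)$", re.I)


def parse_reg_export(text):
    """Minimal .reg parser -> {key (lowercased): {value name: data}}.
    Handles quoted strings and dword: values; other types are kept as raw text."""
    hives, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry keys are case-insensitive
            hives.setdefault(key, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:              # header, blank, comment or unsupported line
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # un-escape \\ and \"
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        hives[key][name] = data
    return hives


def scan(hives, system_dir_listing):
    """Return a report of the Berbew indicators present in the export and listing."""
    report = {"ssodl": [], "berbew_clsid": False, "zones_1601_allow": [],
              "queenkarton": False, "drop_files": []}
    # explorer.exe loads every CLSID under ShellServiceObjectDelayLoad at logon, so
    # list each one with the DLL it resolves to and flag the CLSID from the writeup.
    for name, clsid in hives.get(SSODL, {}).items():
        clsid = str(clsid).lower()
        inproc = hives.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {})
        report["ssodl"].append((name, clsid, inproc.get("(Default)")))
        if clsid == BERBEW_CLSID:
            report["berbew_clsid"] = True
    # Action 1601 is "Submit non-encrypted form data": 0 = allow silently, 1 = prompt,
    # 3 = block.  Berbew zeroes it in every zone so its own form posts never prompt.
    for key, values in hives.items():
        m = ZONE_RE.search(key)
        if m and values.get("1601") == 0:
            report["zones_1601_allow"].append(int(m.group(1)))
    report["zones_1601_allow"].sort()
    report["queenkarton"] = "QueenKarton" in hives.get(r"hkey_current_user\software\microsoft", {})
    report["drop_files"] = sorted(f for f in system_dir_listing if DROP_FILE_RE.match(f))
    return report


def looks_infected(report):
    """The CLSID alone is conclusive; otherwise require two supporting indicators (assumed)."""
    supporting = sum([bool(report["drop_files"]), report["queenkarton"],
                      len(report["zones_1601_allow"]) >= 6])
    return report["berbew_clsid"] or supporting >= 2


# Constructed sample export: a benign placeholder SSODL entry plus the Berbew entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\qwkdlsmz.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{00000000-0000-0000-0000-000000000001}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_CURRENT_USER\Software\Microsoft]
"QueenKarton"=dword:0000000c

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1601"=dword:00000001
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "qwkdlsmz.dll", "kkq32.dll", "Rtdx13.dat"]  # constructed

if __name__ == "__main__":
    rep = scan(parse_reg_export(SAMPLE_REG), SAMPLE_SYSTEM32)
    for k, v in rep.items():
        print(f"{k}: {v}")
    print("infected:", looks_infected(rep))
```

To use it on a real machine, export the relevant hives with `reg export` and pass the file contents to `parse_reg_export`, and `os.listdir` of `%SystemRoot%\system32` to `scan`. Note that the "8 random characters" file names from the writeup are deliberately not used as an indicator: many legitimate DLLs (kernel32.dll, advapi32.dll) also have eight-character names, so that heuristic would only produce noise.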
Anti-spyware software
★ PC Tools's Spyware Doctor
★ Sunbelt Software's Counterspy
★ Trend Micro's HijackThis
★ Webroot Software's Spy Sweeper
★ ParetoLogic's Anti-Spyware and XoftSpy SE
★ Steve Gibson's Optout
★ Lavasoft's Ad-aware - recommended (see the Ad-aware post)
If you look these up in a search engine, the anti-spyware software will come up and you can download it from there. In case typing each name is a hassle, I'll attach the search terms.
Fake anti-spyware software
Wait a moment!! You have to be careful of fake anti-spyware software. ActiveX is heavily used these days... in Korea ㅠ
Through such ActiveX controls, a fake 'vaccine' (antivirus) gets installed automatically that tells you your machine is infected with a hijacker when it is not. Be careful of this fake anti-spyware software.