Posted 2007-11-20 17:37
Prevalent Viruses 11.11-11.17, No. 8: Win32.Troj.Renos.a
Virus name (Chinese): Win32.Troj.Renos.a
Threat level: ★☆☆☆☆
Virus type: adware / rogue program
Virus length: 29596
Affected systems: Win9x WinMe WinNT Win2000 WinXP Win2003
Virus behaviour:
This is malicious adware. The virus uses process interlocking and periodically pops up fake warnings to lure the user into clicking and installing other software; clearly the unscrupulous vendors who develop that software have bought the services of this rogue program.
1. The virus copies itself twice into the %WinDir% directory, naming the copies wupdmgr.exe and osaupd.exe. (The file names closely resemble system file names in order to confuse the user.)
2. Once the virus processes are running, each checks a mutex and restarts the other, forming a process interlock that ordinary methods can hardly terminate. Simply ending the processes has no effect; use the File Shredder of Kingsoft Cleanup Expert (金山清理专家), add both files to the permanent-deletion list at the same time, and remove both pieces of malware in one pass.
3. The virus adds the following registry keys as its infection marker and uses them to start automatically at boot:
[HKEY_CLASSES_ROOT\Balloon.Application]
(Default)="Balloon.Application"
[CLSID]
(Default)="1CA7DBAF-B066-4554-977E-5CEBB7FA59C8"
[HKEY_CLASSES_ROOT\CLSID\{1CA7DBAF-B066-4554-977E-5CEBB7FA59C8}]
(Default)="Balloon.Application"
[InproHandler32]
(Default)="ole32.dll"
[LocalServer32]
(Default)="%WinDir%\wudpmgr.exe"
[ProgramId]
(Default)="Balloon.Application"
4. The virus periodically pops up the following fake warnings to lure the user into clicking and installing other adware:
"Your computer is infected with malicious ware, what can cause serious risk for your system security!"
"Malicious programs can change, damage and delete important system components, what can cause slower performance, valuable data loss, unstable system operation, irritating pop-ups rushing out and your passwords and credit card information may be stolen!"
"Click "OK" to get software and special offers on antivirus software.
Security system detected that your PC is seriously infected with spyware. Spyware typically refers to virus-like software which performs hidden tasks on your PC without your consent, bringing annoying popups, collecting personal information or causing sluggish performance. It is highly advised that you use anti-spyware tools to prevent data loss and system crashes."
"Protect your PC now? download anti-spyware tools that will scan your system for infections and remove them."
"Click "OK" to get special offers and download links on anti-spyware tools. Spyware infection detected! Windows has detected spyware in your system. It is strongly recommended that you stop working with valuable data and proceed to using special antispyware programs to to prevent data loss."
Solution:
The fix was already mentioned above: use Kingsoft Cleanup Expert 2.1, open the Security Toolbox, and add wupdmgr.exe and osaupd.exe in the %WinDir% directory (c:\windows by default) to the permanent-deletion list. For how to use the Cleanup Expert 2.1 toolbox, see post #9 of the "Kingsoft Cleanup Expert Quick Manual" (《金山清理专家简易手册》).
The registry entries modified by the rogue program can be cleaned up after the rogue software has been permanently deleted and the machine rebooted: run regedit manually to open the Registry Editor and delete the following keys added by the virus.
[HKEY_CLASSES_ROOT\Balloon.Application]
(Default)="Balloon.Application"
[CLSID]
(Default)="1CA7DBAF-B066-4554-977E-5CEBB7FA59C8"
[HKEY_CLASSES_ROOT\CLSID\{1CA7DBAF-B066-4554-977E-5CEBB7FA59C8}]
(Default)="Balloon.Application"
[InproHandler32]
(Default)="ole32.dll"
[LocalServer32]
(Default)="%WinDir%\wudpmgr.exe"
[ProgramId]
(Default)="Balloon.Application"
; C( A! X `" ?$ D3 ^( J 5 J5 K+ F, O) Z" z
, l3 Z. G, M1 k. d- ?/ H! r5 a( J. g
Prevention:
Rogue software is often bundled with the installers of free and shareware programs. When installing such software, do not click the "Next" button carelessly; read the dialogs shown during installation. Download software from the large download sites, not from small ones.
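The file, process and registry indicators listed in this post, checked by an added PowerShell audit script that is not part of the original post or of Kingsoft's tools; it assumes the two file names, the CLSID and the key paths exactly as given above, and it only reports, removing nothing.

```powershell
# Added example: read-only audit for the Win32.Troj.Renos.a indicators
# described in the post. Run from an elevated PowerShell session.
$winDir = $env:WINDIR
$files  = @('wupdmgr.exe', 'osaupd.exe')   # the two mutually-restarting copies
$keys   = @(
    'Registry::HKEY_CLASSES_ROOT\Balloon.Application',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{1CA7DBAF-B066-4554-977E-5CEBB7FA59C8}'
)
$findings = @()

# 1. Dropped files in %WinDir% (the post gives 29596 as the virus length)
foreach ($f in $files) {
    $p = Join-Path $winDir $f
    if (Test-Path -LiteralPath $p) {
        $len = (Get-Item -LiteralPath $p).Length
        $findings += "file present: $p ($len bytes)"
    }
}

# 2. Both processes alive at once is the 'process interlock' the post describes
$names = $files | ForEach-Object { $_ -replace '\.exe$', '' }
$procs = Get-Process -Name $names -ErrorAction SilentlyContinue
foreach ($pr in $procs) {
    $findings += "process running: $($pr.ProcessName) (PID $($pr.Id))"
}

# 3. COM registration used as infection marker / autostart
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "registry key present: $k"
        # LocalServer32's default value is the path the COM object launches
        $ls = "$k\LocalServer32"
        if (Test-Path -LiteralPath $ls) {
            $server = (Get-ItemProperty -LiteralPath $ls).'(default)'
            $findings += "  LocalServer32 -> $server"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Win32.Troj.Renos.a indicators found.'
} else {
    'Win32.Troj.Renos.a indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

A hit on the files or keys alone is enough to warrant the shredder-based removal the post describes; do not rely on ending one process at a time, since the other copy restarts it.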