Symptoms after infection:
msconfig and regedit cannot be opened, and three extra processes, bryato, conime and severe, appear in the process list. Every drive letter carries a hidden oso.exe and a hidden autorun file. The hosts file is locked, every antivirus website is blocked, and software such as QQ, MSN and Kaspersky can no longer be used.

Virus behaviour:
This is a worm that steals the user's QQ account. It spreads through removable disks and actively fights security software.

1. Drops the following files and sets their hidden and system attributes:
%WINDIR%\system32\bryato.dll
%WINDIR%\system32\bryato.exe
%WINDIR%\system32\severe.exe
%WINDIR%\system32\drivers\conime.exe
%WINDIR%\system32\drivers\fubcwj.exe

2. Creates Autorun.inf and a copy of the virus, OSO.exe, in the root directory of every partition, and modifies the registry value below so that double-clicking the partition runs the virus body:
Registry value modified: HKCU\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer\NoDriveTypeAutoRun 0xB5
Contents of Autorun.inf:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
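The Autorun.inf above hijacks the drive's open, AutoPlay and shell-verb actions. As an added example, not from the original post, here is a small Python triage parser that reports which directives in an Autorun.inf launch a program and what they launch; the sample file is constructed from the three lines above.

```python
import re

# Constructed Autorun.inf with the three directives quoted in the analysis.
SAMPLE_AUTORUN = """[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\\Auto\\command=OSO.exe
"""

def autorun_launch_targets(text: str) -> dict:
    """Map each program-launching directive under [AutoRun] to its command line.

    Handles open=, shellexecute= and shell\\<verb>\\command= (reported as
    "shell:<verb>"); section and key names are matched case-insensitively.
    """
    targets, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                                  # outside [AutoRun] or not key=value
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() in ("open", "shellexecute"):
            targets[key.lower()] = value
        elif key.lower().startswith("shell\\") and key.lower().endswith("\\command"):
            targets["shell:" + key[6:-8]] = value     # keep the verb's original case
    return targets

def referenced_programs(text: str) -> set:
    """Distinct programs the directives would launch: quoted path or first token."""
    progs = set()
    for cmd in autorun_launch_targets(text).values():
        m = re.match(r'"([^"]*)"|(\S+)', cmd)
        if m:
            progs.add(m.group(1) if m.group(1) is not None else m.group(2))
    return progs

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN))
    print(referenced_programs(SAMPLE_AUTORUN))
```

An Autorun.inf on a hard-disk or USB root whose open/shellexecute/shell verbs all point at one executable beside it is exactly the pattern this worm leaves.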

3. Adds or modifies the following registry value to keep the virus files hidden:
HKLM\software\microsoft\windows\currentversion\
explorer\advanced\folder\hidden\showall\CheckedValue "0"

4. Adds the following registry values to start itself automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\fubcwj "%WINDIR%\System32\bryato.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\bryato "%WINDIR%\System32\severe.exe"

5. Modifies the following registry value so that it is started together with the Explorer process:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\Shell "Explorer.exe %WINDIR%\System32\drivers\conime.exe"

6. Adds the following Image File Execution Options entries so that launching any of the named security tools runs the virus file instead, which prevents those tools from starting:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MagicSet.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rav.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRegEx.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvDetect.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojDie.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP.kxp\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\IceSword.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmsk.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\WoptiClean.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kabaload.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360Safe.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\runiep.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\iparmo.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\adam.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMon.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QQDoctor.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SREng.EXE\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Ras.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\msconfig.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\regedit.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\regedit.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\msconfig.com\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFW.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFWLiveUpdate.exe\Debugger "%WINDIR%\System32\drivers\fubcwj.exe"
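The Winlogon Shell change in step 5 and the Image File Execution Options entries in step 6 can be spotted in a regedit export taken from the machine. As an added example, not from the original post, this Python script parses a constructed .reg export containing the entries the analysis names, flags any IFEO Debugger value that is not in an assumed allow-list of real debuggers (ntsd, cdb, windbg, vsjitdebugger), and reports anything besides Explorer.exe in the Shell value.

```python
import re
IFEO = "\\image file execution options\\"          # key fragment, compared case-folded
WINLOGON = "\\windows nt\\currentversion\\winlogon"
# Assumption: the only debuggers expected under IFEO; any other target is reported.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}

# Constructed .reg export with the entries named in the analysis plus a benign IFEO control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="%WINDIR%\\System32\\drivers\\fubcwj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %WINDIR%\\System32\\drivers\\conime.exe"
'''
# "Name"="string" (backslash-escaped) or "Name"=dword:xxxxxxxx
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-f]{8}))', re.I)

def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name.lower(): value}} for REG_SZ and REG_DWORD entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, s, dw = m.groups()
            keys[current][name.lower()] = re.sub(r"\\(.)", r"\1", s) if s is not None else int(dw, 16)
    return keys

def find_hijacks(keys: dict) -> list:
    """(kind, detail) for IFEO Debugger redirection and extra programs in Winlogon Shell."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if IFEO in low and "debugger" in values:
            cmd = values["debugger"]
            prog = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)   # quoted path or first token
            exe = (prog.group(1) or prog.group(2) or "").rsplit("\\", 1)[-1].lower() if prog else ""
            if exe not in KNOWN_DEBUGGERS:
                findings.append(("ifeo", path.rsplit("\\", 1)[-1] + " -> " + cmd))
        elif low.endswith(WINLOGON) and "shell" in values:
            extra = [p for p in values["shell"].split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon_shell", " ".join(extra)))
    return findings
```

Because an IFEO Debugger value is honoured even when the file it names no longer exists, these entries still block the listed tools after the virus files are deleted and must be removed separately.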

7. Modifies the hosts file so that the user can no longer reach security-vendor websites (each entry points a site at 127.0.0.1).

8. Searches for windows whose titles contain any of the following strings and closes those it finds:
杀毒 (antivirus), 专杀 (removal tool), 病毒 (virus), 木马 (trojan), 注册表 (registry)

9. Stops and disables the following security services:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter

10. Terminates the following security-software processes:
PFW.exe, Kav.exe, KVOL.exe, KVFW.exe, adam.exe, qqav.exe, qqkav.exe, TBMon.exe, kav32.exe, kvwsc.exe, CCAPP.exe, KRegEx.exe, kavsvc.exe, VPTray.exe,
RAVMON.exe, EGHOST.exe, KavPFW.exe, SHSTAT.exe, RavTask.exe, TrojDie.kxp, Iparmor.exe, MAILMON.exe, MCAGENT.exe, KAVPLUS.exe, RavMonD.exe, Rtvscan.exe,
Nvsvc32.exe, KVMonXP.exe, Kvsrvxp.exe, CCenter.exe, KpopMon.exe, RfwMain.exe, KWATCHUI.exe, MCVSESCN.exe, MSKAGENT.exe, kvolself.exe, KVCenter.kxp,
kavstart.exe, RAVTIMER.exe, RRfwMain.exe, FireTray.exe, UpdaterUI.exe, KVSrvXp_1.exe, RavService.exe

11. Deletes the following QQ files:
QLiveUpdate.exe, BDLiveUpdate.exe, QUpdateCenter.exe

12. Installs keyboard and mouse message hooks, looks for the QQ login window and logs keystrokes; once it has captured the user's password it sends it to a preset mailbox through its own mail engine.

Removal:
bryato.exe, conime.exe, severe.exe and oso.exe cannot be deleted at all, in either normal or safe mode. If you force-kill them from Task Manager, processes such as bryato.exe, conime.exe and severe.exe reappear: net1 and net processes flash by, and the three processes are running again almost immediately. The effective way to remove the virus is therefore to delete the hidden files listed above one by one from DOS. The steps are:

1. Boot into DOS from a CD or boot floppy, or install the MAXDOS toolkit and choose DOS directly at restart.
2. Run the following commands:
attrib c:\windows\system32\severe.exe -s -h -r
attrib c:\windows\system32\bryato.exe -s -h -r
attrib c:\windows\system32\drivers\conime.exe -s -h -r
attrib c:\windows\system32\bryato.dll -s -h -r
attrib c:\windows\system32\drivers\fubcwj.exe -s -h -r
(My operating system is installed on drive C.)

attrib c:\oso.exe -s -h -r
attrib d:\oso.exe -s -h -r
attrib e:\oso.exe -s -h -r
attrib f:\oso.exe -s -h -r
Continue in the same way for the remaining drives, one line per drive letter.

del c:\windows\system32\severe.exe
del c:\windows\system32\bryato.exe
del c:\windows\system32\drivers\conime.exe
del c:\windows\system32\bryato.dll
del c:\windows\system32\drivers\fubcwj.exe

del c:\oso.exe
del d:\oso.exe
del e:\oso.exe
del f:\oso.exe
del c:\Autorun.inf
del d:\Autorun.inf
del e:\Autorun.inf
del f:\Autorun.inf
Reboot after deleting and you are done. Note that these steps only remove the files: the registry values and hosts entries described in steps 2 to 7 above are still in place, and in particular the Image File Execution Options\...\Debugger values will keep the listed security tools from starting until they are removed.

If you find the commands above hard to remember, use Notepad in normal mode to save them as a batch file named KILL.BAT in the root of drive C. After booting into DOS, simply run KILL.BAT.
