Look For Disabled Services
Below are some of the services the worm disables. If any of these is disabled and you did not disable it yourself, you could be infected:
wscsvc – Security Center
WinDefend – Windows Defender (available in Vista)
wuauserv – Automatic Updates
BITS – Background Intelligent Transfer Service
ERSvc – Error Reporting Service
WerSvc – Windows Error Reporting Service (available in Vista)
Removed Restore Points
The worm removes all system restore points. If you have no system restore points, you may be infected.
Removal of Windows Security Center
If the following registry entry is missing, you could be infected: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
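The three checks above can be run together from an elevated PowerShell prompt. This script is an added example, not part of the original post; it assumes Windows PowerShell with CIM and System Restore cmdlets available, and only reports findings (it changes nothing).

```powershell
# Added example: report the Conficker indicators listed above on the local host.
$services = @{
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'ERSvc'     = 'Error Reporting Service'
    'WerSvc'    = 'Windows Error Reporting Service'
}
$findings = @()

# 1. Services the worm disables: flag any present service whose start mode is Disabled.
foreach ($name in $services.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }   # service does not exist on this Windows version
    if ($svc.StartMode -eq 'Disabled') {
        $findings += "Service $name ($($services[$name])) is disabled"
    }
}

# 2. Restore points: the worm removes all of them, so an empty list is suspicious.
$restorePoints = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if (-not $restorePoints) {
    $findings += 'No System Restore points found'
}

# 3. Security Center shell service object: the worm deletes this registry key.
$ssoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'
if (-not (Test-Path -Path $ssoKey)) {
    $findings += 'Windows Security Center ShellServiceObjects key is missing'
}

# Report. Any finding is a reason to investigate further, not proof of infection
# on its own (an administrator may have disabled a service deliberately).
if ($findings.Count -eq 0) {
    Write-Output 'No Conficker indicators from this checklist were found.'
} else {
    Write-Output 'Possible Conficker indicators:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```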
Written up while analyzing Conficker.