Rising Kaka Security Forum

Providing 4 viruses! Special reminder: children, do not try this without adult supervision. (Revised) [Help request]
jasonhsiung - 2007-3-3 15:06:00
Here are 4 viruses; anyone interested can play with them,

as follows: (all 4 are packed .RAR files, so don't worry)

http://xunway.com/VivianGwen/jason/szsvc.rar
http://xunway.com/VivianGwen/jason/U.rar
http://xunway.com/VivianGwen/jason/crsss.rar
http://xunway.com/VivianGwen/jason/crsrs.rar

Virus identified as: W32.Rbot.mx worm

Attachments: szsvc.rar (207.64K), U.rar (210.20K), crsss.rar (211.76K), crsrs.rar (210.21K)

System processes keep increasing until the machine hangs.
Attached image:

Operating system: WIN NT 4.0 Traditional Chinese edition

Urgently asking for everyone's help, thanks

Log as follows:
Logfile of HijackThis v1.99.1
Scan saved at PM 04:55:48, on 2007/3/3
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINNT\System32\crsss.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\explorer.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\ddhelp.exe
C:\WINNT\System32\Atiptaab.exe
C:\PROGRA~1\NAV\vptray.exe
C:\PROGRA~1\NAV\DefWatch.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINNT\System32\esserver.exe
C:\WINNT\System32\szsvc.exe
C:\WINNT\System32\crsss.exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINNT\system32\cba\pds.exe
D:\MSSQL7\Binn\sqlmangr.exe
C:\CCProxy\CCProxy.exe
C:\WINNT\System32\llssrv.exe
d:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
c:\winnt\system32\pstores.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\Program Files\Rising\Rav\RavAgent.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Rising\Rav\RavAlert.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\Program Files\Rising\Rav\RavUpdate.exe
C:\Program Files\Rising\Rav\RNReport.exe
C:\WINNT\System32\LOCATOR.EXE
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\cba\xfr.exe
d:\MSSQL7\binn\sqlagent.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
F:\tool\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\System32\xunleibho_v8.dll
O3 - Toolbar: Μ诀(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cnned
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cnned
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 202.96.128.166 202.96.128.143 202.96.128.68
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cnned
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 202.96.128.166 202.96.128.143 202.96.128.68
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 202.96.128.166 202.96.128.143 202.96.128.68
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NAV\DefWatch.exe
O23 - Service: Symantec Quarantine Agent (IcePack) - IBM Corp. - C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
O23 - Service: Intel Alert Handler - IntelR Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - IntelR Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - IntelR Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus 狝竟 (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NAV\Rtvscan.exe
O23 - Service: Symantec System Center 穓碝狝叭 (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: 辽臟いァ筳瞒┮ (qserver) - Symantec Corporation - C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
O23 - Service: RavAgent - 风琍 - C:\Program Files\Rising\Rav\RavAgent.exe
O23 - Service: Rav Net Alert (RavAlert) - 风琍м祇甶Τそ - C:\Program Files\Rising\Rav\RavAlert.exe
O23 - Service: RavService - Unknown owner - C:\Program Files\Rising\Rav\RavService.exe" /service (file missing)
O23 - Service: RavUpdate - Unknown owner - C:\Program Files\Rising\Rav\RavUpdate.exe" (file missing)
O23 - Service: RNReport - 风琍м祇甶Τそ - C:\Program Files\Rising\Rav\RNReport.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Symantec Quarantine Scanner (ScanExplicit) - IBM Corp. - C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
O23 - Service: WmDmPsp - Unknown owner - C:\WINNT\system32\sysdtc32.exe (file missing)

Attachment: 850703200733145817.jpg
bravoliuliu - 2007-3-3 16:45:00
So fierce! But I can't help you either; bumping this!
忘记从前 - 2007-3-3 16:50:00
Post a scan log.
jasonhsiung - 2007-3-3 17:25:00
Please help me analyze this, thanks
jasonhsiung - 2007-3-5 8:08:00
Can nobody sort this out?
spiritfire - 2007-3-5 8:16:00
Post an SREng log!
jasonhsiung - 2007-3-7 11:40:00
"Post an SREng log!"

Bro, SREng doesn't work on Win NT!!!!
jasonhsiung - 2007-3-7 13:44:00
Bumping this myself so it doesn't sink,
孤狼野豹 - 2007-3-7 13:52:00
Clicking the link you gave

brings up this page:

<?xml version="1.0" encoding="UTF-8" ?>
<result>
  <code>FA_SECURITY</code>
  <messages>
    <message severity="ERROR">Cookie not matched!</message>
  </messages>
</result>

Nothing else at all
jasonhsiung - 2007-3-7 14:04:00
Quote:
[post by 孤狼野豹] Clicking the link you gave

brings up this page:

<?xml version="1.0" encoding="UTF-8" ?>
<result>
  <code>FA_SECURITY</code>
  <messages>
    <message severity="ERROR">Cookie not matched!</message>
  </messages>
</result>

Nothing else at all
........

SORRY,
The machine doesn't have FlashFXP installed, so I tried to be lazy, and it didn't work

Uploading now, OK
jasonhsiung - 2007-3-7 14:26:00
Virus identified as: W32.Rbot.mx worm
Rising's latest virus database cannot detect or remove it.
You need the latest Norton Symantec AntiVirus 10.0, which works.
娄星天芳 - 2007-3-7 14:29:00
First package: Backdoor.Win32.Vanbot.bf
Third package: Backdoor.Win32.Vanbot.ay
Second and fourth packages: nothing abnormal found so far. (-.-!)
Backdoor.Win32.Vanbot.bf
Backdoor.Win32.Vanbot.ay
both belong to the same family.
Name: Rizo
Alias: W32/IRCBot.XO, Backdoor.Win32.Rizo.c, Backdoor.Win32.VanBot.ad, Backdoor.Win32.Rbot.bmj
Type: Backdoor, Network Worm
Category: Trojan
Platform: Win32
Date of Discovery: October 18, 2006
Summary
Rizo is a family of IRC bot-based backdoors with network worm capabilities. Rizo can spread itself to remote computers with the help of an exploit. Unlike many other exploits that download a copy of malware from an already infected computer, Rizo's exploit downloads and runs a file from a website. Every time this website is accessed, a repacked variant is offered for download.
Disinfection

Disinfection of Network Worms

A network worm uses a local network (LAN) to spread itself, so to stop its spreading it is advised to temporarily take down a network until all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers and ruin all previous disinfection attempts. However, if F-Secure Anti-Virus version 5.40 or a later version is installed on computers connected to a local network, it is recommended to set the disinfection action of the On-Access Scanner (OAS) to 'Disinfect Automatically'. Such action will allow to protect already cleaned workstations connected to an infected network from further re-infection by a network worm.
Detailed Description
Rizo is a backdoor-worm that spreads within local networks and via the Internet. When it arrives on an infected computer it copies itself to the Windows System folder with the name of winlogin32.exe and creates several startup strings in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
cpanel=%winsysdir%\winlogin32.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
cpanel=%winsysdir%\winlogin32.exe

Being active, the backdoor connects to the following IRC servers:

ircc.debelizombi.com
xv21.debelizombi.com

Then the malware joins an IRC channel named #!v21! using the password 'tn10a4' without quotes. The port for connection is 8008.

The Rizo backdoor-worm can do any of the following:

Download and run files
Scan for vulnerable computers and spread to them
List and terminate processes
Join and part IRC channels, change nicks, change server
Send current IP address to a hacker
Report bot uptime to a hacker
Create remote command shell
Delete files
'Call home' by accessing the dl1.debelizombi.com website

The URL above can be also used to upgrade the copy of the backdoor. At the moment the page contains only the text string 'EMPTY'.

The exploit in the backdoor's body is partially encrypted. When sent over to a target computer, the exploit decrypts itself (simple XOR 0x99 operation), resolves several APIs, downloads a file to the Windows System folder from the dl1.debelizombi.com website and runs it. The name of the downloaded file is a.exe.

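As an added defender-side example (not part of the thread, and not code from any tool or vendor named in it), the Python below triages a HijackThis log of the kind posted at the top of the thread for three signs visible on this page: process names one character off a core NT binary (the log's crsss.exe next to a real csrss.exe), Run entries matching the Rizo persistence described in this post (value "cpanel" pointing at winlogin32.exe), and services whose binary is reported missing. The sample log is constructed from the thread's log format; the KNOWN_SYSTEM list and the one-edit threshold are my assumptions.

```python
import re

# Constructed HijackThis-style excerpt modelled on the thread's log (crsss.exe, szsvc.exe,
# WmDmPsp) plus a Run entry built from the Rizo write-up (cpanel -> winlogin32.exe); not a real capture.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\csrss.exe
C:\WINNT\System32\crsss.exe
C:\WINNT\System32\szsvc.exe
F:\tool\HijackThis.exe

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [cpanel] C:\WINNT\System32\winlogin32.exe
O23 - Service: WmDmPsp - Unknown owner - C:\WINNT\system32\sysdtc32.exe (file missing)
"""

# Core NT binaries whose names malware imitates with one-character near misses (assumed list).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolss.exe", "explorer.exe"}
RIZO_RUN_VALUE, RIZO_BINARY = "cpanel", "winlogin32.exe"  # persistence names from the write-up

def near_miss(name: str, known: str) -> bool:
    # True when name is one substitution, adjacent swap, insertion or deletion away from known.
    if name == known:
        return False
    if len(name) == len(known):
        d = [i for i, (x, y) in enumerate(zip(name, known)) if x != y]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1 and
                               name[d[0]] == known[d[1]] and name[d[1]] == known[d[0]])
    short, long_ = sorted((name, known), key=len)
    return (len(long_) - len(short) == 1 and
            any(long_[:i] + long_[i + 1:] == short for i in range(len(long_))))

def triage(log: str) -> dict:
    # Walk the log once; bare paths are "Running processes" entries, O4/O23 are HijackThis sections.
    hits = {"lookalike_process": [], "rizo_run_entry": [], "service_file_missing": []}
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if re.match(r"^[A-Za-z]:\\", line):
            base = line.rsplit("\\", 1)[-1].lower()
            if any(near_miss(base, k) for k in KNOWN_SYSTEM):
                hits["lookalike_process"].append(line)
        elif line.startswith("O4 - "):
            m = re.search(r"\[([^\]]+)\]\s*(.*)$", line)  # [value name] command line
            if m and (m.group(1).lower() == RIZO_RUN_VALUE or RIZO_BINARY in m.group(2).lower()):
                hits["rizo_run_entry"].append(line)
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            hits["service_file_missing"].append(line)
    return hits
```

Names such as szsvc.exe that are not near misses of a system binary are not caught by the name check alone; those still need the sample analysis the thread went on to do.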
娄星天芳 - 2007-3-7 14:43:00
This kind of virus is very rare; how did you run into it? ╭∩╮(︶︿︶)╭∩╮
jasonhsiung - 2007-3-7 14:56:00
I really did run into it, and not just one but a whole bunch;
N hosts were infected, and most of the 2000 machines on the LAN got infected.

The situation is very serious,
jasonhsiung - 2007-3-7 14:58:00
What I can say for sure is that the fourth package is the same family too; it should be the newest variant, because so far I have only seen it on two machines.
jasonhsiung - 2007-3-7 20:10:00
Almost all sorted out now, I can take it easy again.

A reminder to everyone: this virus has to be caught early; the earlier you catch it, the easier it is to deal with.
spiritfire - 2007-3-7 20:17:00
No virtual machine installed; better compress it and PM a moderator!
小木飞猪 - 2007-3-7 20:56:00
Playing with viruses, fun.