1. Startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<wuacult><C:\windows\wuacult.exe> [N/A]
2. Virus files:
C:\windows\wuacult.exe
C:\WINDOWS\inf\Insert.dll
3. Legitimate processes the virus injected into (note: even the Rising monitor and the Tiny Firewall monitor processes were injected):
[PID: 252][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 992][C:\Program Files\Rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 2036][C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 1400][C:\Program Files\Rising\Rav\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 1376][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 3336][C:\Program Files\Opera\Opera.exe] [Opera Software, 7561]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 2088][C:\WINDOWS\system32\shadow\ShadowTip.exe] [PowerShadow, 1, 0, 0, 1]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 3196][C:\Program Files\Tiny Firewall Pro\tralogan.exe] [Computer Associates International, Inc., 6.0.0.17]
[C:\windows\inf\Insert.dll] [N/A, N/A]
[PID: 3512][C:\SREng\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[C:\windows\inf\Insert.dll] [N/A, N/A]
4. Virus process after running the sample:
[PID: 3508][C:\DOCUME~1\baohelin\LOCALS~1\Temp\Rar$EX00.684\tcsafe.exe] [N/A, N/A]
[C:\windows\inf\Insert.dll] [N/A, N/A]
The process present after a passive infection (if it is not hidden) should be:
C:\windows\wuacult.exe
Characteristic: Insert.dll is injected into every process that is already running. After that, whatever program the user launches, it injects into that process as well (e.g. SREng).
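To confirm the injection behaviour described above on a suspect machine, the following PowerShell script (an added example, not part of the original post or of SREng) lists every running process that has loaded a DLL from a given path, and dumps the values under the Policies\Explorer\Run key used as the startup item. The DLL path, registry key and the function names are taken from the post or chosen here for illustration.

```powershell
# Added example: enumerate processes that have loaded the suspect DLL, and list
# the Policies\Explorer\Run startup values. Paths below come from the post above.
$SuspectDll = 'C:\windows\inf\Insert.dll'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-ProcessesWithModule {
    param([Parameter(Mandatory)][string]$ModulePath)
    Get-Process | ForEach-Object {
        $proc = $_
        try {
            # Case-insensitive match on the full module path
            $hit = $proc.Modules | Where-Object { $_.FileName -ieq $ModulePath }
        } catch {
            # Access denied (protected/system process) or 32/64-bit mismatch:
            # report it so an unreadable process is not mistaken for a clean one.
            $hit = $null
            Write-Warning ("PID {0} ({1}): cannot read module list: {2}" -f `
                $proc.Id, $proc.ProcessName, $_.Exception.Message)
        }
        if ($hit) {
            [PSCustomObject]@{
                PID     = $proc.Id
                Process = $proc.Path
                Module  = ($hit | Select-Object -First 1).FileName
            }
        }
    }
}

function Get-PolicyRunEntries {
    param([string]$Key = $RunKey)
    if (-not (Test-Path $Key)) { return @() }
    # Every non-PS* property of the key is a startup value: name -> command line
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [PSCustomObject]@{ Name = $_.Name; Command = $_.Value } }
}

Get-ProcessesWithModule -ModulePath $SuspectDll | Format-Table -AutoSize
Get-PolicyRunEntries | Format-Table -AutoSize
```

As the post notes, the virus process itself may be hidden, so a user-mode process list like this can miss it; the loaded-module view of the visible processes and the registry value are still useful evidence.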
5. Manual removal procedure using SSM (Figures 1-5)
Figure 1