Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board


[Original] A perverse virus: the "AV Terminator" (杀软终结者)

I had other things to do at noon, so I have only analysed part of it.

In fact many of its "features" are not shown here.

The purpose of writing this virus is very clear:

its main job is to kill anti-virus software and security tools.

In the disassembly I also found a function that intercepts Rising's registry-modification monitor

and sends it the "Allow" command.

The final and nastiest trick is the way it kills the firewall:

it changes the modification date of rwf.ini, after which Rising Firewall pops up "serial number expired"

and then exits by itself.

I tried many removal methods, including batch scripts and Unlocker,

and in the end a simple procedure did the job.


The OP spent half a day putting this post together;
it ought to be pinned.

No...
don't pin it..

I just knocked this together for fun when I was bored.

Also, what I analysed it with was SSM, not Tiny.

Heh.

I was about to say, that icon looks like SSM any way you look at it.

So, A Yue,


don't tell me you've never even used SSM?

The machines at my school use SSM,
so seeing you analyse with that tool
feels very familiar.
Tiny currently has only an English version and needs a registration code,
so it's probably not that widely used online;
an analysis done with SSM benefits more people.
Bumping again; a good post shouldn't be allowed to sink.

The author has updated it again.

It now also traverses the partitions and generates an autorun.inf plus a copy of the virus named with 8 random digits.

Much like last time, it is packed twice with UPX.

Even after unpacking, Rising still can't detect it... - -


It tries to shut down a great many security programs, using IFEO redirection hijacking,

breaks Safe Mode \ modifies hidden files,

injects into Explorer for a reverse connection, and so on.


Almost no anti-virus or security software can be opened.


Solution:

1. Repair the damaged Safe Mode; you can also find a registry export to import.

2. Enter Safe Mode with Command Prompt (DOS mode)

Type:

Del "C:\Program Files\Common Files\Microsoft Shared\MSINFO\????????.dll"

and likewise the .dat and .chm files, etc.
....

Then reboot and clean up what is left....


The window strings it tries to close are as follows:

00406228  ascii  "Anti",0
00406238  ascii  "Virus",0
00406248  ascii  "Trojan",0
00406258  ascii  "Firewall",0
0040626C  ascii  "\Kaspersky",0
00406280  ascii  "\JiangMin\",0
00406294  ascii  "\KV200",0
004062A4  ascii  ".kxp",0
004062B4  ascii  "\Rising\",0
004062C8  ascii  "\RAV\",0
004062D8  ascii  "\RFW\",0
004062E8  ascii  "\KAV200",0
004062F8  ascii  "\KAV6",0
00406308  ascii  "McAfe",0
00406318  ascii  "\Network Associa"
00406328  ascii  "tes\",0
00406338  ascii  "\TrustPort",0
0040634C  ascii  "Norton",0
0040635C  ascii  "Symantec",0
00406370  ascii  "\SYMANT~1\",0
00406384  ascii  "Norton SystemWor"
00406394  ascii  "ks",0
004063A0  ascii  "\ESET\",0
004063B0  ascii  "\Grisoft\",0
004063C4  ascii  "\F-Pro",0
004063D4  ascii  "\Alwil Software\"
004063E4  ascii  0
004063F0  ascii  "\ALWILS~1\",0
00406404  ascii  "F-Secure",0
00406418  ascii  "\ArcaBit\",0
0040642C  ascii  "\Softwin\",0
00406440  ascii  "\ClamWin\",0
00406454  ascii  "\DrWe",0
00406464  ascii  "\Fortine",0
00406478  ascii  "anda Software\",0
00406490  ascii  "\Vba3",0
004064A0  ascii  "\Trend Micro\",0
004064B8  ascii  "\QUICKH~1\",0
004064CC  ascii  "\TRENDM~1\",0
004064E0  ascii  "Quick Heal",0
004064F4  ascii  "\eSaf",0
00406504  ascii  "ewido",0
00406514  ascii  "\Prevx1\",0
00406528  ascii  "ers\avg",0
00406538  ascii  "\Ikarus\",0
0040654C  ascii  "Sopho",0
0040655C  ascii  "Sunbelt",0
0040656C  ascii  "PC-cilli",0
00406580  ascii  "\ZoneAlar",0
00406594  ascii  "\Agnitum\",0
004065A8  ascii  "WinAntiVirus",0
004065C0  ascii  "\AhnLab",0
004065D0  ascii  "\Norma",0
004065E0  ascii  "surfsecret",0
004065F4  ascii  "\Bullguard\",0
00406608  ascii  "BlackICE",0
0040661C  ascii  "Armor2net",0
00406630  ascii  "\360safe\",0
00406644  ascii  "\SkyNet\",0
00406658  ascii  "Micropoint",0
0040666C  ascii  "Iparmor",0
0040667C  ascii  "\ftc\",0
0040668C  ascii  "\mmjk2007\",0
004066A0  ascii  "\Antiy Labs\",0
004066B8  ascii  "\LinDirMicro Lab"
004066C8  ascii  "\",0
004066D4  ascii  "\Filseclab\",0
004066E8  ascii  "\ast\",0
004066F8  ascii  "System Safety Mo"
00406708  ascii  "nitor",0
00406718  ascii  "ProcessGuard",0
00406730  ascii  "\FengYun\",0
00406744  ascii  "\Lavasoft\",0
00406758  ascii  "\NOD3",0
00406768  ascii  "\mmsk",0
00406778  ascii  "\The Cleaner\",0
00406790  ascii  "\Defendio",0
004067A4  ascii  "\kis6",0
004067B4  ascii  "Behead",0
004067C4  ascii  "sreng",0
004067D4  ascii  "IceSword",0
004067E8  ascii  "HijackThis",0
004067FC  ascii  "killbox",0
0040680C  ascii  "procexp",0
0040681C  ascii  "\Magicset",0
00406830  ascii  "EQSysSecure",0
00406844  ascii  "ProSecurity",0
00406858  ascii  "\Yahoo!\",0
0040686C  ascii  "\Google\",0
00406880  ascii  "\baidu\",0
00406890  ascii  "\P4P\",0
004068A0  ascii  "\Sogou PXP\",0
004068B4  ascii  "yaskp.sys",0
004068C8  ascii  "BDGuard.sys",0
004068F0  ascii  "木马",0
00406900  ascii  "KSysFilt.sys",0
00406918  ascii  "KSysCall.sys",0
00406930  ascii  "\AVK",0
00406940  ascii  "\K7",0
0040694C  ascii  "\Zondex\",0
00406960  ascii  "\blcorp\",0
00406974  ascii  "\Tiny Firewall P"
00406984  ascii  "ro\",0
00406990  ascii  "\Jetico\",0
004069A4  ascii  "\HAURI\",0
004069B4  ascii  "\CA\",0
004069C4  ascii  "\kmx",0
004069D4  ascii  "\PCClear_Plus\",0
004069EC  ascii  "\Novatix\",0
00406A00  ascii  "\Ashampoo\",0
00406A14  ascii  "\WinPatrol\",0
00406A28  ascii  "\Spy Cleaner Gol"
00406A38  ascii  "d\",0
00406A44  ascii  "\CounterSpy\",0
00406A5C  ascii  "\EagleEyeOS",0
00406A70  ascii  "\Webroot\",0
00406A84  ascii  "\BufferZone",0
00406A98  ascii  "x0w2e3t6m9",0
00406AAC  ascii  "avp",0
00406AB8  ascii  "AgentSvr",0
00406ACC  ascii  "CCenter",0
00406ADC  ascii  "Rav",0
00406AE8  ascii  "RavMonD",0
00406AF8  ascii  "RavStub",0
00406B08  ascii  "RavTask",0
00406B18  ascii  "rfwcfg",0
00406B28  ascii  "rfwsrv",0
00406B38  ascii  "RsAgent",0
00406B48  ascii  "Rsaupd",0
00406B58  ascii  "runiep",0
00406B68  ascii  "SmartUp",0
00406B78  ascii  "FileDsty",0
00406B8C  ascii  "RegClean",0
00406BA0  ascii  "360tray",0
00406BB0  ascii  "360Safe",0
00406BC0  ascii  "360rpt",0
00406BD0  ascii  "kabaload",0
00406BE4  ascii  "safelive",0
00406BF8  ascii  "Ras",0
00406C04  ascii  "KASMain",0
00406C14  ascii  "KASTask",0
00406C24  ascii  "KAV32",0
00406C34  ascii  "KAVDX",0
00406C44  ascii  "KAVStart",0
00406C58  ascii  "KISLnchr",0
00406C6C  ascii  "KMailMon",0
00406C80  ascii  "KMFilter",0
00406C94  ascii  "KPFW32",0
00406CA4  ascii  "KPFW32X",0
00406CB4  ascii  "KPFWSvc",0
00406CC4  ascii  "KWatch9x",0
00406CD8  ascii  "KWatch",0
00406CE8  ascii  "KWatchX",0
00406CF8  ascii  "TrojanDetector",0
00406D10  ascii  "UpLive.EXE",0
00406D24  ascii  "KVSrvXP",0
00406D34  ascii  "KvDetect",0
00406D48  ascii  "KRegEx",0
00406D58  ascii  "kvol",0
00406D68  ascii  "kvolself",0
00406D7C  ascii  "kvupload",0
00406D90  ascii  "kvwsc",0
00406DA0  ascii  "UIHost",0
00406DB0  ascii  "IceSword",0
00406DC4  ascii  "iparmo",0
00406DD4  ascii  "mmsk",0
00406DE4  ascii  "adam",0
00406DF4  ascii  "MagicSet",0
00406E08  ascii  "PFWLiveUpdate",0
00406E20  ascii  "SREng",0
00406E30  ascii  "WoptiClean",0
00406E44  ascii  "scan32",0
00406E54  ascii  "shcfg32",0
00406E64  ascii  "mcconsol",0
00406E78  ascii  "HijackThis",0
00406E8C  ascii  "mmqczj",0
00406E9C  ascii  "Trojanwall",0
00406EB0  ascii  "FTCleanerShell",0
00406EC8  ascii  "loaddll",0
00406ED8  ascii  "rfwProxy",0
00406EEC  ascii  "KsLoader",0
00406F00  ascii  "KvfwMcl",0
00406F10  ascii  "autoruns",0
00406F24  ascii  "AppSvc32",0
00406F38  ascii  "ccSvcHst",0
00406F4C  ascii  "isPwdSvc",0
00406F60  ascii  "symlcsvc",0
00406F74  ascii  "nod32kui",0
00406F88  ascii  "avgrssvc",0
00406F9C  ascii  "RfwMain",0
00406FAC  ascii  "KAVPFW",0
00406FBC  ascii  "Iparmor",0
00406FCC  ascii  "nod32krn",0
00406FE0  ascii  "PFW",0
00406FEC  ascii  "RavMon",0
00406FFC  ascii  "KAVSetup",0
00407010  ascii  "NAVSetup",0
00407024  ascii  "SysSafe",0
00407034  ascii  "QHSET",0
00407044  ascii  "zxsweep",0
00407054  ascii  "AvMonitor",0
00407068  ascii  "UmxCfg",0
00407078  ascii  "UmxFwHlp",0
0040708C  ascii  "UmxPol",0
0040709C  ascii  "UmxAgent",0
004070B0  ascii  "UmxAttachment",0
004070C8  ascii  "KPFW32",0
004070D8  ascii  "KPFW32X",0
004070E8  ascii  "KvXP_1",0
004070F8  ascii  "KVMonXP_1",0
0040710C  ascii  "KvReport",0
00407120  ascii  "KVScan",0
00407130  ascii  "KVStub",0
00407140  ascii  "KvXP",0
00407150  ascii  "KVMonXP",0
00407160  ascii  "KVCenter",0
00407174  ascii  "TrojDie",0
00407184  ascii  "avp.com",0
00407194  ascii  "KRepair.COM",0
004071A8  ascii  "KaScrScn.SCR",0
004071C0  ascii  "\Program Files\",0
004071D8  ascii  "\system32\notepa"
004071E8  ascii  "d.exe",0
004071F8  ascii  "00002338",0
0040720C  ascii  "0EAD7EAA",0
00407220  ascii  "06E3DD06",0
00407234  ascii  "A1D29050",0
00407248  ascii  "85228E60",0
0040725C  ascii  "  ",0
00407268  ascii  "Trojan",0
00407278  ascii  "Virus",0
00407288  ascii  "kaspersky",0
0040729C  ascii  "jiangmin",0
004072B0  ascii  "rising",0
004072C0  ascii  "ikaka",0
004072D0  ascii  ".duba.",0
004072E0  ascii  "kingsoft",0
004072F4  ascii  "360safe",0
00407304  ascii  "木马",0
00407314  ascii  "木馬",0
004073C8  ascii  "瑞星",0
004073DC  ascii  "社区",0
00407414  ascii  "社区",0
00407435  ascii  "褚馊砑?,0
0040744B  ascii  "ト砑?,0
004075A8  ascii  "KvNative",0
004075BC  ascii  "bsmain",0
004075CC  ascii  "aswBoot",0


........


Unfortunately its propagation method isn't very mature yet..

Make sure you patch system vulnerabilities..
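The string dump above is the sample's kill list in raw disassembler form: window-title fragments, process/image names, install-path fragments and driver names, split into 16-byte chunks with a trailing `,0` (or a bare `ascii 0` line) marking the terminating NUL. The Python below is an added example, not code from the thread or its author; it embeds a subset of the dump's own lines, reassembles the split chunks, groups the fragments, and answers the defender's question of which of their own tools and window titles this list would match. The case-insensitive substring match is an assumption about how the sample compares names, chosen as the loosest reading of the dump.

```python
import re
from typing import Dict, List

# Excerpt of the OllyDbg-style string dump quoted in the post above (lines copied
# from the thread, not constructed), including split 16-byte chunks and the bare
# "ascii 0" terminator that follows an exactly-filled chunk.
DUMP = r"""
00406228  ascii  "Anti",0
00406238  ascii  "Virus",0
00406248  ascii  "Trojan",0
00406258  ascii  "Firewall",0
0040626C  ascii  "\Kaspersky",0
00406318  ascii  "\Network Associa"
00406328  ascii  "tes\",0
0040634C  ascii  "Norton",0
00406384  ascii  "Norton SystemWor"
00406394  ascii  "ks",0
004063D4  ascii  "\Alwil Software\"
004063E4  ascii  0
004066F8  ascii  "System Safety Mo"
00406708  ascii  "nitor",0
00406AE8  ascii  "RavMonD",0
00406B18  ascii  "rfwcfg",0
0040680C  ascii  "procexp",0
004068B4  ascii  "yaskp.sys",0
00407184  ascii  "avp.com",0
004075CC  ascii  "aswBoot",0
"""

_LINE = re.compile(r'^([0-9A-Fa-f]{8})\s+ascii\s+(.*?)\s*$')


def parse_string_dump(dump: str) -> List[str]:
    """Reassemble the dump's 16-byte ascii chunks into whole NUL-terminated strings."""
    strings: List[str] = []
    buf = ""
    for raw in dump.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue                      # blank line or a non-string dump line
        rest = m.group(2)
        if rest == "0":
            # Bare terminator: the previous chunk filled its line exactly.
            strings.append(buf)
            buf = ""
            continue
        if not rest.startswith('"'):
            continue
        close = rest.rfind('"')
        buf += rest[1:close]              # chunk text between the quotes
        if rest[close + 1:] == ",0":      # ",0" is the terminating NUL
            strings.append(buf)
            buf = ""
    return strings


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Group fragments by how the sample would use them (driver, path, name/title)."""
    groups: Dict[str, List[str]] = {"driver": [], "path_fragment": [], "name_fragment": []}
    for s in strings:
        if s.lower().endswith(".sys"):
            groups["driver"].append(s)
        elif s.startswith("\\") or s.endswith("\\"):
            groups["path_fragment"].append(s)
        else:
            groups["name_fragment"].append(s)
    return groups


def targeted_by(name: str, kill_list: List[str]) -> List[str]:
    """Fragments matching a window title, image name or install path
    (case-insensitive substring match: an assumed, deliberately loose comparison)."""
    low = name.lower()
    return [s for s in kill_list if s.lower() in low]


KILL_LIST = parse_string_dump(DUMP)

if __name__ == "__main__":
    print(classify(KILL_LIST))
    for probe in ("Norton SystemWorks", "Kaspersky Anti-Virus",
                  r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
                  "procexp.exe", "Process Explorer - Sysinternals"):
        print(f"{probe!r:60} -> {targeted_by(probe, KILL_LIST)}")
```

Running the probes shows why the thread's readers found "not one domestic product escapes": generic fragments such as "Anti" and "Virus" match almost any security product's window title, while a tool renamed or launched from an unlisted path (the last probe) slips past, which is the usual first-aid trick for getting an analysis tool open on an infected machine.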

My goodness!!!

Not a single one of the commonly used domestic products is missed.

Either it never runs, or once it does run, heh!!!

What a show.

Thanks for the hard work! Bump.

Expert, everything on my computer is junk anyway, so I chose to reinstall (the idiot-proof one-click GHOST install)...... but annoyingly, after reinstalling it's exactly the same..... anti-virus software and websites still won't open......

The author's updated virus

now traverses the partitions

and generates an autorun.inf and an "8 characters".exe.

The autorun.inf content points at "8 characters".exe,

which means every time you open a partition (D through F) you run the virus once.

So.

Reinstalling a few more times makes no difference.


Solution:

Delete autorun.inf on drives D through F

and that "random 8 characters".exe.


If circumstances allow, reinstall once more and you're done.

This virus isn't hard to deal with; the key part is the "random 8 characters".dll.

It injects into processes, which is hard to spot with ordinary methods.

Actually you don't need to reinstall either: after repairing Safe Mode,

go into the Safe Mode command line

and delete:

C:\Program Files\Common Files\Microsoft Shared\MSINFO\"random 8 characters".dll

then repair the IFEO hijack

and that's it.

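The cleanup steps in this post and in the earlier update (delete autorun.inf and the 8-character .exe in each drive root, then repair the IFEO hijack) can be checked before anything is deleted. The Python below is an added example, not from the thread; it runs offline over constructed data: a made-up autorun.inf whose target name a1b2c3d4.exe is a placeholder for the random name, and a made-up snapshot of Image File Execution Options entries as image-name -> Debugger value. The IFEO `Debugger` value is the real Windows mechanism the post refers to (Windows starts the named Debugger in place of the image); the set of legitimate debugger names is an assumption a defender would tune to their own environment.

```python
import re
from typing import Dict, List

# Constructed sample autorun.inf of the kind the post describes: every launch key
# points at a random 8-character .exe in the drive root. Not captured from the sample.
SAMPLE_AUTORUN = (
    "[AutoRun]\n"
    "open=a1b2c3d4.exe\n"
    "shell\\open\\Command=a1b2c3d4.exe\n"
    "shell\\explore\\Command=a1b2c3d4.exe\n"
    "shellexecute=a1b2c3d4.exe\n"
)

# Constructed IFEO snapshot (image name -> Debugger value), as a defender would export
# it from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
# Two hypothetical hijacks (the post names MSINFO and the dump names notepad.exe) and
# one legitimate entry pointing at a real JIT debugger, for contrast.
SAMPLE_IFEO: Dict[str, str] = {
    "RavMonD.exe": r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\a1b2c3d4.exe",
    "360tray.exe": r"C:\WINDOWS\system32\notepad.exe",
    "iexplore.exe": r'"C:\WINDOWS\system32\vsjitdebugger.exe" -p',
}

# Assumed allow-list of debuggers a Debugger value may legitimately name.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
RANDOM_8 = re.compile(r"^[a-z0-9]{8}\.exe$", re.I)


def _image_name(command: str) -> str:
    """Executable file name from a command line, ignoring quotes, path and arguments."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split()[0] if command else ""
    return command.replace("/", "\\").split("\\")[-1].lower()


def autorun_targets(text: str) -> List[str]:
    """Executables an autorun.inf would launch: open=, shellexecute= and shell\\*\\command=."""
    targets: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if "=" not in stripped or stripped.startswith((";", "[")):
            continue
        key, _, value = stripped.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets


def suspicious_autorun(text: str) -> List[str]:
    """Launch targets that look like the thread's random 8-character dropper name."""
    return [t for t in autorun_targets(text) if RANDOM_8.match(_image_name(t))]


def ifeo_hijacks(ifeo: Dict[str, str]) -> Dict[str, str]:
    """IFEO entries whose Debugger is not a recognised debugger: the keyed image is
    silently replaced by the Debugger program every time it is started."""
    return {image: dbg for image, dbg in ifeo.items() if _image_name(dbg) not in KNOWN_DEBUGGERS}


if __name__ == "__main__":
    print("autorun.inf launches:", suspicious_autorun(SAMPLE_AUTORUN))
    for image, dbg in ifeo_hijacks(SAMPLE_IFEO).items():
        print(f"IFEO hijack: {image} -> {dbg}")
```

On a live machine the IFEO dictionary comes from exporting that registry key and reading each subkey's Debugger value; repairing the hijack means deleting those Debugger values (or the whole subkey) for the flagged images, which is what the post's "repair the IFEO hijack" step amounts to. The 8-character name rule is only an indicator: some legitimate installers use short names, so a hit is a reason to inspect the file (and its matching .dll under MSINFO) against a known-good baseline rather than to delete on sight.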