Rising Kaka Security Forum, Technical Exchange: Suspicious File Exchange

The dreaded mm.exe has mutated yet again, everyone come and analyze it

Virus sample: [attachment]
Not for non-professionals!!!


Screenshots taken after running the virus program: [attachments]


virlist.txt

C:\WINDOWS\SYSTEM32\HBMHLY.DLL
C:\WINDOWS\SYSTEM32\TWAINYY.DLL
C:\WINDOWS\SYSTEM32\WTSAPI32YT2.DLL
C:\WINDOWS\SYSTEM32\LWEURQHX.DLL
C:\WINDOWS\SYSTEM32\DPVVOXMH.DLL
C:\WINDOWS\SYSTEM32\AVICAPWM.DLL
C:\WINDOWS\SYSTEM32\CERTMGRKD.DLL
C:\WINDOWS\SYSTEM32\IMGUTILHX2.DLL
C:\WINDOWS\SYSTEM32\SCRRUNCQSJ.DLL
C:\WINDOWS\SYSTEM32\XOLEHLPJH.DLL
C:\WINDOWS\SYSTEM32\SLBIOPFS2.DLL
C:\WINDOWS\SYSTEM32\BOOTVIDGJ.DLL
C:\WINDOWS\SYSTEM32\NWAPI32DJ.DLL
C:\WINDOWS\SYSTEM32\TSCFGWMIJXSJ.DLL
C:\WINDOWS\SYSTEM32\CLICONFGZX.DLL
C:\WINDOWS\SYSTEM32\ADSNTZT.DLL
C:\WINDOWS\SYSTEM32\DISPEXCB.DLL
C:\WINDOWS\SYSTEM32\DBEAF7DC.DLL
C:\WINDOWS\SYSTEM32\CF8850CD.DLL
C:\PROGRAM FILES\COMMON FILES\PUSHWARE\CPUSH.DLL
C:\WINDOWS\SYSTEM32\WINLIB .DLL
C:\WINDOWS\SYSTEM32\DLLCACHE\WUAUCLT.EXE
C:\WINDOWS\SYSTEM32\WUAUCLT.EXE
C:\PROGRAM FILES\IDNKW\CNUPS.DLL
C:\PROGRAM FILES\IdnKw\cnbho.dll
C:\Program Files\zzToolBar\Toolbar_bho.dll
C:\WINDOWS\SYSTEM32\WRM32.DLL
C:\WINDOWS\SYSTEM32\DRIVERS\ACPIDISK.SYS
C:\WINDOWS\SYSTEM32\AXYOQRX.TMP
C:\WINDOWS\SYSTEM32\BPQCXBOQ.TMP
C:\WINDOWS\SYSTEM32\DBEAF7D.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\ALCXWDM.SYS
C:\WINDOWS\SYSTEM32\E5E3454.SYS

Files deleted: 201

C:\AUTORUN.INF
C:\CXN.PIF
C:\Documents and Settings\1.pif
C:\Documents and Settings\10.pif
C:\Documents and Settings\2.pif
C:\Documents and Settings\3.pif
C:\Documents and Settings\5.pif
C:\Documents and Settings\6.pif
C:\Documents and Settings\9.pif
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Hot.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Logo.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\TBAddr.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\iebar\searchtips.txt
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\iebar\tips.txt
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\Recommend\tips.ini
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\Update\IEBar.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\Update\OLPending.ini
C:\Documents and Settings\Administrator\AUTORUN.INF
C:\Documents and Settings\Administrator\CXN.PIF
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012004091220040913\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\cb_tip[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\hotkey[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\Hot[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\uijs[1].xml
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\update[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DC9U9WZ\Wenwen[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFYRA1I1\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFYRA1I1\config[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFYRA1I1\Paipai[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFYRA1I1\TBAddr[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFYRA1I1\uijs[1].xml
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFYRA1I1\Weather[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRYPS1IJ\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRYPS1IJ\9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRYPS1IJ\IEBar21[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRYPS1IJ\Logo[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRYPS1IJ\QQMail[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9C9WZA7\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9C9WZA7\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9C9WZA7\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9C9WZA7\cb_ver[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9C9WZA7\Shuqian[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9C9WZA7\st_ver[1].txt
C:\Documents and Settings\Administrator\My Documents\1.bmp
C:\Documents and Settings\Administrator\My Documents\2.bmp
C:\Documents and Settings\Administrator\My Documents\3.bmp
C:\Documents and Settings\Administrator\My Documents\4.bmp
C:\Documents and Settings\Administrator\My Documents\all.bmp
C:\Documents and Settings\Administrator\Recent\1.bmp.lnk
C:\Documents and Settings\Administrator\Recent\2.bmp.lnk
C:\Documents and Settings\Administrator\Recent\3.bmp.lnk
C:\Documents and Settings\Administrator\Recent\4.bmp.lnk
C:\Documents and Settings\Administrator\Recent\all.bmp.lnk
C:\Documents and Settings\Administrator\桌面\ds.hiv
C:\Program Files\zzToolBar\IP.dat
C:\Program Files\zzToolBar\SearchEngineConfig
C:\Program Files\zzToolBar\ToolBand.dll
C:\Program Files\zzToolBar\Toolbar_bho.dll
C:\Program Files\zzToolBar\uISGRLFile.dat
C:\Program Files\zzToolBar\Uninstall.exe
C:\RegFromAppHelper.dll
C:\temp.log
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\system32\wingod.dll
C:\新建文件夹\新建文件夹\CXN.PIF
C:\新建文件夹\新建文件夹\LN.PIF



Files modified: 37
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Paipai.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\QQMail.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Shuqian.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Toolbar.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Weather.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQToolbar\buttons\Wenwen.dll
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Administrator\ntuser.dat.LOG
C:\Documents and Settings\Administrator\Recent\pfirewall.log.lnk
C:\Documents and Settings\Administrator\Recent\WINDOWS.lnk
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXlm\lmgrd.51C
C:\Documents and Settings\LocalService\ntuser.dat.LOG
C:\Program Files\Citrix\Licensing\LS\lmgrd_debug.log
C:\WINDOWS\Debug\UserMode\ChkAcc.bak
C:\WINDOWS\Debug\UserMode\ChkAcc.log
C:\WINDOWS\pfirewall.log
C:\WINDOWS\system32\CatRoot2\dberr.txt
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\edb.log
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\dllcache\wuauclt.exe
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\LogFiles\W3SVC1\ex080912.log
C:\WINDOWS\system32\wbem\Logs\wbemcore.log
C:\WINDOWS\system32\wbem\Logs\wmiprov.log
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wuauclt.exe


Malicious plugin URLs:
http://toolbar.soso.com/
http://m.c5x8.com/
http://dr.soso.com/

User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)


Last edited by abido on 2008-09-13 17:49:53
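As an added example (not from the original post and not any vendor's tool), the Python script below triages a host file listing in the format of the virlist.txt above and tags the patterns a responder would look for: genuine SYSTEM32 DLL names with a few characters appended (TWAINYY, WTSAPI32YT2, ADSNTZT, ...), hex-named modules in SYSTEM32, a .SYS sitting directly in SYSTEM32 rather than SYSTEM32\DRIVERS, the same binary touched in both SYSTEM32 and the DLLCACHE Windows File Protection store (WUAUCLT.EXE above, which defeats WFP's restore-from-cache), and an AUTORUN.INF beside a .PIF in the same directory. The sample listing inside the script is a constructed subset of the paths in the post, and the list of genuine DLL stems is an assumption made for illustration, not a complete Windows inventory.

```python
"""Triage a host file listing (like virlist.txt in the post) for the dropper
patterns of this family. Added example; SAMPLE_LISTING is a constructed
subset of the post's paths and KNOWN_STEMS is an assumed illustrative list."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Genuine SYSTEM32 DLL names that the dropped files imitate by appending a
# few characters (TWAIN -> TWAINYY, WTSAPI32 -> WTSAPI32YT2). Assumed list.
KNOWN_STEMS = {"twain", "wtsapi32", "avicap", "certmgr", "imgutil", "scrrun",
               "xolehlp", "bootvid", "nwapi32", "cliconfg", "adsnt", "dispex",
               "slbiop", "tscfgwmi"}
HEX_NAME = re.compile(r"^[0-9a-f]{7,8}$")   # DBEAF7DC.DLL, E5E3454.SYS, ...

# Constructed subset of the paths listed in the post.
SAMPLE_LISTING = r"""
C:\WINDOWS\SYSTEM32\TWAINYY.DLL
C:\WINDOWS\SYSTEM32\WTSAPI32YT2.DLL
C:\WINDOWS\SYSTEM32\DBEAF7DC.DLL
C:\WINDOWS\SYSTEM32\DBEAF7D.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\ACPIDISK.SYS
C:\WINDOWS\SYSTEM32\DLLCACHE\WUAUCLT.EXE
C:\WINDOWS\SYSTEM32\WUAUCLT.EXE
C:\Program Files\zzToolBar\Toolbar_bho.dll
C:\AUTORUN.INF
C:\CXN.PIF
C:\WINDOWS\system32\config\system.LOG
"""


def parse_listing(text):
    """Keep only lines that are absolute Windows paths (drops headers/counts)."""
    return [ln.strip() for ln in text.splitlines() if re.match(r"\s*[A-Za-z]:\\", ln)]


def classify(path):
    """Per-file indicator tags for one path."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    stem, ext = p.stem.strip().lower(), p.suffix.lower()
    in_system32 = parent.endswith("\\system32")
    tags = set()
    if in_system32 and ext in (".dll", ".sys") and HEX_NAME.match(stem):
        tags.add("hex_named_module")
    if in_system32 and ext == ".sys":
        tags.add("driver_outside_drivers_dir")  # legit drivers live in SYSTEM32\DRIVERS
    if in_system32 and ext == ".dll":
        for known in KNOWN_STEMS:
            extra = stem[len(known):]
            if stem.startswith(known) and 1 <= len(extra) <= 4 and extra.isalnum():
                tags.add("decoy_system_dll_name")
    if "bho" in stem or "toolbar" in parent:
        tags.add("browser_toolbar_or_bho")
    if ext == ".pif":
        tags.add("pif_dropper")
    return tags


def cross_file_indicators(paths):
    """Indicators visible only when several paths are seen together."""
    lower = {p.lower() for p in paths}
    findings = []
    # WFP restores a modified system binary from SYSTEM32\DLLCACHE; rewriting
    # both copies defeats that, so the pair is a strong signal.
    for p in lower:
        if "\\system32\\dllcache\\" in p:
            live = p.replace("\\dllcache\\", "\\")
            if live in lower:
                findings.append(("wfp_cache_tamper", PureWindowsPath(live).name))
    # AUTORUN.INF next to a .PIF in the same directory: removable-media spreader.
    by_dir = defaultdict(set)
    for p in lower:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent)].add(wp.name)
    for d, names in by_dir.items():
        if "autorun.inf" in names and any(n.endswith(".pif") for n in names):
            findings.append(("autorun_pif_pair", d))
    return sorted(findings)


def triage(text):
    """Full report: per-file tags (only tagged files) plus cross-file findings."""
    paths = parse_listing(text)
    per_file = {p: sorted(classify(p)) for p in paths}
    return {"files": {p: t for p, t in per_file.items() if t},
            "cross": cross_file_indicators(paths)}


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for path, tags in report["files"].items():
        print(f"{path}: {', '.join(tags)}")
    for kind, detail in report["cross"]:
        print(f"[{kind}] {detail}")
```

Feed it the full deleted/modified lists above (they parse the same way) and the noise entries such as the wbem repository and CatRoot2 files drop out, leaving the dropped modules, the WUAUCLT.EXE pair and the two AUTORUN.INF/CXN.PIF pairs.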

Reply: The dreaded mm.exe variant, everyone come and analyze it


Reply: The dreaded mm.exe has mutated yet again, everyone come and analyze it

Infected hosts send ARP spoofing packets and also make the machine reboot by itself.
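To confirm the ARP spoofing mentioned in this reply from a packet capture, the added Python example below (not from the post) parses raw Ethernet/ARP frames and flags any IP, the gateway above all, that is claimed by more than one MAC, while counting how many replies each MAC sent. The frames are constructed in the script; 192.168.1.1 and the MAC addresses are placeholders.

```python
"""Spot ARP spoofing from raw Ethernet frames: any IP claimed by more than
one MAC (the gateway above all) is a conflict. Added example, not from the
post; the frames and addresses below are constructed placeholders."""
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test frame: 'sender_ip is at sender_mac', sent to target."""
    eth = ETH.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, ip_bytes(sender_ip),
                   target_mac, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if hlen != 6 or plen != 4:           # only Ethernet/IPv4 ARP is handled
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)


def detect_arp_spoofing(frames, gateway_ip):
    """Map each claimed IP to the MACs claiming it; flag IPs with more than one."""
    claims = defaultdict(set)
    replies_per_mac = defaultdict(int)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _op, sha, spa, _tpa = parsed
        claims[spa].add(sha)
        replies_per_mac[sha] += 1
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return {"conflicts": conflicts,
            "gateway_spoofed": gateway_ip in conflicts,
            "replies_per_mac": dict(replies_per_mac)}


# Constructed capture: the real gateway answers once, the infected host
# (placeholder MAC 00:0c:29:aa:bb:cc) claims the gateway's IP to two victims.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = bytes.fromhex("001122334455")
INFECTED_MAC = bytes.fromhex("000c29aabbcc")
VICTIM_MAC = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [
    arp_reply_frame(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),
    arp_reply_frame(INFECTED_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),
    arp_reply_frame(INFECTED_MAC, GATEWAY_IP, bytes.fromhex("00aabbccddef"), "192.168.1.21"),
    arp_reply_frame(VICTIM_MAC, "192.168.1.20", GATEWAY_MAC, GATEWAY_IP),  # benign reply
    ETH.pack(GATEWAY_MAC, VICTIM_MAC, 0x0800) + b"\x45" + b"\x00" * 19,  # IPv4, ignored
]

if __name__ == "__main__":
    print(detect_arp_spoofing(SAMPLE_FRAMES, GATEWAY_IP))
```

On a real LAN the frames would come from a capture (a pcap or a raw socket); the MAC that keeps claiming the gateway's address across many replies is the infected host to pull off the network.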

Reply: The dreaded mm.exe has mutated yet again, everyone come and analyze it

I just want to know why it gets to run in the first place.
Taiwan, it's your mom's sixtieth birthday, she wants you home for dinner.

http://hi.baidu.com/roxiel

Reply: The dreaded mm.exe has mutated yet again, everyone come and analyze it

360 calls it the "Locust Army" (蝗虫军团): it downloads a pile of trojans and keeps popping up ad windows and fake QQ message windows, maddening.

If manual removal is too hard for you, try the latest 360 stubborn-trojan removal tool...
Just passing by...

Reply to post #5 by 超级游戏迷

So it's that HB thing, right?

Didn't Li Tiejun at Kingsoft put out a dedicated removal tool?