首先病毒会创建如下文件
%Windir%\system\MSAPI.DRV
%Windir%\system\MSSETUP.TSK
%Windir%\system\WINDNSAPI.IME
%Windir%\system\MSWINDOW.DRV
病毒文件插入如下系统进程
msApi.drv %Windir%\system\msApi.drv Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1ED0000 - 0x1F1E000


windnsapi.ime %Windir%\system\windnsapi.ime Process name: msmsgs.exe
Process filename: %ProgramFiles%\messenger\msmsgs.exe
Address space: 0x10000000 - 0x1000C000


windnsapi.ime %Windir%\system\windnsapi.ime Process name: sdnsmain.exe
Process filename: %Windir%\dns\sdnsmain.exe
Address space: 0x14E0000 - 0x14EC000


windnsapi.ime %Windir%\system\windnsapi.ime Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 - 0x194C000


注册表文件分析 ，病毒创建了如下注册表键值并修改


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSSYSTEM\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "msSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSSYSTEM\0000]
Service = "msSystem"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "System device driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSSYSTEM]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msSystem\Enum]
0 = "Root\LEGACY_MSSYSTEM\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msSystem\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msSystem]
Type = 0x00000001
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\system\MSSYSTEM.DRV"
DisplayName = "System device driver"
version = "Jun 15 2010"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYSTEM\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "msSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYSTEM\0000]
Service = "msSystem"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "System device driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYSTEM]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msSystem\Enum]
0 = "Root\LEGACY_MSSYSTEM\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msSystem\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msSystem]
Type = 0x00000001
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\system\MSSYSTEM.DRV"
DisplayName = "System device driver"
version = "Jun 15 2010"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
Compatible = "Compatible win32 186.103.69.35"
这个是个百度论坛的朋友用虚拟机启动病毒分析到的！和大版主的分析有出入！！

今天又发现了一个可怕的事情，我拔掉硬盘！然后插入PE启动光盘！然后用PE系统下载文件，前提是单独的网络进行下载 就一台主机 然后下载文件依然会被改变成243K的文件！内存大家想下关闭计算机后 里面数据清空了 没理由还有毒！！主板CIH病毒？但是中毒特征不像？我试过用拨号上网就用猫直接连 或加上路由连接 结果都一样，我想猫没有中毒的例子？难道是电信问题！！迷惑勒！！

电信是出过问题的呀。你换一下宽带连接的DNS试试呢（换成8.8.8.8）

我今晚也中了鬼影(杀毒软件提示的)...暂时没有楼主的厉害...不过我想知道楼主最后是怎样解决你这个难题的...
楼主还看到这贴的话就回一下吧