Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board

Solution for the nasty, perverse worm Worm.Brontok [Recommended]

【Preface】
This is a worm that spreads by e-mail. It drops virus files and modifies registry entries so that it starts automatically at boot. When certain text appears in any window, the computer is also rebooted. The worm automatically collects e-mail addresses found on the user's machine and sends itself out as an attachment.
Three variants of the worm have appeared so far:
Worm.Brontok.a
Worm.Brontok.b
Worm.Brontok.c

【Analysis】
This analysis uses a Windows XP system as the example.

Worm.Brontok launches several suspicious processes under common system-process names (examples below):
C:\Documents and Settings\<username>\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\services.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\smss.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\svchost.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\winlogon.exe

================

Worm.Brontok adds autostart entries (examples below):
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O4 - startup item HKLM\\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\<username>\Local Settings\Application Data\smss.exe"

O4 - Startup: Empty.pif = ?

In particular, Worm.Brontok modifies registry values so that the system launches the malicious program automatically even in Safe Mode, for example:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
AlternateShell = "cmd-brontok.exe"

==============

Worm.Brontok also modifies the registry to:
disable the Registry Editor
disable Folder Options
in order to hide itself and protect itself from removal.

==============

Worm.Brontok modifies C:\Autoexec.bat
(C is the system drive letter)

==============

【Removal reference】

Use a tool that can list system processes to terminate the following processes:
C:\Documents and Settings\<username>\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\services.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\smss.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\svchost.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\winlogon.exe

==============

Fix the following entries with HijackThis:
O4 - startup item HKLM\\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\yexianbin\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

==============

Start -> Run
type regedit
click OK
to open the Registry Editor

Change:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
to:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe

Change:
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\]
AlternateShell = "cmd-brontok.exe"
to:
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\]
AlternateShell = "cmd.exe"

Change:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="0"
to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="1"

Change:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"ShowSuperHidden"="0"
to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"ShowSuperHidden"="1"

Change:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"HideFileExt"="1"
to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"HideFileExt"="0"

Change:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"
to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="0"

Delete the following autostart entries:
[HKLM\software\microsoft\windows\currentversion\run\]
Bron-Spizaetus = "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"

[HKCU\software\microsoft\windows\currentversion\run\]
Tok-Cirrhatus-1464 = "C:\Documents and Settings\<username>\Local Settings\Application Data\br3951on.exe"

[HKCU\software\microsoft\windows\currentversion\run\]
Tok-Cirrhatus = ""

[HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Winlogon\Shell]
Bron-Spizaetus = "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"


================

Empty C:\Autoexec.bat
(C stands for the system drive letter)

===============

Delete the following files:
C:\Documents and Settings\<username>\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\services.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\smss.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\svchost.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\br3951on.exe
C:\Documents and Settings\<username>\Start Menu\Programs\Startup\empty.pif
C:\Documents and Settings\<username>\Templates\WowTumpeh.com
C:\WINDOWS\System32\administrator'ssetting.exe
C:\WINDOWS\System32\cmd-brontok.exe
C:\WINDOWS\KesenjanganSosial.exe
C:\WINDOWS\ShellNew\RakyatKelaparan.exe

Tip:
if the problem cannot be resolved in normal mode,
it is recommended to carry out these steps in Safe Mode.

Also,
this post only offers one method and set of tools for solving the problem;
please do not apply it mechanically.
Last edited 2006-05-27 08:54:18
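As an added example (the editor's, not code from the original post or from Rising), the following read-only PowerShell audit checks the persistence points listed above against the clean values the post gives, and reports any process using one of the listed system-process names that runs from the per-user local data folder instead of the system directory. The AppData\Local path pattern (the Vista and later equivalent of Local Settings\Application Data) is an assumption; everything else comes from the post.

```powershell
# Added example, not from the original post: read-only audit of the Brontok
# persistence points the post lists, compared with the clean values it gives.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Shell';           Expected = 'Explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';                   Name = 'AlternateShell';  Expected = 'cmd.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Expected = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Expected = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegedit';  Expected = 0 }
)
$findings = @()

# 1. Fixed registry values: report any that differ from the clean value in the post.
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }              # value absent: the system default applies
    $actual = $item.($c.Name)
    if ("$actual" -ne "$($c.Expected)") {
        $findings += [pscustomobject]@{ Location = "$($c.Path)\$($c.Name)"; Actual = $actual; Expected = $c.Expected }
    }
}

# 2. Run keys: the post names the entries Bron-Spizaetus and Tok-Cirrhatus (one with a numeric suffix).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $runKeys) {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^(Bron-Spizaetus|Tok-Cirrhatus)') {
            $findings += [pscustomobject]@{ Location = "$run\$($p.Name)"; Actual = $p.Value; Expected = '(absent)' }
        }
    }
}

# 3. Processes with system-process names that run from the per-user local data folder.
#    The XP folder is the one in the post; the AppData\Local form is an assumed Vista+ equivalent.
$names = 'csrss', 'inetinfo', 'services', 'smss', 'svchost', 'lsass', 'winlogon'
foreach ($proc in Get-Process) {
    if ($names -notcontains $proc.Name -or -not $proc.Path) { continue }   # Path is $null when access is denied
    if ($proc.Path -like '*\Local Settings\Application Data\*' -or $proc.Path -like '*\AppData\Local\*') {
        $findings += [pscustomobject]@{ Location = "PID $($proc.Id)"; Actual = $proc.Path; Expected = 'system directory' }
    }
}

if ($findings.Count -eq 0) { 'No Brontok indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so that the HKLM values and the paths of processes in other sessions are readable; it changes nothing, and each finding maps directly to one of the manual steps above.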

Bro, please take a look at my post too~~ thanks
http://forum.ikaka.com/topic.asp?board=28&artid=8075630