I got hit by a new variant of the ANI (艾妮) virus. None of my exe files will open any more, they are all infected. I looked it up online, and the symptoms of the virus are as follows:
Analysis of the new ANI variant MSOSVEXT.EXE / MSOSV.EXE, 2007-04-21 17:47. I got hold of this new variant today and analysed it. Overall it basically continues the earlier behaviour of downloading trojans, infecting files, and so on.
After MSOSV.EXE is run, it drops:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE
C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
C:\WINDOWS\svchost.exe (this one is really just a copy of Notepad, only renamed)
The distinctive feature this time is that it uses this file to infect other files.
It creates a service named Hello Ketty.
The registry entries for the service are as follows:
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ImagePath: "C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE"
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\DisplayName: "TCP/IP Service"
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ObjectName: "LocalSystem"
It launches C:\WINDOWS\svchost.exe to infect exe files on every partition except the system partition.
It launches IE to connect to 59.34.197.169:80 and downloads shift.ini to C:\Program Files\Common Files\Microsoft Shared\Web Folders\
It reads the configuration in shift.ini and downloads the trojans TempA.exe through TempH.exe
into C:\Program Files\Common Files\Microsoft Shared\Web Folders\
They are launched by C:\WINDOWS\svchost.exe.
TempA.exe drops the files 1explore.exe and fyzo0.dll into the temp folder
and, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <0><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1explore.exe> []
TempB.exe drops the files C:\WINDOWS\cmdbcs.exe and C:\Windows\system32\cmdbcs.dll
and, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <cmdbcs><C:\WINDOWS\cmdbcs.exe> []
TempC.exe drops the files iexpl0re.exe and LgSy0.dll into the temp folder
and, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <y9027jwxw><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe> []
TempD.exe drops the files crasos.exe and Msxo0.dll into the temp folder
and, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <sfv><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\crasos.exe> []
TempE.exe drops the files rundl132.exe and Rav20.dll into the temp folder
and, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <dj8q4uzi4><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rundl132.exe> []
TempF.exe drops the files winlog0n.exe and LgSy1.dll into the temp folder
and, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <ghdi3ri><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe> []
TempG.exe fails with an error when run.
TempH.exe drops the files Servera.exe and Kavs0.dll into the temp folder
and, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
adds the registry entry <yyt><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servera.exe> []
It modifies the hosts file by adding a block of some 40 entries that map domains to 127.0.0.1.
It connects to http://temp.longge8.com/boot/long.htm to report infection statistics.
The virus body contains the string myexe.
I have now got it temporarily under control with antivirus software, but the infected exe files still carry the virus and I don't know how to restore them. I don't want to delete all the infected exe files, they are years of accumulated work. Does anyone have a way to restore the exe files??
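Added example, not part of the post above and not code from any analysis tool: a small Python triage routine that parses registry values in the `Key\Name: data` layout quoted in the analysis and flags the persistence pattern it describes, namely an auto-start service whose image lives outside the Windows directory, and Run entries launching from a Temp folder. The sample dump is constructed for this example; the Run lines are restated in that same layout and the `Dhcp` entry is a made-up benign control.

```python
import re
from collections import defaultdict

# Constructed sample in the "Key\Name: data" layout used in the analysis above.
# The Run entries are rewritten into that layout; the Dhcp service is a benign control.
SAMPLE_DUMP = r"""
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ImagePath: "C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE"
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\DisplayName: "TCP/IP Service"
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath: "C:\WINDOWS\system32\svchost.exe -k netsvcs"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\0: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1explore.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cmdbcs: "C:\WINDOWS\cmdbcs.exe"
"""

# One dump line: everything up to the last "\Name: " is the key, the rest is data.
LINE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\:]+): (?P<data>.*)$')
# Paths under a per-user Temp directory (long or 8.3 form).
TEMP_RE = re.compile(r'\\(Temp|LOCALS~1)\\', re.IGNORECASE)

def parse_dump(text):
    """Yield (key, value_name, data) tuples with surrounding quotes stripped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m['key'], m['name'], m['data'].strip('"')

def triage(text):
    """Return (finding, name, path) tuples for the two persistence patterns.

    SERVICE_AUTO_START (0x2) services are grouped by service key and reported when
    their ImagePath is outside C:\\WINDOWS\\; Run values are reported when they
    launch from a Temp folder.  Note that cmdbcs.exe, dropped straight into
    C:\\WINDOWS, passes this path heuristic: path rules are a triage aid, not proof.
    """
    services = defaultdict(dict)
    findings = []
    for key, name, data in parse_dump(text):
        if '\\Services\\' in key:
            services[key.rsplit('\\', 1)[1]][name] = data
        elif key.lower().endswith('\\currentversion\\run') and TEMP_RE.search(data):
            findings.append(('run-from-temp', name, data))
    for svc, vals in services.items():
        auto_start = vals.get('Start', '').lower() == '0x00000002'
        image = vals.get('ImagePath', '')
        if auto_start and not image.lower().startswith('c:\\windows\\'):
            findings.append(('autostart-service', svc, image))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_DUMP):
        print(*finding, sep='\t')
```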