[Original] A small trojan pack

The sample comes from the Jiangmin community.

Trojan packs like this have been very common lately, so I wrote this up to share.

An all-purpose trojan downloader, fairly well made, packed with a tough packer.

Additional Information

File size: 23602 bytes
MD5: 6578f288d64a190956e22056ba73639c
SHA1: 038de7fc0e7499cc57ccbdb6f886443cd78b7aed
CRC32: 29A0A8E2
RIPEMD160: E771D541E11FEC17543FC3C9A8E94E605E054711
Tiger_192: 916239086D96A37DDA67A458AF68BB48F06CD62DA9AB936C

After running, it connects out and downloads the viruses, drops romdrivers.dll into %temp% and installs a system-wide global hook.

It also creates the registry key HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236},

which points to: C:\Program Files\Internet Explorer\romdrivers.dll

Three virus files are created under C:\Program Files\Internet Explorer:

romdrivers.bak  romdrivers.bkk  romdrivers.dll

Each downloaded virus (an EXE file) drops a DLL of the same name and dynamically injects it into processes; there are 13 in total, and they add themselves to the registry Run key for startup.

Finally, it also deletes the hosts file (the domain name resolution file) under %systemroot%\system32\drivers\etc.

Solution:

First, use a cleaning tool to completely empty the temporary folders, then disconnect from the network.

Download the tools SREng, IceSword and PowerRMV.

http://gudugengkekao.ys168.com  (they are in my online drive)

After downloading, put them straight on the desktop and close all unnecessary processes.

Open SREng and delete the following (registry entries):

    <wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe>  []
    <ztsa><C:\DOCUME~1\admin\LOCALS~1\Temp\ztso.exe>  []
    <mhsa><C:\DOCUME~1\admin\LOCALS~1\Temp\mhso.exe>  []
    <fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe>  []
    <jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe>  []
    <wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe>  []
    <wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe>  []
    <wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe>  []
    <qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe>  []
    <rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe>  []
    <wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe>  []
    <tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe>  []
    <dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe>  []


Run IceSword, look up the Explorer modules and forcibly unload:

    [C:\DOCUME~1\admin\LOCALS~1\Temp\woso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\ztso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\mhso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\fyso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\jtso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\wgso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\wlso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\daso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\tlso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\wdso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\rxso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\qjso0.dll]  [N/A, ]
    [C:\DOCUME~1\admin\LOCALS~1\Temp\wmso0.dll]  [N/A, ]

Open PowerRMV and enter the following, one at a time:

C:\Program Files\Internet Explorer\romdrivers.bak

C:\Program Files\Internet Explorer\romdrivers.bkk

C:\Program Files\Internet Explorer\romdrivers.dll

After finishing the steps above, reboot the computer and change your QQ, email, online game and other passwords.

Last edited 2007-05-25 11:21:41
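As an added triage script, not from the original post or from any of the tools it names, the following PowerShell checks a Windows host for the indicators described above (the CLSID key, the three romdrivers files, Run entries launching the xxso.exe payloads from a Temp folder, matching xxso0.dll modules loaded in explorer.exe, and the deleted hosts file) and only reports them. The xxso.exe / xxso0.dll naming pattern is generalised from the 13 entries listed in the post and is an assumption.

```powershell
# Added triage script, not part of the original post: reports indicators, removes nothing.
$findings = @()

# 1. CLSID key the post says the dropper creates, pointing at romdrivers.dll
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}'
if (Test-Path -LiteralPath $clsid) {
    $findings += "CLSID key present: $clsid"
    foreach ($sub in Get-ChildItem -LiteralPath $clsid -Recurse) {
        $default = (Get-ItemProperty -LiteralPath $sub.PSPath).'(default)'
        if ($default -match 'romdrivers') { $findings += "  -> $($sub.PSChildName) = $default" }
    }
}

# 2. The three files dropped under Internet Explorer's folder
$ieDir = Join-Path $env:ProgramFiles 'Internet Explorer'
foreach ($name in 'romdrivers.bak', 'romdrivers.bkk', 'romdrivers.dll') {
    $p = Join-Path $ieDir $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. Run entries launching an xxso.exe payload from a Temp folder
#    (name pattern assumed from the 13 entries listed in the post)
$payload = '(?i)\\Temp\\[a-z]{2}so\.exe'
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $k)) { continue }
    foreach ($v in (Get-ItemProperty $k).PSObject.Properties) {
        if ($v.Name -notlike 'PS*' -and "$($v.Value)" -match $payload) {
            $findings += "Run entry '$($v.Name)' -> $($v.Value)"
        }
    }
}

# 4. Matching xxso0.dll modules injected into explorer.exe
try {
    $explorer = Get-Process explorer -ErrorAction Stop | Select-Object -First 1
    foreach ($m in $explorer.Modules) {
        if ($m.FileName -match '(?i)\\Temp\\[a-z]{2}so0\.dll$') {
            $findings += "Injected module in explorer.exe: $($m.FileName)"
        }
    }
} catch { $findings += "Could not enumerate explorer.exe modules: $($_.Exception.Message)" }

# 5. The hosts file the post says gets deleted
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Test-Path -LiteralPath $hosts)) { $findings += "hosts file missing: $hosts" }

if ($findings.Count -eq 0) { 'No indicators from this post found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM Run key and explorer.exe module list are readable; a hit in section 3 or 4 is the signal to move on to the SREng/IceSword steps above.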

Seems like this one has been around for quite a while.