File: 1102cs12.exe
Size: 38400 bytes
MD5: 3375D8825625C5F94CC65E2775AD3DF7
SHA1: A843F4A4C19A0345E7FA2676D42224382C57C006
CRC32: 7463DA39
Packer: PECompact
Development tool: Delphi
Brief behavior analysis:
Grants its own process the SeDebugPrivilege privilege;
Drops copies of the virus:
%windir%\system32StopAor.exe
%system32%\Contxt.dat
Modifies the registry to break "Show all files and folders":
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue:00000000
Adds a registry autostart entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XMouie :"%windir%\system32StopAor.exe";
Enumerates running processes and attempts to terminate them, and under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ adds image-hijacking (IFEO) values for the following processes, each with "Debugger=%windir%\system32StopAor.exe":
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
adffgh785v.exe
AgentSvr.exe
AoYun.exe
appdllman.exe
AppSvc32.exe
auto.exe
AutoRun.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
cross.exe
Discovery.exe
FileDsty.exe
FTCleanerShell.exe
guangd.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
kernelwind32.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
logogo.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
niu.exe
nod32krn.exe
nod32kui.exe
pagefile.exe
pagefile.pif
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
regedit.Exe
regedit32.Exe
rfwcfg.exe
RfwMain.exe
rfwProxy.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
SDGames.exe
servet.exe
shcfg32.exe
SmartUp.exe
sos.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
taskmgr.exe
TNT.Exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
TxoMoU.Exe
UFO.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE
WoptiClean.exe
Wsyscheck.exe
XP.exe
zxsweep.exe
~.exe
Closes windows whose titles contain the following strings:
FireWall
Virus
Anti
超级巡警
NOD32
Sniffer
DeBug
Fetches its own download list (a text file) from the network, downloads further viruses/trojans and runs them under %Documents and Settings%:
http://txt.50nb.com/update/update.txt
Download list:
Manual removal steps:
Download IceSword (冰刃):
http://www.onlinedown.net/soft/53325.htm;
Rename the file before running it; in the process list, find the process of the original file and system32StopAor.exe and terminate them;
Delete the files:
%windir%\system32StopAor.exe
%system32%\Contxt.dat
Delete the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XMouie
Repair the IFEO image hijacks (many tools can do this);
Modify the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue:00000001
Note: %System32% is a variable path. The virus queries the operating system to determine the current location of the System folder.
%Windir%: the directory where Windows is installed
%DriveLetter%: the root directory of a logical drive
%ProgramFiles%: the default installation directory for programs
%HomeDrive%: the partition holding the currently booted system
%Documents and Settings%: the root of the current user's profile directory
%Temp%: \Documents and Settings\[current user]\Local Settings\Temp
%System32%: the system's System32 folder
On Windows 2000/NT the default installation path is C:\Winnt\System32
On Windows 95/98/Me the default installation path is C:\Windows\System
On Windows XP the default installation path is C:\Windows\System32
Also: this method does not clean up the other trojans that were downloaded and run;
User system info: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; MAXTHON 2.0)
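The manual steps above can be checked (and, once the dropped process has been terminated, reverted) from an elevated PowerShell prompt. The script below is an added example and is not part of the original report; it only looks for the registry values and files the report names. It assumes the registry provider paths shown, that %system32% resolves to $env:windir\System32 (per the note on variable paths), and that the file name StopAor.exe is what the IFEO Debugger values point at. Without -Remediate it only reports.

```powershell
# Added example (not from the original report): audit the registry and file
# indicators listed in the analysis above; revert them with -Remediate.
[CmdletBinding()]
param([switch]$Remediate)

$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$runPol  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$dropped = 'StopAor.exe'   # file name taken from the report; any Debugger value containing it is flagged

$findings = @()

# 1. IFEO "Debugger" values that redirect security tools to the dropped file
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -like "*$dropped*") {
        $findings += [pscustomobject]@{ Location = $sub.PSChildName; Value = "Debugger=$dbg" }
        if ($Remediate) { Remove-ItemProperty -Path $sub.PSPath -Name Debugger }
    }
}

# 2. Policy Run autostart entry "XMouie"
$run = Get-ItemProperty -Path $runPol -Name XMouie -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Location = $runPol; Value = "XMouie=$($run.XMouie)" }
    if ($Remediate) { Remove-ItemProperty -Path $runPol -Name XMouie }
}

# 3. "Show all files and folders" CheckedValue forced to 0
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) {
    $findings += [pscustomobject]@{ Location = $showAll; Value = "CheckedValue=$cv" }
    if ($Remediate) { Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord }
}

# 4. Dropped files (assumption: %system32% maps to $env:windir\System32)
foreach ($f in @("$env:windir\system32StopAor.exe", "$env:windir\System32\Contxt.dat")) {
    if (Test-Path -Path $f) {
        $findings += [pscustomobject]@{ Location = $f; Value = 'file present' }
        # Deletion fails while the process is still running; terminate it first as the steps say.
        if ($Remediate) { Remove-Item -Path $f -Force -ErrorAction Continue }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from the report were found.' }
```

Run it once without -Remediate to see what is present, terminate the running copy as the steps describe, then run it with -Remediate; a second audit run should report nothing. As the report itself notes, this does not address any additional trojans fetched from the download list.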