瑞星卡卡安全论坛技术交流区反病毒/反流氓软件论坛 【原创】一个变态的病毒—杀软终结者

1   1  /  1  页   跳转

【原创】一个变态的病毒—杀软终结者

收藏
孤独更可靠
头像
锋芒艾服狮
  • 帖子:1788
  • 注册: 2007-01-27
  • 来自:
发表于: 2007-04-27 13:53 | 显示全部 短消息 资料
字号: 1楼

【原创】一个变态的病毒—杀软终结者

幕:

样本来自http://teyqiu.5d6d.com/index.php

崔衍渠崔兄的BBS,呵呵

该病毒“功能强大”,中此病毒者除非有相关经验,不然只能重装,这点,我完全没有夸张

============================================

病毒信息:

File size: 33366 bytes
MD5: 203916db6ac014469b61e3b2c2b28ef9
SHA1: 88eb6f47596348193d0a4e91d8ec4ea556252b6d
packers: UPX
packers: UPX
packers: UPX, BINARYRES
编写语言:Delphi


这个用UPX压缩壳的,其实是加了4次壳,大小33366 bytes


脱掉“马甲”后:

File size: 138752 bytes
MD5: ccfe778901a76663416f8ad175fe886b
SHA1: cdb9c25872b6338ba170a5f788955bf8129d2ce6
packers: BINARYRES
编写语言:Delphi

======================================

Avast 4.7.981.0 04.26.2007 Win32:OnLineGames-LX
AVG 7.5.0.464 04.26.2007 PSW.Generic3.XYS
F-Secure 6.70.13030.0 04.27.2007 Trojan-PSW.Win32.OnLineGames.mu
Kaspersky 4.0.2.24 04.26.2007 Trojan-PSW.Win32.OnLineGames.mu
McAfee 5018 04.26.2007 PWS-Hook
NOD32v2 2222 04.26.2007 a variant of Win32/PSW.Delf.VL

................不一一指出了.


=========================================

病毒行为:

1、修复注册表RUN项实现开机启动

2、按汇编显示还注册为服务项,不过我在影子系统里没有实现。

3、释放的病毒dll动态插入进程,拦截API挂杀软(这点最麻烦)

4、破坏安全模式、修改“显示隐藏文件”

==========================================

病毒分析:

先进行反汇编,大概了解了差不多情况,然后运行之




释放8位随机字母,我这里生成的是04B0A72E.dll,点确定后(插入Explorer进程后,瑞星监控挂。。。






遍历进程,试图插入"TIMPlatform.exe"和"Explorer.exe",汇编看的,不过不能验证,只插入了"Explorer.exe"
随即利用宿主Explorer进行反弹连接,下载木马用的,因为这时候防火墙没任何反映。。
嘿嘿,SSM一个不漏,看下图:






然后下载病毒,也试图插进程,被我阻止了,呵呵,懒的和它纠缠(不是主角)



然后开始工作。。



修改AVG驱动项的启动方式,设置为Disabled。。。
其他亦然,被修改的包括我电脑上所安装的杀软和防火墙,全部禁用。。。
还随便挂了XP自带的防火墙,呵呵(汇编看的,由于是2K系统,无法验证)





随后检查RUN启动项,删除安全工具的启动项。。

还过卡吧。。挂。。








这比较重要,这工作是由04B0A72E.dll完成的

尝试关闭几乎所有安全工具..





利用IFEO重定向;。。。。

劫持项包括:

(+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
    (+)(注册表键) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
      (+)(注册表值) Debugger = REG_SZ, "C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat"
       

全部都指向:C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\04B0A72E.dat

。。。。。。。。。。。为了不浪费版面,就写出一部分。




最后还“顺便”挂了江民杀软。。



看看它还干了什么:












上面大概就是它做的了,来看下解决方法,比较简单

先显示隐藏文件,把下面的东西,弄到记事本,用reg导入注册表:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="显示所有文件和文件夹"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"



然后下载强制删除工具,这里推荐Killbox或PowerRmv

填入C:\Program Files\Common Files\Microsoft Shared\MSINFO\04B0A72E.dll

后面的数字随机的,自己看着办,这时候干掉后,所有的安全工具都可以运行,然后再下载个autoruns,删除IFEO劫持




修复安全模式:



进入注册表查找04B0A72E.dll和04B0A72E.dat,,有的话,全部删除

最后清理下遗留的

例如:

HKEY_CLASSES_ROOT\CLSID\{0A7204B0-04B0-A72E-B0A7-4B0724B0A72E}\InProcServer32
REG_SZ, "C:\Program Files\Common Files\Microsoft Shared\MSINFO\04B0A72E.dll











还有个同名的帮助文件,呵呵,也一起删除,在Help目录下
好了,到这里完美解决这个病毒,其他遗留下的项目可以通过修复杀软进行查杀,建议再用注册表修复器修复!

呵呵,乱乱的,懒得整理了,很抱歉


最后编辑2007-05-12 11:36:09
分享到:
gototop
 
孤独更可靠
头像
锋芒艾服狮
  • 帖子:1788
  • 注册: 2007-01-27
  • 来自:
发表于: 2007-04-27 13:54 | 显示全部 短消息 资料
字号: 2楼

自己沙发个

呵呵

好累啊,忙了一早上,休息下

别拍砖啊..
gototop
 
孤独更可靠
头像
锋芒艾服狮
  • 帖子:1788
  • 注册: 2007-01-27
  • 来自:
发表于: 2007-04-27 16:13 | 显示全部 短消息 资料
字号: 3楼

中午因为要忙其他事情,就分析出一部分

其实很有很多"功能"未展示

编病毒的目的很明确

只要挂杀软和安全工具为主

在汇编里还发现拦截瑞星修改注册表监控的函数

发送"允许"命令

最后最狠的一招是,挂防火墙的方法

修改rwf.ini修改日期,然后瑞星防火墙跳出序列号过期

然后自动退出

清除方法我试过了很多,包括P处理和Unlocker等

最后弄个简单的处理方法就OK了
gototop
 
孤独更可靠
头像
锋芒艾服狮
  • 帖子:1788
  • 注册: 2007-01-27
  • 来自:
发表于: 2007-04-27 16:33 | 显示全部 短消息 资料
字号: 4楼

别...
置顶..

无聊弄的玩的

还有,我分析的是SSM,不是Tiny

呵呵
gototop
 
孤独更可靠
头像
锋芒艾服狮
  • 帖子:1788
  • 注册: 2007-01-27
  • 来自:
发表于: 2007-05-02 12:50 | 显示全部 短消息 资料
字号: 5楼

作者又更新了

增加了遍历分区生成autorun.inf和随机组成的8位数字的病毒

跟上次差不多,带了2次UPX壳

脱壳后瑞星仍无法杀...  - -


尝试关闭相当多的安全软件,使用IFEO重定向劫持

破坏安全模式\修改隐藏文件

注入Eplorer反弹连接等等


几乎所有安全杀软都无法打开


解决方法:

1\修复被破坏的安全模式,也可以找注册表导入

2\进入安全模式DOS模式

输入:

Del C:\Program Files\Common Files\Microsoft Shared\MSINFO\????????.dll

还有dat  chm  ==
....

然后重启下,再清理下剩下的....


尝试关闭窗口字体如下:

00406228  ascii  "Anti",0
00406238  ascii  "Virus",0
00406248  ascii  "Trojan",0
00406258  ascii  "Firewall",0
0040626C  ascii  "\Kaspersky",0
00406280  ascii  "\JiangMin\",0
00406294  ascii  "\KV200",0
004062A4  ascii  ".kxp",0
004062B4  ascii  "\Rising\",0
004062C8  ascii  "\RAV\",0
004062D8  ascii  "\RFW\",0
004062E8  ascii  "\KAV200",0
004062F8  ascii  "\KAV6",0
00406308  ascii  "McAfe",0
00406318  ascii  "\Network Associa"
00406328  ascii  "tes\",0
00406338  ascii  "\TrustPort",0
0040634C  ascii  "Norton",0
0040635C  ascii  "Symantec",0
00406370  ascii  "\SYMANT~1\",0
00406384  ascii  "Norton SystemWor"
00406394  ascii  "ks",0
004063A0  ascii  "\ESET\",0
004063B0  ascii  "\Grisoft\",0
004063C4  ascii  "\F-Pro",0
004063D4  ascii  "\Alwil Software\"
004063E4  ascii  0
004063F0  ascii  "\ALWILS~1\",0
00406404  ascii  "F-Secure",0
00406418  ascii  "\ArcaBit\",0
0040642C  ascii  "\Softwin\",0
00406440  ascii  "\ClamWin\",0
00406454  ascii  "\DrWe",0
00406464  ascii  "\Fortine",0
00406478  ascii  "anda Software\",0
00406490  ascii  "\Vba3",0
004064A0  ascii  "\Trend Micro\",0
004064B8  ascii  "\QUICKH~1\",0
004064CC  ascii  "\TRENDM~1\",0
004064E0  ascii  "Quick Heal",0
004064F4  ascii  "\eSaf",0
00406504  ascii  "ewido",0
00406514  ascii  "\Prevx1\",0
00406528  ascii  "ers\avg",0
00406538  ascii  "\Ikarus\",0
0040654C  ascii  "Sopho",0
0040655C  ascii  "Sunbelt",0
0040656C  ascii  "PC-cilli",0
00406580  ascii  "\ZoneAlar",0
00406594  ascii  "\Agnitum\",0
004065A8  ascii  "WinAntiVirus",0
004065C0  ascii  "\AhnLab",0
004065D0  ascii  "\Norma",0
004065E0  ascii  "surfsecret",0
004065F4  ascii  "\Bullguard\",0
00406608  ascii  "BlackICE",0
0040661C  ascii  "Armor2net",0
00406630  ascii  "\360safe\",0
00406644  ascii  "\SkyNet\",0
00406658  ascii  "Micropoint",0
0040666C  ascii  "Iparmor",0
0040667C  ascii  "\ftc\",0
0040668C  ascii  "\mmjk2007\",0
004066A0  ascii  "\Antiy Labs\",0
004066B8  ascii  "\LinDirMicro Lab"
004066C8  ascii  "\",0
004066D4  ascii  "\Filseclab\",0
004066E8  ascii  "\ast\",0
004066F8  ascii  "System Safety Mo"
00406708  ascii  "nitor",0
00406718  ascii  "ProcessGuard",0
00406730  ascii  "\FengYun\",0
00406744  ascii  "\Lavasoft\",0
00406758  ascii  "\NOD3",0
00406768  ascii  "\mmsk",0
00406778  ascii  "\The Cleaner\",0
00406790  ascii  "\Defendio",0
004067A4  ascii  "\kis6",0
004067B4  ascii  "Behead",0
004067C4  ascii  "sreng",0
004067D4  ascii  "IceSword",0
004067E8  ascii  "HijackThis",0
004067FC  ascii  "killbox",0
0040680C  ascii  "procexp",0
0040681C  ascii  "\Magicset",0
00406830  ascii  "EQSysSecure",0
00406844  ascii  "ProSecurity",0
00406858  ascii  "\Yahoo!\",0
0040686C  ascii  "\Google\",0
00406880  ascii  "\baidu\",0
00406890  ascii  "\P4P\",0
004068A0  ascii  "\Sogou PXP\",0
004068B4  ascii  "yaskp.sys",0
004068C8  ascii  "BDGuard.sys",0
004068F0  ascii  "木马",0
00406900  ascii  "KSysFilt.sys",0
00406918  ascii  "KSysCall.sys",0
00406930  ascii  "\AVK",0
00406940  ascii  "\K7",0
0040694C  ascii  "\Zondex\",0
00406960  ascii  "\blcorp\",0
00406974  ascii  "\Tiny Firewall P"
00406984  ascii  "ro\",0
00406990  ascii  "\Jetico\",0
004069A4  ascii  "\HAURI\",0
004069B4  ascii  "\CA\",0
004069C4  ascii  "\kmx",0
004069D4  ascii  "\PCClear_Plus\",0
004069EC  ascii  "\Novatix\",0
00406A00  ascii  "\Ashampoo\",0
00406A14  ascii  "\WinPatrol\",0
00406A28  ascii  "\Spy Cleaner Gol"
00406A38  ascii  "d\",0
00406A44  ascii  "\CounterSpy\",0
00406A5C  ascii  "\EagleEyeOS",0
00406A70  ascii  "\Webroot\",0
00406A84  ascii  "\BufferZone",0
00406A98  ascii  "x0w2e3t6m9",0
00406AAC  ascii  "avp",0
00406AB8  ascii  "AgentSvr",0
00406ACC  ascii  "CCenter",0
00406ADC  ascii  "Rav",0
00406AE8  ascii  "RavMonD",0
00406AF8  ascii  "RavStub",0
00406B08  ascii  "RavTask",0
00406B18  ascii  "rfwcfg",0
00406B28  ascii  "rfwsrv",0
00406B38  ascii  "RsAgent",0
00406B48  ascii  "Rsaupd",0
00406B58  ascii  "runiep",0
00406B68  ascii  "SmartUp",0
00406B78  ascii  "FileDsty",0
00406B8C  ascii  "RegClean",0
00406BA0  ascii  "360tray",0
00406BB0  ascii  "360Safe",0
00406BC0  ascii  "360rpt",0
00406BD0  ascii  "kabaload",0
00406BE4  ascii  "safelive",0
00406BF8  ascii  "Ras",0
00406C04  ascii  "KASMain",0
00406C14  ascii  "KASTask",0
00406C24  ascii  "KAV32",0
00406C34  ascii  "KAVDX",0
00406C44  ascii  "KAVStart",0
00406C58  ascii  "KISLnchr",0
00406C6C  ascii  "KMailMon",0
00406C80  ascii  "KMFilter",0
00406C94  ascii  "KPFW32",0
00406CA4  ascii  "KPFW32X",0
00406CB4  ascii  "KPFWSvc",0
00406CC4  ascii  "KWatch9x",0
00406CD8  ascii  "KWatch",0
00406CE8  ascii  "KWatchX",0
00406CF8  ascii  "TrojanDetector",0
00406D10  ascii  "UpLive.EXE",0
00406D24  ascii  "KVSrvXP",0
00406D34  ascii  "KvDetect",0
00406D48  ascii  "KRegEx",0
00406D58  ascii  "kvol",0
00406D68  ascii  "kvolself",0
00406D7C  ascii  "kvupload",0
00406D90  ascii  "kvwsc",0
00406DA0  ascii  "UIHost",0
00406DB0  ascii  "IceSword",0
00406DC4  ascii  "iparmo",0
00406DD4  ascii  "mmsk",0
00406DE4  ascii  "adam",0
00406DF4  ascii  "MagicSet",0
00406E08  ascii  "PFWLiveUpdate",0
00406E20  ascii  "SREng",0
00406E30  ascii  "WoptiClean",0
00406E44  ascii  "scan32",0
00406E54  ascii  "shcfg32",0
00406E64  ascii  "mcconsol",0
00406E78  ascii  "HijackThis",0
00406E8C  ascii  "mmqczj",0
00406E9C  ascii  "Trojanwall",0
00406EB0  ascii  "FTCleanerShell",0
00406EC8  ascii  "loaddll",0
00406ED8  ascii  "rfwProxy",0
00406EEC  ascii  "KsLoader",0
00406F00  ascii  "KvfwMcl",0
00406F10  ascii  "autoruns",0
00406F24  ascii  "AppSvc32",0
00406F38  ascii  "ccSvcHst",0
00406F4C  ascii  "isPwdSvc",0
00406F60  ascii  "symlcsvc",0
00406F74  ascii  "nod32kui",0
00406F88  ascii  "avgrssvc",0
00406F9C  ascii  "RfwMain",0
00406FAC  ascii  "KAVPFW",0
00406FBC  ascii  "Iparmor",0
00406FCC  ascii  "nod32krn",0
00406FE0  ascii  "PFW",0
00406FEC  ascii  "RavMon",0
00406FFC  ascii  "KAVSetup",0
00407010  ascii  "NAVSetup",0
00407024  ascii  "SysSafe",0
00407034  ascii  "QHSET",0
00407044  ascii  "zxsweep",0
00407054  ascii  "AvMonitor",0
00407068  ascii  "UmxCfg",0
00407078  ascii  "UmxFwHlp",0
0040708C  ascii  "UmxPol",0
0040709C  ascii  "UmxAgent",0
004070B0  ascii  "UmxAttachment",0
004070C8  ascii  "KPFW32",0
004070D8  ascii  "KPFW32X",0
004070E8  ascii  "KvXP_1",0
004070F8  ascii  "KVMonXP_1",0
0040710C  ascii  "KvReport",0
00407120  ascii  "KVScan",0
00407130  ascii  "KVStub",0
00407140  ascii  "KvXP",0
00407150  ascii  "KVMonXP",0
00407160  ascii  "KVCenter",0
00407174  ascii  "TrojDie",0
00407184  ascii  "avp.com",0
00407194  ascii  "KRepair.COM",0
004071A8  ascii  "KaScrScn.SCR",0
004071C0  ascii  "\Program Files\",0
004071D8  ascii  "\system32\notepa"
004071E8  ascii  "d.exe",0
004071F8  ascii  "00002338",0
0040720C  ascii  "0EAD7EAA",0
00407220  ascii  "06E3DD06",0
00407234  ascii  "A1D29050",0
00407248  ascii  "85228E60",0
0040725C  ascii  "  ",0
00407268  ascii  "Trojan",0
00407278  ascii  "Virus",0
00407288  ascii  "kaspersky",0
0040729C  ascii  "jiangmin",0
004072B0  ascii  "rising",0
004072C0  ascii  "ikaka",0
004072D0  ascii  ".duba.",0
004072E0  ascii  "kingsoft",0
004072F4  ascii  "360safe",0
00407304  ascii  "木马",0
00407314  ascii  "木馬",0
004073C8  ascii  "瑞星",0
004073DC  ascii  "社区",0
00407414  ascii  "社区",0
00407435  ascii  "褚馊砑?,0
0040744B  ascii  "ト砑?,0
004075A8  ascii  "KvNative",0
004075BC  ascii  "bsmain",0
004075CC  ascii  "aswBoot",0


........


可惜的是传播手段还不大成熟..

注意修复系统漏洞..
gototop
 
孤独更可靠
头像
锋芒艾服狮
  • 帖子:1788
  • 注册: 2007-01-27
  • 来自:
发表于: 2007-05-12 11:30 | 显示全部 短消息 资料
字号: 6楼

作者更新后的病毒

增加遍历分区

生成auroun.inf和"8个字符".exe

autorun.inf内容指向"8个字符".exe

意味着你每打开一次分区(D-F)就是运行一次病毒

so.

再重装几次也一样


解决方法:

删除D-F盘的autorun.inf

和那个"随机8个字符".exe


如果条件运行的话,再重装下,OK

这病毒并不难搞,重点是个"随机8个字符".dll

插进程的,用常规方法很难发觉

其实也不用重装,修复安全模式后

进安全模式DOS命令行

删除:

C:\Program Files\Common Files\Microsoft Shared\MSINFO\"随机8个字符".dll

然后修复IFEO劫持

就可以了
gototop
 
<<上一主题|下一主题>>
1   1  /  1  页   跳转
页面顶部
Powered by Discuz!NT