听艾玛说艾尼又出变种咯 找他要了下载地址 看了下
感觉就是这玩意下载的木马越来越多了
文件名:table.exe
Size: 10752 bytes
MD5: D79012607DD9C30A480886DC97E74138
SHA1: 3B177D9D063556C9102AC7452A7637F65D02F08C
CRC32: 1008F376
释放
C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE
C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
C:\Windows\svchost.exe(就是记事本)
创建服务HKLM\SYSTEM\CurrentControlSet\Services\Hello World
服务涉及的注册表项目:
HKLM\SYSTEM\ControlSet001\Services\Hello World\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00
14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00
00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00
FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00
00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00
00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\Hello World\Type: 0x00000010
HKLM\SYSTEM\ControlSet001\Services\Hello World\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\Hello World\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\Hello World\ImagePath: "C:\Program Files\Common Files\Microsoft
Shared\Web Folders\MSOSV.EXE"
HKLM\SYSTEM\ControlSet001\Services\Hello World\DisplayName: "局域网通讯协议"
HKLM\SYSTEM\ControlSet001\Services\Hello World\
ObjectName: "LocalSystem"
启动C:\Windows\svchost.exe感染文件
启动IE连接59.34.197.169:80下载木马 首先下载一个shift.ini 然后跟据这个配置文件再去下载木马
下载的木马分别为TempA.exe~TempM.exe到C:\Program Files\Common Files\Microsoft Shared\Web Folders文件夹
下
各个文件释放的木马如下
TempA: C:\WINDOWS\Sysfy3
TempB: C:\WINDOWS\Exprer.exe和C:\WINDOWS\system32\Exprer.dll
TempC: C:\WINDOWS\SysJT3
TempD: C:\WINDOWS\system32\SysJ2
TempE: 临时文件夹下的crasos.exe和LgSy0.dll
TempF: 临时文件夹下的iexpl0re.exe和Msxo0.dll
TempG: C:\WINDOWS\SysSun2
TempH: C:\WINDOWS\system32\nwiztlbb.exe和C:\WINDOWS\system32\nwiztlbb.dll
TempI: C:\WINDOWS\system32\nwizAskTao.exe和C:\WINDOWS\system32\nwizAskTao.dll
TempJ: C:\WINDOWS\Syswl3
TempK: C:\WINDOWS\Syswm7
TempL: C:\WINDOWS\Syssj5
TempM: 临时文件夹下的Servera.exe和Kavs0.dll
修改hosts文件
sreng日志表现如下
启动项目
<q24d5hrzvmd7s><C:\DOCUME~1\用户名\LOCALS~1\Temp\iexpl0re.exe> []
<3tt6buug><C:\DOCUME~1\用户名\LOCALS~1\Temp\crasos.exe> []
<ie4feh2wwxs1q><C:\DOCUME~1\用户名\LOCALS~1\Temp\Servera.exe> []
<fy><C:\WINDOWS\Sysfy3\svchost.exe> []
<JT><C:\WINDOWS\SysJT3\svchost.exe> []
<J2><C:\WINDOWS\system32\SysJ2\svchost.exe> []
<sun><C:\WINDOWS\SysSun2\svchost.exe> []
<wl><C:\WINDOWS\Syswl3\svchost.exe> []
<wm><C:\WINDOWS\Syswm7\svchost.exe> []
<sj><C:\WINDOWS\Syssj5\svchost.exe> []
<Exprer><C:\WINDOWS\Exprer.exe> []
<nwiztlbb><C:\WINDOWS\system32\nwiztlbb.exe> []
<nwizAskTao><C:\WINDOWS\system32\nwizAskTao.exe> []
服务
[局域网通讯协议 / Hello World][Stopped/Auto Start]
<C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE><N/A>
进程
HOSTS 文件
[C:\WINDOWS\Sysfy3\Ghook.dll] [N/A, ]
[C:\WINDOWS\system32\SysJ2\Ghook.dll] [N/A, ]
[C:\WINDOWS\SysJT3\Ghook.dll] [N/A, ]
[C:\DOCUME~1\用户名\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\WINDOWS\system32\Exprer.dll] [N/A, ]
[C:\WINDOWS\SysSun2\Ghook.dll] [N/A, ]
[C:\WINDOWS\Syswm7\Ghook.dll] [N/A, ]
[C:\WINDOWS\Syswl3\Ghook.dll] [N/A, ]
[C:\WINDOWS\Syssj5\Ghook.dll] [N/A, ]
[C:\DOCUME~1\用户名\LOCALS~1\Temp\Kavs0.dll] [N/A, ]
[C:\DOCUME~1\用户名\LOCALS~1\Temp\Msxo1.dll] [N/A, ]
HOSTS 文件
127.0.0.1 localhost
127.0.0.1 mmm.caifu18.net
127.0.0.1 www.18dmm.com
127.0.0.1 d.qbbd.com
127.0.0.1 www.5117music.com
127.0.0.1 www.union123.com
127.0.0.1 www.wu7x.cn
127.0.0.1 www.54699.com
127.0.0.1 www1.6tan.com
127.0.0.1 www2.6tan.com
127.0.0.1 www.97725.com
127.0.0.1 down.97725.com
127.0.0.1 ip.315hack.com
127.0.0.1 ip.54liumang.com
127.0.0.1 www.41ip.com
127.0.0.1 xulao.com
127.0.0.1 www.heixiou.com
127.0.0.1 www.9cyy.com
127.0.0.1 www.hunll.com
127.0.0.1 www.down.hunll.com
127.0.0.1 do.77276.com
127.0.0.1 www.baidulink.com
127.0.0.1 adnx.yygou.cn
127.0.0.1 222.73.220.45
127.0.0.1 www.f5game.com
127.0.0.1 www.guazhan.cn
127.0.0.1 wm,103715.com
127.0.0.1 www.my6688.cn
127.0.0.1 i.96981.com
127.0.0.1 d.77276.com
127.0.0.1 www1.cw988.cn
127.0.0.1 cool.47555.com
127.0.0.1 www.asdwc.com
127.0.0.1 55880.cn
127.0.0.1 61.152.169.234
127.0.0.1 cc.wzxqy.com
127.0.0.1 www.54699.com
127.0.0.1 t.gcuj.com
127.0.0.1 www.puma163.com
127.0.0.1 ceoww.com
127.0.0.1 boolom.com
127.0.0.1 adult-novel.cn
127.0.0.1 ll.chinasese.net
127.0.0.1 www.tellumore.com
127.0.0.1 www.o1wg.com
127.0.0.1 www.qq756.com
127.0.0.1 ll.chinasese.net
清除方法:安全模式下(开机后不断 按F8键 然后出来一个高级菜单 选择第一项 安全模式 进入系统)
注意 操作过程中不要点击除系统分区外的exe文件
打开sreng 启动项目 注册表 删除如下项目
<q24d5hrzvmd7s><C:\DOCUME~1\用户名\LOCALS~1\Temp\iexpl0re.exe> []
<3tt6buug><C:\DOCUME~1\用户名\LOCALS~1\Temp\crasos.exe> []
<ie4feh2wwxs1q><C:\DOCUME~1\用户名\LOCALS~1\Temp\Servera.exe> []
<fy><C:\WINDOWS\Sysfy3\svchost.exe> []
<JT><C:\WINDOWS\SysJT3\svchost.exe> []
<J2><C:\WINDOWS\system32\SysJ2\svchost.exe> []
<sun><C:\WINDOWS\SysSun2\svchost.exe> []
<wl><C:\WINDOWS\Syswl3\svchost.exe> []
<wm><C:\WINDOWS\Syswm7\svchost.exe> []
<sj><C:\WINDOWS\Syssj5\svchost.exe> []
<Exprer><C:\WINDOWS\Exprer.exe> []
<nwiztlbb><C:\WINDOWS\system32\nwiztlbb.exe> []
<nwizAskTao><C:\WINDOWS\system32\nwizAskTao.exe> []
“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”,
选中以下项目,点“删除服务”,再点“设置”,在弹出的框中点“否”:
局域网通讯协议 / Hello World
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(
推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
然后删除
C:\WINDOWS\system32\SysJ2文件夹
C:\WINDOWS\Sysfy3文件夹
C:\WINDOWS\SysJT3文件夹
C:\WINDOWS\Syssj5文件夹
C:\WINDOWS\SysSun2文件夹
C:\WINDOWS\Syswl3文件夹
C:\WINDOWS\Syswm7文件夹
C:\WINDOWS\system32\Exprer.dll
C:\WINDOWS\system32\nwizAskTao.dll
C:\WINDOWS\system32\nwizAskTao.exe
C:\WINDOWS\system32\nwiztlbb.dll
C:\WINDOWS\system32\nwiztlbb.exe
C:\WINDOWS\Exprer.exe
清空 C:\DOCUME~1\用户名\LOCALS~1\Temp
使用反病毒软件全盘扫描修复被感染的exe文件
