USB drive: vista.exe, Test.exe, Worm.Win32.Downloader.er
File name: vista.exe
File size: 53248 bytes
AV names:
Kaspersky (Worm.Win32.Downloader.er)
NORMAN (W32/OnLineGames.AIOR)
AVG (PSW.OnlineGames.ACHY)
Packer: none
Written in: Borland Delphi 6.0 - 7.0
File MD5: 718c11e8636d34eef2545f0004017f4b
Behaviour:
1. Drops copies of the virus:
C:\WINDOWS\system32\Flower.dll 609KB
C:\WINDOWS\system32\a.jpg 1KB
C:\WINDOWS\system32\vista.exe 54KB
C:\WINDOWS\system32\config\systemprofile\vista.exe 54KB
2. Adds a registry entry so that it runs at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Registry value: Shebe
Type: REG_SZ
Value: C:\windows\system32\vista.exe
3. Invokes IE to visit http://**.196462035.cn/xiazai/tj.asp and fetch a download list.
4. Downloads trojans from the URLs in that list:
Saved as:
C:\Documents and Settings\taga.exe
C:\Documents and Settings\tagb.exe
C:\Documents and Settings\tagc.exe
C:\Documents and Settings\tagd.exe
C:\Documents and Settings\tage.exe
C:\Documents and Settings\tagf.exe
C:\Documents and Settings\tagg.exe
C:\Documents and Settings\tagaa.exe
C:\Documents and Settings\tagbb.exe
C:\Documents and Settings\tagcc.exe
C:\Documents and Settings\tagdd.exe
C:\Documents and Settings\tagee.exe
C:\Documents and Settings\tagff.exe
C:\Documents and Settings\taggg.exe
C:\Documents and Settings\tagaaa.exe
C:\Documents and Settings\tagbbb.exe
C:\Documents and Settings\tagccc.exe
C:\Documents and Settings\tagddd.exe
C:\Documents and Settings\tageee.exe
C:\Documents and Settings\tagfff.exe
C:\Documents and Settings\tagggg.exe
C:\Documents and Settings\tagaaaa.exe
C:\Documents and Settings\tagbbbb.exe
C:\Documents and Settings\tagcccc.exe
C:\Documents and Settings\md5a.exe
C:\Documents and Settings\md5b.exe
C:\Documents and Settings\md5c.exe
C:\Documents and Settings\md5d.exe
C:\Documents and Settings\md5e.exe
C:\Documents and Settings\md5f.exe
C:\Documents and Settings\md5g.exe
C:\Documents and Settings\md5aa.exe
C:\Documents and Settings\md5bb.exe
C:\Documents and Settings\md5cc.exe
C:\Documents and Settings\md5dd.exe
C:\Documents and Settings\md5ee.exe
C:\Documents and Settings\md5ff.exe
C:\Documents and Settings\md5gg.exe
C:\Documents and Settings\md5aaa.exe
C:\Documents and Settings\md5bbb.exe
5. Attempts to terminate these processes:
360tray.exe
360safe.exe
avp.exe
6. Flower.dll is injected into the spoolsv.exe process, while vista.exe stays resident; together they attempt to close security tools by matching window titles.
Filtered window-title strings (as found in the binary; the Chinese strings mean "Trojan", "Rising" (the antivirus) and "thread"):
00409100 ascii "木马",0
00409110 ascii "FireWall",0
00409124 ascii "Virus",0
00409134 ascii "Anti",0
00409158 ascii "NOD32",0
00409178 ascii "瑞星",0
0040918A ascii "线程",0
…………………..
7. Checks its own registry entry every few seconds and rewrites it if it is missing.
8. Infects removable media by writing Autorun.inf and test.exe.
Before doing so it checks whether an immunisation folder exists and deletes it if found.
9. IFEO redirection hijack; the affected programs are:
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
avp.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KsLoader.exe
KvDetect.exe
KvfwMcl.exe
kvol.exe
kvolself.exe
KVSrvXP.exe
kvupload.exe
kvwsc.exe
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
nod32krn.exe
nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
rfwProxy.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE
WoptiClean.exe
zxsweep.exe
sos.exe
auto.exe
UFO.exe
AutoRun.exe
XP.exe
taskmgr.exe
guangd.exe
appdllman.exe
kernelwind32.exe
logogo.exe
TNT.Exe
SDGames.exe
TxoMoU.Exe
cross.exe
regedit.Exe
regedit32.Exe
\vista.exe
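As an added detection check (not part of this analysis and not code from any tool named here): a script that parses a `reg export` text dump and flags IFEO `Debugger` redirections together with any value under the policies\Explorer\run key from item 2. The .reg sample is constructed; that the hijack is done through the IFEO `Debugger` value pointing at vista.exe is an assumption, since the report lists the affected programs but not the value it writes.

```python
import re

# Registry paths named in the report (hive prefix stripped, lower-cased).
IFEO_KEY = r"software\microsoft\windows nt\currentversion\image file execution options"
POLICY_RUN_KEY = r"software\microsoft\windows\currentversion\policies\explorer\run"

# Constructed sample of a 'reg export' dump, not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\vista.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"Shebe"="C:\\windows\\system32\\vista.exe"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def unquote_reg_string(data):
    """Turn a quoted REG_SZ literal ("C:\\\\x") back into the real string."""
    return data.strip('"').replace("\\\\", "\\")


def find_vista_traces(text):
    """Return (kind, name, target) tuples for IFEO Debugger entries and policy run values."""
    findings = []
    for key, values in parse_reg_export(text).items():
        path = key.lower().split("\\", 1)[1]  # drop the hive name
        if path.startswith(IFEO_KEY + "\\") and "Debugger" in values:
            program = key.rsplit("\\", 1)[1]  # e.g. IceSword.exe
            findings.append(("ifeo_debugger", program, unquote_reg_string(values["Debugger"])))
        elif path == POLICY_RUN_KEY:
            for name, data in values.items():
                findings.append(("policy_run", name, unquote_reg_string(data)))
    return findings


if __name__ == "__main__":
    for kind, name, target in find_vista_traces(SAMPLE_REG):
        print(f"{kind}: {name} -> {target}")
```

Each IFEO entry with a Debugger value and each policies\Explorer\run value is reported; on a clean XP box neither the Debugger values for the tools above nor the "Shebe" value should exist.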
10. Attempts to delete registry keys in order to break Safe Mode:
ControlSet001\Control\SafeBoot\Minimal
{4D36E967-E325-11CE-BFC1-08002BE10318}
ControlSet001\Control\SafeBoot\Network
CurrentControlSet\Control\SafeBoot\Minimal
CurrentControlSet\Control\SafeBoot\Network
(not achieved)
11. Modifies the registry to disable the display of hidden files.
…………..
Removal:
1. Download IceSword (rename it if it will not open) and SREng
/Anti-virus/anti_virus_2292.html
2. Use IceSword to end the spoolsv.exe (if present) and vista.exe processes.
3. Do not double-click to open the drives; use IceSword to delete these files from disk:
C:\WINDOWS\system32\Flower.dll 609KB
C:\WINDOWS\system32\a.jpg 1KB
C:\WINDOWS\system32\vista.exe 54KB
C:\WINDOWS\system32\config\systemprofile\vista.exe 54KB
Other files (if present): the tag*.exe and md5*.exe files under C:\Documents and Settings listed in behaviour item 4.
4. Download additional tools to repair Safe Mode, the IFEO hijack and the hidden-files option.
http://www.kingzoo.com/tools/孤独更可靠/修复安全模式.zip
http://www.kingzoo.com/tools/孤独更可靠/修复IFEO之XP系统专用.rar
5. Use SREng to delete the virus's startup entries.