快捷導(dǎo)航

test.exe,vista.exe,a.jpg,Flower.dll病毒分析解決

更新時(shí)間：2008年01月11日 16:32:22 作者：

此病毒為之前的夢(mèng)中情人（暗號(hào)）病毒的最新變種

1.病毒運(yùn)行后，釋放如下文件或副本
%systemroot%\system32\config\systemprofile\vista.exe
%systemroot%\system32\a.jpg
%systemroot%\system32\Flower.dll
%systemroot%\system32\vista.exe
各個(gè)分區(qū)下面釋放test.exe和autorun.inf

2.通過(guò)查找software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE的鍵值獲得IEXPLORE.EXE路徑，之后調(diào)用IE連接http://www.3940*.cn/tj.asp進(jìn)行感染統(tǒng)計(jì)

3.提升自身權(quán)限，關(guān)閉如下進(jìn)程
360tray.exe
360safe.exe
關(guān)閉如下進(jìn)程的句柄
avp.exe

4.啟動(dòng)一個(gè)spoolsv.exe進(jìn)程，把Flower.dll注入進(jìn)去，并調(diào)用urlmon.dll進(jìn)行下載操作
下載http://www.*/muma935474/q.exe
http://www.*/muma935474/w.exe
http://www.*/muma935474/e.exe
http://www.*/muma935474/r.exe
http://www.*/muma935474/t.exe
http://www.*/muma935474/y.exe
http://www.*/muma935474/u.exe
http://www.*/muma935474/i.exe
http://www.*/muma935474/o.exe
http://www.*/muma935474/10.exe~http://www.*/muma935474/36.exe
http://www.*/muma.exe
http://www.*/muma1.exe
http://www.*/muma2.exe
http://www.*/muma3.exe

到C:\Documents and Settings\下面分別命名為taga.exe~tagg.exe tagaa.exe~taggg.exe tagaaa.exe~tagggg.exe tagaaaa.exe~tagcccc.exe  md5a.exe~md5g.exe md5aa.exe~md5gg.exe md5aaa.exe~md5bbb.exe
下載間隔2000ms

但下載鏈接幾乎都已失效,幾個(gè)下載來(lái)的病毒也都是鴿子

5.關(guān)閉帶有如下字樣的窗口
防火墻
殺毒
江民
金山
木馬
超級(jí)巡警
NOD32
安全
主線程
微點(diǎn)

6.添加映像劫持項(xiàng)目劫持某些殺毒軟件，安全工具和某些流行病毒指向%systemroot%\system32\vista.exe
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
appdllman.exe
AppSvc32.exe
auto.exe
AutoRun.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
guangd.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
kernelwind32.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
logogo.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
nod32krn.exe
nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
rfwProxy.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
sos.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
taskmgr.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UFO.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE
WoptiClean.exe
XP.exe
zxsweep.exe

7.破壞顯示隱藏文件
HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden的值修改為0x00000002

木馬病毒植入完畢以后的sreng日志如下：
啟動(dòng)項(xiàng)目
注冊(cè)表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
    <IFEO[360rpt.exe]><C:\WINDOWS\system32\vista.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
    <IFEO[360Safe.exe]><C:\WINDOWS\system32\vista.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><C:\WINDOWS\system32\vista.exe>  [Microsoft Corporation]...
==================================
服務(wù)
[windows / windows][Running/Disabled]
  <C:\WINDOWS\windows.exe><N/A>

解決方法：
下載srengIcesword:可到down.45it.com下載

1.解壓Icesword,把Icesword改名1.com 運(yùn)行
點(diǎn)擊左下角文件按鈕
刪除如下文件%systemroot%\system32\config\systemprofile\vista.exe
%systemroot%\system32\a.jpg
%systemroot%\system32\Flower.dll
%systemroot%\system32\vista.exe
%systemroot%\windows.exe
以及各個(gè)分區(qū)下的test.exe和autorun.inf

2.打開(kāi)sreng
啟動(dòng)項(xiàng)目注冊(cè)表
刪除所有紅色的IFEO項(xiàng)目

系統(tǒng)修復(fù) － Windows Shell/IE 全選修復(fù)