Analysis of chenzi.exe and removal method
File size: 18593 bytes
MD5: c595bc161e1d64b4d8f4d84139ef02b0
SHA1: 100e8a9ae7034b41443e4ddaa46f175adb70eb06
Virus name: unknown
Test date: 2007-3-10
Update time: this analysis log will be updated tomorrow night.
When the virus sample is run it deletes itself and drops the virus into the %system% directory:
%system%\del.bat
%system%\msgcom.dll
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
Creates startup entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
<WinlogonNotify: cmdmant><msgcom.dll>
Modifies the memory of Explorer.exe; Explorer.exe then attempts to obtain network access (202.88.90.186) and tries to launch the following:
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
Analysis of %system%\1.exe:
After Explorer.exe launches 1.EXE, 1.EXE deletes itself
Drops virus files:
%system%\wsvbs.dll
%windows%\wsvbs.exe
Creates startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsvbs><%windows%\wsvbs.exe>
Analysis of %system%\2.exe:
After Explorer.exe launches 2.EXE:
Drops virus files:
%system%\mppds.dll
%windows%\mppds.exe
Creates startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<mppds><%windows%\mppds.exe>
Analysis of %system%\3.exe:
After Explorer.exe launches 3.EXE:
Drops virus files:
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
Analysis of %system%\4.exe:
After Explorer.exe launches 4.EXE, 4.EXE deletes itself
Drops virus files:
%system%\wsttrs.dll
%windows%\wsttrs.exe
Creates startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsttrs.exe>
Analysis of %system%\5.exe:
After Explorer.exe launches 5.EXE, 5.EXE deletes itself
Drops the virus file and injects it into every process:
%windows%\608769M.BMP
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
<AppInit_DLLs><608769M.BMP>
Analysis of %system%\6.exe:
After Explorer.exe launches 6.EXE:
Drops virus files:
c:\Documents and Settings\<your user name>\Local Settings\Temp\ie888.exe
c:\Documents and Settings\<your user name>\Local Settings\Temp\iim.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\packet.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
Modifies the hosts file, adding the following entries:
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www.47555.cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
SRENG log attached:
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\MIB\LOCALS~1\Temp\ie888.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<wsvbs><C:\windows\wsvbs.exe>
<mppds><C:\windows\mppds.exe>
<wsttrs><C:\windows\wsttrs.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant><msgcom.dll>
Running processes
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[C:\WINDOWS\system32\msgcom.dll] [N/A, N/A]
[PID: 752][C:\windows\system32\services.exe]
[C:\windows\608769M.BMP]
[PID: 764][C:\windows\system32\lsass.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 932][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1020][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1116][C:\windows\System32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1408][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1456][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
Removal steps:
1. Start --- Run --- type regedit --- expand in turn:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Delete:
<svc>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete:
<wsvbs>
<mppds>
<wsttrs>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Delete:
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>
Delete:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant>
2. Restart the computer.
3. Delete the following files:
%system%\del.bat
%system%\msgcom.dll
%system%\wsvbs.dll
%windows%\wsvbs.exe
%system%\mppds.dll
%windows%\mppds.exe
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\wsttrs.dll
%windows%\wsttrs.exe
c:\Documents and Settings\<your user name>\Local Settings\Temp\ie888.exe
c:\Documents and Settings\<your user name>\Local Settings\Temp\iim.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\packet.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
%system%\3.exe
%system%\6.exe
%system%\drivers\etc\hosts: open the HOSTS file in Notepad and delete the entries listed in the hosts section of the analysis above (the lines beginning with 58.215.65.136 and 60.169.1.178).
%windows%\608769M.BMP
Download the dedicated removal tool from my E drive.
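The hosts-file hijack is the part of this infection that can be checked and undone mechanically. The following Python is an added example, not code from the original post or from any removal tool it mentions; the attacker IPs and hostnames are the ones listed on this page, and the sample hosts file content is constructed for the demonstration.

```python
import ipaddress
# Attacker IPs and redirected hostnames, as listed in the hosts section of the page.
HIJACK_IPS = {"58.215.65.136", "60.169.1.178"}
HIJACKED_HOSTS = {
    "hyap98.com", "www.hyap98.com", "www.82087871.com", "47555.cn",
    "nc.47555.cn", "cn.47555.cn", "crsky.47555.cn", "www.47555.cn",
    "baibu.com", "www.baidu.com", "dgufida.com.cn", "88.our2000.com",
    "new.eyliao.com", "sybaby.a78.zgsj.com",
}

def parse_hosts_line(line):
    """Return (ip, [hostnames]) for a mapping line, None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    try:
        ipaddress.ip_address(parts[0])
    except ValueError:
        return None  # not an address-to-name mapping
    return parts[0], parts[1:]

def is_hijack(line):
    """True if the line points at an attacker IP, or maps a hijacked name off loopback."""
    parsed = parse_hosts_line(line)
    if parsed is None:
        return False
    ip, names = parsed
    if ip in HIJACK_IPS:
        return True
    off_loopback = not ipaddress.ip_address(ip).is_loopback
    return off_loopback and any(n.lower() in HIJACKED_HOSTS for n in names)

def clean_hosts(text):
    """Return (cleaned_text, removed_lines); comments and legitimate entries survive."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_hijack(line) else kept).append(line)
    return "\n".join(kept) + "\n", removed

# Constructed sample: a stock hosts file with three of the page's hijack lines appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   # internal host, legitimate
58.215.65.136 hyap98.com
60.169.1.178 www.baidu.com
60.169.1.178 sybaby.a78.zgsj.com
"""
```

Run clean_hosts on the contents of %system%\drivers\etc\hosts and write the cleaned text back only after reviewing the removed lines.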
(Because I do not understand the desktop process that SSM monitored very well, there are problems with this network-connection analysis; it will be updated tomorrow night, and I also ask the experts to correct me. The content is as follows, thanks.)
Process:
Path: C:\WINDOWS\explorer.exe
PID: 1988
Info: Windows Explorer (Microsoft Corporation)
Network info:
IP address: 222.88.90.186
Trusted zone: No
Protocol: TCP