快捷導(dǎo)航

chenzi.exe的分析及解決方法

更新時(shí)間：2007年03月14日 00:00:00 投稿：mdxy-dxy

這篇文章主要介紹了chenzi.exe的分析及解決方法

File size: 18593 bytes
MD5: c595bc161e1d64b4d8f4d84139ef02b0
SHA1: 100e8a9ae7034b41443e4ddaa46f175adb70eb06
病毒名稱(chēng):未知
測(cè)試時(shí)間:2007-3-10
更新時(shí)間:明晚將更新此分析日志,

運(yùn)行后病毒樣本,自動(dòng)刪除病毒本身,自動(dòng)釋放病毒到%system%目錄下
%system%\del.bat
%system%\msgcom.dll
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe

創(chuàng)建啟動(dòng)項(xiàng):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
<WinlogonNotify: cmdmant><msgcom.dll>

修改Explorer.exe其內(nèi)存,Explorer.exe嘗試獲取網(wǎng)絡(luò)存取權(quán)限.202.88.90.186,試圖啟動(dòng)%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe

%system%\1.exe 分析如下:
Explorer.exe啟動(dòng)1.EXE后,自動(dòng)刪除本身
釋放病毒文件
%system%\wsvbs.dll
%windows%\wsvbs.exe

創(chuàng)建啟動(dòng)項(xiàng)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsvbs.exe>

%system%\2.exe 分析如下
Explorer.exe啟動(dòng)2.EXE后,
釋放病毒文件
%system%\mppds.dll
%windows%\mppds.exe

創(chuàng)建啟動(dòng)項(xiàng)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<mppds><%windows%\mppds.exe>

%system%\3.exe 分析如下
Explorer.exe啟動(dòng)3.EXE后,
釋放病毒文件
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys

%system%\4.exe 分析如下:
Explorer.exe啟動(dòng)4.EXE后,自動(dòng)刪除本身
釋放病毒文件
%system%\wsttrs.dll
%windows%\wsttrs.exe

創(chuàng)建啟動(dòng)項(xiàng)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsttrs.exe>

%system%\5.exe 分析如下:
Explorer.exe啟動(dòng)5.EXE后,自動(dòng)刪除本身
釋放病毒文件,并插入各進(jìn)程.
%windows%\608769.bmp

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
<AppInit_DLLs><608769M.BMP>

%system%\6.exe 分析如下:
Explorer.exe啟動(dòng)6.EXE后,
釋放病毒文件
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys

修改hosts內(nèi)容,添加以下內(nèi)容
58.215.65.136         hyap98.com
58.215.65.136       www.hyap98.com
60.169.1.178       www.82087871.com
60.169.1.178         47555.cn
60.169.1.178         nc.47555.cn
60.169.1.178         cn.47555.cn
60.169.1.178         crsky.47555.cn
60.169.1.178       www.47555.cn
60.169.1.178         baibu.com
60.169.1.178       www.baidu.com
60.169.1.178         dgufida.com.cn
60.169.1.178         88.our2000.com
60.169.1.178         new.eyliao.com
60.169.1.178         sybaby.a78.zgsj.com

附SRENG日志,
啟動(dòng)項(xiàng)目
注冊(cè)表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\MIB\LOCALS~1\Temp\ie888.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsvbs><C:\windows\wsvbs.exe>
<mppds><C:\windows\mppds.exe>
<wsttrs><C:\windows\wsttrs.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys>    [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant><msgcom.dll>

正在運(yùn)行的進(jìn)程
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
      [C:\windows\608769M.BMP]    [N/A, N/A]
      [C:\WINDOWS\system32\msgcom.dll]    [N/A, N/A]
[PID: 752][C:\windows\system32\services.exe
      [C:\windows\608769M.BMP]
[PID: 764][C:\windows\system32\lsass.exe]
      [C:\windows\608769M.BMP]    [N/A, N/A]
[PID: 932][C:\windows\system32\svchost.exe]
      [C:\windows\608769M.BMP]    [N/A, N/A]
[PID: 1020][C:\windows\system32\svchost.exe
      [C:\windows\608769M.BMP]    [N/A, N/A]
[PID: 1116][C:\windows\System32\svchost.exe]
      [C:\windows\608769M.BMP]    [N/A, N/A]
[PID: 1408][C:\windows\system32\svchost.exe]
      [C:\windows\608769M.BMP]    [N/A, N/A]
[PID: 1456][C:\windows\system32\svchost.exe]
      [C:\windows\608769M.BMP]    [N/A, N/A]

解決方法如下:

1.開(kāi)始---運(yùn)行---輸入---regedit---依次展開(kāi)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
刪除

<svc>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
刪除
<wsvbs>
<mppds>
<wsttrs>

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
刪除
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>

刪除
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant>

2.重啟計(jì)算機(jī)

3.刪除以下文件
%system%\del.bat
%system%\msgcom.dll
%system%\wsvbs.dll
%windows%\wsvbs.exe
%system%\mppds.dll
%windows%\mppds.exe
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\wsttrs.dll
%windows%\wsttrs.exe
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用戶(hù)名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
%system%\3.exe
%system%\6.exe

system32\drivers\etc\hosts
用記事打開(kāi)HOSTS文件,刪除以下內(nèi)容
58.215.65.136         hyap98.com
58.215.65.136       www.hyap98.com
60.169.1.178       www.82087871.com
60.169.1.178         47555.cn
60.169.1.178         nc.47555.cn
60.169.1.178         cn.47555.cn
60.169.1.178         crsky.47555.cn
60.169.1.178       www47555cn
60.169.1.178         baibu.com
60.169.1.178       www.baidu.com
60.169.1.178         dgufida.com.cn
60.169.1.178         88.our2000.com
60.169.1.178         new.eyliao.com
60.169.1.178         sybaby.a78.zgsj.com

%windows%\608769M.BMP
到我的E盤(pán)下載專(zhuān)殺.

(<因?yàn)閷?duì)SSM監(jiān)控到的桌面進(jìn)程不是很懂,對(duì)這個(gè)網(wǎng)絡(luò)連接分析存在有問(wèn)題,將于明晚進(jìn)行更新,也請(qǐng)高手指正,內(nèi)容如下,謝謝)
進(jìn)程：
     路徑： C:\WINDOWS\explorer.exe
     PID: 1988
     信息： Windows Explorer (Microsoft Corporation)

網(wǎng)絡(luò)信息：
     IP 地址： 222.88.90.186
     信任的區(qū)域：否
     協(xié)議： TCP