[Headache] Seven random letters and .exe (no file name): USB-drive virus (BD)
2007-05-28 12:32
I originally wrote up an analysis on my Baidu blog... it's messy and I couldn't be bothered to tidy it up...
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/5e46f4b4943b8b728ad4b271.html
It was recently updated again... it seems even more junk than before...

========================================================
Additional Information
File size: 102400 bytes
MD5: d20e3e259c80499716094353dbe49760
SHA1: d4b464794954f637e5bf3d441fe9634db571687d
SHA160: D4B464794954F637E5BF3D441FE9634DB571687D
CRC32: 1B722094
RIPEMD160: 9CF3E2F7CF61199E7DE099C0F99277E17ACEDF14
Tiger_192: 58E3F64DF761D02E6E89F8B07AC0F65770612FB62D06AD3D
Packer: FSG 2.0 -> bart/xt [Overlay]
Language: Borland Delphi 6.0 - 7.0
========================================================================

The sample is a file named with 7 random letters (A-Z, random), exactly 7 of them.

1. When run, it drops %systemroot%\system32\meex.com (102400 bytes) and a %systemroot%\system32\.exe (35220 bytes). Heh, a file with no name. (That makes forced-deletion tools unable to delete it!!)

2. It then modifies the "Show hidden files" option so that it cannot be "eliminated".

3. The resident .exe process enumerates the partitions (refreshing every few seconds) and creates Autorun.inf and .exe in the root of every partition. The Autorun.inf contents are:
[AutoRun]
open=.exe
shellexecute=.exe
shell\Auto\command=.exe

4. It spreads via USB drives: every 5 seconds it checks whether a removable-media drive has been attached, and it likewise watches the registry entries it modified.

5. It adds a registry Run startup entry pointing to %systemroot%\system32\.exe, so it starts at boot. (Ancient trick...)

6. It also enumerates running processes and tries to terminate:
Ras.exe avp.com avp.exe runiep.exe PFW.exe FYFireWall.exe rfwmain.exe rfwsrv.exe KAVPF.exe KPFW32.exe nod32kui.exe nod32.exe Navapsvc.exe Navapw32.exe avconsol.exe webscanx.exe NPFMntor.exe vsstat.exe KPfwSvc.exe RavTask.exe Rav.exe RavMon.exe mmsk.exe WoptiClean.exe QQKav.exe QQDoctor.exe EGHOST.exe 360Safe.exe iparmo.exe adam.exe IceSword.exe 360rpt.exe 360tray.exe AgentSvr.exe AppSvc32.exe autoruns.exe avgrssvc.exe AvMonitor.exe CCenter.exe ccSvcHst.exe FileDsty.exe FTCleanerShell.exe HijackThis.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScrScn.SCR KASMain.exe KASTask.exe KAV32.exe KAVDX.exe KAVPFW.exe KAVSetup.exe KAVStart.exe KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32.exe KPFW32X.exe KPFWSvc.exe KRegEx.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvupload.exe kvwsc.exe KvXP.kxp KvXP_1.kxp KWatch.exe
KWatch9x.exe KWatchX.exe loaddll.exe MagicSet.exe mcconsol.exe mmqczj.exe nod32krn.exe PFWLiveUpdate.exe QHSET.exe RavMonD.exe RavStub.exe RegClean.exe rfwcfg.exe RfwMain.exe rfwsrv.exe RsAgent.exe Rsaupd.exe safelive.exe scan32.exe shcfg32.exe SmartUp.exe SREng.EXE symlcsvc.exe SysSafe.exe TrojanDetector.exe Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe UpLive.exe

7. It also uses IFEO redirection hijacking; every entry points to %systemroot%\system32\.exe (only part of the list is shown):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe

8. The resident .exe process refreshes every 2 milliseconds, intercepts message functions such as FindWindowExA, mouse_event and SendMessageA, tampers with the image commands and sends "fake intelligence": it sends an "Allow" command to the Rising registry-monitor prompt (no user action required) and in the same way gets past Kaspersky's proactive defense (it intercepts the AVP.AlertDialog and AVP.Button window commands and sends "Allow" or "yes"...).

9. It tries to go online and fetch a download list from http://www.webweb.com/ReadDown.txt, apparently 10 entries... but at the time of testing that URL was already dead. (Phew... luck?) So it did not succeed; the downloads are things like http://www.webweb.com/TDown1.exe. (Don't go clicking it... - -)

Fix:
Download SREng, PowerRMV and autoruns from my file share at http://free.ys168.com/?gudugengkekao, put the tools on the desktop, disconnect from the network, and close every unnecessary process (you can also go into Safe Mode).
Key point: rename SREng and Autoruns first!!!! For example 56.exe, apsf.exe, 5ae.exe and the like, random, with no pattern... Until the steps below are done, do not double-click to open the drives...

1. Open PowerRMV and enter (one at a time):
C:\autorun.inf
D:\autorun.inf
E:\autorun.inf
F:\autorun.inf
(Tip: if a removable drive is attached, change the drive letter accordingly.)

2. Open the registry (Start - Run - regedit) and expand to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Change the value of CheckedValue to "1" (if it is already 1, leave it alone...).

3. In the root of each partition (drives C-F), delete the nameless .exe, the one of 35220 bytes.

4. Type %systemroot%\system32\ into the address bar (or go directly to C:\windows\system32) and delete .exe and meex.com.

5. Finally, open autoruns and delete the IFEO hijacks; don't be lazy, delete them one by one.

6. Reboot the machine; if the antivirus won't start, reinstall it, then update it and run a full scan.
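A defender-side triage script for the three indicators the write-up describes: the Autorun.inf launch keys from step 3 of the analysis, the IFEO Debugger entries from step 7, and the SHOWALL CheckedValue from step 2 of the fix. This is an added example, not code from the original post or from any of the tools it names. It runs on constructed input (the Autorun.inf text quoted in the post, plus dictionaries standing in for registry values) so it works offline on any OS; the function names, the SAMPLE_IFEO dictionary and the `C:\Tools\windbg.exe` path are my own assumptions, while the file names `.exe` and `meex.com` and the image names come from the post.

```python
"""Triage checks for the indicators in the write-up above.

Added example, not part of the original blog post. It runs on constructed
input (an autorun.inf text plus dictionaries standing in for registry values),
so it works offline on any OS; on a real Windows host the same functions would
be fed from the drive roots and from the winreg module.
"""
import re
from typing import Dict, List

# File names the worm drops, from the write-up: the nameless ".exe" written to
# %systemroot%\system32 and to every drive root, and meex.com.
WORM_FILENAMES = {".exe", "meex.com"}

# autorun.inf keys that launch a program when the drive is opened.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse the [AutoRun] section of an autorun.inf into a dict of lower-cased keys."""
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Return every command the file would run: open=, shellexecute= and shell\\<verb>\\command=."""
    return [
        value for key, value in entries.items()
        if key in AUTORUN_LAUNCH_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def basename(path: str) -> str:
    """Last path component, unquoted and lower-cased (works for %systemroot%\\... too)."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def autorun_findings(text: str) -> List[str]:
    """Flag launch targets that are a nameless '.exe' or one of the worm's dropped files."""
    findings = []
    for target in launch_targets(parse_autorun_inf(text)):
        tokens = target.split()
        exe = basename(tokens[0]) if tokens else ""   # first token is the executable
        if exe in WORM_FILENAMES or exe.startswith("."):
            findings.append(f"autorun launches suspicious executable: {target!r}")
    return findings


def ifeo_findings(ifeo: Dict[str, str]) -> List[str]:
    """ifeo maps an image name to its IFEO 'Debugger' value.

    A Debugger pointing at the worm's system32\\.exe is the hijack from step 7: Windows
    runs the Debugger instead of the security tool whenever that tool is launched."""
    return [
        f"IFEO hijack: {image} -> {debugger}"
        for image, debugger in ifeo.items()
        if basename(debugger) in WORM_FILENAMES
    ]


def showall_tampered(checked_value) -> bool:
    """CheckedValue under ...\\Folder\\Hidden\\SHOWALL must be 1 for 'Show hidden files' to work."""
    return checked_value != 1


# --- constructed sample data (the first autorun.inf text is the one quoted in the write-up) ---
WORM_AUTORUN = "[AutoRun]\nopen=.exe\nshellexecute=.exe\nshell\\Auto\\command=.exe\n"
BENIGN_AUTORUN = "[AutoRun]\nicon=setup.exe,0\nopen=setup.exe\n"
SAMPLE_IFEO = {                       # constructed: two hijacked tools, one legitimate debugger
    "360Safe.exe": r"%systemroot%\system32\.exe",
    "autoruns.exe": r"%systemroot%\system32\.exe",
    "myapp.exe": r"C:\Tools\windbg.exe",
}


def triage(autorun_text: str, ifeo: Dict[str, str], checked_value) -> List[str]:
    """Combine the three checks into one list of findings."""
    findings = autorun_findings(autorun_text) + ifeo_findings(ifeo)
    if showall_tampered(checked_value):
        findings.append(f"SHOWALL CheckedValue is {checked_value!r}, expected 1 (hidden files suppressed)")
    return findings


if __name__ == "__main__":
    for line in triage(WORM_AUTORUN, SAMPLE_IFEO, 0):
        print(line)
```

Running it on the sample data reports three autorun launch targets, two IFEO hijacks and the tampered CheckedValue; the benign autorun.inf and an empty IFEO map produce no findings. The check flags any launch target whose executable has an empty base name, not only the literal `.exe`, so it also covers the same trick used with another extension.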