<![CDATA[mopery]]> http://hi.baidu.com http://hi.baidu.com http://img.baidu.com/img/logo-hi.gif http://hi.baidu.com/mopery zh-cn www.baidu.com 5 <![CDATA[Worm.Win32.AutoRun.qvb llwzjy081018.exe 解决方案]]> 文件名称: llwzjy081018.exe
文件大小: 38164 bytes
MD5: 318334b3316bf8d50096650e630322d8
加壳: WinUpack
编写语言: delphi
病毒名: kaspersky: Worm.Win32.AutoRun.qvb
rising: Worm.Win32.Autorun.exk
duba: N/A

详细资料:

文件变化:
释放文件
%WINDIR%\system\llwzjy081018.exe
%WINDIR%\system\mvjaj32dla.dll
%ALLUSERSPROFILE%\jjdf32.ini
%ALLUSERSPROFILE%\jjjydf16.ini

jjdf32.ini 内容:
[sys]
install=20081019

时间即中此病毒当日时间

jjjydf16.ini 内容:
[mydown]
old_exe=
old_dll32=
ver=081018
fnexe=%WINDIR%\system\llwzjy081018.exe
reg_start=dlnajjbdfa
fn_dll=%WINDIR%\system\mvjaj32dla.dll
[kill]
window=32353530383837333637313337373831222525
[run]
delay=90
pzjg=180
xxjg=10

注册表变动:
病毒创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"dlnajjbdfa"="%WINDIR%\system\llwzjy081018.exe"

修改注册表项禁用"显示所有文件和文件夹"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\
Hidden\SHOWALL]
"CheckedValue"=dword:00000000

其他行为:
调用 IE 访问以下URL下载盗号木马
http://www.poplkot.cn/[REMOVED]/mhxy.exe
http://www.poplkot.cn/[REMOVED]/kd.exe
http://www.poplkot.cn/[REMOVED]/jx.exe
http://www.poplkot.cn/[REMOVED]/hx.exe
http://www.poplkot.cn/[REMOVED]/fy.exe
http://www.poplkot.cn/[REMOVED]/dnf.exe
http://www.poplkot.cn/[REMOVED]/dj.exe
http://www.poplkot.cn/[REMOVED]/rxjh.exe
http://www.poplkot.cn/[REMOVED]/my.exe
http://www.poplkot.cn/[REMOVED]/cqsj.exe
http://www.poplkot.cn/[REMOVED]/pt.exe
http://www.poplkot.cn/[REMOVED]/jz.exe
http://www.poplkot.cn/[REMOVED]/zx.exe
http://www.poplkot.cn/[REMOVED]/zt.exe
http://www.poplkot.cn/[REMOVED]/cqwz.exe
http://www.poplkot.cn/[REMOVED]/zf.exe
http://www.poplkot.cn/[REMOVED]/yy.exe
http://www.poplkot.cn/[REMOVED]/wow.exe
http://www.poplkot.cn/[REMOVED]/wl.exe
http://www.poplkot.cn/[REMOVED]/wd.exe
http://www.poplkot.cn/[REMOVED]/tl.exe
http://www.poplkot.cn/[REMOVED]/rxcq.exe
http://www.poplkot.cn/[REMOVED]/qqhx.exe
http://www.poplkot.cn/[REMOVED]/qq.exe
http://www.poplkot.cn/[REMOVED]/qn.exe
http://www.poplkot.cn/[REMOVED]/cb.exe
http://www.lk[REMOVED].cn/1.exe
http://cnzz.back[REMOVED].cn/sky.exe

创建 Image File Execution Options 劫持安全相关程序
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\360rpt.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\360Safe.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\360tray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\adam.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AgentSvr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AppSvc32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\auto.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AutoRun.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\autoruns.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\avgrssvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\AvMonitor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\avp.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\avp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\CCenter.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\ccSvcHst.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\cross.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\FileDsty.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\FTCleanerShell.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\guangd.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\HijackThis.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\IceSword.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\iparmo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Iparmor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\isPwdSvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kabaload.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KaScrScn.SCR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KASMain.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KASTask.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVDX.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVPFW.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVSetup.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAVStart.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KISLnchr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KMailMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KMFilter.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KPFW32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KPFW32X.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KPFWSvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KRegEx.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KRepair.COM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KsLoader.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVCenter.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvDetect.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvfwMcl.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVMonXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVMonXP_1.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvol.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvolself.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvReport.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVSrvXP.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KVStub.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvupload.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kvwsc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KvXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KWatch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KWatch9x.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KWatchX.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\loaddll.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\MagicSet.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mcconsol.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mmqczj.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mmsk.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\NAVSetup.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\nod32krn.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\nod32kui.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PFW.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PFWLiveUpdate.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\QHSET.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\QQDoctor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Ras.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Rav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavMonD.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavStub.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RavTask.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RegClean.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rfwcfg.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RfwMain.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rfwProxy.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rfwsrv.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RsAgent.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Rsaupd.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\RStray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\runiep.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\safelive.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\scan32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SDGames.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\shcfg32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\ShuiNiu.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SmartUp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\sos.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SREng.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\svch0st.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\symlcsvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SysSafe.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Systom.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\taskmgr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\TNT.Exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\TrojanDetector.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Trojanwall.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\TrojDie.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\TxoMoU.Exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UFO.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UIHost.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxAgent.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxAttachment.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxCfg.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxFwHlp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UmxPol.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\UpLive.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\WoptiClean.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\XP.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\zxsweep.exe]

清除方法:
1. 结束进程 iexplore.exe

2. 删除病毒文件
%WINDIR%\system\llwzjy081018.exe
%WINDIR%\system\mvjaj32dla.dll
%ALLUSERSPROFILE%\jjdf32.ini
%ALLUSERSPROFILE%\jjjydf16.ini

3. 删除病毒创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"dlnajjbdfa"

4. 修改注册表项恢复被禁用"显示所有文件和文件夹"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\
Hidden\SHOWALL]
"CheckedValue"=dword:00000001

5. 删除病毒创建的 Image File Execution Options 劫持项

备注:本处理方法不能清除病毒联网下载的病毒.

阅读全文
类别:病毒查杀 查看评论]]> 2008-10-19 17:05 http://hi.baidu.com/mopery/blog/item/9e92dafc72fd29fbfc037fde.html <![CDATA[暴风主页被劫持(电信访问才能显示代码)]]>

3点左右在群里有人说暴风被挂,奔去看看,果然...

电信用户访问暴风才会出现,其他网络访问无异常..

http://www.baofeng.com/
|->http://www.woaiwf.cn/index.html?05
   |->http://www.woaiwf.cn/flash.htm
   | |->http://www.woaiwf.cn/i1.html
   | | |->http://www.woaiwf.cn/swfobject.js
   | |->http://www.woaiwf.cn/f2.html
   |     |->http://www.woaiwf.cn/swfobject.js
   |->http://www.woaiwf.cn/cx.htm
   |->http://www.woaiwf.cn/06014.htm
   |->http://www.woaiwf.cn/ff.htm
   |->http://www.woaiwf.cn/xl.htm
   |->http://www.woaiwf.cn/mi.htm
   |->http://www.woaiwf.cn/real10.htm
   |->http://www.woaiwf.cn/real11.htm
   |->http://js.users.51.la/2186512.js
      |->http://icon.ajiang.net/icon_0.gif

漏洞下载

http://www.poplkot.cn/1.exe

阅读全文
类别:资讯前沿 查看评论]]> 2008-10-19 16:37 http://hi.baidu.com/mopery/blog/item/3e58ae3e2414d9fc828b13cc.html <![CDATA[10月份windows系统补丁安全公告]]>
Microsoft 安全公告摘要(2008 年 10 月)

本月的安全公告如下所示(按严重性排序):
严重 (4)
Microsoft 安全公告 MS08-060
Active Directory 中的漏洞可能允许远程执行代码 (957280)
此安全更新可解决 Microsoft Windows 2000 Server 上的 Active Directory 实施中一个秘密报告的漏洞。 如果攻击者获得受影响网络的访问权限,则该漏洞可能允许远程执行代码。 此漏洞仅影响配置为主域控制器的 Microsoft Windows 2000 服务器。 如果 Microsoft Windows 2000 服务器没有被提升为域控制器,则它不会侦听轻量目录访问协议 (LDAP) 或 LDAP over SSL (LDAPS) 查询,因此不会被暴露给此漏洞。

Microsoft 安全公告 MS08-058
Internet Explorer 的累积性安全更新 (956390)
此安全更新可消除五个秘密报告的漏洞以及一个公开披露的漏洞。 如果用户使用 Internet Explorer 查看特制网页,这些漏洞可能允许泄露信息或远程执行代码。 那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。

Microsoft 安全公告 MS08-059
Host Integration Server RPC 服务中的漏洞可能允许远程执行代码 (956695)
此安全更新解决了 Microsoft Host Integration Server 中一个秘密报告的漏洞。 如果攻击者向受影响的系统发送特制的远程过程调用 (RPC) 请求,则该漏洞可能允许远程执行代码。 遵循最佳方案并将 SNA RPC 服务帐户配置为对系统具有较少用户权限的客户所受到的影响可能比将 SNA RPC 服务帐户配置为具有管理用户权限的客户所受到的影响要小。

Microsoft 安全公告 MS08-057
Microsoft Excel 中的漏洞可能允许远程执行代码 (956416)
此安全更新解决了 Microsoft Office Excel 中三个秘密报告的漏洞,如果用户打开特制的 Excel 文件,这些漏洞可能允许远程执行代码。 成功利用这些漏洞的攻击者可以完全控制受影响的系统。 攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。 那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。

重要 (6)
Microsoft 安全公告 MS08-066
Microsoft 辅助功能驱动程序中的漏洞可能允许特权提升 (956803)
此安全更新可解决 Microsoft 辅助功能驱动程序中一个秘密报告的漏洞。 成功利用此漏洞的本地攻击者可以完全控制受影响的系统。 攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。

Microsoft 安全公告 MS08-061
Windows 内核中的漏洞可能允许特权提升 (954211)
此安全更新可解决 Windows 内核中一个公开披露和两个秘密报告的漏洞。 成功利用这些漏洞的本地攻击者可以完全控制受影响的系统。 匿名用户无法利用这些漏洞,也无法以远程方式利用这些漏洞。

Microsoft 安全公告 MS08-062
Windows Internet 打印服务中的漏洞可能允许远程执行代码 (953155)
此更新解决了 Windows Internet 打印服务中一个秘密报告的漏洞,该漏洞可能允许在当前用户的上下文中远程执行代码。 如果用户使用管理用户权限登录,成功利用此漏洞的攻击者便可完全控制受影响的系统。 攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。 那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。

Microsoft 安全公告 MS08-063
SMB 中的漏洞可能允许远程执行代码 (957095)
此安全更新解决了 Microsoft 服务器消息块 (SMB) 中一个秘密报告的漏洞。 该漏洞可能允许在共享文件或文件夹的服务器上远程执行代码。 成功利用这些漏洞的攻击者可以安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。

Microsoft 安全公告 MS08-064
虚拟地址描述符操作中的漏洞可能允许特权提升 (956841)
此安全更新可解决虚拟地址描述符中一个秘密报告的漏洞。 如果用户运行特制的应用程序,则该漏洞可能允许特权提升。 成功利用此漏洞并经过身份验证的攻击者可以在受影响的系统上获得特权提升。 攻击者随后可安装程序;查看、更改或删除数据;或者创建拥有完全管理权限的新帐户。

Microsoft 安全公告 MS08-065
消息队列中的漏洞可能允许远程执行代码 (951071)
此安全更新解决了 Microsoft Windows 2000 系统上消息队列服务 (MSMQ) 中一个秘密报告的漏洞。 此漏洞可能允许在启用了 MSMQ 服务的 Microsoft Windows 2000 系统上远程执行代码。

中等 (1)
Microsoft 安全公告 MS08-056
Microsoft Office 中的漏洞可能允许信息泄露 (957699)
此安全更新解决了 Microsoft Office 中一个秘密报告的漏洞。 如果用户点击特制的 CDO URL,该漏洞可能允许信息泄露。 成功利用此漏洞的攻击者可以在用户的浏览器中注入客户端脚本,该脚本可能欺骗内容、泄露信息或执行用户可以在受影响的网站上执行的任何操作。 阅读全文
类别:资讯前沿 查看评论]]> 2008-10-16 00:42 http://hi.baidu.com/mopery/blog/item/6d6d3c738a3b521a8601b012.html <![CDATA[weiai15.exe 解决方案]]> 文件名称: weiai15.exe
文件大小: 36468 bytes
MD5: 2EEF6AFD50B6C811FAC8C86805F1611A
加壳: Upack
编写语言: delphi
病毒名: kaspersky: N/A
rising: N/A
duba: N/A

详细资料:

文件变化:
释放文件
%WINDOWS%\system32\weiai15.exe

各分区根目录释放
X:\weiai15.exe
X:\AutoRun.inf

autorun.inf 内容:
[AutoRun]
Open=weiai15.exe
Shell\Open=打开(&O)
Shell\Open\Command=weiai15.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=weiai15.exe

注册表变动:
病毒创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"weiai15"="%WINDOWS%\system32\weiai15.exe"

修改注册表项禁用"显示所有文件和文件夹"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

其他行为:
调用IE下载 http://www.888[REMOVED].com/www.txt 依据文档内的地址下载盗号木马.

监视安全相关程序窗口和进程,发现相关程序活动,则立即关闭程序.

创建 Image File Execution Options 劫持安全相关程序,当被劫持程序运行,实际运行的是病毒主程序.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findt2005.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IsHelp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killhidepid.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvfw.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStore.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravt08.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwolusr.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartassistant.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syscheck.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Syscheck2.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ToolsUp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe]

清除方法:
1. 使用 xdelbox 删除病毒文件.(xdelbox 使用方法)
%WINDOWS%\system32\weiai15.exe
X:\weiai15.exe
X:\AutoRun.inf

2. 删除病毒创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"weiai15"

3. 修改注册表项恢复被禁用"显示所有文件和文件夹"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

4. 删除病毒创建的 Image File Execution Options 劫持项

备注:
本处理方法不能清除病毒联网下载的病毒.
联网下载的病毒杀软也都可查杀,绝大多数下载的病毒是HB系列盗号木马,附件为金山HB系列专杀可以尝试使用.

阅读全文
类别:病毒查杀 查看评论]]> 2008-10-16 00:31 http://hi.baidu.com/mopery/blog/item/095db1cc15356c1600e92817.html <![CDATA[Virus.Win32.VB.eu schedl.exe 解决方案]]> 文件大小: 223676 bytes
MD5: 1487e413823e8827f054020b7bb27da9
加壳: N/A
编写语言: VB
病毒名: kaspersky: Virus.Win32.VB.eu
rising: N/A
duba: Win32.Virut.n.84480

详细资料:

文件变化:
释放文件
%WINDOWS%\WINDOWS.exe
%WINDOWS%\Help\schedl.exe
X:\Documents and Settings\All Users\Documents\My Music\My Music.exe
X:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe
X:\Documents and Settings\All Users\Documents\My Videos\My Videos.exe
X:\Documents and Settings\当前用户\My Documents\Downloads\Downloads.exe
X:\Documents and Settings\当前用户\My Documents\My Ducuments.exe
X:\Documents and Settings\当前用户\My Documents\My Music\My Music.exe
X:\Documents and Settings\当前用户\My Documents\My Pictures\My Pictures.exe
X:\Documents and Settings\Documents and Settings.exe
X:\Program Files\Program Files.exe
X:\RECYCLER\RECYCLER.exe

X = 系统盘

依照盘符名称,在对应盘符根目录生成以盘符命名的病毒副本.
如下:
C:\C.exe
D:\D.exe
E:\E.exe
........

注册表变动:
病毒创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"schedl"="%WINDOWS%\Help\schedl.exe"

其他行为:
病毒在除系统盘以外的盘内,依据文件夹命名,在该文件夹内生成与文件夹命名相同的病毒副本

清除方法:
1. 结束进程
%WINDOWS%\Help\schedl.exe

2. 删除病毒文件
%WINDOWS%\WINDOWS.exe
%WINDOWS%\Help\schedl.exe
X:\Documents and Settings\All Users\Documents\My Music\My Music.exe
X:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe
X:\Documents and Settings\All Users\Documents\My Videos\My Videos.exe
X:\Documents and Settings\当前用户\My Documents\Downloads\Downloads.exe
X:\Documents and Settings\当前用户\My Documents\My Ducuments.exe
X:\Documents and Settings\当前用户\My Documents\My Music\My Music.exe
X:\Documents and Settings\当前用户\My Documents\My Pictures\My Pictures.exe
X:\Documents and Settings\Documents and Settings.exe
X:\Program Files\Program Files.exe
X:\RECYCLER\RECYCLER.exe

3. 删除各盘符根目录病毒副本

4. 删除病毒创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"schedl"

5. 在删除各盘符根目录病毒副本时,查看一下病毒副本所创建的时间,搜索除系统盘以外盘符,搜索出来的文件大小为 223676 字节,图标为文件夹图标的.exe 文件全部删除

备注: N/A
阅读全文
类别:病毒查杀 查看评论]]> 2008-10-14 23:39 http://hi.baidu.com/mopery/blog/item/5c7418d175092dd5562c8433.html <![CDATA[Worm.Win32.DownLoad.iz GR.PIF 解决方案 收藏]]> 原帖地址:http://www.vaid.cn/bbs/viewthread.php?tid=129&extra=page%3D1

文件名称: GR.PIF
文件大小: 12036 bytes
MD5: eb92f0f76fdf5316c193cef1f56c2238
加壳: WinUpack
编写语言: N/A
病毒名: kaspersky: Worm.Win32.AutoRun.otv
rising: Worm.Win32.DownLoad.iz
duba: Win32.TrojDownloader.RessdxT.uk.253952

详细资料:

文件变化:
释放文件
%SystemRoot%\system32\wanifts.dll
c:\temp.temp

替换系统文件
%SystemRoot%\system32\wuauclt.exe
%SystemRoot%\system32\dllcache\wuauclt.exe
%SystemRoot%\system32\Drivers\beep.sys

各分区根目录释放
X:\GR.PIF
X:\AUTORUN.INF

autorun.inf 内容:
[AutoRun] shell\open=打开(&O) shell\open\Command=GR.PIF shell\open\Default=1 shell\explore=资源管理器(&X) shell\explore\command=GR.PIF

注册表变动:
病毒创建启动项
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"internetnet"="%SystemRoot%\system32\wuauclt.exe"

修改注册表项禁用"显示所有文件和文件夹:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000002

删除注册表项破坏"安全模式"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]


其他行为:
通过 cacls.exe 命令修改下列文件访问控制权限
%SystemRoot%\system32\packet.dll
%SystemRoot%\system32\pthreadVC.dll
%SystemRoot%\system32\wpcap.dll
%SystemRoot%\system32\drivers\npf.sys
%SystemRoot%\system32\npptools.dll
%SystemRoot%\system32\drivers\acpidisk.sys
%SystemRoot%\system32\wanpacket.dll
c:\Documents and Settings\All Users\「开始」菜单\程序\启动


调用ie访问 58.53.128.146 下载病毒..

病毒修改系统年份:
2004

创建 Image File Execution Options 劫持安全相关程序,当被劫持程序运行,实际运行的是病毒主程序.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.COM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE]

清除方法:
1. 下载 IceSword(冰刃)

解压 运行冰刃

2. 文件(冰刃界面左上)-设置
勾上 禁止进线程创建 和 禁止协议功能

3. 冰刃=>进程=>结束下列进程 wuauclt.exe 和 GR.PIF 进程=>关闭冰刃

4. 下载本帖附件=>解压=>运行 killgr.bat

5. 重启计算机

6. 下载System Repair Engineer (点击下载)
解压=>运行=>系统修复=>高级修复=>修复安全模式

7. 修改系统时间

8. 从相同的操作系统中拷贝下列系统文件,复制到相同位置
%SystemRoot%\system32\wuauclt.exe
%SystemRoot%\system32\dllcache\wuauclt.exe
%SystemRoot%\system32\Drivers\beep.sys

备注: 本处理方法不能清除病毒联网下载的病毒.

killgr.bat http://www.mopery.cn/tools/killgr.rar

阅读全文
类别:病毒查杀 查看评论]]> 2008-09-30 13:56 http://hi.baidu.com/mopery/blog/item/a198247afa75f5eb2f73b32c.html <![CDATA[System Repair Engineer (SREng) 2.6 正式发布]]> 相关具体说明请点击 发行说明 查看..


2.6.10.992 (2.6 Final)
发布日期:2008/06/30
  • 增加将SREng在受限桌面下启动功能(需要使用参数 /safedesktop 启动(注意大小写),示例:SREngLdr.EXE /safedesktop)
  • 增加对AppInit_Dlls HOOK的免疫
  • 增加文件存在检测
  • 集成TrayTooltipFix功能
  • 智能扫描提速50%
  • 修正数字签名检查时内部发生的随机违例
  • 修正logonui提示信息错误
  • 修正部分资源错误
  • 其他内部调整和优化

由于刚刚发布服务器可能超负荷运作,请大家尽量通过其他站点下载(霏凡,华军,天空等等),以减轻 Smallfrogs 网站服务器负荷..谢谢..

http://www.fs2you.com/zh-cn/files/674d5642-45fc-11dd-bf22-001143e7b41c/
SREng 官方分流..

http://www.mopery.cn/Smallfrogs/sreng2.zip

本人网站分流..

各位在签名中转向sreng官方连接的,请更新一下你们的签名,在这几天尽量不要直接转向 kztechs.com ..

阅读全文
类别:资讯前沿 查看评论]]> 2008-06-30 01:26 http://hi.baidu.com/mopery/blog/item/b0abc607eb2833c87a89473c.html <![CDATA[我们这的赛车比赛]]>

说实话,福建这地方很少能见到名车.(宝马 奔驰 倒是满大街)

昨天在我这个鸟地方,举行了直线竞速比赛.

把我家门前整条路给封了,公交都不走我这路了,这俩天路没少走,累啊..

本来是想去凑热闹看看比赛,没想到能见到名车(在我们这算是名车)..

法拉利 一辆跑车,一辆敞篷 保时捷 一辆跑车,一辆商务车 奥迪&三菱&奔驰 跑车

上几张图..=.= 从来都在网路上看到名车. 现实真少见.. 摸一下都爽..

阅读全文
类别:个人日记 查看评论]]> 2008-04-27 13:49 http://hi.baidu.com/mopery/blog/item/6c7be9ed3dd92c4a79f05526.html <![CDATA[windows xp sp3]]>

花了半天把自己的系统换成了英文版xp sp3

用得非常舒服..

进入系统的速度变慢了点.. 浏览文件速度快了..

=.= 剩下探讨中... 还有就是 QQ医生 漏洞扫描sp3 挂..


类别:个人日记 查看评论]]> 2008-04-25 17:19 http://hi.baidu.com/mopery/blog/item/029f87cab1138d83c8176804.html <![CDATA[小记]]> 好久没来写blog了..

其实天天都有来自己的blog..每次都想写些什么,最后都没有写..

突然想起很早很早之前的我..总是喜欢写些自己的情感..每次都能写下自己一大堆事..

现在把以前的日记拿出来看.. 有些日记觉得很无知,很傻.. 有些日记能让我感觉到伤感..

不过这些日记都能让我回忆起刚上网时的种种事情..

一路在网路上"成长"过来..........

现在自己写日记感觉上文不对下文.. 条理等等都很乱.. 写着写着就不知道写什么了.

烦躁.....不写了...

阅读全文
类别:个人日记 查看评论]]> 2008-04-24 20:54 http://hi.baidu.com/mopery/blog/item/00ff8c2fc703013d1f3089f5.html