作者:清新阳光 ( http://hi.baidu.com/newcenturysun)
日期:2007/06/08 (转载请保留此申明)
今天收到了随机8位数病毒的新版本(528版本) 测试了一下 发现对比先前的版本有一些变化 原来写过分析 在http://hi.baidu.com/newcenturysun/blog/item/2ad3d7cedcea3c0292457e2c.html
病毒主要特征
1.破坏安全模式
2.结束常见杀毒软件以及反病毒工具进程
3.监控窗口
4.关闭自动更新,Windows安全中心,Windows防火墙以及常见杀毒软件的服务
5.屏蔽显示隐藏文件
6.下载木马
7.IFEO映像劫持
分析报告
File为C5E46F76.exe
Size为36435 bytes
MD5为E32966B40D3E655F1912B2CD6930B24B
SHA1为1ECE8B7EA4706DF8AA871F0C43E16CBFB6E672FB
CRC32为DC232B41
病毒运行后
在C:\Program Files\Common Files\Microsoft Shared\MSInfo\下面释放一个同样由8个数字和字母组成的组合的文
件名的dll 和一个同名的dat 文件
我这里是C:\Program Files\Common Files\Microsoft Shared\MSInfo\41115BDD.dll
PS为发现病毒的每次更新时文件大小不变 而MD5等值会变
在C:\WINDOWS\Help\下面生成一个同样由8个数字和字母组成的组合的文件名的chm文件
在C:\WINDOWS\下面生成一个同样由8个数字和字母组成的组合的文件名的hlp文件
把C:\WINDOWS\system32\verclsid.exe重命名为verclsid.exe.bak然后删除C:\WINDOWS\system32\verclsid.exe
生成C:\WINDOWS\system32\DirectX\DirectX.ini里面是3个数字 表明现在的主程序(随机8位数病毒)的版本
在除系统分区以外的其他分区释放一个autorun.inf和随机7位字母的exe文件 且右键菜单无变化
监视并关闭以下进程以及窗口
AntiVirus
TrojanFirewall
Kaspersky
JiangMin
KV200
kxp
Rising
RAV
RFW
KAV200
KAV6
McAfe
Network Associates
TrustPort
NortonSymantec
SYMANT~1
Norton SystemWorks
ESET
Grisoft
F-Pro
Alwil Software
ALWILS~1
F-Secure
ArcaBit
Softwin
ClamWin
DrWe
Fortineanda Software
Vba3
Trend Micro
QUICKH~1
TRENDM~1
Quick Heal
eSafewido
Prevx1
ers
avg
Ikarus
SophoSunbeltPC-cilli
ZoneAlar
Agnitum
WinAntiVirus
AhnLab
Normasurfsecret
Bullguard\Blac
360safe
SkyNet
Micropoint
Iparmor
ftc
mmjk2007
Antiy Labs
LinDirMicro Lab
Filseclab
ast
System Safety Monitor
ProcessGuard
FengYun
Lavasoft
NOD3
mmsk
The Cleaner
Defendio
kis6Beheadsreng
IceSword
HijackThis
killbox
procexp
Magicset
EQSysSecureProSecurity
Yahoo!
Google
baidu
P4P
Sogou PXP
ardsys
超级兔子木马
KSysFiltsys
KSysCallsys
AVK
K7
Zondex
blcorp
Tiny Firewall Pro
Jetico
HAURI
CA
kmx
PCClear_Plus
Novatix
Ashampoo
WinPatrol
Spy Cleaner Gold
CounterSpy
EagleEyeOS
Webroot
BufferZ
avp
AgentSvr
CCenter
Rav
RavMonD
RavStub
RavTask
rfwcfg
rfwsrv
RsAgent
Rsaupd
runiep
SmartUp
FileDsty
RegClean
360tray
360Safe
360rpt
kabaload
safelive
Ras
KASMain
KASTask
KAV32
KAVDX
KAVStart
KISLnchr
KMailMon
KMFilter
KPFW32
KPFW32X
KPFWSvc
KWatch9x
KWatch
KWatchX
TrojanDetector
UpLive.EXE
KVSrvXP
KvDetect
KRegEx
kvol
kvolself
kvupload
kvwsc
UIHost
IceSword
iparmo
mmsk
adam
MagicSet
PFWLiveUpdate
SREng
WoptiClean
scan32
hcfg32
mcconsol
HijackThis
mmqczj
Trojanwall
FTCleanerShell
loaddll
rfwProxy
KsLoader
KvfwMcl
autoruns
AppSvc32
ccSvcHst
isPwdSvc
symlcsvcnod32kui
avgrssvc
RfwMain
KAVPFW
Iparmor
nod32krn
PFW
RavMon
KAVSetup
NAVSetup
SysSafe
QHSET
zxsweep.
AvMonitor
UmxCfg
UmxFwHlp
UmxPol
UmxAgent
UmxAttachment
KPFW32
KPFW32X
KvXP_1
KVMonXP_1
KvReport
KVScan
KVStub
KvXP
KVMonXP
KVCenter
TrojDie
avp.com.
krepair.COM
KaScrScn.SCR
Trojan
Virus
kaspersky
jiangmin
rising
ikaka
duba
kingsoft
360safe
木马
木馬
病毒
杀毒
殺毒
查毒
防毒
反病毒
专杀
專殺
卡巴斯基
江民
瑞星
卡卡社区
金山毒霸
毒霸
金山社区
360安全
恶意软件
流氓软件
举报
报警
杀软
殺軟
防駭
注册表相关操作
删除
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
破坏安全模式
修改
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue值
为0x00000000
HKU\S-1-5-21-1085031214-1078145449-839522115-500
\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden为0x00000002
HKU\S-1-5-21-1085031214-1078145449-839522115-500
\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden为0x00000001
屏蔽显示隐藏文件
修改
HKLM\SYSTEM\ControlSet001\Services\HookUrl\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\mProcRs\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\RfwProxySrv\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\RfwService\StartHKLM\SYSTEM\ControlSet001\Services\HookUrl\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\RsFwDrv\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch为0x0000008B
HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start为0x00000004
HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start为0x00000004
HKLM\SYSTEM\ControlSet002\Services\HookUrl\Start为0x00000004
HKLM\SYSTEM\ControlSet002\Services\mProcRs\Start为0x00000004
HKLM\SYSTEM\ControlSet002\Services\RfwProxySrv\Start为0x00000004
HKLM\SYSTEM\ControlSet002\Services\RsFwDrv\Start为 0x00000004
破坏常见杀毒软件以及windows安全中心 windows防火墙 windows自动更新
添加IFEO映像劫持项
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe
指向C:\Program Files\Common Files\Microsoft Shared\MSInfo\下的那个dat文件
控制IE连接网络 下载http://google.171738.org/update2.exe到临时文件夹命名为dl1.exe
他实际上是下面的木马的下载器
下载
http://head.xxxxhtml.biz/update/wow.exe
http://head.xxxxhtml.biz/update/mh.exe
http://head.xxxxhtml.biz/update/wm.exe
http://head.xxxxhtml.biz/update/my.exe
http://head.xxxxhtml.biz/update/wl.exe
http://head.xxxxhtml.biz/update/zt.exe
http://head.xxxxhtml.biz/update/jh.exe
http://head.xxxxhtml.biz/update/tl.exe
http://head.xxxxhtml.biz/update/1.exe
http://head.xxxxhtml.biz/update/2.exe
http://head.xxxxhtml.biz/update/3.exe
http://head.xxxxhtml.biz/update/4.exe
http://head.xxxxhtml.biz/update/5.exe到C:\Program Files中 分别命名为 stop1.exe~stop13.exe
分别由IE启动他们
木马全部植入完毕后 增加如下文件
C:\WINDOWS\system32\dllhost32.exe
C:\WINDOWS\system32\hreax.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\msacn.dll
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\msport.dll
C:\WINDOWS\system32\netsrvcs.dll
C:\WINDOWS\system32\nslookupi.exe
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\nwizwmgjs.exe
C:\WINDOWS\system32\until.ttc
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\wscsv.dll
C:\WINDOWS\system32\wtrmm.dll...
解决方法:
原先用Xdelbox删除病毒文件的方法在某些情况下可能出现删除不掉的问题 今天给大家提供一个简便的方法
一.清理病毒主程序
1.确定那个8位随机数的dll的名称
这里我们选用winrar确定那个dll的名称
方法是:打开winrar.exe
工具 查看文件
在上面的地址栏中 进入c:\program files\common files\microsoft shared\msinfo目录
(如图1)
我这台被感染的电脑的文件名为41115bdd.dll和41115bdd.dat
2.找到后 在winrar中右键点击随机8位数字的那个dll和那个dat文件 重命名
把他们命名为其他名字 越乱越好 趁这个机会可以命个名字骂骂这个病毒,呵呵!
不过要记住你重命名的文件的名字哦
3.重启计算机
4.由于注册表与那个dll的名字不对应 所以重启后自然不会加载那个dll文件
恢复映像劫持
这里我们使用autoruns这个软件 http://www.skycn.com/soft/17567.html
由于这个软件也被映像劫持了 所以我们随便把他改个名字
打开这个软件后 找到Image hijack (映像劫持)
删除除了Your Image File Name Here without a pathSymbolic Debugger for Windows 2000 Microsoft
Corporation c:\windows\system32\ntsd.exe
以外的所有项目
5.此时我们就可以打开sreng了
打开sreng
系统修复 高级修复 点击修复安全模式 在弹出的对话框中点击是
5.恢复显示隐藏文件
把下面的 代码拷入记事本中然后另存为1.reg文件
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
双击1.reg把这个注册表项导入
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
删除c:\program files\common files\microsoft shared\msinfo下面你刚刚重命名的那两个文件(一个dll一个dat)
二.清理下载的木马(由于变种不同,且病毒所连接的下载地址的木马随时在更新,所以你的情况不一定和我测试的相符合,此处仅以我测试时候生成的木马为例)
我测试的时候sreng日志如下:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Kvsc><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<MSDEG32><LYLoader.exe> []
<MSDWG32><LYLoadbr.exe> [N/A]
<MSDCG32 ><LYLeador.exe> [N/A]
<MSDOG32><LYLoador.exe> [N/A]
<MSDSG32><LYLoadar.exe> [N/A]
<MSDMG32><LYLoadmr.exe> [N/A]
<MSDHG32><LYLoadhr.exe> [N/A]
<MSDQG32><LYLoadqr.exe> [N/A]
<{15BD4111-4111-5BDD-115B-111BD1115BDD}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\41115BDD.dll> [N/A]
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINDOWS\system32\msacn.dll> []
服务
[Win32 Debug Service / MSDebugsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe windhcp.ocx,input><Microsoft Corporation>
[Wireless Service / WZCSRVC][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe netsrvcs.dll,input><Microsoft Corporation>
实践中最难搞的就是那个C:\WINDOWS\system32\msacn.dll了 有注册表守护,且几个dll插入进程相互守护对方
不过没关系 继续我们的重命名大法
搜索C:\WINDOWS\system32\msacn.dll然后随便把他起个名字
然后打开sreng
启动项目 注册表 删除如下项目
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Kvsc><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<MSDEG32><LYLoader.exe> []
<MSDWG32><LYLoadbr.exe> [N/A]
<MSDCG32 ><LYLeador.exe> [N/A]
<MSDOG32><LYLoador.exe> [N/A]
<MSDSG32><LYLoadar.exe> [N/A]
<MSDMG32><LYLoadmr.exe> [N/A]
<MSDHG32><LYLoadhr.exe> [N/A]
<MSDQG32><LYLoadqr.exe> [N/A]
<{15BD4111-4111-5BDD-115B-111BD1115BDD}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\41115BDD.dll> [N/A]
“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”,
选中以下项目,点“删除服务”,再点“设置”,在弹出的框中点“否”:
Win32 Debug Service / MSDebugsvc
Windows DHCP Service / WinDHCPsvc
Wireless Service / WZCSRVC
重启电脑
打开sreng
启动项目 注册表 删除如下项目
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINDOWS\system32\msacn.dll> []
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
C:\WINDOWS\system32\dllhost32.exe
C:\WINDOWS\system32\hreax.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\msport.dll
C:\WINDOWS\system32\netsrvcs.dll
C:\WINDOWS\system32\nslookupi.exe
C:\WINDOWS\system32\nwiztlbu.exe
C:\WINDOWS\system32\nwizwmgjs.exe
C:\WINDOWS\system32\until.ttc
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\wscsv.dll
C:\WINDOWS\system32\wtrmm.dll
以及刚才你重命名msacn.dll的那个文件
最后也是最重要的 就是删除各个分区下面的autorun.inf和8位随机数的exe
一定不要双击 也不能右键打开(因为那个autorun.inf编辑的比较巧妙,所以右键菜单无原先的auto等字样) 所以一定用winrar删除!!!!
update:关闭winrar的变种分析
http://hi.baidu.com/newcenturysun/blog/item/76c1e41ffb59c4f4e0fe0bc6.html
