After "Robot Dog", another rampant virus: IGM
The IGM.EXE virus has recently been found spreading on a large scale, and many Internet cafés have been hit by it; everyone should take it seriously.
So far the virus has not been found to penetrate disk-restore systems, but if even one machine on the LAN is infected (for example an online-game server), the whole LAN is affected and may even be paralysed.
The virus spreads across the LAN by MAC-address spoofing. When the Trojan activates it sends out large volumes of packets that congest LAN traffic: users notice the connection getting slower and slower, dropping, or failing altogether, and the whole LAN becomes unstable. It intercepts the web pages LAN users open and loads hxxp://ask.35832.com/main.js (http is written as hxxp to prevent accidental clicks), which downloads an account-stealing Trojan from that site; the opened page then closes automatically.
IGM virus characteristics:
Process file: IGM or IGM.exe
Process location: %windir%\
Program name: Troj_dl.Win32.Delf.IGM
Purpose: downloads other malware via IE, infects files, steals QQ and online-game account passwords
Propagation: LAN, IE
Process analysis: the virus adds the registry value Run\WinSysM = C:\WINDOWS\IGM.exe to start automatically. It may create auto.exe and autorun.inf on every drive, and may inject a large number of malware modules (*****MM.DLL) into SVCHOST.EXE, which then download Trojans in bulk. The Trojans fight one another, then create virus files with random names in the temporary folder and run them.
Symptoms of igm.exe infection:
1. IGM.EXE appears in MSconfig's startup items and in the process list
2. It auto-starts and protects itself
3. The infected machine hijacks the router, changes its MAC and IP addresses, and continuously sends MAC-spoofing packets to the other machines on the LAN
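The MAC-spoofing behaviour in item 3 (ARP cache poisoning in practice) leaves a trace in every client's own ARP cache, which is the cheapest place for a café administrator to look. The following is an added example, not code from the original post or from any vendor: it parses the text printed by Windows `arp -a` and flags two signs of spoofing, the gateway IP answering with a MAC other than the one recorded when the LAN was healthy, and a single unicast MAC claiming several IPs. The sample cache text and the "known-good" gateway MAC are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output from a café client (not real data).
# The gateway 192.168.1.1 now resolves to the same MAC as the host at
# 192.168.1.45, which is the classic signature of ARP/MAC spoofing.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.45          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.77          00-50-56-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical known-good gateway MAC, recorded while the LAN was healthy.
EXPECTED_GATEWAY = {"ip": "192.168.1.1", "mac": "00-11-22-33-44-55"}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for every dynamic/static entry in Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def _is_unicast(mac):
    # Broadcast and multicast MACs legitimately appear as static entries; skip them.
    if mac == "ff-ff-ff-ff-ff-ff":
        return False
    first_octet = int(mac.split("-")[0], 16)
    return first_octet & 0x01 == 0  # group bit clear => unicast


def find_arp_anomalies(table, expected_gateway):
    """Return human-readable findings; an empty list means the cache looks clean."""
    findings = []
    gw_ip, gw_mac = expected_gateway["ip"], expected_gateway["mac"].lower()
    seen = table.get(gw_ip)
    if seen is not None and seen != gw_mac:
        findings.append(f"gateway {gw_ip} MAC changed: expected {gw_mac}, cache has {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if _is_unicast(mac):
            by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_OUTPUT), EXPECTED_GATEWAY):
        print("ALERT:", finding)
```

On a real client, feed it the output of `arp -a` and the gateway MAC you recorded from the router itself; a gateway MAC that suddenly matches one of the café's workstations is the machine to pull off the network.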
Files created
System
%windir%\igm.exe
%windir%\system32\rsjzbpm.dll
%windir%\system32\racvsvc.exe
%windir%\system32\drivers\svchost.exe
%windir%\cmdbcs.exe
%windir%\dbghlp32.exe
%windir%\nvdispdrv.exe
%windir%\upxdnd.exe
%windir%\AVPSrv.exe
%windir%\DiskMan32.exe
%windir%\Kvsc3.exe
%windir%\lqvytv.exe
%windir%\MsIMMs32.exe
%windir%\system32\cmdbcs.dll
%windir%\system32\dbghlp32.dll
%windir%\system32\upxdnd.dll
%windir%\system32\yfmtdiouaf.dll
c:\program files\microsoft activesync\rapiproxystub.dll
Temporary folder\*.exe
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<upxdnd><%windir%\upxdnd.exe>
<WinSysM><%windir%\IGM.exe>
<NVDispDrv><%windir%\NVDispDrv.exe>
<DbgHlp32><%windir%\DbgHlp32.exe>
<cmdbcs><%windir%\cmdbcs.exe>
<KVP><%windir%\system32\drivers\svchost.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<RavRuneip><%windir%\system32\RacvSvc.EXE yfmtdiouaf.dll,HHanMa>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><rsjzbpm.dll>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{22FAACDE-34DA-CCD4-AB4D-DA34485A3422}><%windir%\system32\rsjzbpm.dll>
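The autorun entries above are the virus's persistence points and the most reliable thing to audit on a suspect machine. As an added example (not code from the original post), the Python below parses the text printed by `reg query <key>` for the keys listed above, matches each value name and its data against the indicators taken from this post, and reports hits. Because it matches on the key path suffix it also catches the same names under HKEY_CURRENT_USER, which goes beyond the HKLM entries the post lists. The `reg query` output is constructed for the example.

```python
import re

# Indicators taken from the post's registry section:
# (key path suffix, value name, file name expected in the data; "" = any data)
IGM_REGISTRY_IOCS = [
    (r"Windows\CurrentVersion\Run", "upxdnd", "upxdnd.exe"),
    (r"Windows\CurrentVersion\Run", "WinSysM", "IGM.exe"),
    (r"Windows\CurrentVersion\Run", "NVDispDrv", "NVDispDrv.exe"),
    (r"Windows\CurrentVersion\Run", "DbgHlp32", "DbgHlp32.exe"),
    (r"Windows\CurrentVersion\Run", "cmdbcs", "cmdbcs.exe"),
    (r"Windows\CurrentVersion\Run", "KVP", r"drivers\svchost.exe"),
    (r"Policies\Explorer\Run", "RavRuneip", "RacvSvc.EXE"),
    (r"Windows NT\CurrentVersion\Windows", "AppInit_DLLs", "rsjzbpm.dll"),
    (r"Explorer\ShellExecuteHooks", "{22FAACDE-34DA-CCD4-AB4D-DA34485A3422}", ""),
]

# Constructed `reg query` output for an infected machine (not real data):
# two legitimate values are mixed in with the IGM entries.
SAMPLE_REG_OUTPUT = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    WinSysM    REG_SZ    C:\WINDOWS\IGM.exe
    upxdnd    REG_SZ    C:\WINDOWS\upxdnd.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    rsjzbpm.dll
    DeviceNotSelectedTimeout    REG_SZ    15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {22FAACDE-34DA-CCD4-AB4D-DA34485A3422}    REG_SZ
"""

# reg query prints "    <name>    <REG_TYPE>    <data>"; data may be empty.
VALUE_LINE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$")


def parse_reg_query(text):
    """Return [(key, value_name, type, data)] from `reg query` output."""
    entries, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            data = (m.group(3) or "").strip()
            entries.append((current_key, m.group(1), m.group(2), data))
    return entries


def match_igm_iocs(entries):
    """Return [(key, value_name, data)] for every entry matching an IGM indicator."""
    hits = []
    for key, name, _vtype, data in entries:
        for key_suffix, ioc_name, ioc_file in IGM_REGISTRY_IOCS:
            if (key.lower().endswith(key_suffix.lower())
                    and name.lower() == ioc_name.lower()
                    and (not ioc_file or ioc_file.lower() in data.lower())):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in match_igm_iocs(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"IGM indicator: {key}\\{name} = {data!r}")
```

On a live machine, redirect `reg query "<key>" /s` for each of the keys listed above into a file and pass its contents to `parse_reg_query`; a hit on AppInit_DLLs or ShellExecuteHooks means the DLL is being loaded into every process, so the machine should be treated as fully compromised rather than just cleaned of IGM.exe.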
Related website IPs:
212.22.225.82
203.174.87.210
64.233.167.99
58.211.79.107
219.153.42.98
221.130.191.207
218.75.91.248
60.190.110.47
Solution:
Save the code below as a batch file and load it through the restore system's reserved pass-through channel! The script pre-creates directories bearing the malware's file names so those files cannot be written, hides and locks them, denies Everyone access to them, redirects the malware executables to a non-existent debugger so Windows cannot launch them, and kills any instances already running.
rem Stage 1: pre-create directories with the malware's file names so the dropper cannot create those files
md %windir%\IGM.exe
md %windir%\IG.exe
md %windir%\IGW.exe
md %windir%\AVPSrv.exe
md %windir%\DiskMan32.exe
md %windir%\Kvsc3.exe
md %windir%\lqvytv.exe
md %windir%\MsIMMs32.exe
md %windir%\system32\racvsvc.exe
md %windir%\system32\drivers\svchost.exe
md %windir%\cmdbcs.exe
md %windir%\dbghlp32.exe
md %windir%\nvdispdrv.exe
md %windir%\upxdnd.exe
md %Temp%\QQSC.exe
md %Temp%\close.exe
md %Temp%\tomons.exe
md "%ProgramFiles%\1.exe"
md "%ProgramFiles%\2.exe"
md "%ProgramFiles%\3.exe"
md "%ProgramFiles%\4.exe"
md "%ProgramFiles%\5.exe"
md "%ProgramFiles%\6.exe"
md "%ProgramFiles%\7.exe"
md "%ProgramFiles%\8.exe"
md "%ProgramFiles%\9.exe"
md "%ProgramFiles%\10.exe"
md "%ProgramFiles%\11.exe"
md "%ProgramFiles%\12.exe"
md "%ProgramFiles%\13.exe"
md "%ProgramFiles%\14.exe"
md "%ProgramFiles%\15.exe"
md "%ProgramFiles%\16.exe"
md "%ProgramFiles%\17.exe"
md "%ProgramFiles%\18.exe"
md "%ProgramFiles%\19.exe"
md "%ProgramFiles%\20.exe"
md "%ProgramFiles%\21.exe"
md "%ProgramFiles%\22.exe"
md "%ProgramFiles%\23.exe"
md "%ProgramFiles%\24.exe"
md "%ProgramFiles%\25.exe"
md "%ProgramFiles%\26.exe"
md "%ProgramFiles%\27.exe"
md "%ProgramFiles%\28.exe"
md "%ProgramFiles%\29.exe"
md "%ProgramFiles%\30.exe"
rem Stage 2: mark the placeholder directories read-only, hidden and system
ATTRIB +R +H +S %windir%\IGM.exe
ATTRIB +R +H +S %windir%\IG.exe
ATTRIB +R +H +S %windir%\IGW.exe
ATTRIB +R +H +S %windir%\system32\racvsvc.exe
ATTRIB +R +H +S %windir%\system32\drivers\svchost.exe
ATTRIB +R +H +S %windir%\cmdbcs.exe
ATTRIB +R +H +S %windir%\dbghlp32.exe
ATTRIB +R +H +S %windir%\nvdispdrv.exe
ATTRIB +R +H +S %windir%\upxdnd.exe
ATTRIB +R +H +S %windir%\AVPSrv.exe
ATTRIB +R +H +S %windir%\DiskMan32.exe
ATTRIB +R +H +S %windir%\Kvsc3.exe
ATTRIB +R +H +S %windir%\lqvytv.exe
ATTRIB +R +H +S %windir%\MsIMMs32.exe
ATTRIB +R +H +S %Temp%\QQSC.exe
ATTRIB +R +H +S %Temp%\close.exe
ATTRIB +R +H +S %Temp%\tomons.exe
ATTRIB +R +H +S "%ProgramFiles%\1.exe"
ATTRIB +R +H +S "%ProgramFiles%\2.exe"
ATTRIB +R +H +S "%ProgramFiles%\3.exe"
ATTRIB +R +H +S "%ProgramFiles%\4.exe"
ATTRIB +R +H +S "%ProgramFiles%\5.exe"
ATTRIB +R +H +S "%ProgramFiles%\6.exe"
ATTRIB +R +H +S "%ProgramFiles%\7.exe"
ATTRIB +R +H +S "%ProgramFiles%\8.exe"
ATTRIB +R +H +S "%ProgramFiles%\9.exe"
ATTRIB +R +H +S "%ProgramFiles%\10.exe"
ATTRIB +R +H +S "%ProgramFiles%\11.exe"
ATTRIB +R +H +S "%ProgramFiles%\12.exe"
ATTRIB +R +H +S "%ProgramFiles%\13.exe"
ATTRIB +R +H +S "%ProgramFiles%\14.exe"
ATTRIB +R +H +S "%ProgramFiles%\15.exe"
ATTRIB +R +H +S "%ProgramFiles%\16.exe"
ATTRIB +R +H +S "%ProgramFiles%\17.exe"
ATTRIB +R +H +S "%ProgramFiles%\18.exe"
ATTRIB +R +H +S "%ProgramFiles%\19.exe"
ATTRIB +R +H +S "%ProgramFiles%\20.exe"
ATTRIB +R +H +S "%ProgramFiles%\21.exe"
ATTRIB +R +H +S "%ProgramFiles%\22.exe"
ATTRIB +R +H +S "%ProgramFiles%\23.exe"
ATTRIB +R +H +S "%ProgramFiles%\24.exe"
ATTRIB +R +H +S "%ProgramFiles%\25.exe"
ATTRIB +R +H +S "%ProgramFiles%\26.exe"
ATTRIB +R +H +S "%ProgramFiles%\27.exe"
ATTRIB +R +H +S "%ProgramFiles%\28.exe"
ATTRIB +R +H +S "%ProgramFiles%\29.exe"
ATTRIB +R +H +S "%ProgramFiles%\30.exe"
rem Stage 3: deny Everyone access to the placeholders so the malware cannot remove them ("echo y|" answers the CACLS confirmation prompt)
echo y| CACLS %windir%\IGM.exe /d everyone
echo y| CACLS %windir%\IG.exe /d everyone
echo y| CACLS %windir%\IGW.exe /d everyone
echo y| CACLS %windir%\system32\racvsvc.exe /d everyone
echo y| CACLS %windir%\system32\drivers\svchost.exe /d everyone
echo y| CACLS %windir%\cmdbcs.exe /d everyone
echo y| CACLS %windir%\dbghlp32.exe /d everyone
echo y| CACLS %windir%\nvdispdrv.exe /d everyone
echo y| CACLS %windir%\upxdnd.exe /d everyone
echo y| CACLS %windir%\AVPSrv.exe /d everyone
echo y| CACLS %windir%\DiskMan32.exe /d everyone
echo y| CACLS %windir%\Kvsc3.exe /d everyone
echo y| CACLS %windir%\lqvytv.exe /d everyone
echo y| CACLS %windir%\MsIMMs32.exe /d everyone
echo y| CACLS %Temp%\QQSC.exe /d everyone
echo y| CACLS %Temp%\close.exe /d everyone
echo y| CACLS %Temp%\tomons.exe /d everyone
echo y| CACLS "%ProgramFiles%\1.exe" /d everyone
echo y| CACLS "%ProgramFiles%\2.exe" /d everyone
echo y| CACLS "%ProgramFiles%\3.exe" /d everyone
echo y| CACLS "%ProgramFiles%\4.exe" /d everyone
echo y| CACLS "%ProgramFiles%\5.exe" /d everyone
echo y| CACLS "%ProgramFiles%\6.exe" /d everyone
echo y| CACLS "%ProgramFiles%\7.exe" /d everyone
echo y| CACLS "%ProgramFiles%\8.exe" /d everyone
echo y| CACLS "%ProgramFiles%\9.exe" /d everyone
echo y| CACLS "%ProgramFiles%\10.exe" /d everyone
echo y| CACLS "%ProgramFiles%\11.exe" /d everyone
echo y| CACLS "%ProgramFiles%\12.exe" /d everyone
echo y| CACLS "%ProgramFiles%\13.exe" /d everyone
echo y| CACLS "%ProgramFiles%\14.exe" /d everyone
echo y| CACLS "%ProgramFiles%\15.exe" /d everyone
echo y| CACLS "%ProgramFiles%\16.exe" /d everyone
echo y| CACLS "%ProgramFiles%\17.exe" /d everyone
echo y| CACLS "%ProgramFiles%\18.exe" /d everyone
echo y| CACLS "%ProgramFiles%\19.exe" /d everyone
echo y| CACLS "%ProgramFiles%\20.exe" /d everyone
echo y| CACLS "%ProgramFiles%\21.exe" /d everyone
echo y| CACLS "%ProgramFiles%\22.exe" /d everyone
echo y| CACLS "%ProgramFiles%\23.exe" /d everyone
echo y| CACLS "%ProgramFiles%\24.exe" /d everyone
echo y| CACLS "%ProgramFiles%\25.exe" /d everyone
echo y| CACLS "%ProgramFiles%\26.exe" /d everyone
echo y| CACLS "%ProgramFiles%\27.exe" /d everyone
echo y| CACLS "%ProgramFiles%\28.exe" /d everyone
echo y| CACLS "%ProgramFiles%\29.exe" /d everyone
echo y| CACLS "%ProgramFiles%\30.exe" /d everyone
echo y| CACLS "e:\30.exe" /d everyone
rem Stage 4: Image File Execution Options - point the malware executables at a debugger that does not exist, so Windows refuses to launch them
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IGM.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IGw.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IG.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kvsc3.exe" /v debugger /t reg_sz /d debugfile.exe /f
rem Stage 5: kill any instances that are already running
taskkill /im IGM.exe /f
taskkill /im IG.exe /f
taskkill /im IGW.exe /f
In this era of rampant viruses there is no absolute security on a network: the "demon" always comes before the "way", so security can only ever be "adequate". But that is no reason to let things slide; maintaining "adequate" security depends on building a complete system of management and technical safeguards.