Manual removal of Virus.Win32.AutoRun.bk (M1.exe)

Date: 2007-07-20 20:54:42   Origin: 技术无忧
Keywords: Kaspersky, virus, USB drive

Sample information:

File name: M1.exe

File size: 23087 bytes

AV detection name: Virus.Win32.AutoRun.bk (Kaspersky)

Target platform: MS-DOS executable (EXE), OS/2 or MS Windows (Windows 9x and later)

Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24

Compiler: Borland Delphi 6.0 - 7.0

Threat type: Virus.Win32

File MD5: c7f7e9d653cba09ee2e935c3061dfd8e

File SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 (note: this value is the SHA-1 of empty input, so it does not identify the sample; rely on the MD5 and CRC32 above)

File CRC32: 1AC355C7

Threat level: ★ ★ ★ ☆

Propagation: USB drives and other removable media, web page exploits, e-mail, etc.


Behaviour analysis:

1. Drops the following files (attribute letters: H = hidden, S = system, A = archive):

C:\Program Files\Common Files\Relive.dll   14895 bytes, HSA

C:\Program Files\Common Files\svchost.exe 21756 bytes, A

C:\Program Files\Internet Explorer\msvcrt.bak 23087 bytes, HS

C:\Program Files\Internet Explorer\msvcrt.dll 14895 bytes, HSA

C:\Program Files\Internet Explorer\msvcrt.ebk 14895 bytes, HSA

2. msvcrt.dll injects itself into the Explorer.exe process, opens a reverse connection to 209.11.243.**, and downloads password-stealing trojans:

C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\WanPacket.dll

C:\Documents and Settings\User name\Local Settings\Temp\wmso.exe
C:\Documents and Settings\User name\Local Settings\Temp\BCG5.tmp
C:\Documents and Settings\User name\Local Settings\Temp\mhso.exe
C:\Documents and Settings\User name\Local Settings\Temp\mhso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wmso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\woso.exe
C:\Documents and Settings\User name\Local Settings\Temp\woso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\fyso.exe
C:\Documents and Settings\User name\Local Settings\Temp\ztso.exe
C:\Documents and Settings\User name\Local Settings\Temp\ztso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\qjso.exe
C:\Documents and Settings\User name\Local Settings\Temp\jtso.exe
C:\Documents and Settings\User name\Local Settings\Temp\jtso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\tlso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wlso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wlso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wdso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wgso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wgso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\tlso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\daso.exe
C:\Documents and Settings\User name\Local Settings\Temp\fyso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\zxso.exe
C:\Documents and Settings\User name\Local Settings\Temp\qjso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\$$a.bat
C:\Documents and Settings\User name\Local Settings\Temp\rxso.exe
C:\Documents and Settings\User name\Local Settings\Temp\rxso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wdso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\daso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\zxso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\M1.exe
C:\Documents and Settings\User name\Local Settings\Temp\oKoK.exe

Note: "User name" stands for your Windows user name.

3. msvcrt.dll searches the registry for the installation directories of Kaspersky, 360, Rising, Jiangmin and other AV products, and creates the following inside each of them:

ws2_32.dll\!O!0. 

This causes the AV product's real-time monitor to fail during initialization.

Because the folder has an illegal name, it cannot be deleted by normal means.

4. Adds a registry entry so that the DLL is injected into the process at every boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

pointing to: C:\Program Files\Internet Explorer\msvcrt.dll

5. Deletes files:

%Systemroot%\system32\drivers\etc\Hosts (the domain name resolution file)

and some startup entries of common security tools under the ShellExecuteHooks key. (Not implemented)


Removal procedure:

Download sreng2.zip and IceSword120_cn.zip from www.pc51.net

Then close unnecessary processes, disconnect from the network, completely clear the system temporary files, and proceed step by step:

(1) Open IceSword, enable "Prohibit process/thread creation" and confirm. Then use IceSword's "File" function to delete:

C:\Program Files\Common Files\Relive.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\msvcrt.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.ebk

and the group of trojans listed above.

(2) In IceSword, choose "Reboot and monitor". After the reboot, open SREng and delete:

Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

      <mhsa><C:\DOCUME~1\admin\LOCALS~1\Temp\mhso.exe>    []
      <wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe>    []
      <ztsa><C:\DOCUME~1\admin\LOCALS~1\Temp\ztso.exe>    []
      <jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe>    []
      <wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe>    []
      <wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe>    []
      <wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe>    []
      <fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe>    []
      <qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe>    []
      <rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe>    []
      <wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe>    []
      <tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe>    []
      <dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe>    []
      <zxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\zxso.exe>    []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

<C:\Program Files\Internet Explorer\msvcrt.dll>    [Microsoft Corporation]

Drivers:

[Netgroup Packet Filter / NPF][Running/Manual Start]
   <system32\drivers\npf.sys><CACE Technologies>

(Back up first)

(3) Download Unlocker.rar

After installing it, browse to the AV installation directory and right-click to delete the ws2_32.dll folder.

(4) Change your QQ, e-mail, online game and other passwords promptly. Then update your AV product and run a full scan.
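To verify after the steps above that none of the indicators from the behaviour analysis remain, the following read-only check is added here; it is not part of the original article or of any of the tools it names. It assumes Windows PowerShell, the file and registry paths listed in the article, and that the ws2_32.dll folder sits one level inside a Program Files subdirectory; it only reports and deletes nothing.

```powershell
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropped = @(
    'C:\Program Files\Common Files\Relive.dll',
    'C:\Program Files\Common Files\svchost.exe',
    'C:\Program Files\Internet Explorer\msvcrt.dll',
    'C:\Program Files\Internet Explorer\msvcrt.bak',
    'C:\Program Files\Internet Explorer\msvcrt.ebk'
)
$findings = @()
# 1. ShellExecuteHooks: each value name is a CLSID; resolve its COM server DLL
#    and flag any not under System32 (the article's hook is msvcrt.dll in the IE folder).
if (Test-Path $hookKey) {
    foreach ($clsid in (Get-Item $hookKey).GetValueNames()) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -notlike "$env:SystemRoot\System32\*") {
            $findings += "ShellExecuteHook $clsid -> $dll"
        }
    }
}
# 2. Run key: the dropper registers its *so.exe payloads from the Temp folder.
if (Test-Path $runKey) {
    $run = Get-Item $runKey
    foreach ($name in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($name)
        if ($cmd -match '(?i)\\temp\\') { $findings += "Run entry $name -> $cmd" }
    }
}
# 3. Dropped files: -Force is needed because of their hidden (H) and system (S) attributes.
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present $f [$((Get-Item -LiteralPath $f -Force).Attributes)]"
    }
}
# 4. A folder named ws2_32.dll one level inside a Program Files directory
#    (the trick that breaks the AV monitor's initialisation).
$top = Get-ChildItem -LiteralPath $env:ProgramFiles -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }
foreach ($d in $top) {
    $hit = Get-ChildItem -LiteralPath $d.FullName -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -ieq 'ws2_32.dll' }
    foreach ($h in $hit) { $findings += "Directory $($h.FullName)" }
}
if ($findings) { $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" } }
else { Write-Output 'No AutoRun.bk indicators found.' }
```

Run it from an elevated prompt; on a machine that still matches the analysis it prints the msvcrt.dll hook, the *so.exe Run entries and the ws2_32.dll folder, and prints nothing suspicious once removal is complete.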

