SHA-160 : DA14DDB10D14C568B62176AAB738B0C479A06863
MD5 : C505733FFDDA0394D404BD5BB652C1A6
RIPEMD-160 : 410EF9736AD4966094C096E57B477B7572B7ED9C
CRC-32 : FF6E4568
病毒大小:43,900 字节
连接网络下载病毒:
输入地址:61.152.255.252
对应地址:上海市电信IDC
在本机随机生成如下病毒文件:
meex.com、rmwaccq.exe、wojhadp.exe、nqgphqd.exe、autorun.inf
下载运行如下文件:
1A11.exe、2B12.exe、3C13.exe、2B12.exe
随机生成hiv文件进行进程互守
破坏安全模式;
.Upack:00408184 s_SystemControl db 'SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408184 ; DATA XREF: sub_407CF4+6B o
.Upack:004081D9 align 4
.Upack:004081DC s_T db 0FFh,0FFh,0FFh,0FFh,'T',0
.Upack:004081E2 align 4
.Upack:004081E4 s_SystemContr_0 db 'SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004081E4 ; DATA XREF: sub_407CF4+7A o
.Upack:00408239 align 4
.Upack:0040823C s_X db 0FFh,0FFh,0FFh,0FFh,'X',0
.Upack:00408242 align 4
.Upack:00408244 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408244 ; DATA XREF: sub_407CF4+89 o
.Upack:0040829D align 10h
.Upack:004082A0 s_X_0 db 0FFh,0FFh,0FFh,0FFh,'X',0
.Upack:004082A6 align 4
.Upack:004082A8 s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004082A8 ; DATA XREF: sub_407CF4+98 o
.Upack:00408301 align 4
.Upack:00408304 dd 0FFFFFFFFh, 0Ch
破坏隐藏文件选项:
.Upack:0040830C s_Checkedvalue db 'CheckedValue',0 ; DATA XREF: sub_407CF4+A7 o
.Upack:00408319 align 4
.Upack:0040831C s_Q db 0FFh,0FFh,0FFh,0FFh,'Q',0
.Upack:00408322 align 4
.Upack:00408324 s_SoftwareMicro db 'software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall',0
开启自动播放;
.Upack:00408524 s_SoftwareMic_4 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',0
.Upack:00408524 ; DATA XREF: sub_407CF4+201 o
.Upack:00408560 ; char s_Nodrivetypeau[]
.Upack:00408560 s_Nodrivetypeau db 'NoDriveTypeAutoRun',0 ; DATA XREF: sub_407CF4+21A o
关闭并禁用AVP、wuauserv、wscsvc'、RsRavMon、RsCCenter、RSPPSYS服务
.Upack:004085CC ; char s_SystemCurre_5[]
.Upack:00408600 s_SystemCurre_6 db 'SYSTEM\CurrentControlSet\Services\RSPPSYS',0
.Upack:00408600 ; DATA XREF: sub_407CF4+2D9 o
.Upack:0040862A align 4
.Upack:0040862C ; char s_SystemCurre_7[]
.Upack:0040862C s_SystemCurre_7 db 'SYSTEM\CurrentControlSet\Services\RsCCenter',0
.Upack:0040862C ; DATA XREF: sub_407CF4+30F o
.Upack:00408658 ; char s_SystemContr_1[]
.Upack:00408658 s_SystemContr_1 db 'SYSTEM\ControlSet001\Services\RsCCenter',0
.Upack:00408658 ; DATA XREF: sub_407CF4+345 o
.Upack:00408680 ; char s_SystemContr_2[]
.Upack:00408680 s_SystemContr_2 db 'SYSTEM\ControlSet001\Services\RsRavMon',0
.Upack:00408680 ; DATA XREF: sub_407CF4+37B o
.Upack:004086A7 align 4
.Upack:004086A8 ; char s_SystemContr_5[]
.Upack:004086A8 s_SystemContr_5 db 'SYSTEM\ControlSet001\Services\wscsvc',0
.Upack:004086A8 ; DATA XREF: sub_407CF4+3B1 o
.Upack:004086CD align 10h
.Upack:004086D0 ; char s_SystemContr_3[]
.Upack:004086D0 s_SystemContr_3 db 'SYSTEM\ControlSet001\Services\wuauserv',0
.Upack:004086D0 ; DATA XREF: sub_407CF4+3E7 o
.Upack:004086F7 align 4
.Upack:004086F8 ; char s_SystemContr_4[]
.Upack:004086F8 s_SystemContr_4 db 'SYSTEM\ControlSet002\Services\AVP',0
.Upack:004086F8 ; DATA XREF: sub_407CF4+41D o
对N多的安全工具、系统程序以及杀毒软件做映像劫持(IFEO)
由于太多就不列出了,和以前的病毒样本劫持的一样,具体可以参见好友余弦函数的文章。
解决方法
使用procexp.exe暂停病毒两个进程,运行里面键入“system32”后按时间排列图标找到病毒文件后删除:
重命名autoruns打开找到映像劫持项只保留Your Image File Name Here without a path项其他全部删除
打开acdsee删除每个盘符下的病毒文件和autorun.inf脚本,切忌不要使用右键的打开和资源管理器,
[AutoRun]
open=nqgphqd.exe
shell\open=打开(&O)
shell\open\Command=nqgphqd.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=nqgphqd.exe
修复安全模式和隐藏文件的注册表如下(将如下文件保存为reg文件双击导入注册表):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000001
病毒用脚本插入了这两个常规命令,由于病毒生成的文件名随机,而且进程标识符(PID)也是随机变化的,所以只能够贴图来写解决方法了。