上兴。。。
文件名称:360.exe(不固定)
文件大小:655360 bytes
AV命名:Backdoor.Win32.Hupigon.aahi(Kaspersky)
中文别名:上兴远控
加壳方式:ASProtect
编写语言:Borland Delphi
文件MD5:57530fb86e6def307e32dcb97c03bb44
病毒类型:后门
1、释放病毒副本:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\360.exe
C:\windows\system32\_360.exe
都系655360字节。
2、添加注册表,以服务方式加载:
服务名称:360C
描述:360安全卫士硬盘保护(汗)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360C]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,20,00,53,00,68,00,61,00,72,00,65,00,64,00,5c,00,4d,\
00,53,00,49,00,4e,00,46,00,4f,00,5c,00,33,00,36,00,30,00,2e,00,65,00,78,00,\
65,00,00,00
"DisplayName"="360C"
"ObjectName"="LocalSystem"
"Description"="360安全卫士硬盘保护"
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,20,00,53,00,68,00,61,00,72,00,65,00,64,00,5c,00,4d,\
00,53,00,49,00,4e,00,46,00,4f,00,5c,00,33,00,36,00,30,00,2e,00,65,00,78,00,\
65,00,00,00
"DisplayName"="360C"
"ObjectName"="LocalSystem"
"Description"="360安全卫士硬盘保护"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360C\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,7a,e0,92,3b,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,7a,e0,92,3b,01,01,00,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,7a,e0,92,3b,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,7a,e0,92,3b,01,01,00,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00
3、启动系统文件Calc.exe,并把自身代码注入其中,实现进程守护。
这样Calc.exe在进程就等同于病毒。
4、直接获取物理内存,隐藏进程,防止自身被关闭。
5、查找可用磁盘,生成Autorun.inf和360.exe,U盘感染。。。
6、每隔一段时间检查自身文件和注册表项,如不在则重新生成。
7、尝试调用IE反向连接外部,接受黑客控制,没有成功,哈哈``
8、查找klif.sys驱动,如发现则修改日期,为1981-01-12 。
还有其他的小细节,就不写了..
解决方法:
1、下载冰刃和SREng:
[url]http://www.kingzoo.com/tools/[/url]孤独更可靠/冰刃.rar
[url]http://www.kingzoo.com/tools/[/url]孤独更可靠/sreng2.5.zip
2、断开网络,关闭不需要的进程。
3、打开冰刃,结束2个红色显示的进程:
记得要同时结束,按ctrl同时选上哈...
4、打开SREng,删除服务:
[360C / 360C][Stopped/Auto Start]
<C:\Program Files\Common Files\Microsoft Shared\MSINFO\360.exe><N/A>
<C:\Program Files\Common Files\Microsoft Shared\MSINFO\360.exe><N/A>
注意,这个名称不固定,不过路径是一样的:
C:\Program Files\Common Files\Microsoft Shared\MSINFO\
5、用Wnrar删除磁盘下的病毒,记得别双击进入啊。
