Win32.Logogo(ntldr.exe)类变种...
其实这东西就是之前的logogo.exe、XP.exe、logogogo.exe的东东
最近MS比较流行,我重新写次。
文件名称:C0NIME.EXE\ntldr.exe
文件大小:28000 bytes
AV命名:瑞星(Win32.Logogo)卡吧斯基(Virus.Win32.AutoRun.aik )
加壳方式:Upack 0.3.9
编写语言: Delphi
文件MD5:ac3a188ef9f96ced8ef8d4e4dfe8dc04
病毒类型:感染类\下载器
行为分析:
1、释放病毒副本:
%Systemroot%\system\C0NIME.EXE 28000 字节
查找可用的磁盘,生成:Autorun.inf和ntldr.exe
2、添加注册表,开机启动:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表值TBMonEx = REG_SZ, "C:\winnt\system\C0NIME.EXE "
3、IFEO重定向劫持,一些安全工具和威金受影响:
Logo_1.exe
Logo1_.exe
Navapw32.exe
Navapsvc.exe
NMain.exe
navw32.EXE
KVFW.EXE
KAVSvcUI.exe
KAVPFW.EXE
KAV32.exe
KvXP.kxp
KVSrvXP.exe
KVMonXP.kxp
KVwsc.exe
KAVsvc.exe
KWatchUI.EXE
360Safe.exe
360rpt.exe
RAVmonD.exe
RAVmon.exe
RAVtimer.exe
Rising.exe
Rav.exe
RavMon.exe
Ravtimer.exe
Iparmor.exe
TrojanHunter.exe
THGUARD.EXE
PFW.EXE
EGHOST.EXE
MAILMON.EXE
ZONEALARM.EXE
WFINDV32.EXE
360tray.exe
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
FESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
EXPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
PFW.exe
KAVsvcUI.exe
rising.exe
rav.exe
KVsrvXP.exe
KVMonXP.exe
Logo1_.exe
Navapw32.exe
Navapsvc.exe
NMain.exe
navw32.EXE
KVFW.EXE
KAVSvcUI.exe
KAVPFW.EXE
KAV32.exe
KvXP.kxp
KVSrvXP.exe
KVMonXP.kxp
KVwsc.exe
KAVsvc.exe
KWatchUI.EXE
360Safe.exe
360rpt.exe
RAVmonD.exe
RAVmon.exe
RAVtimer.exe
Rising.exe
Rav.exe
RavMon.exe
Ravtimer.exe
Iparmor.exe
TrojanHunter.exe
THGUARD.EXE
PFW.EXE
EGHOST.EXE
MAILMON.EXE
ZONEALARM.EXE
WFINDV32.EXE
360tray.exe
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
FESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
EXPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
PFW.exe
KAVsvcUI.exe
rising.exe
rav.exe
KVsrvXP.exe
KVMonXP.exe
4、访问网络,下载
[url]http://x.98725.com/xin.jpg[/url]
里面包含加密过的木马下载地址。解密后开始连接,一共30来个(其中一个ARP病毒)
都被俺喀嚓了,嘿嘿
域名有下面这些,注意屏蔽:
[url]http://a.6u6.biz[/url]
[url]http://x.98725.com[/url]
[url]http://g.6u6.biz/[/url]
[url]http://b.8q8.biz[/url]
[url]http://union.21575.com[/url](在线解密校验)
5、HKEY_LOCAL_MACHINE\SOFTWARE\里记录一些病毒的状况,和那些主体有着密切的关系。
6、感染文件细节:
(1)首先跳过一些文件夹,防止重要文件被破坏:
windows
winnt
recycler
system volume information
Common Files
Internet Explorer
Windows NT
(2)感染文件时,如果发现以下文件则跳过,不感染:
CA.exe NMCOSrv.exe CONFIG.exe Updater.exe WE8.exe settings.exe PES5.exe PES6.exe zhengtu.exenettools.exe laizi.exe proxy.exe Launcher.exe WoW.exe Repair.exe BackgroundDownloader.exeo2_unins_web.exe O2Jam.exe O2JamPatchClient.exe O2ManiaDriverSelect.exe OTwo.exe sTwo.exeGAME2.EXE GAME3.EXE Game4.exe game.exe hypwise.exe Roadrash.exe O2Mania.exe Lobby_Setup.exeCoralQQ.exe QQ.exe QQexternal.exe BugReport.exe tm.exe ra2.exe ra3.exe ra4.exe ra21006ch.exedzh.exe Findbug.EXE fb3.exe Meteor.exe mir.exe KartRider.exe NMService.exe AdBalloonExt.exeztconfig.exe patchupdate.exe
好乱啊,不整理了。
(3)被感染的文件增加28802字节,还有一个节表.ani(同时也是感染标记,避免反复感染)
里面包含加载病毒的命令。
(4)如果运行感染后的文件会在原文件夹生成ani.ani和一个删ani.ani的批处理。
那么也就是先执行病毒体,再运行感染前程序。
手工修复方法:
[url]http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/f61329088242fc33e92488df.html[/url]
解决方法:
1、先下载这个:
[url]http://www.kingzoo.com/tools/[/url]孤独更可靠/修复IFEO之XP系统专用.rar
然后按提示进行。
2、这时候杀毒软件可以运行了,全盘扫。
扫描过程中,不要运行任何程序,不然可能病毒会再回来..。
3、再下载这个:
[url]http://www.kingzoo.com/tools/[/url]孤独更可靠/PowerRmv.com
选上抑制杀灭对象生成后填入:
C:\windows\system\C0NIME.EXE
C:\autorun.inf
C:\ntldr.exe
D:\autorun.inf
D:\ntldr.exe
E:\autorun.inf
E:\ntldr.exe
F:\autorun.inf
F:\ntldr.exe
4、然后再去下载个SREng或用注册表,删除它的启动项..
