Virus.Win32.AutoRun.bk(M1.exe)

 
Virus information:
 
File name: M1.exe
File size: 23087 bytes
AV name: Virus.Win32.AutoRun.bk (Kaspersky)
Platform: MS-DOS executable (EXE), OS/2 or MS Windows (Windows 9x and later)
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24
Compiler: Borland Delphi 6.0 - 7.0
Virus type: Virus.Win32
File MD5: c7f7e9d653cba09ee2e935c3061dfd8e
File SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 (note: this value is the SHA-1 of empty input, so it was evidently computed over an empty file and does not identify the sample; rely on the MD5 above)
File CRC32: 1AC355C7
Threat level: ★★★☆
Propagation: USB drives and other removable media, web exploits, e-mail, etc.
 
Behavior analysis:
 
1. Drops virus files (attributes: H = hidden, S = system, A = archive):
 
C:\Program Files\Common Files\Relive.dll   14895 bytes, HSA
C:\Program Files\Common Files\svchost.exe 21756 bytes, A
C:\Program Files\Internet Explorer\msvcrt.bak 23087 bytes, HS
C:\Program Files\Internet Explorer\msvcrt.dll 14895 bytes, HSA
C:\Program Files\Internet Explorer\msvcrt.ebk 14895 bytes, HSA
 
2. msvcrt.dll injects itself into the Explorer.exe process, opens a reverse connection to 209.11.243.** and downloads password-stealing trojans:
 
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\WanPacket.dll
C:\Documents and Settings\User name\Local Settings\Temp\wmso.exe
C:\Documents and Settings\User name\Local Settings\Temp\BCG5.tmp
C:\Documents and Settings\User name\Local Settings\Temp\mhso.exe
C:\Documents and Settings\User name\Local Settings\Temp\mhso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wmso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\woso.exe
C:\Documents and Settings\User name\Local Settings\Temp\woso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\fyso.exe
C:\Documents and Settings\User name\Local Settings\Temp\ztso.exe
C:\Documents and Settings\User name\Local Settings\Temp\ztso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\qjso.exe
C:\Documents and Settings\User name\Local Settings\Temp\jtso.exe
C:\Documents and Settings\User name\Local Settings\Temp\jtso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\tlso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wlso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wlso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wdso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wgso.exe
C:\Documents and Settings\User name\Local Settings\Temp\wgso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\tlso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\daso.exe
C:\Documents and Settings\User name\Local Settings\Temp\fyso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\zxso.exe
C:\Documents and Settings\User name\Local Settings\Temp\qjso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\$$a.bat
C:\Documents and Settings\User name\Local Settings\Temp\rxso.exe
C:\Documents and Settings\User name\Local Settings\Temp\rxso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\wdso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\daso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\zxso0.dll
C:\Documents and Settings\User name\Local Settings\Temp\M1.exe
C:\Documents and Settings\User name\Local Settings\Temp\oKoK.exe
Note: "User name" stands for your Windows user name.
 
3. msvcrt.dll searches the registry for the installation directories of Kaspersky, 360, Rising, Jiangmin and other security products, and creates under each of them:
 
ws2_32.dll\!O!0.
 
(a directory named ws2_32.dll, where the product expects its Winsock DLL, holding a child whose name ends in a dot), which causes the AV's real-time monitor to fail during initialization!
Because the name is illegal under normal Win32 naming rules, this folder cannot be deleted by ordinary means.
 
4. Adds a registry entry so that the DLL is injected into the process at boot:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
pointing to: C:\Program Files\Internet Explorer\msvcrt.dll
 
5. Deletes files:
 
%Systemroot%\system32\drivers\etc\Hosts (the hosts name-resolution file)
and some startup entries of common security tools under the ShellExecuteHooks key. (Not implemented.)
 
Removal:
 
Download from http://gudugengkekao.ys168.com/ :
 
冰刃.rar (IceSword) 2,110KB
 
sreng2.5.zip 780KB
 
Then close unnecessary processes, disconnect from the network, completely empty the system temp folders, and proceed step by step:
 
(1) Open IceSword, enable "Forbid process/thread creation" and confirm. Then use IceSword's "File" function to delete:
 
C:\Program Files\Common Files\Relive.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\msvcrt.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.ebk
and the group of trojans listed above.
 
(2) In IceSword choose "Reboot and monitor". After the reboot, open SREng and delete:
 
Registry:
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
      <mhsa><C:\DOCUME~1\admin\LOCALS~1\Temp\mhso.exe>    []
      <wosa><C:\DOCUME~1\admin\LOCALS~1\Temp\woso.exe>    []
      <ztsa><C:\DOCUME~1\admin\LOCALS~1\Temp\ztso.exe>    []
      <jtsa><C:\DOCUME~1\admin\LOCALS~1\Temp\jtso.exe>    []
      <wlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wlso.exe>    []
      <wgsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wgso.exe>    []
      <wmsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wmso.exe>    []
      <fysa><C:\DOCUME~1\admin\LOCALS~1\Temp\fyso.exe>    []
      <qjsa><C:\DOCUME~1\admin\LOCALS~1\Temp\qjso.exe>    []
      <rxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\rxso.exe>    []
      <wdsa><C:\DOCUME~1\admin\LOCALS~1\Temp\wdso.exe>    []
      <tlsa><C:\DOCUME~1\admin\LOCALS~1\Temp\tlso.exe>    []
      <dasa><C:\DOCUME~1\admin\LOCALS~1\Temp\daso.exe>    []
      <zxsa><C:\DOCUME~1\admin\LOCALS~1\Temp\zxso.exe>    []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<C:\Program Files\Internet Explorer\msvcrt.dll>    [Microsoft Corporation]
 
Drivers:
 
[Netgroup Packet Filter / NPF][Running/Manual Start]
   <system32\drivers\npf.sys><CACE Technologies>
(back up first; npf.sys is the WinPcap driver, so leave it alone if WinPcap was installed deliberately)
 
(3) Download:
 
unlocker1.8.5.exe 191KB
 
After installing it, browse to the AV's installation directory and right-click to delete the ws2_32.dll folder.
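The indicators behind behaviours 3 to 5 and cleanup steps (2) and (3) can be checked by script rather than by hand. The following PowerShell script is an added example written for this page; it is not code from the original post or from IceSword, SREng or Unlocker. It assumes PowerShell 3.0 or later run as administrator on the suspect host, that every legitimate ShellExecuteHooks handler lives under %SystemRoot%, that no legitimate Run entry launches from a Temp directory, and that a directory named ws2_32.dll under Program Files is the blocker from behaviour 3. The function names Add-Finding and Remove-BlockerDir are the example's own.

```powershell
# Added triage script for this sample's indicators; not code from the original post.
# Assumptions: PowerShell 3.0+, run elevated on the suspect host; every legitimate
# ShellExecuteHooks handler lives under %SystemRoot%; no legitimate Run entry
# launches from a Temp directory; a *directory* named ws2_32.dll under Program
# Files is the blocker from behaviour 3. Everything is read-only except
# Remove-BlockerDir, which is never called automatically.

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Check, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# 1. ShellExecuteHooks (behaviour 4). Explorer loads every hook listed here at
#    start-up. Value names are normally CLSIDs resolved via HKCR\CLSID\...\InprocServer32;
#    a value name that is already a file path (as this sample writes it) is used directly.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path -LiteralPath $hookKey) {
    foreach ($name in (Get-Item -LiteralPath $hookKey).GetValueNames()) {
        if ($name -match '^[A-Za-z]:\\') {
            $dll = $name
        } else {
            $srv = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$name\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $srv) { Add-Finding 'ShellExecuteHooks' $name 'CLSID does not resolve to a server'; continue }
            $dll = [string]$srv.GetValue('')
        }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        # A bare file name (e.g. shell32.dll) is loaded from System32.
        if ($dll -notmatch '\\') { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        if ($dll -notlike "$env:SystemRoot\*") { Add-Finding 'ShellExecuteHooks' $name $dll }
    }
}

# 2. Run keys (cleanup step 2). The dropped *so.exe loaders all start from
#    %Temp%, where no legitimate auto-start entry belongs.
foreach ($rk in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $key = Get-Item -LiteralPath $rk
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($cmd -match '(?i)\\Temp\\') { Add-Finding 'Run' "$rk\$name" $cmd }
    }
}

# 3. Blocker directory (behaviour 3, cleanup step 3): a directory named ws2_32.dll
#    sitting where a security product expects its Winsock DLL.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -Filter 'ws2_32.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'BlockerDir' $_.FullName 'directory in place of a DLL' }
}

# 4. Hosts file (behaviour 5): the sample deletes it outright.
$hostsFile = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
if (-not (Test-Path -LiteralPath $hostsFile)) { Add-Finding 'Hosts' $hostsFile 'missing' }

# Removal helper for the blocker directory. The "\\?\" prefix turns off Win32
# path normalisation, which is what silently strips the trailing dot and makes
# the child undeletable from Explorer; cmd's rd honours the prefix. Call it only
# with a path confirmed in the findings, e.g.
#   Remove-BlockerDir 'C:\Program Files\<AV directory>\ws2_32.dll'
function Remove-BlockerDir([string]$Path) {
    & cmd.exe /c rd /s /q "\\?\$Path"
}

$findings | Format-Table -AutoSize
```

Any ShellExecuteHooks finding should be cross-checked against the SREng output in step (2) before deleting the key; the Run findings correspond one-to-one with the `<...sa>` entries listed there.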
 
(4) Change your QQ, e-mail, online-game and other passwords promptly. Then update your AV and run a full scan.
 
If the above does not remove it, contact QQ 526170722
 
Send new samples to: [email protected]
 
Pack them with WinRAR using the password "virus"
 
