Backdoor.Win32.Rukap.gen(directx.exe)
文件名称:directx.exe
文件大小:58880字节
AV命名:Backdoor.Win32.Rukap.gen(卡吧斯基)
感染平台:MS-DOS executable (EXE), OS/2 or MS Windows(9X以上系统)
加壳方式:UPX 0.89.6 - 1.02 / 1.05 - 1.24
编写语言:Microsoft Visual C++ 6.0
病毒类型:Backdoor.Win32
文件MD5:4f381a8be1b3f72613ffc408ffbe849f
危害等级:☆
传播方式:网页漏洞
行为分析:
1、释放病毒文件:
%systemroot%\tools\explorer.exe 126976 字节
%systemroot%\system32\directx.exe 58880 字节
2、注册为系统服务(DirectSupk),实现服务方式启动:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DirectSupk]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,\
74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,\
00,67,00,73,00,5c,00,61,00,64,00,6d,00,69,00,6e,00,5c,00,4c,68,62,97,5c,00,\
64,00,69,00,72,00,65,00,63,00,74,00,78,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="DirectX Service"
"ObjectName"="LocalSystem"
"Description"="Improve the performance of games and multimedia programs"
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,\
74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,\
00,67,00,73,00,5c,00,61,00,64,00,6d,00,69,00,6e,00,5c,00,4c,68,62,97,5c,00,\
64,00,69,00,72,00,65,00,63,00,74,00,78,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="DirectX Service"
"ObjectName"="LocalSystem"
"Description"="Improve the performance of games and multimedia programs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DirectSupk\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,6d,00,61,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,75,00,64,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,75,00,64,00,01,01,00,00,00,00,00,05,12,00,00,\
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,6d,00,61,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,75,00,64,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,75,00,64,00,01,01,00,00,00,00,00,05,12,00,00,\
3、%systemroot%\tools\explorer.exe 正面连接:
尝试访问207.46.18.** 204.13.161.*** 222.77.14.** 63.81.164.*等
解决方法:
[url]http://free.ys168.com/?gudugengkekao1[/url]下载:
sreng2.5.zip 780KB
直接放桌面,断开网络。
1、打开SREng,删除下面服务:
[DirectX Service / DirectSupk][Stopped/Auto Start]
<%病毒路径%\directx.exe><N/A>
<%病毒路径%\directx.exe><N/A>
注:%病毒路径%是变量,可能路径会不一样,可以区别文件名。
2、重启电脑,删除:
%systemroot%\tools\explorer.exe
%systemroot%\system32\directx.exe
注:%systemroot%\是C:\Windows\(XP) C:\Winnt(2K、ME)
