[警惕]AV终结者并未退出我们的视线```
AV终结并未退出我们的视线```
MS竞争越来越激烈了``
(看D13点``)
(看D13点``)
文件名称:obdaxmi.exe
文件大小:65118 bytes
AV命名:Virus.Win32.AutoRun.f
加壳方式:NsPack
编写语言:Borland Delphi 6.0 - 7.0
病毒类型:AV Killer
文件MD5:B7F5DEDF88BFB66B094B2ABFE804341F
文件SHA1:24218F7784B5CCF8CD1B1037C0287EE8157B4EF1
传播方式:U盘等移动介质、网络。
行为分析:
1、释放病毒副本:
C:\Program Files\meex.exe 65118 字节
C:\Program Files\Common Files\Microsoft Shared\pyqmcfy.inf 169 字节
C:\Program Files\Common Files\Microsoft Shared\txofyde.exe 65118 字节
C:\Program Files\Common Files\System\obdaxmi.exe 65118 字节
C:\Program Files\Common Files\System\pyqmcfy.inf 169 字节
(PS:文件名是随机的,可能不固定!)
遍历分区(D―Z盘),尝试在磁盘目录下生成:
X:\autorun.inf 169 字节
X:\swaanck.exe 65118 字节
双击磁盘则激活病毒。
2、txofyde.exe和obdaxmi.exe“相濡以沫”,使用进程守护技术,如发现对方被结束,则重新激活。
3、写注册表,开机自启:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C:\Program Files\Common Files\System\obdaxmi.exe
C:\Program Files\Common Files\Microsoft Shared\txofyde.exe
4、驻进程病毒,以每秒为周期访问Run注册表项,如发现不再或被修改则重写。
5、每隔3秒检测(可用)磁盘下的Autorun.inf和指向的病毒,如不在则生成。
(注意:移动盘也遭殃)
5、破坏安全模式,删除注册表:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot下
Minimal和Network的一些键值, 导致系统无法进入安全模式。
6、修改注册表,破坏显示隐藏文件功能:
…………\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
REG_DWORD, 1 修改为REG_DWORD, 0
REG_DWORD, 1 修改为REG_DWORD, 0
7、为了保证磁盘的自动播放功能,修改注册表:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
NoDriveTypeAutoRun = REG_DWORD, 145
(如原值是145则跳过)
8、IFEO重定向劫持,这次最要命的是连QQ自动升级都不放过``` =。=
指向的是:C:\Program Files\Common Files\Microsoft Shared\txofyde.exe
瀑布汗,我列一部分吧``
仅仅只是一小部分``:
9、反弹连接222.172.81.* (黑龙江省佳木斯市 电信)下载木马,不过未实现。。
10、枚举进程,尝试关闭:(一部分)
Ras.exe
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KsLoader.exe
KvDetect.exe
KvfwMcl.exe
kvol.exe
kvolself.exe
KVSrvXP.exe
kvupload.exe
kvwsc.exe
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KsLoader.exe
KvDetect.exe
KvfwMcl.exe
kvol.exe
kvolself.exe
KVSrvXP.exe
kvupload.exe
kvwsc.exe
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
(其实就是IFEO劫持项里面的)
11、关闭出现的下列窗口文字:
"瑞星"
"专杀
":\ - WinRAR"
" ?
"System"
"Microsoft Shared"
" 2007"
"�M程"
"Process"
"Sysinternals"
"Virus"
"Trojan"
"meex"
"autorun"
"噬菌体"
"专杀
":\ - WinRAR"
" ?
"System"
"Microsoft Shared"
" 2007"
"�M程"
"Process"
"Sysinternals"
"Virus"
"Trojan"
"meex"
"autorun"
"噬菌体"
12、修改注册表,关闭自动更新、系统帮助和防火墙等功能。
13、查找磁盘文件,尝试删除(带路径判断):(黑吃黑了``=。=)(未实现)
MSInfo\
.dll
wniapsvr.exe
niu.exe
Shell.exe
Shell.pci
crsss.exe
directx.exe
progmon.exe
internt.exe
SoftDLL.dll
MySetup.exe
fixfile.exe
WMDSINFO.dll
Mcshie1d.exe
compobj32.dll
Web\
css.css
Com\
lsass.exe
IME\
svchost.exe
smss.exe
Debug\
debug.exe
tools\
explorer.exe
drivers\
csrss.exe
System16.ins
System16.jup
Common Files\
svchost.cnc
Relive.dll
Internet Explorer\
msvcrt.dll
Internet Explorer\PLUGINS\
SysWin64.Jmp
SysWin64.Sys
SysWin64.Tao
.dll
wniapsvr.exe
niu.exe
Shell.exe
Shell.pci
crsss.exe
directx.exe
progmon.exe
internt.exe
SoftDLL.dll
MySetup.exe
fixfile.exe
WMDSINFO.dll
Mcshie1d.exe
compobj32.dll
Web\
css.css
Com\
lsass.exe
IME\
svchost.exe
smss.exe
Debug\
debug.exe
tools\
explorer.exe
drivers\
csrss.exe
System16.ins
System16.jup
Common Files\
svchost.cnc
Relive.dll
Internet Explorer\
msvcrt.dll
Internet Explorer\PLUGINS\
SysWin64.Jmp
SysWin64.Sys
SysWin64.Tao
(以上都是病毒木马``)
解决方法:
下载专杀:
[url]http://down.www.kingsoft.com/db/download/othertools/DubaTool_AV_Killer.COM[/url]
[url]http://duba-011.duba.net/duba/kavtools/DubaTool_AV_Killer.COM[/url]
[url]http://down.www.kingsoft.com/db/download/othertools/DubaTool_AV_Killer.COM[/url]
[url]http://down.www.kingsoft.com/db/download/othertools/DubaTool_AV_Killer.COM[/url]
杀完后重启``
[url]http://gudugengkekao.ys168.com/[/url]下载:
修复IFEO之XP系统专用.rar 72KB
sreng2.5.zip 780KB
显示隐藏文件.reg 9KB
打开SREng,删除:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<pyqmcfy><C:\Program Files\Common Files\System\obdaxmi.exe> []
<swaanck><C:\Program Files\Common Files\Microsoft Shared\txofyde.exe> []
<pyqmcfy><C:\Program Files\Common Files\System\obdaxmi.exe> []
<swaanck><C:\Program Files\Common Files\Microsoft Shared\txofyde.exe> []
然后把那两个东西导入就可以了``
附上IS手工删除:
PS:漏了一个,第一点要设置“禁止线程创建”(懒得补了=,=)``
AD:专杀杀不掉的``
请发样本至 [email protected]
加密virus
不懂发的加Q526170722
``远程杀毒的闪```