类似AV终结者的病毒分析
昨天拿到一个病毒 据说类似AV终结者,测试了一下
结果如下:
File: debug.exe
Size: 46592 bytes
MD5: 153D51C2BB487B1DFE9F40355C34BE23
SHA1: 13B4466D8CEFC5A71B787E5B8AB21CDB8FEB8049
CRC32: 6EB3D331
加壳方式:ASPack 2.12
瑞星 卡巴等还不能检测出该病毒
文件变化:
释放文件
C:/WINDOWS/Debug/debug.exe
C:/WINDOWS/Web/css.css
C:/MSDOS.log
C:/WINDOWS/Temp/~tmp83.tmp
在D盘 E盘下 生成gbk.com和autorun.inf
C:/WINDOWS/Web/css.css插入其他进程
结束如下进程
kvmonxp.kxp
kvsrvxp.exe
trojdie.kxp
kregex.exe
uihost.exe
avp.exe
avp.exe
360safe.exe
runiep.exe
ras.exe
ccenter.exe
ravtask.exe
ravmon.exe
ravmond.exe
ravstub.exe
kwatch.exe
kavstart.exe
kpfwsvc.exe
kmailmon.exe
kpfw32.exe
kavsvc.exe
kav.exe
关闭如下服务 并把相应服务的启动类型改为 禁用
sharedaccess
ccenter
kvsrvxp
kvwsc
kavsvc
kingsoft antivirus kwatch service
kingsoft personal firewall service
rsravmon service
rising proxy service
rising process communication center
rising personal firewall service
卡巴斯基反病毒6.0个人版
创建如下影像劫持项
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360rpt.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360Safe.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360tray.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/adam.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AgentSvr.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AppSvc32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/autoruns.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avgrssvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AvMonitor.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.com
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/CCenter.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/ccSvcHst.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/conime.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FileDsty.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FTCleanerShell.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/HijackThis.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IceSword.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/iparmo.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Iparmor.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/isPwdSvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kabaload.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KaScrScn.SCR
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASMain.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASTask.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAV32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVDX.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVPFW.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVSetup.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVStart.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KISLnchr.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMailMon.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMFilter.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32X.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFWSvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRegEx.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRepair.COM
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KsLoader.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVCenter.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvDetect.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvfwMcl.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP_1.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvolself.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvReport.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVScan.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVSrvXP.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVStub.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvupload.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvwsc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP_1.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch9x.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatchX.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/loaddll.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/MagicSet.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mcconsol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmqczj.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmsk.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/NAVSetup.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32krn.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32kui.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFW.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFWLiveUpdate.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/QHSET.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Ras.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rav.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMon.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMonD.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavStub.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavTask.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RegClean.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwcfg.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RfwMain.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwProxy.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwsrv.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RsAgent.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rsaupd.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/runiep.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/safelive.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/scan32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/shcfg32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SmartUp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SREng.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/symlcsvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SysSafe.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojanDetector.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Trojanwall.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojDie.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UIHost.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAgent.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAttachment.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxCfg.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxFwHlp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxPol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UpLive.EXE.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/WoptiClean.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/zxsweep.exe
指向 C:/WINDOWS/Debug/debug.exe
C:/WINDOWS/Web/css.css监视 IFEO键值的修改 如果一旦被删除则马上恢复
删除HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden 键
破坏显示隐藏文件
连接网络 下载 http://xxxxxxxx.mircosofts.com/history.txt到C盘下
读取里面的内容下载木马
http://xxxxxxxx.2288.org/ms_info32.exe
http://xxxxxxxx.2288.org/ms_info33.exe
http://xxxxxxxx.2288.org/bots.exe
到C:/Windows下面 分别命名为1.exe~3.exe
木马运行完毕后
生成的文件如下
C:/WINDOWS/1.exe
C:/WINDOWS/2.bat
C:/WINDOWS/2.exe
C:/WINDOWS/2.vbs
C:/WINDOWS/3.exe
C:/WINDOWS/IEXPLORE.EXE
C:/WINDOWS/tmp$$$.vbs
C:/WINDOWS/W1NL0GON.EXE
C:/WINDOWS/system32/comspn.dll
C:/WINDOWS/system32/inetcfg.h
C:/WINDOWS/system32/mst.tlb
C:/WINDOWS/system32/SCardSer.exe
C:/WINDOWS/system32/spnup.dll
其中1.exe会把系统时间改为2099年12月30日
sreng日志情况
启动项目
[HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run]
<MS Reporter(dont disable)><C:/WINDOWS/W1NL0GON.EXE> []
服务
[Net Login Helper / netlog][Stopped/Auto Start] <C:/WINDOWS/system32/SCardSer.exe ><N/A>
测试中未发现 主程序 有创建启动项的行为 很奇怪
解决方法:
安全模式下(开机后不断 按F8键 然后出来一个高级菜单 选择第一项 安全模式 进入系统)
首先把系统时间改回来
把sreng改名为其他名称 运行
启动项目 注册表 删除如下项目
<MS Reporter(dont disable)><C:/WINDOWS/W1NL0GON.EXE> []
“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”,
选中以下项目,点“删除服务”,再点“设置”,在弹出的框中点“否”:
Net Login Helper / netlog
把下面的 代码拷入记事本中然后另存为1.reg文件
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL]
"RegPath"="Software//Microsoft//Windows//CurrentVersion//Explorer//Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
双击1.reg把这个注册表项导入
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
然后删除C:/WINDOWS/1.exe
C:/WINDOWS/2.bat
C:/WINDOWS/2.exe
C:/WINDOWS/2.vbs
C:/WINDOWS/3.exe
C:/WINDOWS/IEXPLORE.EXE
C:/WINDOWS/tmp$$$.vbs
C:/WINDOWS/W1NL0GON.EXE
C:/WINDOWS/system32/comspn.dll
C:/WINDOWS/system32/inetcfg.h
C:/WINDOWS/system32/mst.tlb
C:/WINDOWS/system32/SCardSer.exe
C:/WINDOWS/system32/spnup.dll
C:/WINDOWS/Debug/debug.exe
C:/WINDOWS/Web/css.css
C:/MSDOS.log
C:/WINDOWS/Temp/~tmp83.tmp
右键点击 菜单中的打开 打开D E删除gbk.com和autorun.inf
重启计算机 进入正常模式
下载 autoruns
http://www.skycn.com/soft/17567.html
由于这个软件也被映像劫持了 所以我们把他改个名字
打开这个软件后 找到Image hijack (映像劫持)
删除除了Your Image File Name Here without a pathSymbolic Debugger for Windows 2000 Microsoft
Corporation c:/windows/system32/ntsd.exe
以外的所有项目
然后修复你的杀毒软件 和其他安全软件 全盘杀毒即可
结果如下:
File: debug.exe
Size: 46592 bytes
MD5: 153D51C2BB487B1DFE9F40355C34BE23
SHA1: 13B4466D8CEFC5A71B787E5B8AB21CDB8FEB8049
CRC32: 6EB3D331
加壳方式:ASPack 2.12
瑞星 卡巴等还不能检测出该病毒
文件变化:
释放文件
C:/WINDOWS/Debug/debug.exe
C:/WINDOWS/Web/css.css
C:/MSDOS.log
C:/WINDOWS/Temp/~tmp83.tmp
在D盘 E盘下 生成gbk.com和autorun.inf
C:/WINDOWS/Web/css.css插入其他进程
结束如下进程
kvmonxp.kxp
kvsrvxp.exe
trojdie.kxp
kregex.exe
uihost.exe
avp.exe
avp.exe
360safe.exe
runiep.exe
ras.exe
ccenter.exe
ravtask.exe
ravmon.exe
ravmond.exe
ravstub.exe
kwatch.exe
kavstart.exe
kpfwsvc.exe
kmailmon.exe
kpfw32.exe
kavsvc.exe
kav.exe
关闭如下服务 并把相应服务的启动类型改为 禁用
sharedaccess
ccenter
kvsrvxp
kvwsc
kavsvc
kingsoft antivirus kwatch service
kingsoft personal firewall service
rsravmon service
rising proxy service
rising process communication center
rising personal firewall service
卡巴斯基反病毒6.0个人版
创建如下影像劫持项
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360rpt.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360Safe.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360tray.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/adam.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AgentSvr.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AppSvc32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/autoruns.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avgrssvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AvMonitor.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.com
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/CCenter.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/ccSvcHst.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/conime.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FileDsty.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FTCleanerShell.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/HijackThis.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IceSword.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/iparmo.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Iparmor.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/isPwdSvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kabaload.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KaScrScn.SCR
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASMain.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASTask.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAV32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVDX.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVPFW.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVSetup.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVStart.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KISLnchr.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMailMon.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMFilter.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32X.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFWSvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRegEx.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRepair.COM
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KsLoader.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVCenter.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvDetect.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvfwMcl.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP_1.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvolself.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvReport.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVScan.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVSrvXP.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVStub.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvupload.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvwsc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP_1.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch9x.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatchX.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/loaddll.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/MagicSet.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mcconsol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmqczj.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmsk.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/NAVSetup.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32krn.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32kui.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFW.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFWLiveUpdate.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/QHSET.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Ras.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rav.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMon.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMonD.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavStub.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavTask.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RegClean.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwcfg.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RfwMain.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwProxy.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwsrv.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RsAgent.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rsaupd.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/runiep.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/safelive.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/scan32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/shcfg32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SmartUp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SREng.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/symlcsvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SysSafe.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojanDetector.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Trojanwall.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojDie.kxp
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UIHost.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAgent.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAttachment.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxCfg.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxFwHlp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxPol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UpLive.EXE.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/WoptiClean.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/zxsweep.exe
指向 C:/WINDOWS/Debug/debug.exe
C:/WINDOWS/Web/css.css监视 IFEO键值的修改 如果一旦被删除则马上恢复
删除HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden 键
破坏显示隐藏文件
连接网络 下载 http://xxxxxxxx.mircosofts.com/history.txt到C盘下
读取里面的内容下载木马
http://xxxxxxxx.2288.org/ms_info32.exe
http://xxxxxxxx.2288.org/ms_info33.exe
http://xxxxxxxx.2288.org/bots.exe
到C:/Windows下面 分别命名为1.exe~3.exe
木马运行完毕后
生成的文件如下
C:/WINDOWS/1.exe
C:/WINDOWS/2.bat
C:/WINDOWS/2.exe
C:/WINDOWS/2.vbs
C:/WINDOWS/3.exe
C:/WINDOWS/IEXPLORE.EXE
C:/WINDOWS/tmp$$$.vbs
C:/WINDOWS/W1NL0GON.EXE
C:/WINDOWS/system32/comspn.dll
C:/WINDOWS/system32/inetcfg.h
C:/WINDOWS/system32/mst.tlb
C:/WINDOWS/system32/SCardSer.exe
C:/WINDOWS/system32/spnup.dll
其中1.exe会把系统时间改为2099年12月30日
sreng日志情况
启动项目
[HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run]
<MS Reporter(dont disable)><C:/WINDOWS/W1NL0GON.EXE> []
服务
[Net Login Helper / netlog][Stopped/Auto Start] <C:/WINDOWS/system32/SCardSer.exe ><N/A>
测试中未发现 主程序 有创建启动项的行为 很奇怪
解决方法:
安全模式下(开机后不断 按F8键 然后出来一个高级菜单 选择第一项 安全模式 进入系统)
首先把系统时间改回来
把sreng改名为其他名称 运行
启动项目 注册表 删除如下项目
<MS Reporter(dont disable)><C:/WINDOWS/W1NL0GON.EXE> []
“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”,
选中以下项目,点“删除服务”,再点“设置”,在弹出的框中点“否”:
Net Login Helper / netlog
把下面的 代码拷入记事本中然后另存为1.reg文件
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL]
"RegPath"="Software//Microsoft//Windows//CurrentVersion//Explorer//Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
双击1.reg把这个注册表项导入
双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
然后删除C:/WINDOWS/1.exe
C:/WINDOWS/2.bat
C:/WINDOWS/2.exe
C:/WINDOWS/2.vbs
C:/WINDOWS/3.exe
C:/WINDOWS/IEXPLORE.EXE
C:/WINDOWS/tmp$$$.vbs
C:/WINDOWS/W1NL0GON.EXE
C:/WINDOWS/system32/comspn.dll
C:/WINDOWS/system32/inetcfg.h
C:/WINDOWS/system32/mst.tlb
C:/WINDOWS/system32/SCardSer.exe
C:/WINDOWS/system32/spnup.dll
C:/WINDOWS/Debug/debug.exe
C:/WINDOWS/Web/css.css
C:/MSDOS.log
C:/WINDOWS/Temp/~tmp83.tmp
右键点击 菜单中的打开 打开D E删除gbk.com和autorun.inf
重启计算机 进入正常模式
下载 autoruns
http://www.skycn.com/soft/17567.html
由于这个软件也被映像劫持了 所以我们把他改个名字
打开这个软件后 找到Image hijack (映像劫持)
删除除了Your Image File Name Here without a pathSymbolic Debugger for Windows 2000 Microsoft
Corporation c:/windows/system32/ntsd.exe
以外的所有项目
然后修复你的杀毒软件 和其他安全软件 全盘杀毒即可