A sister company's development group had its network grind to a halt, so I went over immediately to troubleshoot. After some checking it turned out to be a fairly new worm.
Symptoms: a process named dxdmain.exe is present in the system process list and restarts itself automatically after being killed. HijackThis shows the following entry:
O23 - Service: DirectX Graphics - Unknown Owner - C:\WINDOWS\System32\dxdmain.exe
Opening the Services console (services.msc) shows a service named DirectX Graphics that points to %systemroot%\dxdmain.exe (it may also be %systemroot%\system32\dxdmain.exe). Disabling the service does not help: it is started again automatically at the next reboot. The worm also modifies the registry so that it is loaded in Safe Mode as well, so the file cannot be deleted from Safe Mode either. The worm runs in the background and opens a remote backdoor that the intruder controls over IRC channels (port 6556), behaving like a reverse-connecting trojan. If several machines are infected at the same time, the volume of packets they generate severely congests the network and disrupts normal Internet access.
Solution: there is very little discussion of this worm online and there seems to be no established manual removal procedure. What I tried was: first disable the service, then search for all registry keys/values that reference it and delete them, kill the process, delete dxdmain.exe from the system directory, and reboot; after the reboot the problem was resolved. Most important of all, though, is to apply the Windows and MSSQL security patches: this worm spreads by exploiting Microsoft buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and MSSQL (MS02-039).
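The check-and-cleanup sequence above, written as a PowerShell script (an added example, not code from the original post or from Sophos). It assumes an elevated PowerShell session; every indicator it looks for (service name dxdmain, display name DirectX Graphics, the two file locations, TCP port 6556 and the Services\dxdmain registry key) is taken from this post.

```powershell
# Added example: look for the W32/Codbot-O indicators described in the post and,
# with -Remediate, carry out the author's cleanup order (disable service first so
# the process cannot be respawned, then kill, then remove). Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Remediate)

$svcName = 'dxdmain'
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\dxdmain'
$paths   = @("$env:SystemRoot\dxdmain.exe", "$env:SystemRoot\System32\dxdmain.exe")
$found   = $false

# 1. Service registration ("dxdmain" / "DirectX Graphics", automatic start)
if (Test-Path $svcKey) {
    $k = Get-ItemProperty $svcKey
    Write-Host "Service key present: DisplayName='$($k.DisplayName)' ImagePath='$($k.ImagePath)' Start=$($k.Start)"
    $found = $true
}

# 2. Running process (Get-Process takes the image name without .exe)
$proc = Get-Process -Name $svcName -ErrorAction SilentlyContinue
if ($proc) { Write-Host "Process running: PID $($proc.Id -join ',')"; $found = $true }

# 3. Dropped file in either location mentioned in the post
foreach ($p in $paths) { if (Test-Path $p) { Write-Host "File present: $p"; $found = $true } }

# 4. IRC control channel on TCP 6556 (netstat exists on old and new Windows alike)
$conn = netstat -ano | Select-String ':6556\s'
if ($conn) { Write-Host "Connection(s) on port 6556:`n$($conn -join "`n")"; $found = $true }

if (-not $found) { Write-Host 'No Codbot-O indicators found.'; return }

if ($Remediate) {
    sc.exe config $svcName start= disabled | Out-Null   # stop it from relaunching the process
    sc.exe stop   $svcName | Out-Null
    Get-Process -Name $svcName -ErrorAction SilentlyContinue | Stop-Process -Force
    sc.exe delete $svcName | Out-Null                    # removes the Services\dxdmain key
    foreach ($p in $paths) { if (Test-Path $p) { Remove-Item $p -Force } }
    # Any remaining references (the author searched the whole registry for the name)
    reg.exe query HKLM /s /f $svcName
    Write-Host 'Cleanup done. Reboot, re-run this script to confirm, then apply MS04-011, MS04-012 and MS02-039.'
}
```

Detection alone is the default; remediation only runs with `-Remediate`, and the reboot plus re-run is what confirms the service did not come back.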
Below is the entry for this virus from the Sophos virus database, last updated 27 Jul 2005 (which happens to be the very day I got the trouble call; it spread fast -_-!):
http://www.sophos.com/virusinfo/analyses/w32codboto.html
W32/Codbot-O is a worm with backdoor functionality for the Windows platform.
W32/Codbot-O spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and MSSQL (MS02-039) (CAN-2002-0649). The following patches for the operating system vulnerabilities exploited by W32/Codbot-O can be obtained from the Microsoft website:
MS04-011
MS04-012
MS02-039 (and that is exactly the problem: none of the development group's machines had the MSSQL service pack applied; facepalm~~)
W32/Codbot-O runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Codbot-O copies itself to \dxdmain.exe.
W32/Codbot-O is registered as a new system driver service named "dxdmain", with a display name of "DirectX Graphics" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\dxdmain\