瑞星卡卡安全论坛

首页 » 技术交流区 » 可疑文件交流 » U盘病毒
smallyou93 - 2009-5-12 18:22:00
U盘病毒~

VirScan:http://www.virscan.org/report/e4 ... 79f97da6b2a3a0.html
MD5:CA8750E643C25C104CD2C6BA4CA4E900

1.提升限权


引用:
Access: Using dangerous system privileges
Object: AdjustTokenPrivileges(SeDebugPrivilege)



2.释放驱动并安装,加载后删除
%WinDir%\system32\drivers\klif.sys
HKLM\System\CurrentControlSet\Services\KAVsys

3.释放文件
%WinDir%\system32\uret463.exe(MD5:CA8750E643C25C104CD2C6BA4CA4E900)
%WinDir%\system32\hgjyit0.dll

4.创建启动项
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dorfgwe"="C:\\WINDOWS\\system32\\uret463.exe"

CA/Tiny还监控到这些动作:

引用:

Access: Forced process/thread termination
Object: PostMessageA(Message=WM_CLOSE,Handle=0x0)

Access: Injecting code into other processes
Object: VirtualAllocEx

Access: Injecting code into other processes
Object: WriteProcessMemory

Access: Injecting code into other processes
Object: CreateRemoteThread


知道的麻烦告知下

用户系统信息:Opera/9.64 (Windows NT 5.1; U; zh-cn) Presto/2.1.1

附件: a.rar
zg1_2004 - 2009-5-12 18:29:00
该用户帖子内容已被屏蔽
★蓝色羽毛★ - 2009-5-14 13:03:00
又是一个不是病毒。。。。:kaka6:
RisingCSC - 2009-5-18 10:12:00
瑞星最新版本病毒库:21.29.62已可查杀。
1
查看完整版本: U盘病毒
© 2000 - 2025 Rising Corp. Ltd.