原作者:海色の月
地址:http://www.simkz.com/bbs/archiver/?tid-57.html
档案编号:CISRT2006011
病毒名称:msime.exe:Trojan-PSW.Win32.Lmir.ate(AVP)
winmer.exe:N/A(AVP)
病毒别名:
病毒大小:20,361 字节 (msime.exe)
9,525 字节 (winmer.exe)
加壳方式:FSG
样本MD5:c915639c0723393318873341abfc3a5c (msime.exe)
0d30b166735c6c7a7acf3adbbd716378 (winmer.exe)
发现时间:2006.4
更新时间:2006.6.4前
关联病毒:
传播方式:通过恶意网站传播,其它病毒下载
技术分析==========
病毒运行后复制自身到:
%Windows%\update.exe
并创建启动项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="%Windows%\update.exe"
尝试访问网络下载并运行木马程序:
http://www.6ydy.com/down/muma.exe
下载后保存为:
%Windows%\cq.exe
cq.exe尝试下载:
http://www.6ydy.com/1/host.txt
host.txt用于覆盖系统HOSTS文件,里面的重定向信息是:
127.0.0.1 localhost
218.85.132.38 www.bastong.com
218.85.132.38 cool889987.bigwww.com
127.0.0.1 www.3721see.com
218.85.132.38 ert0003.e76.163ns.com
218.85.132.38 www.mir5173.com
218.85.132.38 www.se911.com
尝试下载并运行:
http://www.6ydy.com/1/muma.exe
下载后保存为:
%System%\msime.exe
msime.exe创建启动项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"KernelFaultCheck"="%System%\msime.exe"
设置注册表信息:
[HKEY_LOCAL_MACHINE\SOFTWARE\MSkysoft]
下载并运行:
http://www.3721see.com/Run.exe
保存为:
%System%\winmer.exe
winmer.exe创建启动项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"KernelCheck"="%System%\winmer.exe"
设置关机脚本:
%System%\GroupPolicy\Machine\Scripts\scripts.ini
scripts.ini内容为:
[Shutdown]
0CmdLine=%System%\winmer.exe
0Parameters=AVP
创建配置文件:
%Windows%\vbarun.dll
设置注册表信息:
[HKEY_LOCAL_MACHINE\SOFTWARE\wSkysoft]
病毒在第一次运行时会尝试结束一些安全相关软件的进程:
apvxdwin.exe
assistse.exe
avengine.exe
avp.exe
ccapp.exe
ccenter.exe
ccevtmgr.exe
ccsetmgr.exe
defwatch.exe
filmsg.exe
frogagent.exe
fygtcleaner.exe
iparmor.exe
isafe.exe
kav.exe
kavpfw.exe
kavstart.exe
kavsvc.exe
kmailmon.exe
kpfwsvc.exe
kregex.exe
kvmonxp.kxp
kvsrvxp.exe
kvxp.kxp
kwatch.exe
mantispm.exe
mcshield.exe
mcvsescn.exe
mcdetect.exe
mcmnhdlr.exe
pavsrv51.exe
pccguide.exe
pcclient.exe
pcctlcom.exe
psimsvc.exe
pavprsrv.exe
pavprsrv.exe
ravmond.exe
ravmon.exe
rfwmain.exe
rfwsrv.exe
rtvscan.exe
srvload.exe
tmpfw.exe
tmproxy.exe
tmntsrv.exe
tpsrv.exe
trojanwall.exe
trojdie.kxp
vsmon.exe
webproxy.exe
xfilter.exe
zlclient.exe
删除安全软件的服务信息:
AVP
CAISafe
kavsvc
KPfwSvc
KVSrvXP
KVWSC
KWatchSvc
McTskshd.exe
McDetect.exe
PAVFNSVR
PavPrSrv
PAVSRV
PcCtlCom
pmshellsrv
PNMSRV
PSIMSVC
RfwService
RsCCenter
Tmntsrv
TmPfw
tmproxy
TPSrv
vsmon
关闭窗口:
Jiangmin Registry Monitor Ex
KVXP_Monitor
清除步骤==========
1. 结束病毒进程:
%System%\msime.exe
%System%\winmer.exe
2. 删除病毒文件:
%Windows%\cq.exe
%Windows%\update.exe
%Windows%\vbarun.dll
%System%\msime.exe
%System%\winmer.exe
3. 删除启动项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"KernelFaultCheck"="%System%\msime.exe"
"KernelCheck"="%System%\winmer.exe"
4. 删除关机脚本:
%System%\GroupPolicy\Machine\Scripts\scripts.ini
也可以从“开始”>>“运行”,输入“gpedit.msc”,打开“组策略”编辑器,依次到“计算机配置”>>“Windows 设置”>>“脚本(启动/关闭)”,双击右边框里“关机”,打开“关机属性”,删除里面的关机脚本。
5. 恢复被修改的HOSTS文件,删除被添加的信息:
218.85.132.38 www.bastong.com
218.85.132.38 cool889987.bigwww.com
127.0.0.1 www.3721see.com
218.85.132.38 ert0003.e76.163ns.com
218.85.132.38 www.mir5173.com
218.85.132.38 www.se911.com
6. 删除其它注册表信息:
[HKEY_LOCAL_MACHINE\SOFTWARE\MSkysoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\wSkysoft]
7. 修复或重新安装被破坏的安全软件
