所以硬盘(除系统盘外)的EXE文件被感染,现在虽然用防火墙隔离了病毒联网,但是被感染的EXE文件依然无法修复,天啊!! 谁救救我吧。
NORTON对他根本没有反应。想装个金山,又没有正版。并且现在各大软件厂商都还没有专杀工具。
症状大概如下:
艾尼新变种MSOSVEXT.EXE,MSOSV.EXE的分析2007-04-21 17:47今天拿到了这个新的变种分析了一下 总的来说基本上延续了之前的下载木马 感染文件等的行径
运行MSOSV.EXE后
释放C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE
C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
C:\WINDOWS\svchost.exe(这个根本就是一个记事本的程序,只不过改了名称而已)
这回的特点就是用它感染文件
创建服务Hello Ketty
服务相关注册表项目如下
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\ImagePath: "C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE"
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\DisplayName: "TCP/IP Service"
HKLM\SYSTEM\CurrentControlSet\Services\Hello Ketty\
ObjectName: "LocalSystem"
启动C:\WINDOWS\svchost.exe感染除系统分区以外的exe文件
启动IE连接59.34.197.169:80 下载shift.ini到C:\Program Files\Common Files\Microsoft Shared\Web Folders\
读取shift.ini 里面的配置文件 下载木马TempA.exe~TempH.exe
到C:\Program Files\Common Files\Microsoft Shared\Web Folders\下面
由C:\WINDOWS\svchost.exe启动他们
TempA.exe释放文件1explore.exe和fyzo0.dll到临时文件夹
在HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<0><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1explore.exe> []
TempB.exe释放文件C:\WINDOWS\cmdbcs.exe和C:\Windows\system32\cmdbcs.dll
在HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
TempC.exe释放文件iexpl0re.exe和LgSy0.dll到临时文件夹
在HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<y9027jwxw><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe> []
TempD.exe释放文件crasos.exe和Msxo0.dll到临时文件夹
在HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<sfv><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\crasos.exe> []
TempE.exe释放文件rundl132.exe和Rav20.dll到临时文件夹
在HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<dj8q4uzi4><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rundl132.exe> []
TempF.exe释放文件winlog0n.exe和LgSy1.dll到临时文件夹
在HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<ghdi3ri><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe> []
TempG.exe运行出错
TempH.exe释放文件Servera.exe和Kavs0.dll到临时文件夹
在HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
添加注册表项目<yyt><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servera.exe> []
修改hosts文件
添加127.0.0.1 mmm.caifu18.net
127.0.0.1 www.18dmm.com
127.0.0.1 d.qbbd.com
127.0.0.1 www.5117music.com
127.0.0.1 www.union123.com
127.0.0.1 www.wu7x.cn
127.0.0.1 www.54699.com
127.0.0.1 www1.6tan.com
127.0.0.1 www2.6tan.com
127.0.0.1 www.97725.com
127.0.0.1 down.97725.com
127.0.0.1 ip.315hack.com
127.0.0.1 ip.54liumang.com
127.0.0.1 www.41ip.com
127.0.0.1 xulao.com
127.0.0.1 www.heixiou.com
127.0.0.1 www.9cyy.com
127.0.0.1 www.hunll.com
127.0.0.1 www.down.hunll.com
127.0.0.1 do.77276.com
127.0.0.1 www.baidulink.com
127.0.0.1 adnx.yygou.cn
127.0.0.1 222.73.220.45
127.0.0.1 www.f5game.com
127.0.0.1 www.guazhan.cn
127.0.0.1 wm,103715.com
127.0.0.1 www.my6688.cn
127.0.0.1 i.96981.com
127.0.0.1 d.77276.com
127.0.0.1 www1.cw988.cn
127.0.0.1 cool.47555.com
127.0.0.1 www.asdwc.com
127.0.0.1 55880.cn
127.0.0.1 61.152.169.234
127.0.0.1 cc.wzxqy.com
127.0.0.1 www.54699.com
127.0.0.1 t.gcuj.com
127.0.0.1 www.puma163.com
127.0.0.1 ceoww.com
127.0.0.1 boolom.com
连接http://temp.longge8.com/boot/long.htm 做感染统计
病毒体内有字样 myexe
