Sample came from the Jiangmin community...
=======================================
File size: 1253376 bytes
MD5_128 : CD3DCE3B6DAF4FC288D75120CC15F4A9
SHA160 : 627E97071363CE03DC05B374DB0F3B210AC07C84
CRC32 : 428ACA5D
Packer: unknown
Language: unknown (probably Delphi)
Behaviour (this is everything I managed to trace):
Creates:
C:\Windows\system32\dllcache\mm50krnl.exe
Adds a service:
The registry content is:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Logitech MM50 Kernel Drivers]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6c,00,6c,00,63,\
00,61,00,63,00,68,00,65,00,5c,00,6d,00,6d,00,35,00,30,00,6b,00,72,00,6e,00,\
6c,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="Logitech MM50 Kernel Drivers"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,40,b3,0e,\
00,01,00,00,00,b8,0b,00,00
"Description"="Enable Logitech MM50 Kernel Segment."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Logitech MM50 Kernel Drivers\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,48,b7,08,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,48,b7,08,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Logitech MM50 Kernel Drivers\Enum]
"0"="Root\\LEGACY_LOGITECH_MM50_KERNEL_DRIVERS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
The service points to: C:\Windows\system32\dllcache\mm50krnl.exe
Modifies:
C:\WINNT\system32\drivers\tcpip.sys
Later confirmed this entry is fine; a decoy?!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM\
Changed to: 'N'
Disabling DCOM? The RPC vulnerability, ha~
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
Changed to: '1'
(disables the system's anonymous logon) This change is fairly telling; it should go along with remote control, so this doesn't look like a plain virus..
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
Changed to: "4"
This step should be killing the system's built-in firewall, right?
It also tries to close security software whose window titles contain the strings below; judging by this, the author doesn't seem to be "domestic":
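To see what the service export above actually encodes (the hex(2) ImagePath is UTF-16LE text, Type and Start are flag/enum DWORDs, and FailureActions is a SERVICE_FAILURE_ACTIONS structure) and to check the three tampered values in one pass, here is an added example; it is not code from the post. The service block is copied from the post's export; the three short .reg fragments for EnableDCOM, lmcompatibilitylevel and SharedAccess\Start are constructed to represent the states the post says the sample sets. The FailureActions decoding assumes the 32-bit structure layout (five DWORDs, then one SC_ACTION of two DWORDs per action).

```python
import re
import struct
from typing import Dict, Tuple

# Service export copied from the post, followed by a constructed .reg fragment
# that represents the three hardening values in the state the post says the
# sample leaves them in (those three fragments are not from the post's export).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Logitech MM50 Kernel Drivers]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6c,00,6c,00,63,\
00,61,00,63,00,68,00,65,00,5c,00,6d,00,6d,00,35,00,30,00,6b,00,72,00,6e,00,\
6c,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="Logitech MM50 Kernel Drivers"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,40,b3,0e,\
00,01,00,00,00,b8,0b,00,00
"Description"="Enable Logitech MM50 Kernel Segment."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

SERVICE_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Logitech MM50 Kernel Drivers'
RegValues = Dict[str, Tuple[str, object]]


def parse_reg(text: str) -> Dict[str, RegValues]:
    """Parse a .reg export into {key_path: {value_name: (kind, value)}}.

    kind is 'sz', 'dword', 'hex' or 'hex(N)'; hex data becomes bytes. Long hex
    values are split over several lines ending in a backslash, so join those first.
    """
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys: Dict[str, RegValues] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ('sz', raw[1:-1])
        elif raw.startswith('dword:'):
            keys[current][name] = ('dword', int(raw[len('dword:'):], 16))
        elif raw.startswith('hex'):
            kind, _, data = raw.partition(':')
            keys[current][name] = (kind, bytes(int(b, 16) for b in data.split(',') if b))
    return keys


SERVICE_TYPE_BITS = {0x1: 'KERNEL_DRIVER', 0x2: 'FILE_SYSTEM_DRIVER',
                     0x10: 'WIN32_OWN_PROCESS', 0x20: 'WIN32_SHARE_PROCESS',
                     0x100: 'INTERACTIVE_PROCESS'}
START_TYPES = {0: 'BOOT_START', 1: 'SYSTEM_START', 2: 'AUTO_START',
               3: 'DEMAND_START', 4: 'DISABLED'}
SC_ACTION_TYPES = {0: 'NONE', 1: 'RESTART', 2: 'REBOOT', 3: 'RUN_COMMAND'}


def decode_service(values: RegValues) -> dict:
    """Turn the raw service values into something a reviewer can read."""
    # hex(2) is REG_EXPAND_SZ: UTF-16LE text with a terminating NUL.
    image = values['ImagePath'][1].decode('utf-16-le').rstrip('\x00').strip('"')
    # Assumed 32-bit SERVICE_FAILURE_ACTIONS: dwResetPeriod, lpRebootMsg,
    # lpCommand, cActions, lpsaActions, then cActions x SC_ACTION {Type, Delay ms}.
    fa = values['FailureActions'][1]
    reset_period, _msg, _cmd, count, _ptr = struct.unpack_from('<5I', fa, 0)
    actions = [struct.unpack_from('<2I', fa, 20 + 8 * i) for i in range(count)]
    svc_type, start = values['Type'][1], values['Start'][1]
    return {
        'image_path': image,
        'type_flags': [n for bit, n in SERVICE_TYPE_BITS.items() if svc_type & bit],
        'start': START_TYPES.get(start, f'UNKNOWN({start})'),
        'account': values['ObjectName'][1],
        'reset_period_s': reset_period,
        'failure_actions': [(SC_ACTION_TYPES.get(t, f'UNKNOWN({t})'), d) for t, d in actions],
    }


# (key, value name, state the post says the sample sets, value the post restores)
HARDENING_CHECKS = [
    (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole', 'EnableDCOM', 'N', 'Y'),
    (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa', 'lmcompatibilitylevel', 1, 0),
    (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess', 'Start', 4, 3),
]


def audit_hardening(keys: Dict[str, RegValues]) -> list:
    """Return (key, name, current, restore_to) for every value still in the tampered state."""
    findings = []
    for key, name, tampered, restore in HARDENING_CHECKS:
        current = keys.get(key, {}).get(name, (None, None))[1]
        if current == tampered:
            findings.append((key, name, current, restore))
    return findings


if __name__ == '__main__':
    reg = parse_reg(REG_TEXT)
    for k, v in decode_service(reg[SERVICE_KEY]).items():
        print(f'{k}: {v}')
    for key, name, cur, restore in audit_hardening(reg):
        print(f'TAMPERED {key}\\{name} = {cur!r}; restore to {restore!r}')
```

Running it shows the export registers an auto-start, interactive own-process service running as LocalSystem whose ImagePath decodes to C:\winnt\system32\dllcache\mm50krnl.exe (the WINNT system root of the machine the export was taken on), with a failure action that restarts the service 3000 ms after it dies, and it lists the three hardening values that still need to be put back.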
Ad-aware
spyware
hijack
kav
proc
norton
mcafee
f-pro
lockdown
firewall
blackice
avg
vsmon
zonea
spybot
nod32
reged
avp
troja
viru
anti
Then mm50krnl.exe makes an outbound (forward) connection, ha, and gets blocked by the Rising firewall (so lame)
Looks like this virus is something along the lines of Gray Pigeon (Huigezi) or an account-stealing virus (trojan)..
Ha, right, after running it also deletes itself, suicide, hehe~
That's roughly the situation. It's badly written, nothing technically impressive. Now for the fix:
Forced deletion tool: PowerRMV
下载地址: http://free.ys168.com/?gudugengkekao
(Other tools - PowerRMV.com, size 101.4KB)
Enter:
C:\Windows\system32\dllcache\mm50krnl.exe
Tick "prevent the killed target from being recreated", then kill it; a prompt appears, just click OK.
It also shows up in the process list, but it can't be closed; if you want to close it, force-kill it from the DOS prompt with ntsd -c -p -q or close it with IceSword (I couldn't be bothered)
Too lazy to go into detail. After dealing with it using the tool above, fix the rest:
Open the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM\
Change to: 'Y'
This is the RPC vulnerability; why would it disable that, huh? I'm a noob and not too familiar with underground tools, so ignore that; whatever it changed, we change back~ ^_^
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
Change to: '0'
It's just the system's anonymous logon feature, merely a stealth trick; not really important
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
Change to: "3"
Hehe, now the XP built-in firewall can be used again; you can also just start it directly in Services
Then download SREng: Startup Items - Services - Win32 Services/Applications
Delete the "Logitech MM50 Kernel" service entry, and that's it
This seemingly simple virus is actually not "simple" at all; the point is that it connects out and is controlled by someone else. The author's thinking is very clear: first kill the firewall, then make an outbound connection, without using traditional injection techniques. I've written this up rather briefly; that's roughly how to clean it. If there are other viruses, please update your antivirus promptly and clear them out.
Also: make sure to apply system patches etc.; it looks like it spreads via vulnerabilities..