Capture date
2009-2-10
Virus summary
This sample is a worm written in VC and captured automatically by Micropoint Active Defense. It is packed with Petite to evade signature scanning; the packed file is 29,396 bytes, its icon is "", and it uses the exe extension. It is planted on users' computers through web-page trojans, file bundling and removable storage media; once running it downloads other trojans to the local machine and runs them.
Affected systems
windows 2000 / windows xp / windows 2003
Propagation
File bundling, web-page trojans, removable storage media
Prevention
Users who already have Micropoint Active Defense installed need no further configuration; Micropoint Active Defense protects the system from infection and damage by this virus automatically. Whether or not you have upgraded to the latest version, Micropoint Active Defense can remove it. If you have not upgraded to the latest version, Micropoint Active Defense will raise an alert reporting an "unknown trojan" when it detects the virus; choose Delete (Figure 1).
Figure 1: Micropoint Active Defense automatically capturing the unknown virus (not upgraded)
If you have upgraded to the latest version, Micropoint will alert that "worm.win32.autorun.klb" has been found; choose Delete (Figure 2).
Figure 2: Micropoint Active Defense intercepting the known virus after the upgrade
For users who do not use Micropoint Active Defense, Micropoint's anti-virus experts recommend:
1. Do not download and install unofficial builds of software from unknown sites; this keeps the virus from entering your system through bundling.
2. Disable AutoPlay for USB drives: Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> locate "Turn off Autoplay" in the right pane -> double-click -> select "Enabled". This policy is stored as the NoDriveTypeAutoRun value under hklm\software\microsoft\windows\currentversion\policies\explorer (0xFF disables AutoRun on all drive types).
3. Update your anti-virus signature database to the latest version and scan as soon as possible, and enable a firewall to block abnormal network access; if anomalies persist, contact a professional security-software vendor for technical support.
4. Enable Windows Automatic Updates and apply vulnerability patches promptly.
Virus analysis
(1) Deletes specified Kingsoft components and drops the specified virus derivatives
(2) Attempts to terminate specified security processes and stop specified services
(3) Looks up specified 360 registry keys and, when found, modifies them to switch off 360's monitoring
(4) Closes windows whose titles contain specified keywords
(5) Hijacks most security software through Image File Execution Options (IFEO), so that launching the tool runs the worm's file instead
(6) Alters the show-hidden-files setting so the dropped files stay hidden
(7) Accesses specified URLs to download other trojans and run them locally
(8) Creates a specific autorun file on each drive to propagate automatically
Files deleted:
d:\program files\kingsoft\kingsoft internet security 2008\kasbrowsershield.dll
%system32%\mfc71.dll
Files created:
%programfiles%\ als.pif
%system32%\dllcache\linkinfo.dll
%temp%\dll[random digits].tmp
%system32%\mfc1.dll
c:\autorun.inf
c:\znz.pif
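The propagation artefacts above (autorun.inf plus znz.pif at the drive root) are what an analyst checks on every drive root and removable device. The following Python is an added example written for this page, not code from the advisory or the worm: it parses an autorun.inf tolerantly (worms pad these files with junk lines that break strict INI parsers) and reports which executables the shell would launch on insertion or double-click. The autorun.inf text is constructed to mirror this worm's dropped files.

```python
"""Report which executables an autorun.inf would launch on media insertion
or drive double-click. Added example for this page, not from the advisory;
SAMPLE_AUTORUN is constructed to mirror the files this worm drops
(autorun.inf and znz.pif at the drive root)."""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = (".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs")

SAMPLE_AUTORUN = """[AutoRun]
open=znz.pif
shell\\open=Open(&O)
shell\\open\\Command=znz.pif
shell\\explore=Explore(&X)
shell\\explore\\command=znz.pif
shellexecute=znz.pif
jkl9a8s7d random padding line without an equals sign
"""


def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section; keys lowercased, junk ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line and not line.startswith(";"):
            k, _, v = line.partition("=")
            entries[k.strip().lower()] = v.strip()
    return entries


def _command_image(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launch_targets(entries):
    """Images run via open=, shellexecute= or any shell\\<verb>\\command= entry."""
    targets = set()
    for k, v in entries.items():
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            image = _command_image(v).lower()
            if image:
                targets.add(image)
    return targets


def suspicious_targets(text):
    """Launch targets with an executable extension, sorted for stable output."""
    return sorted(t for t in launch_targets(parse_autorun(text)) if t.endswith(EXEC_EXT))


if __name__ == "__main__":
    print(suspicious_targets(SAMPLE_AUTORUN))
```

Run it against the autorun.inf in each drive root; any target it lists that is a hidden file sitting beside the autorun.inf, rather than an installer the media is known to carry, is the dropper to collect before cleaning.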
Processes terminated:
avp.exe
360safe.exe
360tray.exe
360rpt.exe
runiep.exe
rsaupd.exe
rav.exe
rstray.exe
ccenter.exe
ravmon.exe
ravservice.exe
scanfrm.exe
rsnetsvr.exe
ravtray.exe
ravmond.exe
rsagent.exe
guardfield.exe
ravxp.exe
gfupd.exe
kmailmon.exe
kavstart.exe
kavpfw.exe
kwatch.exe
kav32.exe
kissvc.exe
Services stopped:
sharedaccess
mcshield
kwhatchsvc
kpfwsvc
kingsoft internet security common service
symantec antivirus
norton antivirus server
defwatch
symantec antivirus drivers services
symantec antivirus definition watcher
Services deleted:
ravccenter
rsscansrv
ravtask
rsravmon
Windows closed (matched by these title keywords; the original strings are kept, with English glosses):
监视 (monitor)
监控 (monitoring)
后门 (backdoor)
nod32
process
瑞星 (Rising)
木马 (trojan)
杀马 (trojan killer)
绿鹰 (Green Eagle)
mcafee
firewall
virus
anti
worm
sreng
清理 (clean-up)
下载者 (downloader)
Registry keys deleted:
Keys (the GUID is the disk-drive device class; removing it from the SafeBoot lists leaves Safe Mode unable to boot, so the user cannot clean up from there):
hklm\system\controlset001\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
hklm\system\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
hklm\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
hklm\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
Values deleted under key:
hklm\software\microsoft\windows\currentversion\run
Value: 360safetray
Value: 360safebox
Value: kavstart
Value: vptray
Value: ccapp
Value: ravtray
Registry values modified:
Key:
hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
Value: checkedvalue
Data: 2 (normally 1; with 2, selecting "Show hidden files and folders" writes the "do not show" setting, so the dropped files stay hidden)
Key:
hklm\software\360safe\safemon
Value: execaccess
Data: 0
Value: monaccess
Data: 0
Value: leakshowed
Data: 0
Value: siteaccess
Data: 0
Value: udiskaccess
Data: 0
Value: weeken
Data: 0
Value: arpaccess
Data: 0
Value: ieprotaccess
Data: 0
Registry keys created:
Keys (one IFEO key per security-tool image; the debugger value listed after them applies to each):
hklm\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\antiarp.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\arswp.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ast.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\autorun.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\autorunkiller.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\avmonitor.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\avp.com
hklm\software\microsoft\windows nt\currentversion\image file execution options\avp.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ccenter.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\frameworkservice.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\gfupd.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\guardfield.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\hijackthis.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\icesword.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\iparmor.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kasarp.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kav32.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kavpfw.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kpfwsvc.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kregex.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp.kxp
hklm\software\microsoft\windows nt\currentversion\image file execution options\kvsrvxp.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\kwatch.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\navapsvc.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\pfw.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\qqdoctor.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rav.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravmon.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravmond.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravservice.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravstub.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravtask.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravtray.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rsagent.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rsaupd.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rsmain.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\rstray.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\safeboxtray.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\scanfrm.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\srengldr.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\trojandetector.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\trojanwall.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\trojdie.kxp
hklm\software\microsoft\windows nt\currentversion\image file execution options\vpc32.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\vptray.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\woptilities.exe
Value: debugger
Data: %system32%\dllcache\spoolsv.exe (Windows starts the Debugger path with the original command line as its argument, so the security tool itself never runs)
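The registry tampering listed above (IFEO Debugger hijacks, the deleted SafeBoot disk-class keys, the SHOWALL CheckedValue change) and the AutoPlay policy from prevention step 2 can all be checked offline from a `reg export` of the relevant keys. The following Python script is an added example written for this page, not Micropoint's or the worm's code. The .reg text it parses is constructed, the KNOWN_DEBUGGERS allow-list is an assumption, and the SafeBoot check is only applied when the export actually contains the SafeBoot tree.

```python
"""Triage a Windows registry export (.reg text) for the tampering this
advisory attributes to the worm: IFEO "Debugger" hijacks of security tools,
deleted SafeBoot disk-class keys, the SHOWALL CheckedValue change, and
whether AutoRun is off for removable drives (prevention step 2).

Added example for this page, not Micropoint's code. SAMPLE_REG is
constructed; KNOWN_DEBUGGERS is an assumed allow-list.
"""
import re

SAFEBOOT_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"  # disk-drive device class
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options" + "\\")
SAFEBOOT_PREFIX = r"hkey_local_machine\system\currentcontrolset\control\safeboot" + "\\"
SHOWALL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")
AUTORUN_POLICY_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
                      r"\policies\explorer")
# Assumption: the only binaries legitimately set as an IFEO debugger on this host.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "vsjitdebugger.exe"}

# Constructed sample of what `reg export` of the relevant keys could contain.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\dllcache\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\ntsd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: doubled backslash and backslash-quote."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(data):
    """Decode a .reg value: quoted strings and dword:; other types stay raw."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if m:
            name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
            keys[current][name] = _decode(m.group(2))
    return keys


def audit(keys):
    """Return one finding string per tamper pattern present in the export."""
    findings = []
    # Any Debugger that is not a real debugger redirects that image to malware.
    for key, values in keys.items():
        if key.startswith(IFEO_PREFIX) and "debugger" in values:
            dbg = str(values["debugger"])
            if dbg.lower().rsplit("\\", 1)[-1] not in KNOWN_DEBUGGERS:
                findings.append("IFEO hijack: " + key[len(IFEO_PREFIX):] + " -> " + dbg)
    # Judge SafeBoot only when the export actually covers that tree.
    if any(k.startswith(SAFEBOOT_PREFIX) for k in keys):
        for profile in ("minimal", "network"):
            if SAFEBOOT_PREFIX + profile + "\\" + SAFEBOOT_CLASS not in keys:
                findings.append("SafeBoot\\" + profile + ": disk class key " + SAFEBOOT_CLASS
                                + " missing (Safe Mode will not boot)")
    cv = keys.get(SHOWALL_KEY, {}).get("checkedvalue")
    if cv is not None and cv != 1:
        findings.append(f"SHOWALL CheckedValue is {cv}, expected 1 (hidden files cannot be shown)")
    ndt = keys.get(AUTORUN_POLICY_KEY, {}).get("nodrivetypeautorun")
    if not isinstance(ndt, int) or not ndt & 0x04:  # 0x04 = removable drives
        findings.append(f"AutoRun still enabled for removable drives (NoDriveTypeAutoRun={ndt!r};"
                        " gpedit 'Turn off Autoplay' sets 0xFF)")
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f)
```

On the suspect machine, export the trees with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and likewise the SafeBoot, Explorer\Advanced and Policies\Explorer keys), open the files with `encoding="utf-16"` since `reg export` writes UTF-16, and pass the text to parse_reg. A Debugger value is a hijack regardless of which image it is attached to; the allow-list only suppresses the few legitimate uses, so review anything it flags rather than extending the list.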
Network access (domain masked as on the original page):
http://m. w**8.com/tt.txt
http://m. w**8.com/dd/x.gif
http://m. w**8.com/dd/1.exe
http://m. w**8.com/dd/2.exe
http://m. w**8.com/dd/6.exe
http://m. w**8.com/dd/9.exe
http://m. w**8.com/dd/10.exe