东方微点-yb体育官方

  yb体育官方  
yb体育官方-yb亚博全站首页  |  微点新闻  |  业界动态  |  安全资讯  |   |   |  网络版yb亚博全站首页
 |   |   |   |   |   |  各地代理商
 

蠕虫程序worm.win32.autorun.kqk



捕获时间

2009-2-20

病毒摘要

        该样本是使用“vc”编写的蠕虫程序,由微点主动防御软件自动捕获,采用“winupack”加壳方式,企图躲避特征码扫描,加壳后长度为“26,856 字节”,图标为“”,病毒扩展名为“exe”,主要通过“网页挂马”、“文件捆绑”、“下载器下载”、“移动存储介质”等方式传播,病毒主要目的为下载大量病毒木马至用户主机运行。
        用户中毒后,会发现系统运行及网络响应缓慢,无法进入系统安全模式,大量安全软件无法正常运行,各本地磁盘根目录与可移动磁盘发现autorun.ini与ztz.pif文件。




感染对象


windows 2000/windows xp/windows 2003

传播途径

网页挂马、文件捆绑、下载器下载、移动存储介质

防范措施

已安装使用微点主动防御软件的用户,无须任何设置,微点主动防御将自动保护您的系统免受该病毒的入侵和破坏。无论您是否已经升级到最新版本,微点主动防御都能够有效清除该病毒。如果您没有将微点主动防御软件升级到最新版,微点主动防御软件在发现该病毒后将报警提示您发现“未知木马”,请直接选择删除处理(如图1);


          图1 微点主动防御软件自动捕获未知病毒(未升级)



如果您已经将微点主动防御软件升级到最新版本,微点将报警提示您发现"worm.win32.autorun.kqk”,请直接选择删除(如图2)。


          图2   微点主动防御软件升级后截获已知病毒



对于未使用微点主动防御软件的用户,微点反病毒专家建议
1、不要在不明站点下载非官方版本的软件进行安装,避免病毒通过捆绑的方式进入您的系统。
2、建议关闭u盘自动播放,具体操作步骤:开始->运行->gpedit.msc->计算机配置->管理模板->系统->在右侧找到"关闭自动播放"->双击->选择"已启用"。
3、尽快将您的杀毒软件特征库升级到最新版本进行查杀,并开启防火墙拦截网络异常访问,如依然有异常情况请注意及时与专业的安全软件厂商联系获取yb亚博全站首页的技术支持。
4、开启windows自动更新,及时打好漏洞补丁。


未安装微点主动防御软件的手动解决办法:

1、手动删除以下文件:
  %systemroot%\system32\dllcache\linkinfo.dll
  %systemroot%\system32\sbbsk.ini,
  %program files%\bccd.pif
2、手动删除以下注册表值:
  键:hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options
  值:全部
  键:hkey_local_machine\system\currentcontrolset\services\naks
  键:hkey_local_machine\system\currentcontrolset\services\fangdapp
3、修改下列注册表项修改为以下值:
  键:hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
  值:checkedvalue
  数据:1
  键:hkey_local_machine\system\currentcontrolset\control\session manager
  值:pendingfilerenameoperations
  数据:空
3、修复安全模式。


变量声明:

%systemdriver%         系统所在分区,通常为“c:\”
%systemroot%          windodws所在目录,通常为“c:\windows”
%documents and settings%    用户文档目录,通常为“c:\documents and settings”
%temp%             临时文件夹,通常为“c:\documents and settings\当前用户名称\local settings\temp”
%programfiles%         系统程序默认安装目录,通常为:“c:\programfiles”

病毒分析

(1)、申请内存空间,启动线程,注入cmd.exe,利用cmd.exe加载动态库;
(2)、注入rundll32.exe,利用rundll32.exe加载动态库;
(3)、尝试关闭各类安全软件;
(4)、修改注册表,映像劫持各类安全软件,均指向“%systemroot%\system32\dllcache\spoolsv.exe”;
(5)、修改注册表,破坏系统安全模式;
(6)、修改注册表,删除常见安全软件启动项;
(7)、释放驱动,恢复ssdt表;
(8)、注入net1.exe,利用net1.exe检测服务;
(9)、注入sc.exe,利用sc.exe删除部分安全软件服务;
(10)、设立autorun.ini至各本地磁盘与可移动磁盘;
(11)、连接网络,下载自身升级文件并执行;
(12)、下载病毒列表,读取后下载病毒并执行;
  
  病毒创建文件:
  
  %program files%\avpp.pif
  %systemdriver%\runt.dll
  %systemroot%\system32\dllcache\linkinfo.dll
  %systemroot%\fonts\fangdapp.sys
  %systemroot%\system32\sbbsk.ini,
  %program files%\bccd.pif
  %systemroot%\fonts\naks.sys
  
  在本地磁盘和可移动磁盘根目录生成以下文件:
  autorun.inf
  ztz.pif
  
  
  病毒修改文件:
  
  %systemroot%\system32\mfc71.dll
  
  病毒删除文件:
  
  %program files%\avpp.pif
  %systemdriver%\runt.dll
  %systemroot%\fonts\fangdapp.sys
  %systemroot%\fonts\naks.sys
  
  病毒创建注册表:
  
  hkey_local_machine\system\currentcontrolset\services\naks
  hkey_local_machine\system\currentcontrolset\services\fangdapp
  hklm\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\antiarp.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\arswp.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ast.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\autorun.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\autorunkiller.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\avmonitor.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\avp.com
  hklm\software\microsoft\windows nt\currentversion\image file execution options\avp.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ccenter.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\frameworkservice.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\gfupd.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\guardfield.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\hijackthis.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\icesword.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\iparmor.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kasarp.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kav32.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kavpfw.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kpfwsvc.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kregex.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp.kxp
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kvsrvxp.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\kwatch.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\navapsvc.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\pfw.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\qqdoctor.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rav.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ravmon.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ravmond.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ravservice.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ravstub.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ravtask.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\ravtray.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rsagent.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rsaupd.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rsmain.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\rstray.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\safeboxtray.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\scanfrm.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\srengldr.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\trojandetector.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\trojanwall.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\trojdie.kxp
  hklm\software\microsoft\windows nt\currentversion\image file execution options\vpc32.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\vptray.exe
  hklm\software\microsoft\windows nt\currentversion\image file execution options\woptilities.exe
  
  病毒修改注册表:
  
  键:hkey_local_machine\system\currentcontrolset\control\session manager
  值:pendingfilerenameoperations
  数据:\??\c:\sample.exe
  键:hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
  值:checkedvalue
  数据:2
  
  病毒删除注册表:
  
  hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
  hkey_local_machine\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
  hkey_local_machine\software\microsoft\windows\currentversion\run\360safetray
  hkey_local_machine\software\microsoft\windows\currentversion\run\360safebox
  hkey_local_machine\software\microsoft\windows\currentversion\run\kavstart
  hkey_local_machine\software\microsoft\windows\currentversion\run\vptray
  hkey_local_machine\software\microsoft\windows\currentversion\run\ccapp
  hkey_local_machine\software\microsoft\windows\currentversion\run\ravtray
  
  病毒创建进程:
  
  %program files%\avpp.pif
  
  病毒访问网络:
  
  http://m.w**8.com/dd/x.gif
  http://m.w**8.com/tt.txt
  http://d.w**8.com/dd/1.exe
  http://d.w**8.com/dd/2.exe
  http://d.w**8.com/dd/6.exe
  http://d.w**8.com/dd/9.exe
  http://d.w**8.com/dd/10.exe

免费试用
下  载

网站地图