Yesterday I got hold of a virus said to be similar to AV Terminator (AV终结者) and tested it.
Results:
File: debug.exe
Size: 46592 bytes
MD5: 153D51C2BB487B1DFE9F40355C34BE23
SHA1: 13B4466D8CEFC5A71B787E5B8AB21CDB8FEB8049
CRC32: 6EB3D331
Packer: ASPack 2.12
Rising, Kaspersky and others do not yet detect this virus.

File changes:
Dropped files:
C:\WINDOWS\Debug\debug.exe
C:\WINDOWS\Web\css.css
C:\MSDOS.log
C:\WINDOWS\Temp\~tmp83.tmp
Also creates gbk.com and autorun.inf on the D: and E: drives.

C:\WINDOWS\Web\css.css is injected into other processes.
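The autorun.inf dropped on D: and E: is what turns a double-click on the drive into a second infection (which is also why the removal steps later say to right-click and choose Open). As an added example that is not part of the original post, here is a small parser that reports every command Explorer could launch from such a file, including the "shell=<verb>" default-verb redirection. The autorun.inf body below is constructed for the example; the post only names the file and gbk.com, it does not show the file's contents.

```python
# Added example (not code from the original post). Parses an autorun.inf such
# as the one this dropper writes beside gbk.com and lists what it can launch.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the real autorun.inf is not reproduced in the post.
# Keys are deliberately mixed-case, and the 'shell=' default-verb trick is
# included because that is how a plain double-click ends up running gbk.com.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
OPEN=gbk.com
shellexecute=gbk.com
shell\\Auto\\command=gbk.com
shell=Auto
; comment line - a naive key=value split would misread it
"""

# Keys whose value is a command Explorer may execute.
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")


def parse_autorun_inf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style autorun.inf into {section: [(key, value), ...]}.

    Section and key names are lower-cased because Explorer matches them
    case-insensitively. Duplicate keys are kept, in order, so a reviewer
    sees every attempt rather than only the one Explorer would honour.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def launched_commands(text: str) -> List[Tuple[str, str]]:
    """Return (trigger, command) pairs that the [AutoRun] section can execute.

    'open' runs via AutoPlay, 'shellexecute' is its ShellExecute variant and
    'shell\\<verb>\\command' adds context-menu verbs for the drive.
    """
    entries = parse_autorun_inf(text).get("autorun", [])
    return [(k, v) for k, v in entries if LAUNCH_KEY.fullmatch(k)]


def default_verb_command(text: str) -> Optional[str]:
    """Resolve 'shell=<verb>' to the command a double-click on the drive runs.

    When the default verb is redirected to the dropper, double-click means
    infect; right-click then Open bypasses it, as the cleanup steps advise.
    """
    entries = parse_autorun_inf(text).get("autorun", [])
    verb = next((v for k, v in entries if k == "shell"), None)
    if verb is None:
        return None
    wanted = f"shell\\{verb.strip().lower()}\\command"
    return next((v for k, v in entries if k == wanted), None)


if __name__ == "__main__":
    for trigger, command in launched_commands(SAMPLE_AUTORUN_INF):
        print(f"{trigger:24s} -> {command}")
    print("double-click on the drive runs:", default_verb_command(SAMPLE_AUTORUN_INF))
```

Run it against an autorun.inf copied from the infected drive (read the file from a safe-mode session or another machine; do not double-click the drive). Any command it reports that points at a file sitting on the drive itself, like gbk.com here, is the dropper.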

Terminates the following processes:
kvmonxp.kxp
kvsrvxp.exe
trojdie.kxp
kregex.exe
uihost.exe
avp.exe
360safe.exe
runiep.exe
ras.exe
ccenter.exe
ravtask.exe
ravmon.exe
ravmond.exe
ravstub.exe
kwatch.exe
kavstart.exe
kpfwsvc.exe
kmailmon.exe
kpfw32.exe
kavsvc.exe
kav.exe

Stops the following services and sets their startup type to Disabled:
sharedaccess
ccenter
kvsrvxp
kvwsc
kavsvc
kingsoft antivirus kwatch service
kingsoft personal firewall service
rsravmon service
rising proxy service
rising process communication center
rising personal firewall service
Kaspersky Anti-Virus 6.0 (personal edition)

Creates the following image hijack entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (one subkey per image name, each with its Debugger value pointing to C:\WINDOWS\Debug\debug.exe):
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
conime.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
nod32krn.exe
nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
rfwProxy.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE.exe
WoptiClean.exe
zxsweep.exe
C:\WINDOWS\Web\css.css watches the IFEO keys and restores them immediately if they are deleted.

Deletes the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden,
which breaks the "Show hidden files and folders" option in Folder Options.

Connects to the network and downloads http://xxxxxxxx.mircosofts.com/history.txt to the C: drive,
reads its contents and downloads the trojans
http://xxxxxxxx.2288.org/ms_info32.exe
http://xxxxxxxx.2288.org/ms_info33.exe
http://xxxxxxxx.2288.org/bots.exe
into C:\Windows, named 1.exe through 3.exe respectively.

After the trojans have run,
the following files are present:
C:\WINDOWS\1.exe
C:\WINDOWS\2.bat
C:\WINDOWS\2.exe
C:\WINDOWS\2.vbs
C:\WINDOWS\3.exe
C:\WINDOWS\IEXPLORE.EXE
C:\WINDOWS\tmp$$$.vbs
C:\WINDOWS\W1NL0GON.EXE
C:\WINDOWS\system32\comspn.dll
C:\WINDOWS\system32\inetcfg.h
C:\WINDOWS\system32\mst.tlb
C:\WINDOWS\system32\SCardSer.exe
C:\WINDOWS\system32\spnup.dll
Of these, 1.exe sets the system date to December 30, 2099.
SREng log:
Startup items

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MS Reporter(dont disable)><C:\WINDOWS\W1NL0GON.EXE> []
Services
[Net Login Helper / netlog][Stopped/Auto Start] <C:\WINDOWS\system32\SCardSer.exe><N/A>

During testing I did not see the main program create any startup entries itself, which is odd.

Removal:
In Safe Mode (press F8 repeatedly after powering on, then choose the first item, Safe Mode, from the advanced options menu):
First set the system date back to the correct value.
Rename sreng to some other name and run it (SREng.exe is itself in the hijack list above).
Under Startup Items > Registry, delete the following entry:
<MS Reporter(dont disable)><C:\WINDOWS\W1NL0GON.EXE> []

Under "Startup Items" - "Services" - "Win32 Service Applications", tick "Hide Microsoft-certified items",
select the following item, click "Delete Service", then click "Setup" and choose "No" in the dialog that appears:

Net Login Helper / netlog
Copy the following into Notepad and save it as 1.reg (in .reg syntax a backslash inside a string value is written as a double backslash):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

Double-click 1.reg to import it.

Double-click My Computer, then Tools > Folder Options > View, select "Show hidden files and folders" and clear the "Hide protected operating system files (Recommended)" box. Click Yes when asked to confirm the change, then OK.
Then delete the following files:
C:\WINDOWS\1.exe
C:\WINDOWS\2.bat
C:\WINDOWS\2.exe
C:\WINDOWS\2.vbs
C:\WINDOWS\3.exe
C:\WINDOWS\IEXPLORE.EXE
C:\WINDOWS\tmp$$$.vbs
C:\WINDOWS\W1NL0GON.EXE
C:\WINDOWS\system32\comspn.dll
C:\WINDOWS\system32\inetcfg.h
C:\WINDOWS\system32\mst.tlb
C:\WINDOWS\system32\SCardSer.exe
C:\WINDOWS\system32\spnup.dll
C:\WINDOWS\Debug\debug.exe
C:\WINDOWS\Web\css.css
C:\MSDOS.log
C:\WINDOWS\Temp\~tmp83.tmp
Right-click the D: and E: drives and choose Open from the context menu (do not double-click them, since that would run the command in autorun.inf), then delete gbk.com and autorun.inf.

Reboot into normal mode.
Download Autoruns:
http://www.skycn.com/soft/17567.html
Since this tool is also image-hijacked (autoruns.exe is in the list above), rename it before running it.
Open it, go to the Image Hijacks tab, and delete every entry except
"Your Image File Name Here without a path" (Symbolic Debugger for Windows 2000, Microsoft Corporation, c:\windows\system32\ntsd.exe).
Check each entry before deleting it: the ones belonging to this infection have a Debugger value pointing at C:\WINDOWS\Debug\debug.exe; an entry that points somewhere else is not part of it.
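The IFEO list above and the Autoruns step here are the same job seen from two sides: find every Image File Execution Options subkey whose Debugger value is not Windows' own ntsd entry, and delete those keys. As an added example that is not part of the original post, the script below does this over the text of a "reg export" of the IFEO key (so it can be reviewed offline before anything is changed) and writes a .reg file that deletes only the hijacked keys. The export text is constructed for the example: the three image names are taken from the post's list and the debugger path is the dropper's; the allow-list containing only ntsd is an assumption that matches what the post says should survive.

```python
# Added example (not code from the original post). Scans a regedit export of
# the IFEO key for Debugger hijacks and builds a .reg that deletes them.
import re
from typing import Dict, FrozenSet, List, Tuple

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed 'reg export' text: three image names from the post's hijack list
# pointing at the dropper, plus Windows XP's own default ntsd entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\WINDOWS\\Debug\\debug.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\Debug\\debug.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\Debug\\debug.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"
"""

# Assumption: only Windows' own ntsd entry is expected on a clean XP box.
# A developer machine may legitimately add vsjitdebugger; extend as needed.
ALLOWED_DEBUGGERS: FrozenSet[str] = frozenset({"ntsd"})

_STR_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')
_RAW_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse regedit export text into {key_path: {value_name: value}}; dword:/hex: stay raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _STR_VALUE.fullmatch(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
                continue
            m = _RAW_VALUE.fullmatch(line)
            if m:
                keys[current][_unescape(m.group(1))] = m.group(2)
    return keys


def debugger_program(command: str) -> str:
    """Bare program name (no path, no .exe) from a Debugger command line."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command.split() else ""
    base = re.split(r"[\\/]", exe)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def ifeo_debuggers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """All (image_name, Debugger command) pairs directly under the IFEO key."""
    prefix = IFEO.lower() + "\\"
    found = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        image = path[len(prefix):]
        if "\\" in image:  # deeper subkeys (e.g. PerfOptions) are not image entries
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                found.append((image, value))
    return found


def hijacked_entries(keys, allowed: FrozenSet[str] = ALLOWED_DEBUGGERS) -> List[Tuple[str, str]]:
    """IFEO entries whose debugger program is not on the allow-list."""
    return [(img, dbg) for img, dbg in ifeo_debuggers(keys)
            if debugger_program(dbg) not in allowed]


def cleanup_reg(hijacked: List[Tuple[str, str]]) -> str:
    """Build a .reg file that deletes each hijacked key ('[-key]' deletes the key)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hijacked:
        lines += [f"[-{IFEO}\\{image}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    bad = hijacked_entries(parse_reg_export(SAMPLE_REG_EXPORT))
    for image, dbg in bad:
        print(f"{image:20s} -> {dbg}")
    print(cleanup_reg(bad))
```

On the infected machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, and the generated file is imported with regedit. Because css.css restores the keys as soon as they are deleted, importing the cleanup .reg only sticks after css.css has been removed in safe mode, which is why this belongs at the end of the procedure and not the start.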

Then repair your antivirus and other security software and run a full scan.
