Analysis and removal guide for the IE pop-up "QQ迷你首页" (QQ Mini Homepage, ad1.exe)
2006-11-3 18:03:28  By killviru…  Source: virus analysis
Symptoms

    Window title shows  : QQ迷你首页 (QQ Mini Homepage)
    Taskbar shows       : Explorer.exe
    Process list shows  : ad1.exe
    hosts file modified : the sites below are pointed at the IP 61.135.150.114 (URLs defanged as hxxp)

hxxp://www.8000qq.com hxxp://www.800f.net hxxp://www.1000sf.cn hxxp://jfengsha.comfb
hxxp://www.1000yf.net hxxp://www.159sifu.com hxxp://www.9s5.cn hxxp://www.spbuy.net
hxxp://www.wym.cn hxxp://www.cc4f.cn hxxp://mafan.net hxxp://www.6688qn.net
hxxp://www.177z.com hxxp://www.131sf.net hxxp://tj.cntg.cn hxxp://www.china45.net
hxxp://www.ok22.com hxxp://www.17mi.net hxxp://www.sf8.com.cn hxxp://www.13177.com
hxxp://ip94.fd4f.com hxxp://www.521it.net hxxp://www.ytdj.cn hxxp://www.fwoool.cn
hxxp://www.5u37.net hxxp://www.87sf.com hxxp://ww1.swoool.com hxxp://wooljsz.cn
hxxp://www.57wool.com hxxp://www.58816.com hxxp://chuanqisjsf.blwool.com hxxp://www.woool188.com
hxxp://www.sf1260.com hxxp://linf23.b12.cn hxxp://wg.cn hxxp://www.wooolweb.com
hxxp://www.yq520.net hxxp://www.cs222.com hxxp://www.ok22.com hxxp://www.7100sf.com
hxxp://www.1352sf.com hxxp://www.458wool.cn hxxp://www.555woool.cn hxxp://www.kaosf.com
hxxp://www.siyuwl.com hxxp://www.csjsz.cn hxxp://www.13177.com hxxp://www.458cs.com
hxxp://www.5573.com hxxp://www.02945.com hxxp://www.pkchina.net hxxp://www.5181314.com
hxxp://www.fknf2.com hxxp://www2.yoursf.com hxxp://www.paocs.com hxxp://www.sfboke.com
hxxp://www.xx878.com hxxp://ww1.woool188.com hxxp://www.cs119.com hxxp://www.xdwoool.net
hxxp://www.xx515.com hxxp://www.cs176.com hxxp://www.552sf.com hxxp://www.ipmir.com
hxxp://www.898woool.com hxxp://www.qqks.com hxxp://www.368idc.com hxxp://www.csbaba.com
hxxp://www.4745.cn hxxp://www.636400.com hxxp://www.oursf.cn hxxp://www.laiba173.com
hxxp://www.14455.com hxxp://www.zheshan.net hxxp://zt.aaaaasf.cn hxxp://www.zt1314.cn
hxxp://www.zt4f.net hxxp://www.zt002.com hxxp://www.amir3.com hxxp://www.sf1717.com
hxxp://www.cq333.cn hxxp://www.3316.cn hxxp://www.sosmir3.com hxxp://www.95279.com
hxxp://www.sf1788.com hxxp://www.4fboss.com hxxp://www.45net.net hxxp://www.lian2.cn
hxxp://www.ytdj.cn hxxp://www.laiba173.com
hxxp://www.wow1314.com hxxp://www.zgwow.com hxxp://www.1000wow.net hxxp://www.gowowsf.com
hxxp://www.wowsf.com hxxp://www.wxwow.com hxxp://520.xinwow.com hxxp://www.wowhelp.cn
hxxp://www.800wow.com hxxp://www.56wow.com hxxp://www.45wow.com hxxp://www.sfhao123.net
hxxp://www.sfgoogle.cn hxxp://www.45top.com hxxp://www.915mu.com hxxp://www.gm911.net
hxxp://www.4000mu.com hxxp://www.99musf.com hxxp://www.mu45.com hxxp://www.369mu.com
hxxp://www.525sf.com hxxp://www.2345w.com hxxp://www.3jsf.net hxxp://www.xxfsf.com
hxxp://www.521ee.com hxxp://www.997j.com hxxp://www.wz4f.net hxxp://www.hoxx2.com
hxxp://www.398q.com hxxp://www.xx1314.com hxxp://www.xx2sf.net hxxp://www.sifu114.com
hxxp://www.2z2.cn hxxp://www.haosf.com hxxp://www.cqsf999.com hxxp://www.zhaosf.com
hxxp://www.920666.com hxxp://www.450666.com hxxp://www.3000ok.com hxxp://www.3000ok.net
hxxp://www.sf001.com hxxp://www.92045.com hxxp://www.45bang.com hxxp://www.30ok.com
hxxp://www.sf123.com hxxp://www.sf920.com hxxp://www.99945.com hxxp://www.176sf.com
hxxp://www.mir2mir2.com hxxp://www.33520.com hxxp://www.xp13.com hxxp://www.45yes.com
hxxp://www.92095.com hxxp://www.17ww.com hxxp://www.4000sf.com hxxp://www.haouc.com
hxxp://www.921uc.com hxxp://17126.uc999.com hxxp://www.45pao.com hxxp://www.177g.com
hxxp://www.95217.com hxxp://www.2345sf.com

Main files created:

    debug.txt
    cj1.exe
    cj2.exe
    c:\~12qwe.exe
    c:\1.htm
    %SystemRoot%\system32\trks.dll

QQ.Ini appears to have been modified to point at hxxp://www.37ss.com/index20.htm.
Downloads hxxp://www.cj888.net/trkwks.dll and writes it to c:\trkwks.dll and to dllcache\Trkwks.dll.
Replaces the system file Trkwks.dll.

1. Case analysis

What this program mainly does is replace the system file Trkwks.dll, the Distributed Link Tracking Client. That DLL does not run as its own process: the TrkWks service is hosted by svchost.exe, which loads whatever the service's ServiceDll value names. The value looked like this:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters]
    "ServiceDll"="%SystemRoot%\system32\rkks.dll"

Information on the genuine file (taken from my own system as the reference):

    Filename          : C:\WINDOWS\system32\trkwks.dll
    File Size         : 90,624 bytes
    SHA-1             : A133A57BC40E380A6D9C434BF7C452E1619A8321
    MD5               : 91BEF237CAAA97ABF07FF235A7F2DA7F
    CRC-32            : C347ADF5
    Packer            : none
    Compiler          : Microsoft Visual C++

    Version Information
    ====================
    Operating System  : Windows NT, 32-bit Windows
    File Type         : Application
    File Sub-Type     : Unknown
    File Version      : 5,1,2600,2180
    Product Version   : 5,1,2600,2180
    ============================================================
    Product Name      : Microsoft® Windows® Operating System
    File Description  : Distributed Link Tracking Client
    File Version      : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Product Version   : 5.1.2600.2180
    Company Name      : Microsoft Corporation
    Internal Name     : trkwks.dll
    Legal Copyright   : © Microsoft Corporation. All rights reserved.
    Original FileName : trkwks.dll

The malicious file:

    File Size         : 91,853 bytes
    SHA-1             : AD15B02C282380E523C01114648C134390F746E4
    MD5               : A0481500214BF0483238BFC247FA9B6F
    CRC-32            : C781D72F
    Packer            : UPX 1.25
    Compiler          : Microsoft Visual Basic 5.0 / 6.0
    Version info      : none

The tells line up: a genuine Microsoft system DLL is built with Visual C++, is not packed and carries a complete version resource, while the replacement is a UPX-packed Visual Basic binary with no version information at all. The reference hashes above belong to the XP SP2 build 5.1.2600.2180; a different service pack or hotfix level ships a different legitimate trkwks.dll, so compare a suspect file against a clean machine at the same patch level (or the installation media) rather than against these numbers alone.

2. Restoring the system file (send it out the way it came in, heh)

  1. net stop TrkWks
  2. Terminate the ad1.exe and QQ processes.
  3. Turn off system file protection: sfc /cancel
  4. Replace the malicious Trkwks.dll with the genuine system file Trkwks.dll.
  5. Copy the following into Notepad and save it as TrkWks.reg:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
    "Description"="在计算机内 NTFS 文件之间保持链接或在网络域中的计算机之间保持链接。"
    "DisplayName"="Distributed Link Tracking Client"
    "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "ObjectName"="LocalSystem"
    "Start"=dword:00000002
    "Type"=dword:00000020

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      74,00,72,00,6b,00,77,00,6b,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
      05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
      02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Enum]
    "0"="Root\\LEGACY_TRKWKS\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

     (The Description value is the Chinese-locale string from the author's system; an English XP describes the same service as "Maintains links between NTFS files within a computer or across computers in a network domain." The hex(2) values decode to "%SystemRoot%\system32\svchost.exe -k netsvcs" for ImagePath and "%SystemRoot%\system32\trkwks.dll" for ServiceDll, and the hex(7) value is the single dependency "RpcSs".)

  6. Run TrkWks.reg once.
  7. Turn system file protection back on: sfc /enable
  8. Delete the files the malware created (several Trkwks.dll-like files may have been created at the same time; delete them all).

Two points to watch in steps 3 and 4. As the command list below says, sfc /cancel only cancels pending scans; it does not switch Windows File Protection off. What matters more is that the dropper also wrote its copy to dllcache\Trkwks.dll, which is exactly where WFP restores protected files from, so replace both %SystemRoot%\system32\trkwks.dll and %SystemRoot%\system32\dllcache\trkwks.dll with the genuine file and check the hash against the reference values above afterwards; otherwise WFP can put the malicious copy straight back. The steps above also leave the hosts file and QQ.Ini untouched, so restore those as well (the redirected entries are listed under the symptoms at the top).

===========================================

Appendix: SFC command switches

    SFC /SCANNOW      Scans all protected system files immediately.
    SFC /SCANONCE     Scans all protected system files once.
    SFC /SCANBOOT     Scans all protected system files at every boot.
    SFC /CANCEL       Cancels all pending scans of protected system files.
    SFC /QUIET        Replaces all incorrect file versions without prompting the user.
    SFC /ENABLE       Enables Windows File Protection for normal operation.
    SFC /PURGECACHE   Purges the file cache and scans all protected system files immediately.
    SFC /CACHESIZE=x  Sets the file cache size.
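The hosts-file indicator at the top of the article is a long list of domains all mapped to one address, 61.135.150.114. The following is an added example, not code from the original article, showing how to pick that pattern out of a hosts file and strip it: every mapping is parsed, non-loopback addresses that own three or more names (an assumed threshold) are reported as redirects, and a cleaned copy drops the lines pointing at them. SAMPLE_HOSTS is constructed from a few of the article's domains plus one assumed legitimate local override; it is not the real infected file.

```python
"""Audit a Windows hosts file for the mass redirect described above.

Added example, not code from the original article. The infected hosts file
mapped a long list of game-server domains to a single IP (61.135.150.114).
A clean hosts file holds a few loopback lines, so any non-loopback address that
owns many names is a redirect worth flagging, and the cleaned copy drops every
line that points at such an address. SAMPLE_HOSTS is constructed from a few of
the article's indicators plus one assumed legitimate override; it is not the
real file.
"""
from collections import defaultdict
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
61.135.150.114  www.8000qq.com
61.135.150.114  www.800f.net
61.135.150.114  www.haosf.com www.zhaosf.com   # several names on one line
61.135.150.114  www.sf123.com
192.168.1.10    intranet.example   # assumed legitimate local override
"""

# Assumption: three or more names on one non-loopback IP is treated as a redirect.
REDIRECT_THRESHOLD = 3


def _mapping(raw):
    """Return (ip, [names]) for a hosts line, or None for comments, blanks and junk."""
    line = raw.split('#', 1)[0].strip()
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    return str(ip), [name.lower() for name in parts[1:]]


def find_redirects(text, threshold=REDIRECT_THRESHOLD):
    """Map each suspicious IP to the sorted list of names it hijacks."""
    by_ip = defaultdict(set)
    for raw in text.splitlines():
        m = _mapping(raw)
        if m is None or ipaddress.ip_address(m[0]).is_loopback:
            continue
        by_ip[m[0]].update(m[1])
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


def clean_hosts(text, threshold=REDIRECT_THRESHOLD):
    """Return the hosts text with every line that maps to a flagged IP removed."""
    bad = set(find_redirects(text, threshold))
    kept = []
    for raw in text.splitlines():
        m = _mapping(raw)
        if m is not None and m[0] in bad:
            continue
        kept.append(raw)
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    for ip, names in find_redirects(SAMPLE_HOSTS).items():
        print('%s -> %d names, e.g. %s' % (ip, len(names), ', '.join(names[:3])))
    print(clean_hosts(SAMPLE_HOSTS))
```

On a live machine, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; the threshold is deliberately low because a stock XP hosts file contains only the localhost line, so even a handful of names on one outside address deserves a look.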
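The case analysis tells the genuine trkwks.dll from the trojan by size, SHA-1, MD5, CRC-32, packer and version information. The following is an added example, not code from the original article, that reproduces that triage: fingerprint() computes the same four values so a candidate can be compared with the article's two tables, and pe_section_names() walks the PE section table so a UPX-packed file (UPX0/UPX1 sections) or one with no .rsrc section, which therefore cannot carry version information, is flagged. Since the real binaries cannot be embedded here, build_fake_pe() constructs a bare PE header for demonstration; the reference hash tables are the values printed in the article.

```python
"""Triage a suspect trkwks.dll the way the article does: hashes, packer, version resource.

Added example, not code from the original article. fingerprint() produces the
size, SHA-1, MD5 and CRC-32 the article lists for the genuine XP SP2 file and
for the dropped trojan, so a candidate can be matched against either table.
pe_section_names() walks the PE section table: a UPX-packed file carries UPX0/UPX1
sections, and a file without a .rsrc section cannot carry version information
(the article notes the trojan has none). build_fake_pe() is a constructed test
input, not a real binary.
"""
import hashlib
import struct
import zlib

# Reference values copied from the article (XP SP2 build 5.1.2600.2180).
KNOWN_GOOD = {
    'size': 90624,
    'sha1': 'a133a57bc40e380a6d9c434bf7c452e1619a8321',
    'md5': '91bef237caaa97abf07ff235a7f2da7f',
    'crc32': 'c347adf5',
}
# The dropped trkwks.dll, also from the article.
KNOWN_BAD = {
    'size': 91853,
    'sha1': 'ad15b02c282380e523c01114648c134390f746e4',
    'md5': 'a0481500214bf0483238bfc247fa9b6f',
    'crc32': 'c781d72f',
}


def fingerprint(data):
    """Size plus lowercase hex SHA-1, MD5 and CRC-32, in the same shape as the tables above."""
    return {
        'size': len(data),
        'sha1': hashlib.sha1(data).hexdigest(),
        'md5': hashlib.md5(data).hexdigest(),
        'crc32': '%08x' % (zlib.crc32(data) & 0xffffffff),
    }


def pe_section_names(data):
    """Names from the PE section table, or [] when the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return []
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return []
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20 (from 'PE\0\0').
    nsections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        off = table + 40 * i           # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace'))
    return names


def triage(data):
    """Combine hash matching with the two structural tells the article relies on."""
    fp = fingerprint(data)
    names = pe_section_names(data)
    return {
        'fingerprint': fp,
        'matches_known_good': fp == KNOWN_GOOD,
        'matches_known_bad': fp == KNOWN_BAD,
        'upx_packed': any(n.startswith('UPX') for n in names),
        'has_rsrc_section': '.rsrc' in names,   # no .rsrc means no version info at all
    }


def build_fake_pe(section_names):
    """Constructed test input: a bare PE32 header with the given section names and no code."""
    dos = b'MZ' + b'\0' * (0x3c - 2) + struct.pack('<I', 0x40)   # e_lfanew = 0x40
    opt = b'\0' * 224                                              # PE32 optional header size
    file_hdr = struct.pack('<HHIIIHH', 0x14c, len(section_names), 0, 0, 0, len(opt), 0x2102)
    sections = b''.join(n.encode('ascii').ljust(8, b'\0') + b'\0' * 32 for n in section_names)
    return dos + b'PE\0\0' + file_hdr + opt + sections


if __name__ == '__main__':
    sample = build_fake_pe(['UPX0', 'UPX1', '.rsrc'])
    for key, value in triage(sample).items():
        print('%-20s %s' % (key, value))
```

Run triage() on the bytes of system32\trkwks.dll and of dllcache\trkwks.dll: matches_known_good confirms the SP2 reference file, matches_known_bad confirms this specific dropper, and a file that matches neither but is UPX-packed or has no resource section is not something Microsoft shipped and still needs replacing. A present .rsrc section is only a precondition for version information, so check the version resource itself when that is the deciding factor.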
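The TrkWks.reg file in the recovery steps stores ImagePath and ServiceDll as hex(2) (REG_EXPAND_SZ), DependOnService as hex(7) (REG_MULTI_SZ) and the service ACL as a raw self-relative SECURITY_DESCRIPTOR, none of which can be read by eye. The following is an added example, not code from the original article, that decodes them: it joins the backslash-continued lines, turns the UTF-16LE bytes back into strings, and walks the security descriptor so each ACE shows up as a SID and access mask. REG_TEXT holds the four hex values exactly as they appear in the article's TrkWks.reg; running it before importing the file confirms that ServiceDll points back at trkwks.dll and that the ACL grants nothing unexpected.

```python
"""Decode the hex values in the TrkWks.reg restore file so they can be checked before import.

Added example, not code from the original article. A .reg file stores
REG_EXPAND_SZ as hex(2) and REG_MULTI_SZ as hex(7), UTF-16LE bytes split over
backslash-continued lines, and the service's "Security" value is a raw
self-relative SECURITY_DESCRIPTOR. parse_reg_values() joins the continuation
lines and decodes the strings; parse_security_descriptor() walks the descriptor
so each ACE can be read as a SID and access mask. REG_TEXT holds the four hex
values exactly as they appear in the article's TrkWks.reg.
"""
import re
import struct

REG_TEXT = r'''
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,72,00,6b,00,77,00,6b,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
'''

VALUE_RE = re.compile(r'^"([^"]+)"=hex(?:\((\d+)\))?:([0-9a-fA-F,]+)$', re.M)


def parse_reg_values(text):
    """Return {name: (reg_type, bytes)}; bare 'hex:' is REG_BINARY (type 3)."""
    joined = re.sub(r'\\\r?\n\s*', '', text)      # glue backslash-continued lines
    values = {}
    for name, kind, hexbytes in VALUE_RE.findall(joined):
        data = bytes(int(b, 16) for b in hexbytes.split(','))
        values[name] = (int(kind) if kind else 3, data)
    return values


def decode_string(kind, data):
    """REG_SZ/REG_EXPAND_SZ -> str, REG_MULTI_SZ -> list of str, anything else -> raw bytes."""
    if kind in (1, 2):
        return data.decode('utf-16-le').rstrip('\x00')
    if kind == 7:
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return data


def parse_sid(buf, off):
    """Decode a binary SID at off into 'S-1-5-...' form; return (sid, next_offset)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, off + 8)
    return 'S-%d-%d' % (rev, authority) + ''.join('-%d' % s for s in subs), off + 8 + 4 * count


def parse_acl(buf, off):
    """ACL header (revision, sbz1, size, ace count, sbz2) followed by ACEs of variable size."""
    _, _, _, count, _ = struct.unpack_from('<BBHHH', buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from('<BBHI', buf, pos)
        aces.append({'type': ace_type, 'flags': ace_flags, 'mask': mask,
                     'sid': parse_sid(buf, pos + 8)[0]})
        pos += ace_size
    return aces


def parse_security_descriptor(buf):
    """Self-relative descriptor: revision, sbz1, control, then owner/group/SACL/DACL offsets."""
    _, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from('<BBHIIII', buf, 0)
    return {
        'control': control,
        'owner': parse_sid(buf, o_owner)[0] if o_owner else None,
        'group': parse_sid(buf, o_group)[0] if o_group else None,
        'sacl': parse_acl(buf, o_sacl) if (control & 0x10) and o_sacl else [],   # SE_SACL_PRESENT
        'dacl': parse_acl(buf, o_dacl) if (control & 0x04) and o_dacl else [],   # SE_DACL_PRESENT
    }


def audit_trkwks_reg(text=REG_TEXT):
    """Decode every value a responder should eyeball before importing the .reg file."""
    values = parse_reg_values(text)
    out = {name: decode_string(kind, data) for name, (kind, data) in values.items()}
    out['Security'] = parse_security_descriptor(values['Security'][1])
    return out


if __name__ == '__main__':
    result = audit_trkwks_reg()
    for key in ('DependOnService', 'ImagePath', 'ServiceDll'):
        print('%-16s %s' % (key, result[key]))
    for ace in result['Security']['dacl']:
        print('DACL ace type=%d mask=0x%08x %s' % (ace['type'], ace['mask'], ace['sid']))
```

Decoded, the article's descriptor is the stock XP service ACL: one failed-access audit ACE for Everyone (S-1-1-0) in the SACL, and a DACL granting Authenticated Users (S-1-5-11) and Power Users (S-1-5-32-547) query and start rights, Administrators (S-1-5-32-544) full control and SYSTEM (S-1-5-18) everything but change-permission, with SYSTEM as owner and group. The same decoder works on any other service key you need to compare against an export from a clean machine.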