电脑软硬件应用网
Brief analysis and removal of the Ghost.pif virus
2007-5-30 9:04:15  By 清新阳光   Source: web blog

Virus characteristics:
1. Spreads via USB flash drives
2. Trojan downloader

File: Ghost.pif
Size: 19527 bytes
MD5: 32C89902E912757B30C648C2AFAB2E3A
SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268
CRC32: 49BA1E56

After execution it creates the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

Registry operations

Deletes:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}

Adds:
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
The ShellExecuteHooks entry points to C:\Program Files\Internet Explorer\romdrivers.dll

Uses the Explorer process to connect to the network and download trojans from:
http://XXa.us/oKK/TestOKK.exe
http://XXa.us/oKK/smss.exe
http://XXa.us/Sign/csrss.exe
http://XXa.us/Sign/svchost32.exe
http://XXa.us/Sign/smss.exe
http://XXa.us/Sign/services.exe
http://XXa.us/Sign/svchost.exe
http://XXa.us/Sign/conime.exe
http://XXa.us/Sign/ctfmon.exe
http://XXa.us/Sign/mmc.exe
http://XXa.us/Sign/IEXPLORE.EXE
http://XXa.us/Sign/stpgldk.exe
http://XXa.us/Sign/srogm.exe
http://XXa.us/Sign/spglsdr.exe
http://XXa.us/Sign/copypfh.exe

into the temporary folder. Each trojan then adds its own startup entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe"


Creates HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer
and adds the following values under it:
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7y7: "v1.9"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\Me: "1.28"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\1: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\2: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\3: "2.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\4: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\5: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\6: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\8: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\9: "2.95"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\10: "1.93"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\11: "1.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\12: "1.86"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\13: "1.6"
The values under ver are the version numbers of the individual trojans, used as a reference when the trojans check for updates.

Removal method:

In Safe Mode:

1. Use IceSword (冰刃) to delete the following files (IceSword can be downloaded from down.45its.com):

C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

2. Use SREng to delete startup entries like the following (SREng can be downloaded from down.45its.com):

     <wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe>   []
     <fysa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe>   []
     <wlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe>   []
     <wgsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe>   []
     <qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe>   []
     <wdsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe>   []
     <tlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe>   []
     <dasa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe>   []

3. Empty the temporary folder.
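The three removal steps above can be checked and carried out from one script. The PowerShell below is an added example, not part of the original article or of IceSword/SREng: it audits a host for the file paths, CLSID keys, ShellExecuteHooks value, Run entries and per-user SetVer key listed in the analysis, reports what it finds, and deletes them only when run with -Remove. All indicators are taken from the article; two things are assumptions of this example: that the dropped svchost.exe may be a copy of Ghost.pif (so its MD5 is compared against the article's hash, and a non-match is reported rather than treated as clean), and that any Run entry launching from a Temp folder is worth flagging in addition to the eight listed names.

```powershell
# Added example (not from the original article): audit a Windows host for the
# Ghost.pif indicators described above and optionally remove them. Run elevated,
# and in Safe Mode when using -Remove, as the article recommends.
param([switch]$Remove)

# Dropped files, from the article ($env:ProgramFiles generalises "C:\Program Files").
$DroppedFiles = @(
    "$env:ProgramFiles\Common Files\Microsoft Shared\MSInfo\svchost.exe",
    "$env:ProgramFiles\Internet Explorer\romdrivers.bak",
    "$env:ProgramFiles\Internet Explorer\romdrivers.bkk",
    "$env:ProgramFiles\Internet Explorer\romdrivers.dll"
)
$KnownMd5 = '32C89902E912757B30C648C2AFAB2E3A'   # MD5 of Ghost.pif, from the article

# Registry artefacts created by the dropper (from the article).
$ClsidKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}',
    'HKLM:\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}'
)
$HookKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$HookValue = '{0CB68AD9-FF66-3E63-636B-B693E62F6236}'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunNames  = 'wosa','fysa','wlsa','wgsa','qjsa','wdsa','tlsa','dasa'

$findings = @()

# 1. Dropped files: report presence and hash; assumption: a hash equal to
#    Ghost.pif's MD5 is a strong confirmation, a different hash is still reported.
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $note = if ($md5 -eq $KnownMd5) { 'matches Ghost.pif MD5' } else { "MD5 $md5" }
        $findings += "FILE  $f ($note)"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 2a. COM registrations that point Explorer at romdrivers.dll.
foreach ($k in $ClsidKeys) {
    if (Test-Path -LiteralPath $k) {
        $srv = (Get-ItemProperty -LiteralPath "$k\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
        $findings += "CLSID $k -> $srv"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

# 2b. The ShellExecuteHooks value is what loads the DLL into Explorer.
$hook = Get-ItemProperty -LiteralPath $HookKey -ErrorAction SilentlyContinue
if ($hook -and ($hook.PSObject.Properties.Name -contains $HookValue)) {
    $findings += "HOOK  $HookKey\$HookValue"
    if ($Remove) { Remove-ItemProperty -LiteralPath $HookKey -Name $HookValue -Force }
}

# 2c. Run entries: the listed names, plus (assumption) anything launched from a Temp folder.
$run = Get-ItemProperty -LiteralPath $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PowerShell provider metadata
        $suspicious = ($RunNames -contains $p.Name) -or ($p.Value -match '\\Temp\\')
        if ($suspicious) {
            $findings += "RUN   $($p.Name) = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -LiteralPath $RunKey -Name $p.Name -Force }
        }
    }
}

# 2d. Per-user SetVer key (the trojans' version table); check every loaded user hive.
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS').PSChildName) {
    $setVer = "Registry::HKEY_USERS\$sid\Software\SetVer"
    if (Test-Path -LiteralPath $setVer) {
        $findings += "USER  $setVer"
        if ($Remove) { Remove-Item -LiteralPath $setVer -Recurse -Force }
    }
}

if ($findings.Count -eq 0) {
    'No Ghost.pif indicators found.'
} else {
    $findings
    if (-not $Remove) { 'Re-run with -Remove (elevated, in Safe Mode) to delete the items above.' }
}
```

Run it once without -Remove to get the report, and only then with -Remove. Step 3 of the article (emptying the temporary folder) is deliberately left as a manual step, since the downloaded executables are the only Temp files the article names. The script also does not restore the ShellExecuteHooks entry the dropper deletes; the article records the deletion but not the value's original content.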
