Characteristics of the virus: 1. Spreads via USB flash drives 2. Trojan downloader
File: Ghost.pif Size: 19527 bytes MD5: 32C89902E912757B30C648C2AFAB2E3A SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268 CRC32: 49BA1E56
After running, it creates the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll
Registry operations: deletes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
Adds the following entries:
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
The ShellExecuteHooks entry points to C:\Program Files\Internet Explorer\romdrivers.dll.
It uses the Explorer process to connect to the network and download trojans from the following URLs into the temp folder:
http://XXa.us/oKK/TestOKK.exe
http://XXa.us/oKK/smss.exe
http://XXa.us/Sign/csrss.exe
http://XXa.us/Sign/svchost32.exe
http://XXa.us/Sign/smss.exe
http://XXa.us/Sign/services.exe
http://XXa.us/Sign/svchost.exe
http://XXa.us/Sign/conime.exe
http://XXa.us/Sign/ctfmon.exe
http://XXa.us/Sign/mmc.exe
http://XXa.us/Sign/IEXPLORE.EXE
http://XXa.us/Sign/stpgldk.exe
http://XXa.us/Sign/srogm.exe
http://XXa.us/Sign/spglsdr.exe
http://XXa.us/Sign/copypfh.exe
Each trojan adds its own startup entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe"
It creates HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer and adds the following values under it:
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7y7: "v1.9"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\Me: "1.28"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\1: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\2: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\3: "2.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\4: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\5: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\6: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\8: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\9: "2.95"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\10: "1.93"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\11: "1.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\12: "1.86"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\13: "1.6"
The values under "ver" are the version numbers of the individual trojans; the downloader compares against them when deciding which trojans to update.
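The two persistence mechanisms described above (Run values that launch executables out of a Temp folder, and a ShellExecuteHooks CLSID whose InProcServer32 DLL lives outside %SystemRoot%\system32) can be spotted in a registry export without running anything on the infected box. The script below is an added example and is not part of the original write-up: it parses a .reg-format text export and flags both patterns. The sample export is constructed from the keys listed in the analysis; the shell32.dll entry for the {AEB6717E-...} CLSID is an assumed, legitimate-looking contrast entry, not a claim about that system. Only REG_SZ values (the "name"="data" and @="data" forms) are parsed, which is all this check needs.

```python
"""Added example: flag the persistence entries this downloader leaves behind,
working from a .reg text export rather than the live registry."""
import re

# Constructed sample of a .reg export, mirroring the entries listed in the
# analysis. The shell32.dll line for {AEB6717E-...} is an assumed benign entry
# included only so the hook check has something legitimate to pass.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wosa"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\woso.exe"
"fysa"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\fyso.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32]
@="C:\\Program Files\\Internet Explorer\\romdrivers.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0CB68AD9-FF66-3E63-636B-B693E62F6236}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
HOOKS_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
             r'\Explorer\ShellExecuteHooks')
CLSID_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

# "name"="data" or @="data"; .reg files escape backslashes and quotes in data.
VALUE_RE = re.compile(r'^(?:@|"(.*?)(?<!\\)")="(.*)"$')


def unescape(s):
    """Undo the .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value has name ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = unescape(m.group(1)) if m.group(1) is not None else ''
            keys[current][name] = unescape(m.group(2))
    return keys


def suspicious_run_entries(keys):
    """Run values whose command line points into a Temp directory."""
    return [(name, cmd) for name, cmd in keys.get(RUN_KEY, {}).items()
            if re.search(r'\\temp\\', cmd, re.IGNORECASE)]


def suspicious_shell_hooks(keys):
    """ShellExecuteHooks CLSIDs whose in-process server is not under system32.

    Every hook DLL is loaded into Explorer, so anything outside
    %SystemRoot%\\system32 deserves a look. A missing InProcServer32 key
    yields an empty path and is flagged as well."""
    hits = []
    for clsid in keys.get(HOOKS_KEY, {}):
        server = keys.get(CLSID_ROOT + '\\' + clsid + r'\InProcServer32', {}).get('', '')
        if not re.match(r'^(%SystemRoot%|[A-Z]:\\(WINDOWS|WINNT))\\system32\\',
                        server, re.IGNORECASE):
            hits.append((clsid, server))
    return hits


def scan(text):
    """Convenience wrapper returning both finding lists for one export."""
    keys = parse_reg(text)
    return suspicious_run_entries(keys), suspicious_shell_hooks(keys)


if __name__ == '__main__':
    runs, hooks = scan(SAMPLE_REG)
    for name, cmd in runs:
        print(f'Run value launching from Temp: {name} -> {cmd}')
    for clsid, dll in hooks:
        print(f'ShellExecuteHook outside system32: {clsid} -> {dll}')
```

On a real machine, export the two branches with `reg export` first and feed the file's text to `scan()`; the script deliberately never touches the live registry, so it can be run on an export copied off the infected system.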
Removal method:
In Safe Mode:
1. Use IceSword (downloadable from down.45its.com) to delete the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll
2. Use SREng (downloadable from down.45its.com) to delete startup entries like the following:
<wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe> []
<fysa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe> []
<wlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe> []
<qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe> []
<wdsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe> []
3. Empty the temp folder