|
|
|||||||||||
|
|||||||||||||
| 当前位置: 电脑软硬件应用网 > 电脑学院 > 网络安全 > 正文 |
|
|||
| 通过MSN传播的img317.zip winsyshp.exe病毒的清除 | |||
| 2007-8-24 9:23:01 文/海色の月 出处:C.I.S.R.T | |||
|
病毒别名:Trojan.Win32.Agent.vrw(瑞星) 病毒大小:138,752 字节 样本MD5:5101877e880eae72419d17cef84ee9b9 样本SHA1:adf5fb136ab1d6e150d1162affcadeb9f648e917 传播方式:通过MSN传播 技术分析 ========== MSN蠕虫变种,带有伪装JPG图标,向MSN联系人发送欺骗文字消息和带毒压缩包,当联系人接收并打开带毒压缩包中的病毒文件时系统受到感染。 病毒运行后在系统目录生成包含自身的带毒ZIP压缩包: %Windows%\img317.zip 其中包含病毒文件名为:img317.jpg-www.imagehosting.com 创建副本: %Windows%\winsyshp.exe 创建启动项: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Microsoft Visual Application"="winsyshp.exe" 使用批处理c:\a.bat停止“安全中心”和“WINVNC”服务: @echo off net stop "Security Center" net stop winvnc4 del c:\a.bat 向MSN联系人发送以下文字,同时发送带毒压缩包imgac157.zip: Why is this picture blurry? Look @ my new car? Where did you find this picture? why did you show me this picture? look at my baby picture Did you see this? Where is this picture taken? Did you take this picture? you drunk 2 much in this picture Why are you naked in this picture? look @ this accept this picture hey, mom my just told me 2 show this 2 you 尝试连接远程IRC:pwn.basecore.info 清除步骤 ========== 1. 删除病毒创建的启动项(开始菜单-运行-输入“regedit”进入注册表依次找到说明选项并按提示操作): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Microsoft Visual Application"="winsyshp.exe"
PS:其它变种也可以同上对比解决。 |
|||
| 关于45IT | About 45IT | 联系方式 | 版权声明 | 网站导航 | |
|
Copyright © 2003-2011 45IT. All Rights Reserved 浙ICP备09049068号 |
