Sample submitted by a forum user; Rising detects it as Worm.Win32.AvKiller.bm
File: oyo.exe  Size: 430080 bytes  MD5: 2C068E6CC68ABAC97FB2011313A0AF36  SHA1: CC3E94456CE02B8A1DEF89D4296F0B4DBA15794F  CRC32: 5D3156A8
1. Files created: %system32%\oyo.exe, plus autorun.inf and oyo.exe in the root of every partition.
After running, it uses a cmd command to open the drive the virus was launched from: cmd.exe /c explorer X:\ (by default cmd.exe /c explorer C:\)
2. Registry changes: creates a startup entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Modifies [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000000, which breaks the "Show hidden files" option
Deletes the following keys; removing the SafeBoot\Minimal entries breaks Safe Mode (repaired in the cleanup steps below):
  HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  HKU\S-1-5-21-448539723-1580436667-725345543-1003
IFEO image hijacking of several security tools, redirecting them to the virus file. A key is created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ for each of the following names:
  360Safe.com, 360Safe.exe, 360tray.exe, avp.com, avp.exe, CCenter.exe, IceSword.com, IceSword.exe, KAV32.exe, KAVPFW.exe, KVScan.kxp, KWatch.exe, MagicSet.exe, msconfig.exe, nod32.exe, nod32krn.exe, nod32kui.exe, rav.exe, RavMon.exe, RavMonD.exe, RavTask.exe, runiep.exe
3. Infection behavior: infects .exe and .scr files in every directory except WINDOWS, WINNT and COMMON FILES.
The infection method is a file-head parasite: 430080 bytes are inserted at the beginning of each infected file.
Cleanup: download sreng2.zip and IceSword120_cn.zip (hereafter IceSword) from down.45its.com
1. Rename IceSword.exe (its original name is IFEO-hijacked), open IceSword, and end the oyo.exe process.
Click the "File" button at the bottom left and delete %system32%\oyo.exe as well as the autorun.inf and oyo.exe in the root of every partition.
2. Open SREng, go to Startup Items > Registry, and delete the entry [] under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete all IFEO entries shown in red.
In SREng: System Repair > Advanced Repair > Repair Safe Mode
In SREng: System Repair > Windows shell/IE > check "Show hidden files" > Repair
3. Use antivirus software to repair the infected .exe files (at the time of writing none is able to repair them).
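As an added example (not from the original post or from any tool named in it), a Python triage script for the head-parasite infection described above: it flags .exe/.scr files whose first 430080 bytes hash to the MD5 of oyo.exe and can strip that prefix to recover the host. It assumes the prepended block is the dropper body itself and that the host is stored unmodified after it; neither is stated in the report, so verify recovered files before trusting them.

```python
import hashlib
import os
from pathlib import Path

# From the report: the dropped file is 430080 bytes and the same number of
# bytes is inserted at the head of each infected .exe/.scr.
PARASITE_SIZE = 430080
OYO_MD5 = "2c068e6cc68abac97fb2011313a0af36"  # MD5 of oyo.exe from the report


def is_infected(path, parasite_md5=OYO_MD5, size=PARASITE_SIZE):
    """True if the file's first `size` bytes hash to the parasite MD5.

    ASSUMPTION (not stated on the page): the prepended block is the dropper
    body itself, so its MD5 equals that of oyo.exe. Pass a different
    parasite_md5 if the block in your sample differs.
    """
    p = Path(path)
    if p.stat().st_size <= size:
        return False  # too small to hold parasite + host
    with p.open("rb") as f:
        head = f.read(size)
    return hashlib.md5(head).hexdigest() == parasite_md5


def scan_tree(root, parasite_md5=OYO_MD5, size=PARASITE_SIZE):
    """Walk a tree and return infected .exe/.scr paths (the worm's targets)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".scr")):
                full = os.path.join(dirpath, name)
                try:
                    if is_infected(full, parasite_md5, size):
                        hits.append(full)
                except OSError:
                    pass  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def recover_host(infected, out, size=PARASITE_SIZE):
    """Write everything after the parasite block to `out`; return its size.

    ASSUMPTION: the host is stored unmodified after the prepended block, as a
    pure head-parasite would imply. Check the PE header and, where possible,
    compare against a clean copy before trusting the result.
    """
    with open(infected, "rb") as src, open(out, "wb") as dst:
        src.seek(size)
        dst.write(src.read())
    return os.path.getsize(out)
```

Run `scan_tree("C:\\")` (or any partition root) to list candidates; `recover_host` is deliberately separate so nothing is rewritten in place.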