文件名称:WinNt32.dll
文件大小:33,792 bytes
AV命名:Trojan.DL.Wigon.Gen.6
编写语言:VC++
文件MD5:9B2F70D0C4793164633D006B8145E8EA
病毒类型:后门
1.释放文件:
C:\Windows\System32\drivers\Afm74.sys 14,976 bytes
C:\Windows\System32\WinNt32.dll 10,240 bytes
2.添加启动项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32]
DLLName = "WinNt32.dll"
StartShell = "WLEventStartShell"
Impersonate = 0x00000000
Asynchronous = 0x00000000
ID = 0x00000016
每次开机注入Winlogon进程
3.修改注册表,保证安全模式也加载驱动:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Afm74.sys]
(Default) = "Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Afm74.sys]
(Default) = "Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AFM74\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Afm74"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AFM74\0000]
Service = "Afm74"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Afm74"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AFM74]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afm74\Enum]
0 = "Root\LEGACY_AFM74\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afm74\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afm74]
Type = 0x00000001
Start = 0x00000000
ErrorControl = 0x00000000
ImagePath = "%System%\Drivers\Afm74.sys"
Group = "SCSI Class"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Afm74]
Type = 0x00000001
Start = 0x00000000
ImagePath = "%System%\Drivers\Afm74.sys"
Group = "SCSI Class"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afm74.sys]
(Default) = "Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Afm74.sys]
(Default) = "Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFM74\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Afm74"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFM74\0000]
Service = "Afm74"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Afm74"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFM74]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afm74\Enum]
0 = "Root\LEGACY_AFM74\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afm74\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afm74]
Type = 0x00000001
Start = 0x00000000
ErrorControl = 0x00000000
ImagePath = "%System%\Drivers\Afm74.sys"
Group = "SCSI Class"
4.连接网络208.66.195.**尝试下载其他木马。
解决方法:
1、删除文件(如遇提示无法删除文件,到down.45its.com下载费尔木马强制删除器工具进行强制删除):
C:\Windows\System32\drivers\Afm74.sys 14,976 bytes
C:\Windows\System32\WinNt32.dll 10,240 bytes
2、查找删除注册表并删除有关于Afm74的项(开始菜单-运行-输入“regedit”进入注册表依次找到说明选项并按提示操作,详细的项见上文)!
3、重启计算机,升级杀毒软件,全盘扫描。