|
病毒名称:msime.exe:Trojan-PSW.Win32.Lmir.ate(AVP) winmer.exe:N/A(AVP) 病毒别名: 病毒大小:20,361 字节 (msime.exe) 9,525 字节 (winmer.exe) 加壳方式:FSG 样本MD5:c915639c0723393318873341abfc3a5c (msime.exe) 0d30b166735c6c7a7acf3adbbd716378 (winmer.exe) 发现时间:2006.4 更新时间:2006.6.4前 关联病毒: 传播方式:通过恶意网站传播,其它病毒下载 //本文来自电脑软硬件应用网www.45its.com 技术分析 ========== 病毒运行后复制自身到: %Windows%\update.exe 并创建启动项: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry"="%Windows%\update.exe" 尝试访问网络下载并运行木马程序: http://www.6ydy.com/down/muma.exe 下载后保存为: %Windows%\cq.exe cq.exe尝试下载: http://www.6ydy.com/1/host.txt host.txt用于覆盖系统HOSTS文件,里面的重定向信息是: [code]127.0.0.1 localhost 218.85.132.38 www.bastong.com 218.85.132.38 cool889987.bigwww.com 127.0.0.1 www.3721see.com 218.85.132.38 ert0003.e76.163ns.com 218.85.132.38 www.mir5173.com 218.85.132.38 www.se911.com[/code] 尝试下载并运行: http://www.6ydy.com/1/muma.exe 下载后保存为: %System%\msime.exe msime.exe创建启动项: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] "KernelFaultCheck"="%System%\msime.exe" 设置注册表信息: [HKEY_LOCAL_MACHINE\SOFTWARE\MSkysoft] 下载并运行: http://www.3721see.com/Run.exe 保存为: %System%\winmer.exe winmer.exe创建启动项: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] "KernelCheck"="%System%\winmer.exe" 设置关机脚本: %System%\GroupPolicy\Machine\Scripts\scripts.ini scripts.ini内容为: [code][Shutdown] 0CmdLine=%System%\winmer.exe 0Parameters=AVP[/code] 创建配置文件: %Windows%\vbarun.dll 设置注册表信息: [HKEY_LOCAL_MACHINE\SOFTWARE\wSkysoft] 病毒在第一次运行时会尝试结束一些安全相关软件的进程: apvxdwin.exe assistse.exe avengine.exe avp.exe ccapp.exe ccenter.exe ccevtmgr.exe ccsetmgr.exe defwatch.exe filmsg.exe frogagent.exe fygtcleaner.exe iparmor.exe isafe.exe kav.exe kavpfw.exe kavstart.exe kavsvc.exe kmailmon.exe kpfwsvc.exe kregex.exe kvmonxp.kxp kvsrvxp.exe kvxp.kxp kwatch.exe mantispm.exe mcshield.exe mcvsescn.exe mcdetect.exe mcmnhdlr.exe pavsrv51.exe pccguide.exe pcclient.exe pcctlcom.exe psimsvc.exe pavprsrv.exe pavprsrv.exe ravmond.exe ravmon.exe rfwmain.exe rfwsrv.exe rtvscan.exe srvload.exe tmpfw.exe tmproxy.exe tmntsrv.exe tpsrv.exe trojanwall.exe trojdie.kxp vsmon.exe webproxy.exe xfilter.exe zlclient.exe 删除安全软件的服务信息: AVP CAISafe kavsvc KPfwSvc KVSrvXP KVWSC KWatchSvc McTskshd.exe McDetect.exe PAVFNSVR PavPrSrv PAVSRV PcCtlCom pmshellsrv PNMSRV PSIMSVC RfwService RsCCenter Tmntsrv TmPfw tmproxy TPSrv vsmon 关闭窗口: Jiangmin Registry Monitor Ex KVXP_Monitor 清除步骤 ========== 1. 结束病毒进程: %System%\msime.exe %System%\winmer.exe 2. 删除病毒文件: %Windows%\cq.exe %Windows%\update.exe %Windows%\vbarun.dll %System%\msime.exe %System%\winmer.exe 3. 删除启动项: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] "KernelFaultCheck"="%System%\msime.exe" "KernelCheck"="%System%\winmer.exe" 4. 删除关机脚本: %System%\GroupPolicy\Machine\Scripts\scripts.ini 也可以从“开始”>>“运行”,输入“gpedit.msc”,打开“组策略”编辑器,依次到“计算机配置”>>“Windows 设置”>>“脚本(启动/关闭)”,双击右边框里“关机”,打开“关机属性”,删除里面的关机脚本。 5. 恢复被修改的HOSTS文件,删除被添加的信息: 218.85.132.38 www.bastong.com 218.85.132.38 cool889987.bigwww.com 127.0.0.1 www.3721see.com 218.85.132.38 ert0003.e76.163ns.com 218.85.132.38 www.mir5173.com 218.85.132.38 www.se911.com 6. 删除其它注册表信息: [HKEY_LOCAL_MACHINE\SOFTWARE\MSkysoft] [HKEY_LOCAL_MACHINE\SOFTWARE\wSkysoft] 7. 修复或重新安装被破坏的安全软件 |