45IT.COM- 电脑学习从此开始!
RSS订阅 设为首页 加入收藏
DIY硬件教程攒机经验装机配置
设计Photoshop网页设计特效
系统注册表DOS系统命令其它
存储主板显卡外设键鼠内存
维修显卡CPU内存打印机
WinXPVistaWin7unix/linux
CPU光驱电源/散热显示器其它
修技主板硬盘键鼠显示器光驱
办公ExcelWordPowerPointWPS
编程数据库CSS脚本PHP
网络局域网QQ服务器
软件网络系统图像安全

搜索

页面导航: 首页 > 电脑学院 > 网络安全 >

简要分析解决Ghost.pif病毒

电脑软硬件应用网 45IT.COM 时间:2007-05-30 09:04 作者:清新阳光

病毒特点:
1.通过U盘传播
2.木马下载器

File: Ghost.pif
Size: 19527 bytes
MD5: 32C89902E912757B30C648C2AFAB2E3A
SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268
CRC32: 49BA1E56

运行后
生成
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

注册表操作
删除HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}

增加HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""
指向C:\Program Files\Internet Explorer\romdrivers.dll

使用Explorer进程 连接网络 下载木马
http://XXa.us/oKK/TestOKK.exe
http://XXa.us/oKK/smss.exe
http://XXa.us/Sign/csrss.exe
http://XXa.us/Sign/svchost32.exe
http://XXa.us/Sign/smss.exe
http://XXa.us/Sign/services.exe
http://XXa.us/Sign/svchost.exe
http://XXa.us/Sign/conime.exe
http://XXa.us/Sign/ctfmon.exe
http://XXa.us/Sign/mmc.exe
http://XXa.us/Sign/IEXPLORE.EXE
http://XXa.us/Sign/stpgldk.exe
http://XXa.us/Sign/srogm.exe
http://XXa.us/Sign/spglsdr.exe
http://XXa.us/Sign/copypfh.exe

到临时文件夹
各个木马分别在HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\下面添加自己的启动项目
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe"


创建HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer
分别在其下面增加值
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7y7: "v1.9"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\Me: "1.28"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\1: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\2: "2.92"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\3: "2.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\4: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\5: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\6: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\7: "2.91"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\8: "2.8"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\9: "2.95"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\10: "1.93"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\11: "1.96"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\12: "1.86"
HKU\S-1-5-21-1085031214-1078145449-839522115-500\Software\SetVer\ver\13: "1.6"
后面ver对应的值为各个木马的版本 以便木马更新对照更新使用

清除方法:

安全模式下

1.使用冰刃 删除以下文件(可到down.45it.com下载)

C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

2.sreng删除类似(可到down.45it.com下载)

     <wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe>   []
     <fysa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fyso.exe>   []
     <wlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe>   []
     <wgsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe>   []
     <qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe>   []
     <wdsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe>   []
     <tlsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe>   []
     <dasa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\daso.exe>   []的启动项目

3.清空临时文件夹
顶一下
(0)
0%
踩一下
(0)
0%
------分隔线----------------------------
无法在这个位置找到: baidushare.htm
发表评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
表情:
验证码:点击我更换图片
最新评论 进入详细评论页>>
你可能感兴趣的文章
推荐知识
热点知识

关于45IT | About 45IT | 联系方式 | 版权声明 | 网站导航 |

Copyright © 2006-2012 45IT. All Rights Reserved 浙ICP备09049068号