Virus name: Virus.Win32.AutoRun.bj
Virus type: QQ tail (QQ尾巴, a worm that spams links through QQ chat)
Packer: N/A
Language: Microsoft Visual Basic 5.0 / 6.0
Behaviour: the virus downloads a text file from h**p://www.sql2000server.cn/V-FILES/update_sendtext1.txt and sends its contents as chat messages to the victim's QQ contacts.

Signature information (the downloaded lure text; messages are separated by @@@ and trailing fields by |||):
    Check out my online friend from Hangzhou: fair skin, great figure. I want her to be my girlfriend, what do you suggest? Her video: h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=2
    @@@
    What a surprise: our friend Xiao Liu was arrested for running a porn site, it looks like he will be sentenced, and a lot of media have reported on it. Go watch the video report: h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=1
    @@@
    Hi, do me a quick favour: open this URL and then click any one of the links below it, h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=URL-movies.htm. I'll tell you why later, many thanks.
    @@@
    Just found it: super exciting ** movies, extremely fast, one month free, h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=URL-free-movies.htm
    ||| h**p://www.sql2000server.cn/v-files/ALEXA.ASP?q=1 ||| 1.00 ||| 8 [OK-OK]
Registry keys added: 8
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\UsbFlags\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\*PNP0501
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares\o
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WS2IFSL\E
Registry keys deleted: 6
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\H
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\H
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\H
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\L
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WS2IFSL\
Registry values added: 3
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
        "" Type: REG_SZ Data: VM1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        "Akica" Type: REG_SZ Data: %windir%\system32\Akica.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
        "cacom" Type: REG_SZ Data: %windir%\cacom.exe
Registry values modified: 5
    HKEY_CURRENT_USER\SessionInformation
        "ProgramCount" Old type: REG_DWORD New type: REG_DWORD
        Old data: 02, 00, 00, 00
        New data: 03, 00, 00, 00
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
        "SavedLegacySettings" Old type: REG_BINARY New type: REG_BINARY
        Old data: 3C, 00, 00, 00, B0, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 05, 00, 00, 00, 6C, 6F, 63, 61, 6C, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 40, 03, 87, 3F, 92, A0, C6, 01, 01, 00, 00, 00, C0, A8, 9F, 80, 00, 00, 00, 00, 00, 00, 00, 00
        New data: 3C, 00, 00, 00, B1, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 05, 00, 00, 00, 6C, 6F, 63, 61, 6C, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 40, 03, 87, 3F, 92, A0, C6, 01, 01, 00, 00, 00, C0, A8, 9F, 80, 00, 00, 00, 00, 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
        "Seed" Old type: REG_BINARY New type: REG_BINARY
        Old data: 8C, 31, 5C, 0A, 24, 76, 89, EF, 5A, 57, 1E, BC, 54, B5, 98, DC, 1A, 45, BB, A1, 00, F5, 75, EB, 84, 55, D0, 8B, 2C, 4B, B3, 63, 8C, A4, 63, 33, 76, 32, D1, 90, 84, 14, 1E, 79, 57, 4F, 18, 29, 6B, 90, A6, 8A, 02, AB, 77, 78, 46, 42, EA, B8, A4, 9E, 87, 8D, 65, ED, A3, 6C, 68, 3E, 3E, AA, E1, 99, 42, 14, F1, 86, 33, 3E
        New data: DE, 91, 29, 45, 1D, F0, 9C, 60, A3, C5, 6E, 82, 1F, 8B, 1C, 3C, 7F, 0D, 91, 19, AB, BB, 12, A5, F9, 2A, 16, C3, 73, 79, 7C, B1, 90, 35, C8, 87, 27, F8, 4A, 5E, 42, BC, 30, D1, 08, FD, A9, 7C, E3, 39, CD, 36, E5, EB, F0, 34, C3, DA, 86, 40, BB, B2, 3D, 1B, 9E, 39, D8, 8F, 37, 1C, 88, BF, 72, 37, 55, 74, AB, 32, 76, A7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\0BEC468B1F48FC68ADF8AD51FBB60848E5A118AC
        "Blob" Old type: REG_BINARY New type: REG_BINARY
        Old data: (data too large: 1533 bytes)
        New data: (data too large: 1533 bytes)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher
        "TracesProcessed" Old type: REG_DWORD New type: REG_DWORD
        Old data: 14, 00, 00, 00
        New data: 15, 00, 00, 00
Virus files created: 8
    %userprofile%\Local Settings\Temporary Internet Files\Content.IE5\8RSTUDWF\update_sendtext1[1].txt  Size: 664 bytes
    %windir%\cacom.exe  Size: 36,864 bytes
    %windir%\system32\Akica.exe  Size: 36,864 bytes
    %windir%\system32\sol.EXE  Size: 36,864 bytes
    %windir%\system32\dllcache\sol.EXE  Size: 36,864 bytes
    %windir%\Temp\cch~11e74b516.htp  Size: 8,192 bytes
    %windir%\Temp\cch~11e74bf2f.htp  Size: 8,192 bytes
Solution: delete the registry entries added above and the generated files. To open the registry: [Start] --> [Run] --> type [regedit] --> the Registry Editor opens. If a file cannot be deleted manually, download the 费尔 (Filseclab) Trojan forced-deletion tool from down.45it.com and delete the file with the "suppress" (抑制) option selected.