File: joxch.dll
Size: 46402 bytes
Modified: 2007-11-03 19:29:40
MD5: 3DADA7B474F73E3AE678E5703702DED2
SHA1: 70B12CEE9C970C304816B2A540A0C8C6FE1A79A3
CRC32: 43E49F82
AV name: Trojan.Win32.Agent.ckw (Kaspersky)
Technical details:
1. The sample is a DLL. Once loaded through rundll32 it drops a copy of itself as %systemroot%\system32\wk.rft (still a DLL despite the document-like extension), looks up the QQ installation folder in the registry, and drops a q.dll into that folder.
2. Adds the value DisableCMD (spelled "Disabecmd" in the original report) with data 0x00000001 under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System. This is the Group Policy setting that disables the command prompt for the user.
3. Registers the dropped copy as an in-process COM server so that it is loaded at startup:
HKLM\SOFTWARE\Classes\CLSID\{19191919-9191-6e6e-2a2a-919191919191}\InprocServer32\(Default) = "%systemroot%\system32\wk.rft"
The InprocServer32 value only tells COM where to find the DLL; the load itself happens when something that runs at logon instantiates this CLSID (the report does not say what), so expect a reference to the CLSID elsewhere in the registry.
4. Creates the subkey yh under HKLM\SOFTWARE\ and stores the trojan's version information in it.
5. Watches for the following processes and blocks the following DLLs from loading; whenever one is found it is terminated immediately and its file deleted:
mmskskin.dll, KKClean.dll, VirUnk.def, AntiActi.dll, Rsaupd.exe, Iereset.dll, Libclsid.dat, KNetWch.SYS, CleanHis.dll, WoptiClean.sys, kakalib.def, libdll.dat, kkinst.ini, KASearch.DLL, KAVBootC.sys, Ras.exe, iehelp.exe, trojandetector.exe, KAConfig.DLL, KAVPassp.DLL, hsfw.dll, wopticlean
It also enumerates child windows looking for the following strings and, on a match, terminates the owning process and deletes its file:
Smallforgs, Kingsoft Antivirus, Kingsoft Antispyware, TrojanDetector, Duba, Micropoint
The "deleted" files are not destroyed outright: they are moved to the %temp% folder and renamed _*.TMP, so copies may still be recoverable from there.
6. Modifies the hosts file to cut off common security sites, as well as some large portals and search engines and some malware-hosting sites. The entries do not point at the loopback address but at three outside addresses (61.152.244.167, 222.73.126.115 and 222.73.210.148), so requests are redirected rather than simply failing; 222.73.126.115 is used for the vendors' update servers:
61.152.244.167 search.114.vnet.cn
61.152.244.167 keyword.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 search.msn.com
61.152.244.167 cnweb.search.live.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 bbs.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 zhuansha.duba.net
61.152.244.167 cu003.www.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
61.152.244.167 www.qihoo.com
222.73.126.115 dnl-cn1.kaspersky-labs.com (and all the other Kaspersky update hosts)
61.152.244.167 ishare.sina.com.cn
61.152.244.167 search.cn.yahoo.com
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 search.tom.com
61.152.244.167 page.so.163.com
61.152.244.167 www.soso.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
7. "Thieves robbing thieves": deletes the load entries used by some other common trojans:
HKLM\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
HKLM\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
HKLM\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
Note that these are the CLSIDs Windows Script Host registers for its WScript.Network and WScript.Shell objects. Deleting the whole keys removes whatever another trojan planted there, but it also breaks legitimate scripts that use those objects until wshom.ocx is re-registered.
8. Connects to the network to download further DLL trojans (not observed during testing).
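The registry artifacts in items 2 to 4 can be checked from an offline export (for example `reg export "HKLM\SOFTWARE\Classes\CLSID" clsid.reg`) instead of by browsing regedit by hand. The Python script below is an added example, not code from the original report: it parses the .reg text format and flags the documented keys, and it goes one step beyond the report by flagging any InprocServer32 entry whose server file does not carry a library extension, because COM loads whatever PE file the value names regardless of its extension, which is exactly why the dropped copy can be called wk.rft. The .reg text embedded in the script is constructed for the demo; only the key names and values come from the report, and the wshom.ocx entry is a benign control.

```python
"""Offline scan of a `reg export` dump for the joxch.dll registry artifacts.

Added example: not code from the original report. SAMPLE_REG is constructed
for the demo; only the key names and values are taken from the report.
"""
from typing import Dict, List

RegKeys = Dict[str, Dict[str, object]]

# Constructed sample in the format `reg export` writes (strings with doubled
# backslashes, DWORDs as dword:XXXXXXXX). The wshom.ocx entry is a benign
# control so the scan is shown ignoring a normal COM server.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19191919-9191-6e6e-2a2a-919191919191}\InprocServer32]
@="C:\\WINDOWS\\system32\\wk.rft"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32]
@="C:\\WINDOWS\\system32\\wshom.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\yh]
"ver"="1.0"
'''

# Indicators taken from the report.
PERSIST_CLSID = "{19191919-9191-6e6e-2a2a-919191919191}"
DROPPED_COPY = "wk.rft"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\yh"
# Extensions a legitimate in-process COM server normally has.
LIBRARY_EXTENSIONS = (".dll", ".ocx", ".ax", ".cpl")


def _decode_value(raw: str) -> object:
    """Decode the value side of a .reg line (strings and DWORDs only)."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw  # hex(...) and other types are left undecoded


def parse_reg(text: str) -> RegKeys:
    """Parse .reg text into {key path: {value name: value}}."""
    keys: RegKeys = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(value)
    return keys


def _get(values: Dict[str, object], name: str, default=None):
    """Case-insensitive lookup: registry value names are not case-sensitive."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return default


def find_indicators(keys: RegKeys) -> List[str]:
    """Return one line per suspicious key found in the parsed export."""
    hits: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        if k == POLICY_KEY.lower() and _get(values, "DisableCMD", 0) != 0:
            hits.append(f"cmd.exe disabled by policy: {key}\\DisableCMD = {_get(values, 'DisableCMD')}")
        elif k == VERSION_KEY.lower():
            hits.append(f"version-info key present: {key}")
        elif k.endswith("\\inprocserver32"):
            server = str(_get(values, "(Default)", ""))
            reasons = []
            if PERSIST_CLSID.lower() in k:
                reasons.append("CLSID documented for this sample")
            if server.lower().endswith(DROPPED_COPY):
                reasons.append("points at the dropped copy")
            if not server.lower().endswith(LIBRARY_EXTENSIONS):
                reasons.append("server file has a non-library extension")
            if reasons:
                hits.append(f"InprocServer32 {key} -> {server} ({'; '.join(reasons)})")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```

Feed it a real export with `parse_reg(open("clsid.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. Values of type REG_EXPAND_SZ are exported as `hex(2):` byte lists, which this parser leaves undecoded, so a persistence entry written with %systemroot% unexpanded would need that type decoded as well.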
Removal:
1. Download Xdelbox (available from down.45it.com).
Extract everything in the Xdelbox archive into a folder. In the box next to "Add", enter %systemroot%\system32\wk.rft and click the "Add" button; the file appears in the large list below. Select it there, right-click, and choose "Delete immediately on reboot".
After two reboots the main body of the trojan is gone. Then delete q.dll from the QQ installation folder.
2. Repair the system. Open Start, Run, type regedit, expand HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System and set DisableCMD back to 0 (or delete the value). Also delete the persistence key HKLM\SOFTWARE\Classes\CLSID\{19191919-9191-6e6e-2a2a-919191919191} from step 3 so nothing keeps trying to load the removed file.
Open %systemroot%\system32\drivers\etc\hosts in Notepad, keep only the line 127.0.0.1 localhost, delete everything else, save, and reboot. If the machine had legitimate custom hosts entries, remove just the lines that point at 61.152.244.167, 222.73.126.115 or 222.73.210.148 instead of wiping the file. Do this only after the DLL itself has been removed in step 1.
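As an added example (not from the original report), the following Python script repairs a hosts file the way the step above describes, but surgically: it drops only the lines that point at the three addresses the trojan uses, keeps comments and any legitimate custom entries unchanged, makes sure a localhost line survives, and lists which hostnames had been redirected so you know which sites and updaters were affected while the infection lasted. The sample hosts content is constructed; the hijacked entries in it are copied from the list in item 6. Run it on a copy first; writing the result back to %systemroot%\system32\drivers\etc\hosts needs administrator rights and should only be done after the DLL is gone.

```python
"""Surgical repair of a hosts file hijacked by the joxch.dll sample.

Added example, not code from the original report. SAMPLE_HOSTS is constructed;
the hijacked lines in it are taken from the report's hosts list.
"""
from typing import List, Tuple

# The three addresses the trojan maps hostnames to (from the report).
SINK_ADDRESSES = {"61.152.244.167", "222.73.126.115", "222.73.210.148"}

LOCALHOST_LINE = "127.0.0.1\tlocalhost"

# Constructed sample: a stock XP hosts header, a legitimate custom entry, and
# four hijacked lines copied from the report (one with a tab and a comment).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate custom entry
61.152.244.167 www.360safe.com
222.73.126.115 update.rising.com.cn
61.152.244.167\twww.google.com  # tab-separated
222.73.210.148 www.comewz.com
"""


def _fields(line: str) -> List[str]:
    """Address and hostnames of a hosts line, with any trailing comment removed."""
    return line.split("#", 1)[0].split()


def clean_hosts(text: str) -> Tuple[str, List[str]]:
    """Return (repaired hosts text, removed lines).

    Only lines whose address is one of the sink addresses are dropped; comments,
    blank lines and every other entry are kept exactly as they were. A localhost
    line is appended if the file ended up without one.
    """
    kept: List[str] = []
    removed: List[str] = []
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) >= 2 and fields[0] in SINK_ADDRESSES:
            removed.append(line)
        else:
            kept.append(line)
    if not any("localhost" in _fields(line)[1:] for line in kept):
        kept.append(LOCALHOST_LINE)
    return "\n".join(kept) + "\n", removed


def hijacked_names(text: str) -> List[str]:
    """Hostnames the file redirects to a sink address, in file order."""
    names: List[str] = []
    for line in clean_hosts(text)[1]:
        names.extend(_fields(line)[1:])
    return names


if __name__ == "__main__":
    # Dry run on the constructed sample. To repair a real machine, read
    # %SystemRoot%\System32\drivers\etc\hosts, pass the text through
    # clean_hosts() and write the first element back (administrator rights
    # needed, and only after the DLL has been removed as step 1 requires).
    repaired, dropped = clean_hosts(SAMPLE_HOSTS)
    print("redirected hostnames:", ", ".join(hijacked_names(SAMPLE_HOSTS)))
    print(repaired)
```

Matching on the destination address rather than on a fixed list of hostnames is deliberate: the report's list is long and explicitly incomplete ("and all the other Kaspersky update hosts"), whereas the sink addresses are few and every hijacked line carries one of them.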