|
File: joxch.dll
Size: 46402 bytes
Modified: 2007年11月3日, 19:29:40
MD5: 3DADA7B474F73E3AE678E5703702DED2
SHA1: 70B12CEE9C970C304816B2A540A0C8C6FE1A79A3
CRC32: 43E49F82
AV命名:Trojan.Win32.Agent.ckw(卡巴)
技术细节:
1.该病毒为一个dll文件,通过rundll32加载后,释放如下副本
%systemroot%\system32\wk.rft
搜索注册表中相关键值找到QQ安装文件夹,在QQ目录下面释放q.dll文件
2.在HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System下面添加
键值项Disabecmd 数据为0x00000001 屏蔽cmd
3.创建如下注册表项目达到开机启动的目的:
HKLM\SOFTWARE\Classes\CLSID\{19191919-9191-6e6e-2a2a-919191919191}\InprocServer32\: "%systemroot%\system32\wk.rft"
4.在HKLM\SOFTWARE\下面创建yh的子键 并写入病毒的版本信息
5.监控如下进程或者阻止如下dll加载,如果发现立即结束并将其文件删除
mmskskin.dll
KKClean.dll
VirUnk.def
AntiActi.dll
Rsaupd.exe
Iereset.dll
Libclsid.dat
KNetWch.SYS
CleanHis.dll
WoptiClean.sys
kakalib.def
libdll.dat
kkinst.ini
KASearch.DLL
KAVBootC.sys
Ras.exe
iehelp.exe
trojandetector.exe
KAConfig.DLL
KAVPassp.DLL
hsfw.dll
wopticlean
并且通过查找子窗口查找如下字符,如果找到则将其进程结束并删除对应文件
Smallforgs
Kingsoft
Antivirus
Kingsoft Antispyware
TrojanDetector
Duba
Micropoint
被删除文件被移动到%temp%文件夹下,并命名为_*.TMP
6.修改hosts文件屏蔽常见安全网站和一些大型网站或带毒网站
61.152.244.167 search.114.vnet.cn
61.152.244.167 keyword.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 search.msn.com
61.152.244.167 cnweb.search.live.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 bbs.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 zhuansha.duba.net
61.152.244.167 cu003.www.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
61.152.244.167 www.qihoo.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
(等所有卡巴斯基升级网站)
61.152.244.167 ishare.sina.com.cn
61.152.244.167 search.cn.yahoo.com
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 search.tom.com
61.152.244.167 page.so.163.com
61.152.244.167 www.soso.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
7.“黑吃黑”删除一些常见木马的加载项
HKLM\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
HKLM\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
HKLM\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
8.连接网络下载其他dll木马(但测试未发现)
解决办法:
1.下载Xdelbox(可到down.45it.com下载)
解压Xdelbox压缩包里的所有文件到一个文件夹
在 添加旁边的框中 输入
%systemroot%\system32\wk.rft
输入完以后 点击旁边的添加 按钮 被添加的文件将出现在下面的大框中
然后选中下面大框中的文件
右键单击 并点击“重启立即删除”
经过两次重启计算机后,病毒主体即被删除
重启计算机后,删除QQ安装文件夹下的q.dll文件
2.修复系统
开始-运行 输入regedit
展开HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
把Disabecmd的值改为0
使用记事本打开%systemroot%\system32\drivers\etc\hosts文件
仅仅保留
127.0.0.1 localhost
这一行,其它删除,然后保存,重启系统
|
