
Analysis and manual removal of the new "Luoxue" (落雪) virus (19.exe, pagefile.pif, autorun.inf)

Computer Software and Hardware Applications, 45IT.COM   Date: 2008-01-02 09:05   Author: 清新阳光

The sample comes from the Kafan (卡饭) forum. The way this virus does its damage closely resembles the earlier Luoxue (落雪) virus: it rewrites a large number of system file associations, so for now we will call it the new "Luoxue" virus...

File: 19.exe
Size: 33495 bytes
File Version: 0.00.0204
Modified: 2007-12-29 21:23:18
MD5: 4B2BE9775B6CA847FB2547DD75025625
SHA1: 2660F88591AD4DA8849A3A56F357E7DFB9694D45
CRC32: 2A485241
Written in: Visual Basic (VB)

1. When run, the virus drops the following copies of itself and other files:
%systemroot%\Debug\DebugProgram.exe
%systemroot%\system32\command.pif
%systemroot%\system32\dxdiag.com
%systemroot%\system32\finder.com
%systemroot%\system32\MSCONFIG.COM
%systemroot%\system32\regedit.com
%systemroot%\system32\rundll32.com
%systemroot%\1.com
%systemroot%\ExERoute.exe
%systemroot%\explorer.com
%systemroot%\finder.com
%systemroot%\SERVICES.EXE
D:\autorun.inf
D:\pagefile.pif

2. Elevates its own privileges and tries to terminate every process whose name matches one of the following patterns (a trailing * is a wildcard):
360tray*
ravmon*
ccenter*
trojdie*
kpop*
ssistse*
agentsvr*
kv*
kreg*
iefind*
iparmor*
uphc*
rulewize*
fygt*
rfwsrv*
rfwma*
trojan*
svi.exe

3. Hijacks a large number of file associations so that opening those file types launches the virus. In each command the genuine rundll32.exe, Explorer.exe or iexplore.exe has been replaced by one of the dropped look-alikes (rundll32.com, finder.com, explorer.com, iexplore.com, iexplore.pif):
HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\: ""C:\Program Files\Internet Explorer\iexplore.com""
HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\explorer.com"
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\: "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\print\command\: "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
HKLM\SOFTWARE\Classes\inffile\shell\Install\command\: "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\: "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1" (so even "Open With" on a file of unknown type launches the virus...)
HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command\: ""C:\Program Files\common~1\iexplore.pif""
(changes the file that the Start Menu's Internet Explorer entry points to)
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.com appwiz.cpl,NewLinkHere %1"
HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command\: "rundll32.com shell32.dll,Control_RunDLL "%1",%*"
HKLM\SOFTWARE\Classes\ftp\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" -nohome"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\common~1\iexplore.pif" %1"
HKLM\SOFTWARE\Classes\HTTP\shell\open\command\: ""C:\Program Files\common~1\iexplore.pif" -nohome"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: "finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\: "finder.com desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\: ""C:\WINDOWS\system32\finder.com" C:\WINDOWS\system32\scrobj.dll,GenerateTypeLib "%1""
HKLM\SOFTWARE\Classes\telnet\shell\open\command\: "finder.com url.dll,TelnetProtocolHandler %l"
HKLM\SOFTWARE\Clients\StartMenuInternet\: "iexplore.pif"
...
It also adds a new "winfiles" file type whose open command points to C:\WINDOWS\ExERoute.exe, and rewrites the .exe association to use it: HKLM\SOFTWARE\Classes\.exe\: "winfiles"
Every .exe launched through the shell is therefore routed through ExERoute.exe first, which is why the removal steps below rename the tools to a different extension before running them.


4. Sets the Shell value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
   to "Explorer.exe 1" (compare the dropped %systemroot%\1.com)

5. Connects to the network and steals account names and passwords for online games such as 传奇世界 (The World of Legend)
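The indicators in sections 1, 2 and the sample header can be checked offline without touching the infected machine's registry. The script below is an added example and not code from the original article: it fingerprints a file the way the header does (MD5, SHA1 and CRC32 as eight upper-case hex digits), looks for the dropped paths in a file listing, and shows which process names the kill list in section 2 would match. The file tree, environment mapping and process list at the bottom are constructed test data, not taken from a real infection.

```python
"""Offline triage for the indicators in sections 1 and 2 and the sample header.

Added example, not code from the original article. The file tree, environment
and process list at the bottom are constructed test data.
"""
import fnmatch
import hashlib
import re
import zlib

# Hashes of 19.exe from the sample header above.
SAMPLE_HASHES = {
    "md5": "4B2BE9775B6CA847FB2547DD75025625",
    "sha1": "2660F88591AD4DA8849A3A56F357E7DFB9694D45",
    "crc32": "2A485241",
}

# Paths from section 1, exactly as the article writes them.
DROPPED_PATHS = [
    r"%systemroot%\Debug\DebugProgram.exe",
    r"%systemroot%\system32\command.pif",
    r"%systemroot%\system32\dxdiag.com",
    r"%systemroot%\system32\finder.com",
    r"%systemroot%\system32\MSCONFIG.COM",
    r"%systemroot%\system32\regedit.com",
    r"%systemroot%\system32\rundll32.com",
    r"%systemroot%\1.com",
    r"%systemroot%\ExERoute.exe",
    r"%systemroot%\explorer.com",
    r"%systemroot%\finder.com",
    r"%systemroot%\SERVICES.EXE",
    r"D:\autorun.inf",
    r"D:\pagefile.pif",
]

# Process-name patterns from section 2 (a trailing * is a wildcard).
KILL_PATTERNS = [
    "360tray*", "ravmon*", "ccenter*", "trojdie*", "kpop*", "ssistse*",
    "agentsvr*", "kv*", "kreg*", "iefind*", "iparmor*", "uphc*", "rulewize*",
    "fygt*", "rfwsrv*", "rfwma*", "trojan*", "svi.exe",
]


def fingerprint(data):
    """MD5/SHA1/CRC32 of the bytes, formatted like the sample header.
    zlib.crc32 returned a signed int on old Pythons; masking to 32 bits gives
    the unsigned value the header shows."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def expand(path, env):
    """Expand %var% references from the supplied mapping (case-insensitive,
    like Windows) and lower-case the result for comparison."""
    return re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path).lower()


def scan_files(tree, env):
    """tree maps full path -> bytes. Returns (path, md5_matches_sample) for each
    dropped path that is present. Presence alone is the indicator; the hash only
    says whether that copy is byte-identical to the analysed sample."""
    present = {p.lower(): data for p, data in tree.items()}
    hits = []
    for ioc in DROPPED_PATHS:
        full = expand(ioc, env)
        if full in present:
            hits.append((full, fingerprint(present[full])["md5"] == SAMPLE_HASHES["md5"]))
    return hits


def targeted_processes(names):
    """Process names the kill list would match. Windows names are
    case-insensitive, so the name is lower-cased before matching."""
    return [n for n in names
            if any(fnmatch.fnmatchcase(n.lower(), p) for p in KILL_PATTERNS)]


# Constructed data for a dry run (not from a real machine).
FAKE_ENV = {"systemroot": r"C:\WINDOWS"}
FAKE_TREE = {
    r"C:\WINDOWS\system32\rundll32.exe": b"MZ legitimate rundll32 (constructed)",
    r"C:\WINDOWS\system32\finder.com": b"MZ dropped copy (constructed)",
    r"D:\pagefile.pif": b"MZ dropped copy (constructed)",
}
FAKE_PROCESSES = ["smss.exe", "svchost.exe", "360tray.exe", "RavMonD.exe",
                  "KVMonXP.kxp", "notepad.exe"]

if __name__ == "__main__":
    for path, same in scan_files(FAKE_TREE, FAKE_ENV):
        print("dropped file present:", path,
              "(identical to sample)" if same else "(hash differs)")
    print("processes the virus would try to kill:", targeted_processes(FAKE_PROCESSES))
```

On a real machine you would build the tree from a directory walk and the process list from a tool that does not go through the hijacked .exe association (the removal section uses IceSword for that).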

Removal:
Download IceSword and SREng from down.45it.com.

1. Unzip IceSword, rename Icesword.exe to Icesword.com and run it (the .exe association is hijacked, so a tool started as .exe would pass through ExERoute.exe first).
In the Processes tab, terminate %systemroot%\SERVICES.EXE. Make sure it is the copy in %systemroot% itself: the genuine services.exe lives in %systemroot%\system32 and must not be killed.

Click the File button at the bottom left and delete the following files:
%systemroot%\Debug\DebugProgram.exe
%systemroot%\system32\command.pif
%systemroot%\system32\dxdiag.com
%systemroot%\system32\finder.com
%systemroot%\system32\MSCONFIG.COM
%systemroot%\system32\regedit.com
%systemroot%\system32\rundll32.com
%systemroot%\1.com
%systemroot%\ExERoute.exe
%systemroot%\explorer.com
%systemroot%\finder.com
%systemroot%\SERVICES.EXE
D:\autorun.inf
D:\pagefile.pif
2. Change SREng's extension to .bat and run it.
Go to System Repair > File Associations and click Repair.


3. Repair the registry.
Open the system drive and run %systemroot%\system32\regedit.exe by its full path (the virus's regedit.com look-alike sits in the same directory), then restore the entries the virus modified to their normal values:
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"
HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command\: "rundll32.exe shell32.dll,Control_RunDLL "%1",%*"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
HKLM\SOFTWARE\Classes\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: "rundll32.exe shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\: "rundll32.exe desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\telnet\shell\open\command\: "rundll32.exe url.dll,TelnetProtocolHandler %l"
HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\Explorer.exe"
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\: ""C:\Program Files\Internet Explorer\iexplore.exe""
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\: "%SystemRoot%\system32\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\print\command\: "rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
HKLM\SOFTWARE\Classes\inffile\shell\Install\command\: "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\: "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

The entries from section 3 that are not repeated here (.bfc ShellNew, ftp, scriptletfile, StartMenuInternet) are restored on the same pattern: rundll32.com and finder.com become rundll32.exe, iexplore.com and C:\Program Files\common~1\iexplore.pif become "C:\Program Files\Internet Explorer\iexplore.exe", and StartMenuInternet names IEXPLORE.EXE again.

Delete the entire HKLM\SOFTWARE\Classes\winfiles subkey, and set the default value of HKLM\SOFTWARE\Classes\.exe back to "exefile" (the virus pointed it at "winfiles").
Set the Shell value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
   back to Explorer.exe (drop the trailing 1)
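Checking the hijacked commands in section 3 and working out what step 3 should restore them to is mechanical, so it is worth scripting. The script below is an added example and not code from the original article: it reads entries written in the article's own `key: "value"` listing format (or a reg export you reformat the same way), flags any shell command whose program is one of the dropped look-alikes, the .exe class pointing at "winfiles", or a Winlogon Shell other than Explorer.exe, and prints the value to restore. It never writes to the live registry; the edit itself is still done in regedit as in step 3. The SAMPLE block is constructed input copied from sections 3 and 4 plus one clean .lnk entry.

```python
"""Spot hijacked shell commands and compute the value to restore.

Added example, not code from the original article. Works on the listing text
above, offline; it never touches the live registry.
"""
import re

# Dropped look-alikes (section 1) and the genuine binary each one stands in for.
# finder.com appears wherever the real command runs rundll32.exe.
SHADOW_TO_REAL = {
    "rundll32.com": "rundll32.exe",
    "finder.com": "rundll32.exe",
    "explorer.com": "Explorer.exe",
    "iexplore.com": "iexplore.exe",
    "iexplore.pif": "iexplore.exe",
    "regedit.com": "regedit.exe",
    "msconfig.com": "msconfig.exe",
    "dxdiag.com": "dxdiag.exe",
}
# The virus parks iexplore.pif under C:\Program Files\common~1; IE lives here.
IE_DIR = r"C:\Program Files\Internet Explorer"

# One listing line:  <key>: "<value>"   (the value may itself contain quotes)
LINE_RE = re.compile(r'^(?P<key>.+?):\s*"(?P<value>.*)"$')


def restore_command(value):
    """Return (hijacked, restored). Only the program token is examined; the
    DLL, entry point and %1/%l arguments are kept exactly as found."""
    if value.startswith('"'):
        end = value.find('"', 1)
        if end < 0:
            return False, value
        quoted, path, rest = True, value[1:end], value[end + 1:]
    else:
        parts = value.split(None, 1)
        if not parts:
            return False, value
        quoted, path = False, parts[0]
        rest = " " + parts[1] if len(parts) > 1 else ""
    head, sep, base = path.rpartition("\\")
    real = SHADOW_TO_REAL.get(base.lower())
    if real is None:
        return False, value
    if base.lower() in ("iexplore.pif", "iexplore.com") and sep:
        head = IE_DIR  # the common~1 directory is the virus's, not IE's
    fixed = head + sep + real
    if quoted:
        fixed = '"' + fixed + '"'
    return True, fixed + rest


def check_entry(key, value):
    """Return the value this entry should have, or None if it looks clean.
    The .exe class (section 3) and the Winlogon Shell value (section 4) are
    not commands, so they get their own rules; "exefile" is the Windows default."""
    k = key.lower().rstrip("\\")
    if k.endswith(r"\classes\.exe"):
        return None if value.lower() == "exefile" else "exefile"
    if k.endswith(r"\winlogon\shell"):
        return None if value.lower() == "explorer.exe" else "Explorer.exe"
    hijacked, fixed = restore_command(value)
    return fixed if hijacked else None


def audit(listing):
    """Return [(key, current_value, restored_value)] for every bad entry."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fixed = check_entry(m.group("key"), m.group("value"))
        if fixed is not None:
            findings.append((m.group("key"), m.group("value"), fixed))
    return findings


# Constructed input: entries copied from sections 3 and 4 above, plus one
# already-clean .lnk entry that must not be reported.
SAMPLE = r'''
HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\explorer.com"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\common~1\iexplore.pif" %1"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: "finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\: ""C:\WINDOWS\system32\finder.com" C:\WINDOWS\system32\scrobj.dll,GenerateTypeLib "%1""
HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
HKLM\SOFTWARE\Classes\.exe\: "winfiles"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe 1"
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"
'''

if __name__ == "__main__":
    for key, bad, good in audit(SAMPLE):
        print(key)
        print("   found:   ", bad)
        print("   restore: ", good)
```

The restored values it prints for the Drive, htmlfile, InternetShortcut and Applications\iexplore.exe entries are the same ones step 3 lists; the mapping deliberately replaces only the program token so that any argument the virus left untouched stays as it was.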
