File name: explorer.exe
File size: 20400 bytes
AV detection name: TrojanDownloader:Win32/Small.gen!N (Microsoft)
Packer: NsPack
File MD5: eccd9d6ce0766d1fc2b75287ed1908df
Behavior:
1. Drops the file:
%systemroot%\system32\wuauc1t.exe (20400 bytes)
2. Enumerates available drives and creates explorer.exe and autorun.inf on each of them.
3. Attempts to download further trojans from:
http://2.trojan8.com/dd/gz.exe
http://2.trojan8.com/dd/do.exe
http://2.trojan8.com/dd/ar.exe
http://2.trojan8.com/dd/3.exe
http://2.trojan8.com/dd/4.exe
http://2.trojan8.com/dd/5.exe
http://2.trojan8.com/dd/6.exe
http://2.trojan8.com/dd/7.exe
http://2.trojan8.com/dd/8.exe
http://2.trojan8.com/dd/9.exe
http://2.trojan8.com/dd/10.exe
http://2.trojan8.com/dd/11.exe
http://2.trojan8.com/dd/12.exe
http://2.trojan8.com/dd/13.exe
http://2.trojan8.com/dd/14.exe
http://2.trojan8.com/dd/15.exe
http://2.trojan8.com/dd/16.exe
http://2.trojan8.com/dd/17.exe
http://2.trojan8.com/dd/2.exe
http://2.trojan8.com/dd/1.exe
4. IFEO (Image File Execution Options) redirection hijack of the following security tools:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDOCTOR.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE
5. Attempts to terminate the following processes:
360Safe.exe, 360tray.exe, VsTskMgr.exe, runiep.exe, UpdaterUI.exe, TBMon.exe, KASARP.exe, scan32.exe, VPC32.exe, VPTRAY.exe, ANTIARP.exe, KRegEx.exe, kvsrvxp.exe, KVWSC.EXE, Iparmor.exe, AST.EXE
6. Modifies the registry value:
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\advanced\folder\hidden\showall\CheckedValue
which breaks the "Show hidden files and folders" option in Explorer.
7. Stops related security services:
cmd /c net stop McShield
cmd /c net stop KWhatchsvc
cmd /c net stop KPfwSvc
cmd /c net stop "Norton AntiVirus Server"
8. Sets the permissions on the following files to Full Control for Everyone (cacls syntax):
\pthreadVC.dll /e /p everyone:f
\wpcap.dll /e /p everyone:f
\drivers\npf.sys /e /p everyone:f
\npptools.dll /e /p everyone:f
\drivers\acpidisk.sys /e /p everyone:f
\wanpacket.dll /e /p everyone:f
These are all ARP-related files.
Solution:
1. Download SREng (available from down.45it.com) and delete the IFEO hijack entries (see the list above for the exact keys).
2. Delete the malware files:
%systemroot%\system32\wuauc1t.exe (20400 bytes)
as well as explorer.exe and autorun.inf in the root of every partition. If Windows reports that a file cannot be deleted, download the Fileeye forced trojan removal tool (费尔木马强制删除器) from down.45it.com and force-delete it.
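As an added example (not a tool from the original report), the PowerShell script below audits a machine for the traces this sample leaves and, with -Remediate, undoes the two registry changes. It assumes the IFEO hijack uses the standard "Debugger" value under each listed image name (the report does not say which value the sample writes), that the "Show hidden files" setting is healthy only when CheckedValue is a REG_DWORD of 1, that a genuine explorer.exe never lives in a drive root, and that PowerShell 4 or later is running elevated. File deletion is deliberately report-only; the report's own instructions (SREng, forced deletion) cover that step.

```powershell
# Audit and optional cleanup for the traces listed in this report (added example, not the author's tool).
# Assumptions: IFEO hijack via the "Debugger" value; run from an elevated PowerShell 4+ session.
[CmdletBinding()]
param([switch]$Remediate)

$IfeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Image names hijacked according to the report above.
$HijackedImages = @(
    '360safe.EXE','360tray.EXE','AVP.EXE','AvMonitor.EXE','CCenter.EXE','IceSword.EXE',
    'Iparmor.EXE','KVSrvXP.EXE','KVWSC.EXE','Navapsvc.EXE','Nod32kui.EXE','KRegEx.EXE',
    'Frameworkservice.EXE','Mmsk.EXE','Wuauclt.EXE','Ast.EXE','WOPTILITIES.EXE','Regedit.EXE',
    'AutoRunKiller.exe','VPC32.exe','VPTRAY.exe','ANTIARP.exe','KASARP.exe','QQDOCTOR.EXE','~.EXE'
)
$SampleMd5 = 'eccd9d6ce0766d1fc2b75287ed1908df'   # MD5 of the sample from the report header

$findings = @()

# 1. IFEO: a Debugger value under an image name makes Windows launch that path instead of the program.
foreach ($img in $HijackedImages) {
    $key = Join-Path $IfeoBase $img
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "IFEO hijack: $img -> $dbg"
        if ($Remediate) { Remove-ItemProperty -LiteralPath $key -Name Debugger }
    }
}

# 2. "Show hidden files" option: healthy state is CheckedValue = REG_DWORD 1.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if (Test-Path -LiteralPath $showAll) {
    $item = Get-Item -LiteralPath $showAll
    $kind = if ($item.GetValueNames() -contains 'CheckedValue') { $item.GetValueKind('CheckedValue') } else { 'Missing' }
    $val  = $item.GetValue('CheckedValue')
    if ($kind -ne 'DWord' -or $val -ne 1) {
        $findings += "Show-hidden-files setting tampered: CheckedValue = '$val' ($kind)"
        if ($Remediate) {
            # Re-create as DWORD so a value left as REG_SZ is replaced, not just overwritten.
            Remove-ItemProperty -LiteralPath $showAll -Name CheckedValue -ErrorAction SilentlyContinue
            New-ItemProperty -LiteralPath $showAll -Name CheckedValue -Value 1 -PropertyType DWord | Out-Null
        }
    }
}

# 3. Drive roots: the sample writes explorer.exe + autorun.inf to every drive it finds.
#    A real explorer.exe lives in %SystemRoot%, never in a drive root.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'explorer.exe') {
        $p = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $p) { $findings += "Suspicious file in drive root: $p" }
    }
}

# 4. Dropped copy (note the digit 1 in place of the l of the legitimate wuauclt.exe).
$dropped = Join-Path $env:SystemRoot 'system32\wuauc1t.exe'
if (Test-Path -LiteralPath $dropped) {
    $h = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash.ToLower()
    $match = if ($h -eq $SampleMd5) { 'matches sample MD5' } else { 'different build from the reported sample' }
    $findings += "Dropped file present: $dropped (MD5 $h, $match)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this report were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once without -Remediate to see what is present, then with -Remediate after the dropped binary and drive-root copies have been removed; otherwise the running sample can simply re-write the IFEO and CheckedValue entries.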