文件名称：rxjh_2.exe

文件大小：283140 bytes

AV命名：AdWare.Win32.Ejik.en Kaspersky

加壳方式：未

编写语言：Microsoft Visual C++ 6.0

文件MD5：63e7e8d3ed98a8f4f7ee3bc7455024b9

病毒类型：广告程序

1、释放文件：

C:\WINDOWS\system32

(+)(文件) izwybfpzviqqi.dll, 222720 字节

(+)(文件) resiifers.ini, 123 字节

(+)(文件) rxjh_2.exe, 41984 字节

(+)(文件) shells32.ini, 20 字节

C:\WINDOWS\system32\conime

(+)(文件) conime.dll, 81920 字节

(+)(文件) conime.ls 86016 字节

2、注册系统服务，开机启动：

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime]

"Type"=dword:00000110

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

"DisplayName"="conime"

"ObjectName"="LocalSystem"

"Description"="用于支持windows网络服务程序的除错。如果禁止此项服务，依赖此服务的其他服务将无法启动。"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Parameters]

"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\

63,00,6f,00,6e,00,69,00,6d,00,65,00,5c,00,63,00,6f,00,6e,00,69,00,6d,00,65,\

00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\

00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\

05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\

20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\

00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Enum]

"0"="Root\\LEGACY_CONIME\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

3、注册组件：izwybfpzviqqi.dll，并注入explorer。

4、通信外部，访问：

http://www.info3344.cn/upsite.txt

http://b.mobile567.cn/dodolook636.exe

http://up1.hate163.cn/ver.txt

http://b.mobile567.cn/downnow.txt

http://up6.hate163.cn/ver.txt

http://www.info3344.cn/zl.txt

http://www.info3344.cn/upsite.txt

可能检测病毒版本进行升级和下载其他广告、病毒程序

解决方法：

1、下载SREng(可到down.45it.com下载)，然后断开网络连接。

2、打开SREng的win32系统服务，删除服务项：conime

如图：

然后在出现的提示框中选“否”确认删除。

3、重启计算机，最后删除文件：

C:\WINDOWS\system32

(+)(文件) izwybfpzviqqi.dll, 222720 字节

(+)(文件) resiifers.ini, 123 字节

(+)(文件) rxjh_2.exe, 41984 字节

(+)(文件) shells32.ini, 20 字节

C:\WINDOWS\system32\conime

(+)(文件) conime.dll, 81920 字节(+)(文件) conime.ls 86016 字节