File name: rxjh_2.exe
File size: 283140 bytes
AV name: AdWare.Win32.Ejik.en (Kaspersky)
Packer: none
Compiler: Microsoft Visual C++ 6.0
File MD5: 63e7e8d3ed98a8f4f7ee3bc7455024b9
Malware type: adware
1. Dropped files:
C:\WINDOWS\system32
  (+) (file) izwybfpzviqqi.dll, 222720 bytes
  (+) (file) resiifers.ini, 123 bytes
  (+) (file) rxjh_2.exe, 41984 bytes (a smaller copy; the analysed sample is 283140 bytes)
  (+) (file) shells32.ini, 20 bytes
C:\WINDOWS\system32\conime
  (+) (file) conime.dll, 81920 bytes
  (+) (file) conime.ls, 86016 bytes
2. Registers a system service that starts at boot:
The service is named "conime" after the legitimate Console IME binary conime.exe that ships in system32, but its code is the dropped conime.dll in the system32\conime subdirectory. The service runs as LocalSystem inside a shared svchost.exe (-k netsvcs) and is auto-started (Start=2); Type 0x110 is WIN32_OWN_PROCESS | INTERACTIVE_PROCESS, which does not match the WIN32_SHARE_PROCESS (0x20) type a genuine svchost-hosted service would use.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
  (REG_EXPAND_SZ, decodes to: %SystemRoot%\System32\svchost.exe -k netsvcs)
"DisplayName"="conime"
"ObjectName"="LocalSystem"
"Description"="Supports debugging of Windows network service programs. If this service is disabled, other services that depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6f,00,6e,00,69,00,6d,00,65,00,5c,00,63,00,6f,00,6e,00,69,00,6d,00,65,\
  00,2e,00,64,00,6c,00,6c,00,00,00
  (REG_EXPAND_SZ, decodes to: %SystemRoot%\system32\conime\conime.dll)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Enum]
"0"="Root\\LEGACY_CONIME\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
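The hex(2) blobs above are UTF-16LE REG_EXPAND_SZ strings, and the svchost-hosting pattern (ImagePath = shared svchost.exe, real code in Parameters\ServiceDll) is what makes this persistence easy to miss in a process list. The script below is an added example written for this page, not code from the original report or from the malware author: it re-parses the report's own key dump (embedded inline so it runs offline), decodes the ImagePath and ServiceDll values, expands the Type/Start flags, and flags the traits that distinguish this entry from a stock netsvcs service. The triage heuristics (`assess_service`) are this example's own assumptions, not something the report states; the decoded strings are exactly what the hex in the report contains.

```python
"""Decode and triage the conime service persistence from a .reg-style dump.
Added example, not from the report: REG_DUMP is the report's key dump laid
out as a .reg file; the triage heuristics below are this example's own."""
import re

# Reconstructed from the report's registry dump (constructed inline, offline).
REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="conime"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\conime\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6f,00,6e,00,69,00,6d,00,65,00,5c,00,63,00,6f,00,6e,00,69,00,6d,00,65,\
  00,2e,00,64,00,6c,00,6c,00,00,00
"""

SERVICE_TYPES = {0x001: "KERNEL_DRIVER", 0x002: "FILE_SYSTEM_DRIVER",
                 0x010: "WIN32_OWN_PROCESS", 0x020: "WIN32_SHARE_PROCESS",
                 0x100: "INTERACTIVE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into single lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def decode_hex2(payload):
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg(text):
    """Return {key_path: {value_name: value}} with dword, string and hex(2) decoded."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if m is None or current is None:
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif val.startswith("hex(2):"):
            keys[current][name] = decode_hex2(val[len("hex(2):"):])
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val  # other hex types are left undecoded
    return keys


def assess_service(keys, name):
    """Decode ImagePath/ServiceDll for one service and flag svchost-hosting traits."""
    svc = keys.get(SERVICES_ROOT + name, {})
    params = keys.get(SERVICES_ROOT + name + "\\Parameters", {})
    image, dll = svc.get("ImagePath", ""), params.get("ServiceDll", "")
    type_flags = svc.get("Type", 0)
    hosted = "svchost.exe" in image.lower()
    findings = []
    if hosted and dll:
        findings.append("runs inside svchost.exe: the payload is ServiceDll, not ImagePath")
    if dll and ("\\system32\\" + name.lower() + "\\") in dll.lower():
        findings.append("ServiceDll lives in a system32 subdirectory named after the service")
    if hosted and not (type_flags & 0x20):
        findings.append("Type lacks WIN32_SHARE_PROCESS although the service is svchost-hosted")
    return {"image_path": image, "service_dll": dll,
            "type": [n for bit, n in SERVICE_TYPES.items() if type_flags & bit],
            "start": START_TYPES.get(svc.get("Start"), "UNKNOWN"),
            "account": svc.get("ObjectName", ""), "findings": findings}


if __name__ == "__main__":
    for k, v in assess_service(parse_reg(REG_DUMP), "conime").items():
        print(f"{k}: {v}")
```

Run it against a `reg export HKLM\SYSTEM\CurrentControlSet\Services\<name>` dump from a suspect machine to get the same decoded view; a service that the third finding fires on is worth comparing against the `netsvcs` list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, since svchost only loads DLLs for service names present in that list.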
3. Registers the component izwybfpzviqqi.dll and injects it into explorer.exe.
4. Network activity; the sample contacts:
http://www.info3344.cn/upsite.txt
http://b.mobile567.cn/dodolook636.exe
http://up1.hate163.cn/ver.txt
http://b.mobile567.cn/downnow.txt
http://up6.hate163.cn/ver.txt
http://www.info3344.cn/zl.txt
These requests most likely check the current version for self-update and download further adware or other malware (dodolook636.exe is a fetched executable).
Removal:
1. Download SREng (available from down.45it.com), then disconnect the machine from the network.
2. In SREng, open the Win32 services view and delete the service entry: conime
(screenshot omitted)
In the prompt that appears, choose "No" to confirm the deletion.
Also check the netsvcs value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost: "conime" is not a stock member of that list, so remove it if it appears there.
3. Reboot, then delete the files:
C:\WINDOWS\system32
  (+) (file) izwybfpzviqqi.dll, 222720 bytes
  (+) (file) resiifers.ini, 123 bytes
  (+) (file) rxjh_2.exe, 41984 bytes
  (+) (file) shells32.ini, 20 bytes
C:\WINDOWS\system32\conime
  (+) (file) conime.dll, 81920 bytes
  (+) (file) conime.ls, 86016 bytes
Do not delete the legitimate C:\WINDOWS\system32\conime.exe; only the conime subdirectory and the files listed above belong to the adware.