文件名称：WinNt32.dll

文件大小：33,792 bytes

AV命名：Trojan.DL.Wigon.Gen.6

编写语言：VC++

文件MD5：9B2F70D0C4793164633D006B8145E8EA

病毒类型：后门

1．释放文件：

C:\Windows\System32\drivers\Afm74.sys  14,976 bytes

C:\Windows\System32\WinNt32.dll  10,240 bytes

2．添加启动项：

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32]

DLLName = "WinNt32.dll"

StartShell = "WLEventStartShell"

Impersonate = 0x00000000

Asynchronous = 0x00000000

ID = 0x00000016

每次开机注入Winlogon进程

3．修改注册表，保证安全模式也加载驱动：

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Afm74.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Afm74.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AFM74\0000\Control]

*NewlyCreated* = 0x00000000

ActiveService = "Afm74"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AFM74\0000]

Service = "Afm74"

Legacy = 0x00000001

ConfigFlags = 0x00000000

Class = "LegacyDriver"

ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

DeviceDesc = "Afm74"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AFM74]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afm74\Enum]

0 = "Root\LEGACY_AFM74\0000"

Count = 0x00000001

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afm74\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afm74]

Type = 0x00000001

Start = 0x00000000

ErrorControl = 0x00000000

ImagePath = "%System%\Drivers\Afm74.sys"

Group = "SCSI Class"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Afm74]

Type = 0x00000001

Start = 0x00000000

ImagePath = "%System%\Drivers\Afm74.sys"

Group = "SCSI Class"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afm74.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Afm74.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFM74\0000\Control]

*NewlyCreated* = 0x00000000

ActiveService = "Afm74"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFM74\0000]

Service = "Afm74"

Legacy = 0x00000001

ConfigFlags = 0x00000000

Class = "LegacyDriver"

ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

DeviceDesc = "Afm74"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFM74]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afm74\Enum]

0 = "Root\LEGACY_AFM74\0000"

Count = 0x00000001

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afm74\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afm74]

Type = 0x00000001

Start = 0x00000000

ErrorControl = 0x00000000

ImagePath = "%System%\Drivers\Afm74.sys"

Group = "SCSI Class"

4．连接网络208.66.195.**尝试下载其他木马。

解决方法：

1、删除文件(如遇提示无法删除文件，到down.45it.com下载费尔木马强制删除器工具进行强制删除)：

C:\Windows\System32\drivers\Afm74.sys  14,976 bytes

C:\Windows\System32\WinNt32.dll  10,240 bytes

2、查找删除注册表并删除有关于Afm74的项(开始菜单－运行－输入“regedit”进入注册表依次找到说明选项并按提示操作,详细的项见上文)！

3、重启计算机，升级杀毒软件，全盘扫描。