Filesize: 18593 bytes
MD5: c595bc161e1d64b4d8f4d84139ef02b0
SHA1: 100e8a9ae7034b41443e4ddaa46f175adb70eb06
Virus name: unknown
Test date: 2007-3-10
Update time: this analysis log will be updated tomorrow night.
After the virus sample is run, it automatically deletes itself and drops the virus into the %system% directory:
%system%\del.bat
%system%\msgcom.dll
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
Creates a startup entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
<WinlogonNotify:cmdmant><msgcom.dll>
Modifies the memory of Explorer.exe; Explorer.exe attempts to obtain network access to 202.88.90.186 and tries to launch %system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
Analysis of %system%\1.exe:
After Explorer.exe launches 1.EXE, it deletes itself automatically
Drops virus files:
%system%\wsvbs.dll
%windows%\wsvbs.exe
Creates a startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsvbs.exe>
Analysis of %system%\2.exe:
After Explorer.exe launches 2.EXE,
Drops virus files:
%system%\mppds.dll
%windows%\mppds.exe
Creates a startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<mppds><%windows%\mppds.exe>
Analysis of %system%\3.exe:
After Explorer.exe launches 3.EXE,
Drops virus files:
%ProgramFiles%\Internet Explorer\PLUGINS\system2.jmp
%ProgramFiles%\Internet Explorer\PLUGINS\SystemKb.sys
Analysis of %system%\4.exe:
After Explorer.exe launches 4.EXE, it deletes itself automatically
Drops virus files:
%system%\wsttrs.dll
%windows%\wsttrs.exe
Creates a startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsttrs.exe>
Analysis of %system%\5.exe:
After Explorer.exe launches 5.EXE, it deletes itself automatically
Drops a virus file and injects it into every process:
%windows%\608769.bmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
<AppInit_DLLs><608769M.BMP>
Analysis of %system%\6.exe:
After Explorer.exe launches 6.EXE,
Drops virus files:
c:\Documents and Settings\<your user name>\Local Settings\Temp\ie888.exe
c:\Documents and Settings\<your user name>\Local Settings\Temp\iim.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\packet.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\wanpacket.dll
%ProgramFiles%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
Modifies the hosts file, adding the following entries:
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www.47555.cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
Attached SRENG log:
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\MIB\LOCALS~1\Temp\ie888.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<wsvbs><C:\windows\wsvbs.exe>
<mppds><C:\windows\mppds.exe>
<wsttrs><C:\windows\wsttrs.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys>[N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify:cmdmant><msgcom.dll>
Running processes
[PID:700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[C:\WINDOWS\system32\msgcom.dll][N/A,N/A]
[PID:752][C:\windows\system32\services.exe]
[C:\windows\608769M.BMP]
[PID:764][C:\windows\system32\lsass.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[PID:932][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[PID:1020][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[PID:1116][C:\windows\System32\svchost.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[PID:1408][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[PID:1456][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP][N/A,N/A]
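The SRENG listing above shows the two signs a responder should look for in a module list: a file that is not a DLL by extension (608769M.BMP) loaded into winlogon, services, lsass and every svchost, which is what AppInit_DLLs injection looks like, and a version-less module (msgcom.dll) sitting inside winlogon.exe via the Winlogon Notify key. The following Python script is an added example, not part of the original log or of SRENG; it parses a constructed sample in the same layout as the listing above (path separators restored, one benign module with version info added for contrast) and applies those heuristics. The extension whitelist, the "sensitive process" set and the "loaded everywhere" rule are my assumptions, not SRENG's own logic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the SRENG "Running processes" listing above
# (path separators restored, one benign module with version info added).
SAMPLE_LOG = r"""
[PID:700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[C:\WINDOWS\system32\msgcom.dll][N/A,N/A]
[PID:752][C:\windows\system32\services.exe]
[C:\windows\608769M.BMP]
[PID:764][C:\windows\system32\lsass.exe]
[C:\windows\608769M.BMP][N/A,N/A]
[C:\WINDOWS\system32\ntdll.dll][Microsoft Corporation,5.1.2600.2180]
[PID:932][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP][N/A,N/A]
"""

PROC_RE = re.compile(r"^\[PID:(\d+)\]\[(.+)\]$")
MOD_RE = re.compile(r"^\[([^\]]+)\](?:\[([^\]]*)\])?$")

# File extensions a legitimately loaded module normally carries (assumed list).
NORMAL_EXT = {".dll", ".exe", ".drv", ".ocx", ".cpl", ".ax", ".sys", ".acm", ".ime"}
# Processes where a module without version info deserves a second look (assumed list).
SENSITIVE = {"winlogon.exe", "services.exe", "lsass.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_sreng(text):
    """Return {pid: (image_path, [(module_path, info_string), ...])}."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            current = int(m.group(1))
            procs[current] = (m.group(2), [])
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            # A missing trailing [vendor,version] field is treated as "N/A,N/A".
            procs[current][1].append((m.group(1), m.group(2) or "N/A,N/A"))
    return procs


def find_suspicious_modules(procs):
    """Return [(pid_or_None, module, reason)] from three heuristics."""
    findings, seen_in = [], defaultdict(set)
    for pid, (image, mods) in procs.items():
        for path, info in mods:
            name = basename(path)
            ext = name[name.rfind("."):] if "." in name else ""
            seen_in[name].add(pid)
            if ext not in NORMAL_EXT:
                findings.append((pid, path, "module with non-PE extension"))
            elif basename(image) in SENSITIVE and info.startswith("N/A"):
                findings.append((pid, path, "module without version info in a sensitive process"))
    # One module present in every listed process is the AppInit_DLLs pattern.
    for name, pids in seen_in.items():
        if len(procs) >= 3 and len(pids) == len(procs):
            findings.append((None, name, "loaded in every listed process (AppInit_DLLs-style injection)"))
    return findings


if __name__ == "__main__":
    for pid, mod, why in find_suspicious_modules(parse_sreng(SAMPLE_LOG)):
        print(f"[PID {pid if pid is not None else '*'}] {mod}: {why}")
```

On the sample this reports the .BMP in all four processes, msgcom.dll inside winlogon.exe, and the "loaded everywhere" finding for 608769m.bmp, while the ntdll.dll entry with vendor and version information is left alone.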
Removal steps:
1. Start --- Run --- type regedit --- expand the following keys in turn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Delete
<svc>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete
<wsvbs>
<mppds>
<wsttrs>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Delete
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>
Delete
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify:cmdmant>
2. Restart the computer
3. Delete the following files
%system%\del.bat
%system%\msgcom.dll
%system%\wsvbs.dll
%windows%\wsvbs.exe
%system%\mppds.dll
%windows%\mppds.exe
%ProgramFiles%\Internet Explorer\PLUGINS\system2.jmp
%ProgramFiles%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\wsttrs.dll
%windows%\wsttrs.exe
c:\Documents and Settings\<your user name>\Local Settings\Temp\ie888.exe
c:\Documents and Settings\<your user name>\Local Settings\Temp\iim.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\packet.dll
c:\Documents and Settings\<your user name>\Local Settings\Temp\wanpacket.dll
%ProgramFiles%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
%system%\3.exe
%system%\6.exe
system32\drivers\etc\hosts
Open the HOSTS file with Notepad and delete the following entries:
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www.47555.cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
%windows%\608769M.BMP
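The hosts-file redirects listed above (both in the behaviour analysis and in the removal step) share a pattern that can be checked mechanically: one public address pinned to many unrelated domains, and a high-profile site such as www.baidu.com pointed at a public IP rather than loopback. The following Python script is an added example, not part of the original log or of any removal tool; it audits a constructed hosts file built from the entries above plus the default Windows lines and one benign LAN entry, reports which lines look like redirection and why, and produces the cleaned file that the manual Notepad step describes. The two bad IPs come from this analysis; the "watched domains" list, the threshold of three domains per public IP and the simplified eTLD+1 logic are my assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: default Windows entries, one benign LAN entry,
# and the redirects listed in the analysis above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.lan
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
"""

# Redirect targets taken from the analysis above (a real deployment would load these from threat intel).
KNOWN_BAD_IPS = {"58.215.65.136", "60.169.1.178"}
# High-profile domains that a hosts file should never pin to a public address (assumed list).
WATCHED_DOMAINS = {"baidu.com"}
# Distinct registrable domains on one public IP that count as mass redirection (assumed threshold).
MASS_REDIRECT_THRESHOLD = 3


def registrable_domain(host):
    """Crude eTLD+1: handles 'x.com.cn' style suffixes, otherwise the last two labels."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"com", "net", "org", "gov", "edu", "co"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def parse_hosts(text):
    """Return [(line_number, ip, [hostnames])], skipping comments and malformed lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((n, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Return {line_number: [reasons]} for entries that look like redirection."""
    entries = parse_hosts(text)
    domains_on_ip = defaultdict(set)
    for _, ip, names in entries:
        domains_on_ip[ip].update(registrable_domain(h) for h in names)
    flagged = {}
    for n, ip, names in entries:
        reasons = []
        if ip in KNOWN_BAD_IPS:
            reasons.append("known redirect target")
        # Loopback, private and link-local mappings are normal; only public IPs are judged further.
        if ipaddress.ip_address(ip).is_global:
            if len(domains_on_ip[ip]) >= MASS_REDIRECT_THRESHOLD:
                reasons.append("public IP mapped to %d unrelated domains" % len(domains_on_ip[ip]))
            if any(registrable_domain(h) in WATCHED_DOMAINS for h in names):
                reasons.append("watched domain pinned to a public IP")
        if reasons:
            flagged[n] = reasons
    return flagged


def clean_hosts(text):
    """Return the hosts text with every flagged line removed (the manual Notepad step, automated)."""
    flagged = audit_hosts(text)
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, reasons in sorted(audit_hosts(SAMPLE_HOSTS).items()):
        print("line %d: %s" % (n, "; ".join(reasons)))
    print(clean_hosts(SAMPLE_HOSTS))
```

The mass-redirection rule is the one that generalises beyond this sample: it needs no intelligence feed, only the observation that one public address serving several unrelated second-level domains from a hosts file is almost never legitimate.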
Download the dedicated removal tool from my E-drive:
http://free5.ys168.com/?ufwihgu168
(Because I do not really understand the desktop process that SSM monitored, there are problems with this analysis of the network connection; it will be updated tomorrow night, and I also ask experts to correct it. The content is as follows, thanks.)
Process:
Path: C:\WINDOWS\explorer.exe
PID: 1988
Info: Windows Explorer (Microsoft Corporation)
Network info:
IP address: 222.88.90.186
Trusted zone: No
Protocol: TCP