Virus fingerprint:
SHA-1: DA14DDB10D14C568B62176AAB738B0C479A06863
MD5: C505733FFDDA0394D404BD5BB652C1A6
RIPEMD-160: 410EF9736AD4966094C096E57B477B7572B7ED9C
CRC-32: FF6E4568
Virus size: 43,900 bytes
Connects to the network to download the virus:
Connect address: 61.152.255.252
Location: Shanghai Telecom IDC
Generates the following randomly named virus files on the local machine:
meex.com, rmwaccq.exe, wojhadp.exe, nqgphqd.exe, autorun.inf
Downloads and runs the following files:
1A11.exe, 2B12.exe, 3C13.exe, 2B12.exe
Generates a randomly named hiv file and uses it for mutual process protection (the two virus processes guard each other)
Breaks Safe Mode by deleting the SafeBoot DiskDrive class keys (strings from the unpacked sample; the section name shows it was packed with Upack). Each path is preceded by a 0FFFFFFFFh,length header, which looks like a Delphi long-string header; the length byte matches the path with its backslashes, e.g. 'T' = 84 for the first string and 'X' = 88 for the CurrentControlSet variants:
.Upack:00408184 s_SystemControl  db 'SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408184                  ; DATA XREF: sub_407CF4+6B↑o
.Upack:004081D9                  align 4
.Upack:004081DC s_T              db 0FFh, 0FFh, 0FFh, 0FFh, 'T', 0
.Upack:004081E2                  align 4
.Upack:004081E4 s_SystemContr_0  db 'SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004081E4                  ; DATA XREF: sub_407CF4+7A↑o
.Upack:00408239                  align 4
.Upack:0040823C s_X              db 0FFh, 0FFh, 0FFh, 0FFh, 'X', 0
.Upack:00408242                  align 4
.Upack:00408244 s_SystemCurrent  db 'SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408244                  ; DATA XREF: sub_407CF4+89↑o
.Upack:0040829D                  align 10h
.Upack:004082A0 s_X_0            db 0FFh, 0FFh, 0FFh, 0FFh, 'X', 0
.Upack:004082A6                  align 4
.Upack:004082A8 s_SystemCurre_0  db 'SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004082A8                  ; DATA XREF: sub_407CF4+98↑o
.Upack:00408301                  align 4
.Upack:00408304                  dd 0FFFFFFFFh, 0Ch
Breaks the "show hidden files" option by rewriting CheckedValue under the SHOWALL key, so Explorer can no longer be switched to showing hidden files (the restored value is in the .reg file at the end):
.Upack:0040830C s_Checkedvalue   db 'CheckedValue',0        ; DATA XREF: sub_407CF4+A7↑o
.Upack:00408319                  align 4
.Upack:0040831C s_Q              db 0FFh, 0FFh, 0FFh, 0FFh, 'Q', 0
.Upack:00408322                  align 4
.Upack:00408324 s_SoftwareMicro  db 'software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall',0
Enables AutoPlay by changing NoDriveTypeAutoRun under the Explorer policies key, so the autorun.inf it drops on each drive is honoured:
.Upack:00408524 s_SoftwareMic_4  db 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',0
.Upack:00408524                  ; DATA XREF: sub_407CF4+201↑o
.Upack:00408560                  ; char s_Nodrivetypeau[]
.Upack:00408560 s_Nodrivetypeau  db 'NoDriveTypeAutoRun',0   ; DATA XREF: sub_407CF4+21A↑o
Stops and disables the AVP, wuauserv, wscsvc, RsRavMon, RsCCenter and RSPPSYS services (Kaspersky, Windows Update, Security Center and the Rising antivirus services) through their keys under Services:
.Upack:004085CC                  ; char s_SystemCurre_5[]
.Upack:00408600 s_SystemCurre_6  db 'SYSTEM\CurrentControlSet\Services\RSPPSYS',0
.Upack:00408600                  ; DATA XREF: sub_407CF4+2D9↑o
.Upack:0040862A                  align 4
.Upack:0040862C                  ; char s_SystemCurre_7[]
.Upack:0040862C s_SystemCurre_7  db 'SYSTEM\CurrentControlSet\Services\RsCCenter',0
.Upack:0040862C                  ; DATA XREF: sub_407CF4+30F↑o
.Upack:00408658                  ; char s_SystemContr_1[]
.Upack:00408658 s_SystemContr_1  db 'SYSTEM\ControlSet001\Services\RsCCenter',0
.Upack:00408658                  ; DATA XREF: sub_407CF4+345↑o
.Upack:00408680                  ; char s_SystemContr_2[]
.Upack:00408680 s_SystemContr_2  db 'SYSTEM\ControlSet001\Services\RsRavMon',0
.Upack:00408680                  ; DATA XREF: sub_407CF4+37B↑o
.Upack:004086A7                  align 4
.Upack:004086A8                  ; char s_SystemContr_5[]
.Upack:004086A8 s_SystemContr_5  db 'SYSTEM\ControlSet001\Services\wscsvc',0
.Upack:004086A8                  ; DATA XREF: sub_407CF4+3B1↑o
.Upack:004086CD                  align 10h
.Upack:004086D0                  ; char s_SystemContr_3[]
.Upack:004086D0 s_SystemContr_3  db 'SYSTEM\ControlSet001\Services\wuauserv',0
.Upack:004086D0                  ; DATA XREF: sub_407CF4+3E7↑o
.Upack:004086F7                  align 4
.Upack:004086F8                  ; char s_SystemContr_4[]
.Upack:004086F8 s_SystemContr_4  db 'SYSTEM\ControlSet002\Services\AVP',0
.Upack:004086F8                  ; DATA XREF: sub_407CF4+41D↑o
Image hijacking (IFEO) of a large number of security tools, system programs and antivirus products.
There are too many to list here; they are the same ones hijacked by earlier samples, see my friend 余弦函数's article for the details.
Solution
Use procexp.exe to suspend the two virus processes. Then type "system32" into Run, sort the icons by date, find the virus files and delete them:
Rename autoruns before running it (IFEO hijacks match on the executable's file name), open it, go to the Image File Execution Options entries, keep only the "Your Image File Name Here without a path" entry and delete all the others.
Open ACDSee and delete the virus files and the autorun.inf script from the root of every drive. Do not use the right-click Open command or Explorer for this, because autorun.inf has hijacked both actions (the labels below are the Chinese menu text for Open and Explorer):
[AutoRun]
open=nqgphqd.exe
shell\open=打开(&O)
shell\open\Command=nqgphqd.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=nqgphqd.exe
Repair the Safe Mode and hidden-file registry entries as follows (save the text below as a .reg file and double-click it to import). It restores ControlSet001 only, so check that HKLM\SYSTEM\Select\Current is 1 on the machine; if it is not, repeat the two SafeBoot keys for the active control set as well:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000001
The virus inserted these two standard Explorer commands (Open and Explore) into autorun.inf with a script. Because the file names it generates are random and the process IDs (PIDs) change as well, the solution could only be written up with screenshots.
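Added example, not part of the original post and not the worm's own code: a PowerShell script that audits every setting the analysis above describes (the SafeBoot DiskDrive class keys, SHOWALL\CheckedValue, NoDriveTypeAutoRun, the six service keys, IFEO Debugger values and autorun.inf on each drive root) and, when run with -Repair, puts them back. It covers the same ground as the manual autoruns, ACDSee and .reg steps. The restore values it uses (DiskDrive, CheckedValue=1, NoDriveTypeAutoRun=0xFF, Start=2), the choice to clear only the IFEO Debugger value instead of deleting whole keys as the autoruns step does, the use of CurrentControlSet instead of ControlSet001, and the pattern for autorun.inf launch lines are my assumptions, not details taken from the post.

```powershell
# Added example (not from the original post, not the worm's code): audit the settings
# this sample tampers with and restore them when run with -Repair. Run from an
# elevated PowerShell. Assumed, not taken from the post: the restore values
# (DiskDrive, CheckedValue=1, NoDriveTypeAutoRun=0xFF, Start=2), clearing only the
# IFEO "Debugger" value, CurrentControlSet instead of ControlSet001, and the regex
# used to pick out launch lines in autorun.inf.
[CmdletBinding()]
param([switch]$Repair)

$findings = New-Object System.Collections.Generic.List[string]
$safeBootClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive class; Safe Mode cannot boot without it

# 1. Safe Mode: the sample deletes the DiskDrive class key under SafeBoot\Minimal and \Network.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$safeBootClass"
    if (-not (Test-Path $key)) {
        $findings.Add("Safe Mode broken: $key is missing")
        if ($Repair) { New-Item -Path $key -Value 'DiskDrive' -Force | Out-Null }   # -Value sets the (Default) value
    }
}

# 2. Hidden files: CheckedValue must be a REG_DWORD 1 for "Show hidden files" to work.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1 -or $checked -isnot [int]) {            # also catches a string "1" with the wrong type
    $findings.Add("Hidden-file option broken: CheckedValue is '$checked'")
    if ($Repair) {
        Remove-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
        New-ItemProperty -Path $showAll -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
    }
}

# 3. AutoPlay: 0xFF disables AutoRun for every drive type, so a dropped autorun.inf is ignored.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
$autoRun = (Get-ItemProperty -Path $policies -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autoRun -ne 0xFF) {
    $findings.Add("AutoRun not fully disabled: NoDriveTypeAutoRun is '$autoRun'")
    if ($Repair) {
        if (-not (Test-Path $policies)) { New-Item -Path $policies -Force | Out-Null }
        Set-ItemProperty -Path $policies -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# 4. Services the sample disables (Start = 4). wuauserv/wscsvc are Windows; the rest are Kaspersky/Rising.
foreach ($svc in 'AVP', 'wuauserv', 'wscsvc', 'RsRavMon', 'RsCCenter', 'RSPPSYS') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }                  # product not installed on this machine
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings.Add("Service disabled: $svc")
        if ($Repair) { Set-ItemProperty -Path $key -Name Start -Value 2 -Type DWord }   # 2 = Automatic
    }
}

# 5. IFEO: a subkey carrying a Debugger value makes Windows launch that program instead of the named one.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = $sub.GetValue('Debugger')
    if ($dbg) {
        $findings.Add("IFEO hijack: $($sub.PSChildName) -> $dbg")
        if ($Repair) { Remove-ItemProperty -Path $sub.PSPath -Name Debugger }
    }
}

# 6. autorun.inf on every drive root: report open= and shell\...\command= lines that launch a program.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not [System.IO.File]::Exists($inf)) { continue }   # File.Exists also sees hidden/system files
    $launch = [System.IO.File]::ReadAllLines($inf) | Where-Object { $_ -match '^\s*(open|shell\\[^=]*\\command)\s*=' }
    if ($launch) {
        $findings.Add("autorun.inf on $($drive.Root): " + ($launch -join ' | '))
        if ($Repair) { Remove-Item -LiteralPath $inf -Force }
    }
}

if ($findings.Count -eq 0) { 'No damage found.' } else { $findings }
```

Run it once without -Repair and read the IFEO list first: a Debugger value you set yourself for a program you debug is legitimate and should be left alone, and on 64-bit Windows the Wow6432Node copy of the IFEO key is a separate list this script does not walk. The script does not stop the worm's processes, so do the procexp step first; otherwise the two mutually guarding processes may undo the repairs.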