This virus is the latest variant of the earlier 梦中情人 (暗号) ("Dream Lover" / "Secret Code") virus.
1. When run, the virus drops the following files or copies of itself:
%systemroot%\system32\config\systemprofile\vista.exe
%systemroot%\system32\a.jpg
%systemroot%\system32\Flower.dll
%systemroot%\system32\vista.exe
It also drops test.exe and autorun.inf in the root of every partition.
2. It reads the value of Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE to obtain the path of IEXPLORE.EXE, then launches IE to connect to http://www.3940*.cn/tj.asp for infection counting.
3. It elevates its own privileges and terminates the following processes:
360tray.exe
360safe.exe
and closes the handles of the following process:
avp.exe
4. It starts a spoolsv.exe process, injects Flower.dll into it, and uses urlmon.dll to download the following:
http://www.*/muma935474/q.exe
http://www.*/muma935474/w.exe
http://www.*/muma935474/e.exe
http://www.*/muma935474/r.exe
http://www.*/muma935474/t.exe
http://www.*/muma935474/y.exe
http://www.*/muma935474/u.exe
http://www.*/muma935474/i.exe
http://www.*/muma935474/o.exe
http://www.*/muma935474/10.exe~http://www.*/muma935474/36.exe
http://www.*/muma.exe
http://www.*/muma1.exe
http://www.*/muma2.exe
http://www.*/muma3.exe
The files are saved under C:\Documents and Settings\ as taga.exe~tagg.exe, tagaa.exe~taggg.exe, tagaaa.exe~tagggg.exe, tagaaaa.exe~tagcccc.exe, md5a.exe~md5g.exe, md5aa.exe~md5gg.exe and md5aaa.exe~md5bbb.exe.
Download interval: 2000 ms.
However, almost all of the download links are already dead, and the few samples that could still be downloaded are all Gray Pigeon (鸽子) backdoors.
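The name ranges above (taga.exe~tagg.exe and so on) are written in a compact notation that is awkward to turn into a concrete list of files to look for. The following Python script is an added example, not part of the original post: it expands each "first~last" range into the individual file names (the stem is a prefix followed by one letter repeated n times, so tagaaaa~tagcccc yields tagaaaa, tagbbbb, tagcccc) and then checks a folder for any of them. The directory-scan function and the `self_test_scan` helper are assumptions of this example; the ranges themselves are copied from the analysis above. Expanding all seven ranges gives 40 names, which matches the 40 download URLs listed (q through o, 10 through 36, and muma.exe plus muma1 through muma3).

```python
"""Expand the dropped-file name ranges from the analysis into a concrete IoC list
and look for those names in a directory (e.g. C:\\Documents and Settings)."""
import os
import tempfile

# Ranges exactly as written in the analysis: "first~last", where the stem is a
# common prefix followed by one letter repeated n times (e.g. tagaaaa ~ tagcccc).
RANGES = [
    "taga.exe~tagg.exe",
    "tagaa.exe~taggg.exe",
    "tagaaa.exe~tagggg.exe",
    "tagaaaa.exe~tagcccc.exe",
    "md5a.exe~md5g.exe",
    "md5aa.exe~md5gg.exe",
    "md5aaa.exe~md5bbb.exe",
]


def expand_range(spec):
    """Turn 'tagaa.exe~taggg.exe' into ['tagaa.exe', 'tagbb.exe', ..., 'taggg.exe']."""
    first, last = spec.split("~")
    stem1, ext = os.path.splitext(first)
    stem2, ext2 = os.path.splitext(last)
    if ext != ext2 or len(stem1) != len(stem2):
        raise ValueError(f"malformed range: {spec}")
    # Split off the common prefix; what remains is the repeated-letter block.
    i = 0
    while i < len(stem1) and stem1[i] == stem2[i]:
        i += 1
    prefix, tail1, tail2 = stem1[:i], stem1[i:], stem2[i:]
    if not tail1 or len(set(tail1)) != 1 or len(set(tail2)) != 1:
        raise ValueError(f"tail is not a single repeated letter: {spec}")
    n, lo, hi = len(tail1), tail1[0], tail2[0]
    if lo > hi:
        raise ValueError(f"range runs backwards: {spec}")
    return [f"{prefix}{chr(c) * n}{ext}" for c in range(ord(lo), ord(hi) + 1)]


def dropped_file_names():
    """All file names the downloader may create, in the order the ranges are listed."""
    names = []
    for spec in RANGES:
        names.extend(expand_range(spec))
    return names


def scan_directory(path):
    """Return (sorted) names from the IoC list that exist directly under `path`.

    Matching is case-insensitive because NTFS/FAT file names are.
    """
    wanted = {n.lower() for n in dropped_file_names()}
    try:
        present = os.listdir(path)
    except OSError:
        return []
    return sorted(f for f in present if f.lower() in wanted)


def self_test_scan():
    """Constructed demo: plant two IoC names and one benign file in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("tagbbb.exe", "md5a.exe", "notes.txt"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed placeholder, not a real sample")
        return scan_directory(d)


if __name__ == "__main__":
    print(len(dropped_file_names()), "names, e.g.", dropped_file_names()[:3])
    print("hits in demo folder:", self_test_scan())
```

On a real machine you would call `scan_directory(r"C:\Documents and Settings")` (and the per-user profile folders below it); on an uninfected machine the result should be an empty list.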
5. It closes any window whose title contains one of the following strings:
防火墙 (firewall)
杀毒 (antivirus)
江民 (Jiangmin)
金山 (Kingsoft)
木马 (Trojan)
超级巡警 (Super Patrol)
NOD32
安全 (security)
主线程 (main thread)
微点 (Micropoint)
6. It adds Image File Execution Options (IFEO) entries that hijack certain antivirus products, security tools and some popular viruses, redirecting each of the following images to %systemroot%\system32\vista.exe:
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
appdllman.exe
AppSvc32.exe
auto.exe
AutoRun.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
guangd.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
kernelwind32.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
logogo.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
nod32krn.exe
nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
rfwProxy.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
sos.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
taskmgr.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UFO.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE
WoptiClean.exe
XP.exe
zxsweep.exe
7. It breaks "Show hidden files and folders":
the value of HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden is changed to 0x00000002.
The SREng log after the trojan has been planted looks like this:
启动项目
注册表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
<IFEO[360rpt.exe]><C:\WINDOWS\system32\vista.exe>[Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
<IFEO[360Safe.exe]><C:\WINDOWS\system32\vista.exe>[Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
<IFEO[360tray.exe]><C:\WINDOWS\system32\vista.exe>[Microsoft Corporation]...
==================================
服务
[windows/windows][Running/Disabled]
<C:\WINDOWS\windows.exe><N/A>
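The IFEO hijack in section 6 and the SREng lines above share one tell-tale shape: dozens of different images all "debugged" by the same executable, which a genuine debugger registration never looks like. The Python script below is an added example, not part of the original post or of SREng: it parses lines in the `<IFEO[image]><target>[vendor]` form shown in the log and flags an entry when either its Debugger target is the vista.exe named in this analysis or the same target is shared by several images. The sample log is constructed to mirror the one above (with one benign WinDbg entry added for contrast); the regex, function names and the `min_shared` threshold are assumptions of this example.

```python
"""Parse SREng-style IFEO lines and flag Debugger redirections typical of this virus."""
import re
from collections import Counter

# One SREng 'startup items / registry' detail line per IFEO key, as in the log above:
#   <IFEO[image.exe]><debugger path>[vendor]
IFEO_LINE = re.compile(r"<IFEO\[(?P<image>[^\]]+)\]><(?P<target>[^>]+)>\[(?P<vendor>[^\]]*)\]")

# Target base names this variant is known (from the analysis above) to register as Debugger.
KNOWN_BAD_TARGETS = {"vista.exe"}

# Constructed sample modelled on the SREng log in the post; not a real capture.
SAMPLE_LOG = """\
启动项目
注册表
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\360rpt.exe]
<IFEO[360rpt.exe]><C:\\WINDOWS\\system32\\vista.exe>[Microsoft Corporation]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\360Safe.exe]
<IFEO[360Safe.exe]><C:\\WINDOWS\\system32\\vista.exe>[Microsoft Corporation]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe]
<IFEO[taskmgr.exe]><C:\\WINDOWS\\system32\\vista.exe>[Microsoft Corporation]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\myapp.exe]
<IFEO[myapp.exe]><C:\\Program Files\\Debugging Tools\\windbg.exe>[Microsoft Corporation]
==================================
服务
"""


def parse_ifeo(log_text):
    """Return a list of (image, debugger_target) pairs from the IFEO detail lines."""
    return [(m.group("image"), m.group("target")) for m in IFEO_LINE.finditer(log_text)]


def find_hijacks(entries, min_shared=2):
    """Return the (image, target) pairs that look like IFEO hijacks.

    Two independent signals; either one is enough:
      * the Debugger target's file name is one this variant is known to use, or
      * the same Debugger target is registered for at least `min_shared` different
        images, which a legitimate debugger setup almost never does but a mass
        hijack always does.
    """
    by_target = Counter(target.lower() for _, target in entries)
    flagged = []
    for image, target in entries:
        base = target.lower().rsplit("\\", 1)[-1]
        if base in KNOWN_BAD_TARGETS or by_target[target.lower()] >= min_shared:
            flagged.append((image, target))
    return flagged


def hijacked_images(log_text):
    """Convenience wrapper: image names (only) that should be removed from IFEO."""
    return [image for image, _ in find_hijacks(parse_ifeo(log_text))]


if __name__ == "__main__":
    for image, target in find_hijacks(parse_ifeo(SAMPLE_LOG)):
        print(f"hijacked: {image} -> {target}")
```

Feed it a saved SREng report; each flagged image corresponds to one IFEO key that the fix section says to delete, while a lone entry pointing at a real debugger is left alone.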
Fix:
Download SREng and IceSword (both available from down.45it.com).
1. Unpack IceSword, rename it to 1.com (so it is not caught by the IFEO entry for IceSword.exe) and run it.
Click the File button in the lower left corner.
Delete the following files:
%systemroot%\system32\config\systemprofile\vista.exe
%systemroot%\system32\a.jpg
%systemroot%\system32\Flower.dll
%systemroot%\system32\vista.exe
%systemroot%\windows.exe
as well as test.exe and autorun.inf in the root of every partition.
2. Open SREng.
Startup Items -> Registry: delete all the IFEO entries shown in red.
System Repair -> Windows Shell/IE: select all and repair.