Virus behaviour:
This is a variant of AV終結者 (AV Terminator). It restores the system SSDT, terminates antivirus processes or hijacks their images via IFEO, injects itself into a system process so that it cannot be deleted, and creates large numbers of autorun files to spread automatically.
1) Searches the running processes for one with PID 4; if none is found, it exits (this is the check for an NT-based system).
2) Checks whether AUTORUN.INF exists in the current directory; if it does, takes the first 3 bytes of the current file path (the drive root) and opens it. This determines whether it was launched from autorun.inf.
3) Creates the SHALONG mutex; if the mutex already exists, it exits.
4) Sets the attributes of its own file to hidden and system.
5) Deletes the following files:
c:\windows\system32\mfc71.dll
C:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll
D:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll
F:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll
c:\windows\system32\drivers\etc\hosts
c:\winnt\system32\drivers\etc\hosts
6) Searches the running processes for safeboxTray.exe (360 Safe Box); if found, terminates it.
7) Sets the system time to the year 2004.
8) Runs the following commands, granting Everyone full control of each file:
cacls.exe c:\windows\system32\packet.dll /e /p everyone:f
cacls.exe c:\windows\system32\pthreadVC.dll /e /p everyone:f
cacls.exe c:\windows\system32\wpcap.dll /e /p everyone:f
cacls.exe c:\windows\system32\drivers\npf.sys /e /p everyone:f
cacls.exe c:\windows\system32\npptools.dll /e /p everyone:f
cacls.exe c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
cacls.exe c:\windows\system32\wanpacket.dll /e /p everyone:f
cacls.exe "c:\Documents and Settings\All Users\「開始」菜單\程序\啟動" /e /p everyone:f
cacls.exe c:\windows\system32\drivers\etc\hosts /e /p everyone:f
cacls.exe c:\windows\system32\ftp.exe /e /p everyone:f
9) Calls the fifth export of sfc_os.dll to disable Windows File Protection for %sys32dir%\drivers\beep.sys, %sys32dir%\spoolsv.exe and %sys32dir%\dllcache\spoolsv.exe.
10) Sends SERVICE_CONTROL_STOP to the beep service and sets the file attributes of beep.sys to Normal.
11) Decrypts data from its data section, writes it over beep.sys and starts the beep service; the replacement driver's job is to restore the SSDT.
12) Searches the running processes for any of the following and terminates them:
wuauclt.exe, EsuSafeguard.exe, VsTskMgr.exe, Avp.EXE, Iparmor.exe, KVWSC.ExE, kvsrvxp.exe, kvsrvxp.kxp, KvXP.kxp, KRegEx.exe, AntiArp.exe, VPTRAY.exe, VPC32.exe, scan32.exe, FrameworkService.exe, KASARP.exe, nod32krn.exe, nod32kui.exe, TBMon.exe, rfwmain.exe, RavStub.exe, rfwstub.exe, rfwProxy.exe, rfwsrv.exe, UpdaterUI.exe, kissvc.exe, kav32.exe, kwatch.exe, KAVPFW.EXE, kavstart.exe, kmailmon.exe, GFUpd.exe, Ravxp.exe, GuardField.exe, RAVMOND.EXE, RAVMON.EXE, Center.EXE, RSTray.exe, RAv.exe, Runiep.exe, 360rpt.EXE, 360tray.exe, 360Safe.exe
13) Stops the following antivirus services:
Norton AntiVirus Server, McAfee Framework Service, Symantec AntiVirus Definition Watcher, Symantec AntiVirus Drivers Services, Symantec AntiVirus, Kingsoft Internet Security Common Service, KPfwSvc, KWhatchsvc, McShield, sharedaccess
14) Compares its current run path with %sys32dir%\spoolsv.exe; if they differ, moves %sys32dir%\spoolsv.exe to c:\ttmm.tep and copies itself to %sys32dir%\spoolsv.exe and %sys32dir%\dllcache\spoolsv.exe.
15) Runs cmd.exe /c net1 start server to start the Server service.
16) Opens IE hidden and injects its download routine into that process:
(1) Copies %sys32dir%\urlmon.dll to %sys32dir%\aktwkss.dll.
(2) Resolves URLDownloadToFileA from it, then downloads and runs the following files:
/dd/x.gif to C:\Program Files\ccd.pif
/dd/1.gif to C:\Program Files\11.pif
/dd/2.gif to C:\Program Files\22.pif
/dd/3.gif to C:\Program Files\33.pif
/dd/4.gif to C:\Program Files\44.pif
/dd/5.gif to C:\Program Files\55pif
/dd/6.gif to C:\Program Files\66.pif
/dd/7.gif to C:\Program Files\77.pif
/dd/8.gif to C:\Program Files\88.pif
/dd/9.gif to C:\Program Files\99.pif
/dd/10.gif to C:\Program Files\1010.pif
17) Adds a registry autostart value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\internetnet: "C:\WINDOWS\system32\spoolsv.exe"
18) Adds IFEO image hijacks: under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, a debugger value of "C:\WINDOWS\system32\dllcache\spoolsv.exe" is set for each of the following image names, so that launching any of these tools runs the malware copy instead:
360rpt.EXE, 360safe.EXE, 360safebox.EXE, 360tray.EXE, ANTIARP.EXE, ArSwp.EXE, Ast.EXE, AutoRun.EXE, AutoRunKiller.EXE, AvMonitor.EXE, AVP.COM, AVP.EXE, CCenter.EXE, Frameworkservice.EXE, GFUpd.EXE, GuardField.EXE, HijackThis.EXE, IceSword.EXE, Iparmor.EXE, KASARP.EXE, kav32.EXE, KAVPFW.EXE, kavstart.EXE, kissvc.EXE, kmailmon.EXE, KPfwSvc.EXE, KRegEx.EXE, KVMonxp.KXP, KVSrvXP.EXE, KVWSC.EXE, kwatch.EXE, Mmsk.EXE, msconfig.EXE, Navapsvc.EXE, nod32krn.EXE, Nod32kui.EXE, PFW.EXE, QQDoctor.EXE, RAV.EXE, RavStub.EXE, Regedit.EXE, rfwmain.EXE, rfwProxy.EXE, rfwsrv.EXE, rfwstub.EXE, RSTray.EXE, Runiep.EXE, safeboxTray.EXE, SREngLdr.EXE, TrojanDetector.EXE, Trojanwall.EXE, TrojDie.KXP, VPC32.EXE, VPTRAY.EXE, WOPTILITIES.EXE
19) Modifies the hidden-file display setting: the CheckedValue under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL is changed to 0x1 (0x2 means show).
20) Deletes the following values to break Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\:"DiskDrive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\:"DiskDrive"
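An added triage script (not from the page, the malware, or any vendor) that checks an exported .reg file for the changes in steps 17, 18 and 20: IFEO debugger hijacks, the policies\explorer\run autostart, and the missing SafeBoot DiskDrive class keys. The export embedded in it is constructed for the example; key paths are compared case-insensitively.

```python
"""Triage a Windows registry export (.reg text) for the changes listed above: IFEO "debugger"
hijacks, the policies\\explorer\\run autostart and missing SafeBoot DiskDrive class keys.
Added example, not the page's or any vendor's code; the export below is constructed."""
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
POLICY_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
SAFEBOOT_DISK = (  # both must exist for Safe Mode to boot; step 20 on the page deletes them
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}",
)

# Constructed export: one IFEO hijack, the autostart value, and only the Minimal SafeBoot key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"Debugger"="C:\\WINDOWS\\system32\\dllcache\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"internetnet"="C:\\WINDOWS\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""

def parse_reg(text):
    """Return {key_path: {value_name_lower: data}}; .reg files escape backslashes in strings as \\\\."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"').lower()] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit(text):
    """Findings for the registry changes described on this page (case-insensitive key match)."""
    keys, findings = parse_reg(text), []
    for path, values in keys.items():
        if path.lower().startswith(IFEO.lower() + "\\") and "debugger" in values:
            image = path.rsplit("\\", 1)[-1]
            findings.append(f"IFEO hijack: {image} -> {values['debugger']}")
        elif path.lower() == POLICY_RUN.lower():
            for name, data in values.items():
                findings.append(f"policies\\explorer\\run autostart: {name} = {data}")
    present = {k.lower() for k in keys}
    for path in SAFEBOOT_DISK:
        if path.lower() not in present:
            findings.append(f"SafeBoot DiskDrive key missing: {path}")
    return findings
```

Run `audit(open("export.reg", encoding="utf-16").read())` against a real `reg export` to triage a suspect machine; an empty IFEO result and both SafeBoot keys present is the clean baseline.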
21) Enumerates drive letters C to Z; for every drive whose type is Fixed, copies itself to the drive root as HGZP.PIF, creates a matching autorun.inf, and sets both files to system and hidden.
22) Enumerates windows and sends WM_CLOSE to any whose title contains one of the following strings (matched as-is; English glosses in parentheses):
殺毒清理 (antivirus / clean-up), sreng, worm, 卡巴斯基 (Kaspersky), 超級巡警 (Super Patrol), 江民金山 (Jiangmin / Kingsoft), Antivirus, firewall, 檢測 (detect), mcafee, 病毒防火墻 (virus firewall), 主動防禦 (active defence), 微點防禦 (Micropoint defence), 綠鷹木馬 (Green Eagle trojan remover), 瑞星進程 (Rising / process), process, nod32, 專殺安全衛士 (special-purpose remover / Safeguard)