Email-Worm.Win32.Zhelatin.bb

This virus is a worm. When run it drops a large number of files, modifies the registry and adds autostart entries so that it is launched with the system, connects to the network to download further malicious files, and uses a Ring 0 (kernel-mode) component. It searches the computer for e-mail addresses and mails itself out automatically, attaching a copy of the virus to each message.

Virus introduction

Virus name: Email-Worm.Win32.Zhelatin.bb
Virus type: Worm
File MD5: 89ABF35C87A2E20E63CA484364E055C8
Disclosure: fully public
Threat level: 4
File length: 9,310 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 6.0 - 7.0
Packer: unknown packer
Naming cross-reference: 驅逐艦 [Trojan.Packed.46]
AntiVir [TR/Small.DBY.BE]
Behaviour analysis:
1. After running, the virus drops a large number of files:
%WINDIR%\pp.exe
%WINDIR%\via.exe
%WINDIR%\xpupdate.exe
%WINDIR%\comdlg64.dll
%system32%\adirka.dll
%system32%\adirka.exe
%system32%\adirss.exe
%system32%\dd.exe
%system32%\dlh9jkd1q1.exe
%system32%\dlh9jkd1q2.exe
%system32%\dlh9jkd1q5.exe
%system32%\dlh9jkd1q6.exe
%system32%\dlh9jkd1q7.exe
%system32%\dlh9jkd1q8.exe
%system32%\drivers\etc\hosts (an existing system file that the worm overwrites, not a new file)
%system32%\kernels32.exe
%system32%\lnwin.exe
%system32%\ma.exe.exe
%system32%\max1d641.exe
%system32%\naduhm.dll
%system32%\pfxzmtaim.dll
%system32%\pfxzmtforum.dll
%system32%\pfxzmtgtal.dll
%system32%\pfxzmticq.dll
%system32%\pfxzmtsmt.dll
%system32%\pfxzmtsmtspm.dll
%system32%\pfxzmtwbmail.dll
%system32%\pfxzmtymsg.dll
%system32%\pkfy.dll
%system32%\pp.exe.exe
%system32%\qvx5gamet2.exe
%system32%\qvxga6met3.exe
%system32%\qvxga7met4.exe
%system32%\rsvp32_2.dll
%system32%\sfxzmtforum.dll
%system32%\sfxzmtsmt.dll
%system32%\sfxzmtsmtspm.dll
%system32%\sfxzmtwbmail.dll
%system32%\sm.exe
%system32%\spoolsvv.exe
%system32%\sporder.dll
%system32%\vexg4am1et2.exe
%system32%\vexg6ame4.exe
%system32%\vexga1me4t1.exe
%system32%\vexga3me2.exe
%system32%\vexga4m1et4.exe
%system32%\vexga4me1.exe
%system32%\vexga5me3.exe
%system32%\wincom32.ini
%system32%\zlbw.dll
%system32%\zu.exe.exe
%Documents and Settings%\commander\Local Settings\Temp\31.tmp
%Documents and Settings%\commander\Local Settings\Temp\33.tmp
%Documents and Settings%\commander\Local Settings\Temp\tmkeylfa.exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\ma[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\sm[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\60787[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\dd[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[2].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\20509[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\via[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\zu[1].exe
(commander is the user account on the analysis machine; substitute the account that was logged on. The Content.IE5 entries are Internet Explorer cache copies of the files downloaded in step 2, and the cache sub-folder names such as CHUFWD67 are generated randomly on each machine.)
2. Connects to the network, downloads the following files and runs them (the server addresses are masked in the report):
http://8*.9*.1*8.1*8/20509.exe
http://8*.9*.1*8.1*8/60787.exe
http://8*.9*.1*8.1*8/soft/1.exe
http://2*8.6*.2*.1*0/test1.exe
http://2*8.6*.2*.1*0/soft/2.exe
http://2*8.6*.2*.1*0/soft/3.exe
http://www.g*yst*g*y.com/task/taskmgr32.exe
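Because the report masks the download servers, the host part of these URLs cannot be matched directly, but the request paths can. The following Python script is an added example and is not part of the original report: it scans proxy log lines for requests to the listed paths and correlates them per client, since a single path such as /soft/2.exe is not unique to this worm. The log format ("time client method url status"), the sample lines (which use documentation addresses and example.com rather than the real servers), and the two-path threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URL paths from the report's download list (item 2). The report masks the
# servers' IP digits and domain, so matching keys on the path component only.
DOWNLOAD_PATHS = frozenset({
    "/20509.exe", "/60787.exe", "/soft/1.exe", "/test1.exe",
    "/soft/2.exe", "/soft/3.exe", "/task/taskmgr32.exe",
})

# Constructed proxy-log sample (not from the report). The line format is an
# assumption: "<time> <client-ip> <method> <url> <status>". Hosts are RFC 5737
# documentation addresses and example.com so nothing here names a real server.
SAMPLE_LOG = """\
2007-02-10T09:12:01 10.0.0.17 GET http://192.0.2.10/20509.exe 200
2007-02-10T09:12:03 10.0.0.17 GET http://192.0.2.10/soft/1.exe 200
2007-02-10T09:12:05 10.0.0.17 GET http://www.example.com/index.html 200
2007-02-10T09:13:40 10.0.0.22 GET http://198.51.100.7/soft/2.exe 200
2007-02-10T09:14:02 10.0.0.31 GET http://www.example.com/task/taskmgr32.exe 404
2007-02-10T09:15:00 10.0.0.22 GET http://198.51.100.7/soft/3.exe 200
malformed line that must be skipped, not crash the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def match_downloads(log_text):
    """Return (timestamp, client, path, status) for every request whose URL
    path is one of DOWNLOAD_PATHS. Lines in an unexpected format are skipped.
    The HTTP status is kept so that a 404 (attempted fetch, nothing downloaded)
    can be told apart from a completed 200."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = urlsplit(m["url"]).path.lower() or "/"
        if path in DOWNLOAD_PATHS:
            hits.append((m["ts"], m["client"], path, int(m["status"])))
    return hits


def triage(hits, min_paths=2):
    """Group matches per client. One path alone is weak evidence ("/soft/2.exe"
    is not unique to this worm), so a client goes to 'likely' only after it
    requested at least `min_paths` distinct listed paths; the rest go to
    'review' for a manual look."""
    per_client = defaultdict(set)
    for _ts, client, path, _status in hits:
        per_client[client].add(path)
    likely = {c for c, paths in per_client.items() if len(paths) >= min_paths}
    return {"likely": likely, "review": set(per_client) - likely}


if __name__ == "__main__":
    hits = match_downloads(SAMPLE_LOG)
    for ts, client, path, status in hits:
        print(f"{ts} {client} requested {path} (HTTP {status})")
    print(triage(hits))
```

On the sample, 10.0.0.17 and 10.0.0.22 each requested two listed paths and are reported as likely infections, while 10.0.0.31, which made a single failed request, is left for review.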
3. Modifies the registry:
Modified value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\NumberOfCrashes
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)
(Dr. Watson increments this counter whenever a process crashes, so the change is a side effect of a crash during execution rather than a setting the worm relies on.)
Added values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: string: "System"="C:\WINDOWS\system32\kernels32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Value: string: "Windows update loader"="C:\Windows\xpupdate.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq\
Value: string: "DllName"="C:\WINDOWS\system32\a3dxq.dll"
Value: string: "Startup"="Startup"
Value: DWORD: "Impersonate"=1 (0x1)
(A Winlogon Notify package is loaded into winlogon.exe, which runs as SYSTEM, so the DLL is active before any user logs on and is unaffected by terminating the worm's own processes. a3dxq.dll does not appear in the dropped-file list in item 1, so check for it separately.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime\
Value: string: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Value: DWORD: "RTimestamp"=1791431567 (0x6ac7138f)
HKEY_CURRENT_USER\
Value: DWORD: "WindowsSubVersion"=21656171 (0x14a726b)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\
Value: DWORD: "c"=0 (0)
4. Uses a Ring 0 technique, loading a kernel-mode driver that is registered as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime\
Value: string: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"
(runtime.sys, like a3dxq.dll, is referenced only here and is not in the dropped-file list in item 1; check %system32%\drivers for it.)
5. The virus searches the computer for e-mail addresses and mails itself out automatically, with a copy of the virus as the attachment.
Note: %System% is a variable path. The virus queries the operating system to locate the current System folder. The default is C:\Winnt\System32 on Windows NT/2000, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP. %WINDIR% is the Windows directory (C:\Winnt or C:\Windows), and %system32% in the lists above denotes the same folder as %System%.
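The autostart entries in items 3 and 4 are what an investigator checks first on a suspect machine, usually from a `reg export` of the relevant keys. The Python script below is an added example and is not part of the original report: it parses a Windows 5.00 .reg export and flags Run values, Winlogon Notify packages and service ImagePaths whose image file is one of the report's indicators. The sample .reg text is constructed for the example (the report's entries mixed with benign ones such as ctfmon.exe), and the function names and the IOC_IMAGES set are assumptions; the hex(2) data shows how a REG_EXPAND_SZ value such as ImagePath actually looks in an export.

```python
import re
from ntpath import basename  # Windows path rules even when run on Linux/macOS

# Images named by the report's added registry entries (items 3 and 4); the
# other dropped executables from item 1 can be added to the same set.
IOC_IMAGES = {"kernels32.exe", "xpupdate.exe", "a3dxq.dll", "runtime.sys"}

# Constructed sample of a `reg export` file (not from the report): the report's
# entries mixed with benign ones. REG_EXPAND_SZ data appears the way regedit
# writes it, as hex(2) UTF-16LE bytes with backslash line continuations.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\system32\\kernels32.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows update loader"="C:\\Windows\\xpupdate.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq]
"DllName"="C:\\WINDOWS\\system32\\a3dxq.dll"
"Startup"="Startup"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,72,00,75,00,6e,00,74,00,\
  69,00,6d,00,65,00,2e,00,73,00,79,00,73,00,00,00
"""

VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

def _unquote(s):
    # .reg string syntax: surrounding quotes; backslash escapes \ and "
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def _decode(data):
    """Turn the text after '=' into (registry type, Python value)."""
    if data.startswith('"'):
        return "REG_SZ", _unquote(data)
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<b>.*)$", data, re.I)
    if m:
        raw = bytes(int(h, 16) for h in m["b"].split(",") if h)
        kind = int(m["t"] or "3", 16)    # bare "hex:" is REG_BINARY (type 3)
        if kind == 2:                    # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0")
        return f"REG_TYPE_{kind}", raw
    return "UNKNOWN", data

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: (type, value)}}. Deletion syntax is not handled."""
    lines, buf = [], ""
    for line in text.splitlines():      # join backslash-continued hex lines
        line = buf + line.strip() if buf else line.rstrip()
        buf = ""
        if line.endswith("\\") and not line.startswith("["):
            buf = line[:-1]
        else:
            lines.append(line)
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:   # header, blanks and comments fall through
            name = "" if m["name"] == "@" else _unquote(m["name"])
            current[name] = _decode(m["data"])
    return keys

# (category, key pattern, value to inspect or None for every value in the key)
AUTOSTART = (
    ("run key", r"\\Microsoft\\Windows\\CurrentVersion\\Run$", None),
    ("winlogon notify", r"\\Winlogon\\Notify\\[^\\]+$", "DllName"),
    ("service/driver", r"\\CurrentControlSet\\Services\\[^\\]+$", "ImagePath"),
)

def find_persistence(keys):
    """Return (category, key, value name, image) for every autostart entry
    whose image file name is one of IOC_IMAGES."""
    found = []
    for key, values in keys.items():
        for category, pattern, only in AUTOSTART:
            if not re.search(pattern, key, re.I):
                continue
            for name, entry in values.items():
                if (only and name.lower() != only.lower()) or not isinstance(entry[1], str):
                    continue
                cmd = entry[1].strip()  # quoted path, else first token of an unquoted one
                image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
                if basename(image).lower() in IOC_IMAGES:
                    found.append((category, key, name, image))
    return found

if __name__ == "__main__":
    for category, key, name, image in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {key}\n    {name} = {image}")
```

Run against the sample, the script reports exactly the four entries from the report (the two Run values, the A3dxq Notify DLL and the Runtime driver) and ignores the benign ctfmon.exe and VMware Tools values; the same functions work on a real export produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and the Run and Winlogon keys.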

Removal method

Removal procedure:
1. Use 安天木馬防線 to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings according to the behaviour analysis above:
(1) Use the "process management" function of 安天木馬防線 to terminate the virus processes. Because the Notify DLL runs inside winlogon.exe and runtime.sys runs in the kernel, some of the dropped files may stay locked while the system is running normally; deleting them from Safe Mode or from an offline boot is more reliable.
(2) Delete the virus files listed under item 1 of the behaviour analysis above (replace commander with the account that was logged on). Two kinds of entry in that list are not malware files and need different handling: %system32%\drivers\etc\hosts is the system hosts file that the worm overwrites, so restore it to its original content (a clean Windows hosts file contains only comment lines and "127.0.0.1 localhost") rather than deleting it, and the Temporary Internet Files\Content.IE5 entries are browser cache copies of the downloaded files, which clearing the Internet Explorer cache removes. Also check for and delete %system32%\a3dxq.dll and %system32%\drivers\runtime.sys, which are referenced by the registry entries in items 3 and 4 although they are not in the dropped-file list.
(3) Restore the registry value the virus modified and delete the values and keys it added, as listed under items 3 and 4 of the behaviour analysis:
Delete the value "System" from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the value "Windows update loader" from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Delete the whole key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq (with its DllName, Startup and Impersonate values)
Delete the whole key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime so that runtime.sys is no longer loaded at boot
Delete the value "RTimestamp" from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer, the value "WindowsSubVersion" from HKEY_CURRENT_USER, and the value "c" from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D
The modified HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\NumberOfCrashes counter (old 1, new 2) is a crash count and needs no attention. Reboot afterwards and confirm that none of these entries has been recreated, since any component still running could re-add them.
