Worm.Win32.Fujack.b

When this virus runs, it drops its files into the system directory and adds registry autorun entries so that the virus body is launched with the system. It creates an autorun.inf file on every logical drive to lure the user into double-clicking it and so running the virus body. It injects a virus thread into system processes, runs the virus process spcolsv.exe, hooks the API calls made by processes, and closes applications such as Task Manager. The virus may also spread over the local area network.

Details

File MD5: 5635121EEFE47333D00FFF1FD4A5021F
Disclosure level: fully public
Threat level: high
File size: 57,344 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0 [Overlay]
Packer: ARVID's TDR file
Aliases: 驅逐艦 [Win32.HLLP.Whboy]; Rising [Worm.Nimaya.av]

Behavior analysis

1. Drops the following copies and files:

C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\drivers\ws2ifsl.sys
%System32%\drivers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.dll

2. Creates the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
    Value: String: "%WinDir%\system32\drivers\spcolsv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Value: String: "%WinDir%\zaq10.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
    Value: String: "%WinDir%\zaq4.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
    Value: String: "%WinDir%\zaq2.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
    Value: String: "%WinDir%\zaq5.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
    Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Description
    Value: String: "為遠程計算機註冊並更新 IP 地址。" (Chinese; in English: "Registers and updates IP addresses for remote computers.")

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\DisplayName
    Value: String: "Windows DHCP Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
    %WINDOWS%\system32\\rundll32.exe windhcp.ocx,start.

3. Modifies the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
    New: DWORD: 0 (0)
    Old: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
    New: Type: REG_BINARY Length: 888 (0x378) bytes, provider path %WINDir%\system32\WSD_SOCK32.dll
    Old: Type: REG_BINARY Length: 888 (0x378) bytes, provider path %SystemRoot%\system32\mswsock.dl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{11017031-7031-1012-3110-031010311012}
    Value: String: ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11017031-7031-1012-3110-031010311012}\InProcServer32\@
    Value: String: "C:\Program Files\Common Files\Microsoft\Shared\MSINFO\70311012.dll"

4. Fetches the page http://wan**a.9966.org//down.txt to obtain the download addresses of further virus bodies:

wan**a.9966.org (60.19*.1*4.219)
http://wan**a.9966.org/zaq4.exe
http://wan**a.9966.org/zaq1.exe
http://wan**a.9966.org/zaq2.exe
http://wan**a.9966.org/zaq3.exe
http://wan**a.9966.org/zaq5.exe
http://wan**a.9966.org/zaq6.exe
http://wan**a.9966.org/zaq9.exe
http://wan**a.9966.org/zaq10.exe
http://wan**a.9966.org/zaq7.exe

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

--------------------------------------------------------------------------------

Removal

1. Use Antiy Ghostbusters (安天木馬防線) to remove this virus completely (recommended).

2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis above.

(1) Use the Process Manager in Antiy Ghostbusters to terminate the virus processes:

spcolsv.exe
zaq5.exe

(2) Delete the files dropped by the virus:

C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\drivers\ws2ifsl.sys
%System32%\drivers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.dll

(3) Restore the registry values the virus modified and delete the registry entries it added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
    Value: String: "%WinDir%\system32\drivers\spcolsv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Value: String: "%WinDir%\zaq10.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
    Value: String: "%WinDir%\zaq4.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
    Value: String: "%WinDir%\zaq2.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
    Value: String: "%WinDir%\zaq5.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
    Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
    New: DWORD: 0 (0)
    Old: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
    New: Type: REG_BINARY Length: 888 (0x378) bytes, provider path %WINDir%\system32\WSD_SOCK32.dll
    Old: Type: REG_BINARY Length: 888 (0x378) bytes, provider path %SystemRoot%
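Before deleting anything by hand, it helps to confirm which of the registry indicators from the behavior analysis (sections 2 and 3) and step (3) above are actually present. The following is an added example, not part of the original write-up or of any Antiy tool: it parses a regedit .reg export offline and reports the Fujack.b autorun values, the fake WinDHCPsvc service, the SHOWALL change, the ShellExecuteHooks CLSID and the Winsock catalog replacement. The sample export and the function names are constructed for this example.

```python
import re
FUJACK_CLSID = "{11017031-7031-1012-3110-031010311012}"  # CLSID from the ShellExecuteHooks entry above
PAYLOADS = re.compile(r"spcolsv\.exe|zaq\d+\.exe|upxdn\.exe")  # dropped files named above

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: raw_data}}; hex continuation lines are joined."""
    keys, key = {}, None
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("[") and line.endswith("]"):
            keys[(key := line[1:-1])] = {}
        elif key and "=" in line:
            name, data = line.split("=", 1)
            keys[key][name.strip('"')] = data
    return keys

def decode_value(data):
    """REG_SZ data without quotes, or hex/hex(2)/hex(3) bytes decoded to text; lower-cased."""
    if data.lower().startswith("hex"):
        raw = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
        data = raw.decode("utf-16-le" if raw[1:2] == b"\x00" else "latin-1", "ignore")
    return data.strip('"').lower()

CHECKS = [  # (key-path fragment, test on value name and decoded data, reason) per indicator
    ("\\currentversion\\run", lambda n, t: PAYLOADS.search(t), "autorun entry launches a Fujack.b dropped file"),
    ("\\services\\windhcpsvc", lambda n, t: "windhcp.ocx" in t, "fake 'Windows DHCP Service' loads windhcp.ocx"),
    ("\\hidden\\showall", lambda n, t: n == "CheckedValue" and t == "dword:00000000", "'Show hidden files' disabled"),
    ("\\shellexecutehooks", lambda n, t: n == FUJACK_CLSID, "ShellExecuteHook CLSID registered by Fujack.b"),
    ("\\protocol_catalog9", lambda n, t: "wsd_sock32.dll" in t, "Winsock LSP catalog entry points at WSD_SOCK32.dll"),
]

def scan_for_fujack(reg_text):
    """Return (key, value_name, reason) for every Fujack.b registry indicator in a .reg export."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            text = decode_value(data)
            findings += [(key, name, why) for frag, test, why in CHECKS if frag in key.lower() and test(name, text)]
    return findings
# Constructed sample export (not from a real host) carrying four of the page's indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spcolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc]
"ImagePath"=hex(2):72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  77,00,69,00,6e,00,64,00,68,00,63,00,70,00,2e,00,6f,00,63,00,78,00,2c,00,73,00,74,00,61,00,72,00,74,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11017031-7031-1012-3110-031010311012}"=""
'''
```

Run `scan_for_fujack(SAMPLE_REG)` (or pass the text of a real export made with `reg export HKLM out.reg`) and each finding names the key and value to restore or delete in step (3).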
