Source of the sample: provided by a forum member; the trojan downloader in my own VM has also pulled it down, and requests for help with it have been increasing recently.
Detailed analysis:
File: 1.1
Size: 43543 bytes
MD5: 9139FD02F496B0F8205E13F55D6814A0
SHA1: 2F1DE9E0B851FDB9B7FC8EA368B7A87B38A13E4C
CRC32: F564476E
1.1 is a DLL. Once loaded with rundll32.exe it creates the following files:
C:\WINDOWS\system32\1.1
C:\WINDOWS\system32\718.50 (random file name)
The virus keeps these files open with exclusive access, so they cannot be deleted, copied or renamed.
It deletes the key
HKLM\SYSTEM\ControlSet001\Control\SafeBoot
which breaks Safe Mode.
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it adds the value
C:\WINDOWS\system32\rundll32.exe 1.1 s
so that it runs at startup.
Under
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
it adds the value DisableCMD with data 0x00000001, which disables cmd.exe.
It monitors for the following processes and blocks the following DLLs from loading; if one is found it is terminated immediately and its file deleted:
mmskskin.dll
kkclean.dll
VirUnk.def
AntiActi.dll
Rsaupd.exe
Iereset.dll
Libclsid.dat
KnetWch.sys
CleanHis.dll
WoptiClean.sys
kakaliv.def
libdll.dat
kkinst.ini
Ras.exe
ishelp.exe
trojandetector.exe
KAConfig.dll
KAVPassp.dll
hsfw.dll
wopticlean.exe
360safe.exe
It also scans child-window text for the following strings; if one is found, the owning process is terminated and its file deleted:
Smallfrogs
Kingsoft
Antivirus
Antispyware
TrojanDetector
Micropoint
Later analysis showed that the files are not actually deleted but moved to the %temp% folder and renamed _*.TMP,
where * is a number.
It modifies the hosts file to block the update sites of common antivirus products (the same list also redirects several search engines and navigation portals):
61.152.244.167 114.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
... (almost all Kaspersky update sites are blocked)
61.152.244.167 ishare.sina.com.cn
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 www.iask.com
61.152.244.167 iask.com
61.152.244.167 search.tom.com
61.152.244.167 page.so.163.com
61.152.244.167 www.soso.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
61.152.244.167 m2126.com
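A hosts file this long is easier to audit mechanically than by eye. The script below is an added example (not part of the original post) that parses a hosts file, flags every non-loopback redirection of a security-vendor or update hostname, flags any single IP that sinkholes several hostnames, and returns a cleaned copy with the flagged lines removed. The keyword list, the sinkhole threshold and the constructed SAMPLE_HOSTS (a few of the entries above plus benign lines) are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts file: a few of the entries listed in the analysis above,
# plus a benign localhost line and a made-up intranet entry (assumption).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
61.152.244.167 www.360safe.com
222.73.126.115 update.360safe.com
222.73.126.115 update.rising.com.cn
61.152.244.167 security.symantec.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
61.152.244.167 www.google.com
192.168.1.10    fileserver.corp.example   # constructed benign intranet entry
"""

# Substrings that identify antivirus vendors / update hosts in the list above
# (assumption: extend this for your own environment).
SECURITY_KEYWORDS = ("360safe", "rising", "kaspersky", "jiangmin", "duba", "symantec",
                     "mcafee", "ikaka", "kingsoft", "micropoint", "pcav", "update", "shadu")

# Any non-loopback IP that sinkholes at least this many hostnames is treated as a hijack.
SINKHOLE_THRESHOLD = 3


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank, comment-only or malformed line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address; ignore
        for host in parts[1:]:                    # one IP may map several names
            entries.append((lineno, ip, host.lower()))
    return entries


def audit_hosts(text):
    """Return a list of suspicious mappings with the reasons each was flagged."""
    entries = parse_hosts(text)
    # Loopback / 0.0.0.0 mappings are the normal ad-block style and are not hijacks.
    hijack_ips = Counter(ip for _, ip, _ in entries
                         if not (ip.is_loopback or ip.is_unspecified))
    findings = []
    for lineno, ip, host in entries:
        if ip.is_loopback or ip.is_unspecified:
            continue
        reasons = []
        if any(k in host for k in SECURITY_KEYWORDS):
            reasons.append("security/update domain redirected to a remote IP")
        if hijack_ips[ip] >= SINKHOLE_THRESHOLD:
            reasons.append(f"{hijack_ips[ip]} hostnames pointed at the same IP")
        if reasons:
            findings.append({"line": lineno, "ip": str(ip), "host": host, "reasons": reasons})
    return findings


def clean_hosts(text, findings):
    """Return the hosts file text with every flagged line removed."""
    bad_lines = {f["line"] for f in findings}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS)
    for f in found:
        print(f"line {f['line']}: {f['ip']} -> {f['host']}: {'; '.join(f['reasons'])}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS, found), end="")
```

On the sample, the sinkhole heuristic is what catches www.google.com, which matches no vendor keyword; the vendor keywords catch the update hosts even when an attacker spreads them over many IPs. On a real machine, feed it C:\WINDOWS\system32\drivers\etc\hosts and write the cleaned text back only after the DLL has been removed, since the sample keeps its files open and will otherwise keep interfering.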
It then connects to the network to download further trojans
and creates the following files:
C:\WINDOWS\system32\56789a.lmn
C:\WINDOWS\system32\hijklmn.123
C:\WINDOWS\system32\VOHATM.dll
Removal:
1. Use IceSword to locate the files
C:\WINDOWS\system32\1.1
C:\WINDOWS\system32\718.50 (random file name)
right-click them and choose Force Delete.
2. Open SREng, go to Startup Items -> Registry,
and delete the following entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<A><C:\WINDOWS\system32\rundll32.exe 1.1 s> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{B852FC96-B852-30DA-1EB8-FC9630DA741E}><C:\WINDOWS\system32\VOHATM.dll> []
Reboot the computer, then delete
C:\WINDOWS\system32\VOHATM.dll
C:\WINDOWS\system32\56789a.lmn
C:\WINDOWS\system32\hijklmn.123
3. Start -> Run, type regedit, expand
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
and delete the DisableCMD value.
This is a malicious virus of the same type as "AV Terminator" (AV终结者). It is usually dropped by trojan downloaders; once run, its main job is to cripple the computer's security software, after which other trojans and viruses follow in droves. Keep antivirus and firewall software up to date and the system fully patched to guard against this kind of infection.
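Steps 2 and 3 come down to recognising the suspicious autostart entries and deleting registry values. The script below is an added example (not from the original post, and not SREng's own code) that parses an SREng-style listing like the one in step 2, flags rundll32 entries whose module has no .dll extension or is given by bare name, flags ShellExecuteHooks DLLs outside a small allowlist, and builds a .reg file that deletes the flagged values together with the DisableCMD policy value from step 3. The SAMPLE_DUMP text (the entries from step 2 plus two benign ones) and the allowlist containing only the stock shell32.dll hook are assumptions.

```python
import re

# Constructed SREng-style listing modelled on the entries shown in step 2 above, with two
# benign entries added for contrast (assumption: a clean XP install carries the shell32.dll hook).
SAMPLE_DUMP = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<A><C:\WINDOWS\system32\rundll32.exe 1.1 s> [N/A]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><C:\WINDOWS\system32\shell32.dll> [Microsoft Corporation]
<{B852FC96-B852-30DA-1EB8-FC9630DA741E}><C:\WINDOWS\system32\VOHATM.dll> []
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>\s*\[([^\]]*)\]$")   # <name><command> [publisher]
SHELLHOOK_ALLOW = {"shell32.dll"}   # assumption: the only hook a stock install registers

# Policy value the sample writes (step 3 above); deleting it re-enables cmd.exe.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
POLICY_VALUE = "DisableCMD"


def parse_dump(text):
    """Yield (key, value_name, command, publisher) tuples from an SREng-style listing."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3)


def flag_entry(key, name, cmd, publisher):
    """Return the reasons an autostart entry looks suspicious (empty list if none)."""
    reasons = []
    parts = cmd.split()
    exe = parts[0].rsplit("\\", 1)[-1].lower() if parts else ""
    if exe == "rundll32.exe":
        # rundll32 syntax is "module,EntryPoint args"; it loads any file as a DLL,
        # which is why the sample can call itself "1.1".
        module = parts[1].split(",", 1)[0] if len(parts) > 1 else ""
        if not module.lower().endswith(".dll"):
            reasons.append(f"rundll32 loads a module without a .dll extension: {module!r}")
        if "\\" not in module:
            reasons.append("rundll32 module given by bare name (resolved via the search path)")
    if key.lower().endswith("\\shellexecutehooks"):
        dll = cmd.rsplit("\\", 1)[-1].lower()
        if dll not in SHELLHOOK_ALLOW:
            reasons.append(f"unexpected ShellExecuteHooks DLL: {dll}")
    if reasons and publisher.strip().upper() in ("", "N/A"):
        reasons.append("no publisher information")   # supporting signal only
    return reasons


def audit_autostarts(text):
    """Return one finding per suspicious entry in the listing."""
    findings = []
    for key, name, cmd, publisher in parse_dump(text):
        reasons = flag_entry(key, name, cmd, publisher)
        if reasons:
            findings.append({"key": key, "name": name, "cmd": cmd, "reasons": reasons})
    return findings


def undo_reg(findings):
    """Build a .reg script that deletes every flagged value plus the DisableCMD policy value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f["name"])
    by_key.setdefault(POLICY_KEY, []).append(POLICY_VALUE)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=-')          # "name"=- deletes a value in .reg syntax
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_autostarts(SAMPLE_DUMP)
    for f in found:
        print(f"{f['key']}\n  {f['name']} = {f['cmd']}\n  " + "; ".join(f["reasons"]))
    print(undo_reg(found))
```

Import the generated .reg only after step 1 and the reboot, while the DLL is no longer loaded. Two things the numbered steps do not cover: the SafeBoot key the sample deletes cannot be recreated by deleting anything, so export it from a clean machine running the same Windows version and import it there, and revert the hosts file as well.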