东方微点 (Micropoint)

Network worm worm.win32.autorun.j
Source:  2010-03-05 16:07:08

Network worm: worm.win32.autorun.j

Capture date: 2010-3-5

Threat level: 

Symptoms

  This sample is a network worm written in Visual C++/C and captured automatically by Micropoint Active Defense. It is packed with "upack" in an attempt to evade signature scanning; the packed length is 14,364 bytes, its icon is (image not preserved), and its file extension is "exe". It spreads mainly through file bundling, downloader downloads and removable storage media, and its main purpose is to download large numbers of trojans and other malicious programs.
  After infection, users will notice security software closing for no reason, the network running slowly and Windows reporting unexplained errors.

Affected systems

windows 2000/windows xp/windows 2003/windows vista

Propagation

Malicious web pages (drive-by), file bundling, downloader downloads

Countermeasures

Users who already have Micropoint Active Defense installed need no extra settings: Micropoint Active Defense automatically protects your system from intrusion and damage by this virus. Whether or not you have upgraded to the latest version, Micropoint Active Defense can clean this virus effectively. If you have not upgraded Micropoint Active Defense to the latest version, it will alert you on detecting this virus that an "unknown trojan" has been found; simply choose to delete it (Figure 1).

Figure 1: Micropoint Active Defense automatically capturing the unknown virus (before upgrade)

If you have already upgraded Micropoint Active Defense to the latest version, it will alert you that the trojan "worm.win32.autorun.j" has been found; simply choose to delete it (Figure 2).

Figure 2: Micropoint Active Defense intercepting the known virus after upgrade

Manual removal for users without Micropoint Active Defense installed:

1. Manually delete the following files:

%temp%\nsb15.tmp
%systemroot%\system32\fonts\irret.ini
x:\gril.pif
x:\autorun.inf   (x: is any drive letter)

2. Manually replace the following file:

Replace %systemroot%\system32\linkinfo.dll with the clean copy %systemroot%\system32\dllcache\linkinfo.dll

3. Registry value modified by the virus:

hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\checkedvalue
Value: checkedvalue set to 1

4. Manually delete the following registry keys, all of them subkeys of
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\
named after the security programs they hijack:

360rp.exe, 360rpt.exe, 360safe.exe, 360safebox.exe, 360safeup.exe, 360sd.exe, 360tray.exe, 360upp.exe,
antiarp.exe, arpfw.exe, arswp.exe, ast.exe, autorun.exe, autorunkiller.exe, avmonitor.exe, avp.exe,
ccenter.exe, ccevtmgr.exe, egui.exe, ekrn.exe, frameworkservice.exe, gfupd.exe, guardfield.exe,
hijackthis.exe, icesword.exe, iparmor.exe, kasarp.exe, kav32.exe, kavpfw.exe, kavstart.exe, kissvc.exe,
kpfwsvc.exe, kregex.exe, krnl360svc.exe, kswebshield.exe, kvmonxp.kxp, kvsrvxp.exe, kvwsc.exe, kwatch.exe,
liveupdate360.exe, mcshield.exe, mmsk.exe, naprdmgr.exe, navapsvc.exe, nod32krn.exe, nod32kui.exe, pfw.exe,
rav.exe, ravmon.exe, ravmond.exe, ravservice.exe, ravstub.exe, ravtask.exe, ravtray.exe, rfwmain.exe,
rfwproxy.exe, rfwsrv.exe, rfwstub.exe, rsagent.exe, rsaupd.exe, rsmain.exe, rstray.exe, runiep.exe,
safeboxtray.exe, scanfrm.exe, srengldr.exe, trojandetector.exe, trojanwall.exe, trojdie.kxp, vpc32.exe,
vptray.exe, vstskmgr.exe, woptilities.exe, zhudongfangyu.exe

Variable definitions:

  %systemdrive%             the partition holding the system, usually "c:\"
  %systemroot%              the Windows directory, usually "c:\windows"
  %documents and settings%  the user profile directory, usually "c:\documents and settings"
  %temp%                    the temporary folder, usually "c:\documents and settings\<current user name>\local settings\temp"
  %programfiles%            the default program installation directory, usually "c:\program files"

Virus analysis

(1) On execution, the virus checks whether %systemroot%\system32\taskmgr.exe exists; if it does not, the program exits.
(2) It sets its own file attributes to system and hidden.
(3) It creates a mutex named "gau" so that only one instance runs.
(4) It enables the "sedebugprivilege" privilege for itself to raise its own access rights.
(5) It drops the DLL "%programfiles%\netmeeting\iz.dll" and marks it hidden.
(6) It creates a thread that enumerates and closes antivirus software windows.
(7) It calls rundll32.exe to load %programfiles%\netmeeting\iz.dll with "bob" as the argument, then deletes the file.
(8) Inside iz.dll, it drops the driver "%systemroot%\fonts\pci.sys", creates a service named "pci", sends control codes to the device "\\.\bob", finds and terminates processes such as 360tray.exe, 360safe.exe, safebox.exe, krnl360svc.exe, rstray.exe and mcshield.exe, walks the disks to delete the 360 and Kaspersky installation directories, and restores the SSDT.
(9) It creates a thread that drops the DLL "%temp%\nsb15.tmp", loads it and raises its own privileges.
(10) It downloads a trojan list and saves it locally as irret.ini, then reads the list to download large numbers of trojans and other unknown programs; it also terminates most security software processes, services and windows, deletes security software files, and image-hijacks security software.
(11) It creates a thread that looks for a window of class "afxcontrolbar42s" and closes IceSword.
(12) It checks whether %systemroot%\system32\dllcache\linkinfo.dll exists; if not, it copies %systemroot%\system32\linkinfo.dll to %systemroot%\system32\dllcache\linkinfo.dll. It then drops the driver best.sys, creates a service to start it, modifies %systemroot%\system32\linkinfo.dll, and deletes the driver file.
(13) It image-hijacks avp and drops the driver %systemroot%\fonts\ttqule.sys to terminate the avp process, then deletes the driver.
(14) It walks the disks dropping autorun.inf and gril.pif so that the virus runs automatically.
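The manual removal steps and the analysis above describe the same set of artifacts. The following PowerShell audit is an added example, not a Micropoint tool: it checks a machine for those artifacts read-only and reports what it finds, leaving cleanup to the manual steps. It assumes Windows PowerShell 4 or later run as administrator; every path, service and program name comes from this advisory.

```powershell
# Added example, not Micropoint's own tool: read-only audit for the artifacts this advisory
# attributes to worm.win32.autorun.j. It reports and changes nothing; cleanup stays manual.
# Assumes Windows PowerShell 4+ run as administrator (Get-FileHash, full HKLM read access).
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
# Image names the advisory says the worm hijacks under IFEO.
$listed = @('360rp.exe','360rpt.exe','360safe.exe','360safebox.exe','360safeup.exe','360sd.exe',
  '360tray.exe','360upp.exe','antiarp.exe','arpfw.exe','arswp.exe','ast.exe','autorun.exe',
  'autorunkiller.exe','avmonitor.exe','avp.exe','ccenter.exe','ccevtmgr.exe','egui.exe','ekrn.exe',
  'frameworkservice.exe','gfupd.exe','guardfield.exe','hijackthis.exe','icesword.exe','iparmor.exe',
  'kasarp.exe','kav32.exe','kavpfw.exe','kavstart.exe','kissvc.exe','kpfwsvc.exe','kregex.exe',
  'krnl360svc.exe','kswebshield.exe','kvmonxp.kxp','kvsrvxp.exe','kvwsc.exe','kwatch.exe',
  'liveupdate360.exe','mcshield.exe','mmsk.exe','naprdmgr.exe','navapsvc.exe','nod32krn.exe',
  'nod32kui.exe','pfw.exe','rav.exe','ravmon.exe','ravmond.exe','ravservice.exe','ravstub.exe',
  'ravtask.exe','ravtray.exe','rfwmain.exe','rfwproxy.exe','rfwsrv.exe','rfwstub.exe','rsagent.exe',
  'rsaupd.exe','rsmain.exe','rstray.exe','runiep.exe','safeboxtray.exe','scanfrm.exe','srengldr.exe',
  'trojandetector.exe','trojanwall.exe','trojdie.kxp','vpc32.exe','vptray.exe','vstskmgr.exe',
  'woptilities.exe','zhudongfangyu.exe')
$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO: a Debugger value makes Windows launch that program instead of the real one.
#    Flag every entry that carries one, and mark the names this advisory lists.
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
  $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
  if ($dbg) {
    $tag = if ($listed -contains $_.PSChildName.ToLower()) { ' [listed in advisory]' } else { '' }
    $findings.Add("IFEO hijack: $($_.PSChildName) -> $dbg$tag")
  }
}
# 2. Explorer "show hidden files" switch the advisory says the worm tampers with
#    (REG_DWORD 1 on a stock install); report anything else so it can be compared.
$cv = Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
if ($cv -and -not ($cv.CheckedValue -is [int] -and $cv.CheckedValue -eq 1)) {
  $findings.Add("SHOWALL\CheckedValue is '$($cv.CheckedValue)' ($($cv.CheckedValue.GetType().Name))")
}
# 3. Driver services the worm registers for its dropped .sys files.
foreach ($svc in 'best','pci','ttqule') {
  $k = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
  if ($k) { $findings.Add("Service '$svc' present, ImagePath: $($k.ImagePath)") }
}
# 4. Dropped files and the per-drive autorun pair; File.Exists also sees hidden/system files.
$paths = @("$env:ProgramFiles\NetMeeting\iz.dll", "$env:TEMP\nsb15.tmp",
  "$env:SystemRoot\system32\fonts\irret.ini") +
  ('pci.sys','best.sys','ttqule.sys' | ForEach-Object { "$env:SystemRoot\Fonts\$_" })
Get-PSDrive -PSProvider FileSystem | ForEach-Object { $paths += "$($_.Root)autorun.inf", "$($_.Root)gril.pif" }
foreach ($p in $paths) { if ([System.IO.File]::Exists($p)) { $findings.Add("File present: $p") } }
# 5. The worm patches linkinfo.dll; the dllcache copy is the one the advisory restores from.
$live = "$env:SystemRoot\system32\linkinfo.dll"; $cache = "$env:SystemRoot\system32\dllcache\linkinfo.dll"
if ([System.IO.File]::Exists($live) -and [System.IO.File]::Exists($cache) -and
    ((Get-FileHash $live).Hash -ne (Get-FileHash $cache).Hash)) {
  $findings.Add('linkinfo.dll differs from the dllcache copy')
}
if ($findings.Count) { $findings } else { 'No artifacts from this advisory found.' }
```

A Debugger value under an IFEO subkey is also worth flagging for names not on the list, since the same hijack is used by other malware and by legitimate debugging setups; check the path it points to before deleting anything.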

Files created by the virus

%programfiles%\netmeeting\iz.dll
%temp%\temp\nsb15.tmp
%systemroot%\fonts\pci.sys
%systemroot%\system32\fonts\irret.ini
%systemroot%\system32\dllcache\linkinfo.dll
%systemroot%\fonts\best.sys
%systemroot%\fonts\ttqule.sys
x:\gril.pif
x:\autorun.inf   (x: is any drive letter)

Files modified by the virus

%systemroot%\system32\linkinfo.dll

Files deleted by the virus

%programfiles%\netmeeting\iz.dll
%systemroot%\fonts\pci.sys
%systemroot%\fonts\best.sys
%systemroot%\fonts\ttqule.sys

Registry keys created by the virus

hkey_local_machine\system\currentcontrolset\services\best
hkey_local_machine\system\currentcontrolset\services\pci
hkey_local_machine\system\currentcontrolset\services\ttqule
plus the same Image File Execution Options subkeys listed under step 4 of the manual removal procedure above.

Registry value modified by the virus

hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\checkedvalue

Network connection made by the virus

http://h.****.com/s.txt
