Analysis of Worm.Win32.AutoRun.bem
Author: 开开   Views: 120   Posted: 2008/10/27 15:54
Sample details
Virus name: Worm.Win32.AutoRun.bem
Chinese name: ani寄生虫 ("ani parasite")
Virus type: worm
File MD5: A08D91C12844A20171211E7A74B5752B
Disclosure: fully public
Threat level: 4
File size: 28,000 bytes
Affected systems: Windows 98 and later
Compiler: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s

Description
This sample is a worm. When executed it copies itself into the Windows directory, drops its companion files and deletes the original. It adds a Run value to the registry so that it starts automatically with Windows, and adds Image File Execution Options (IFEO) entries that hijack a long list of security products, so that launching any of them launches the virus instead. It infects most .exe files on non-system drives by appending a section named .ani to the end of the file, writing the virus body into it and redirecting the entry point to that code. It connects to the network to download further malware and to upload collected information such as the machine's MAC address and OS version.
Behaviour analysis
Local behaviour
1. Files created when the sample runs
(1) %WinDir%\Fonts\system\ati2evxx.exe, 28,000 bytes (the file name mimics the ATI display-driver helper; the legitimate program is never installed under Fonts\system, so the path is the tell)
(2) In the root of every logical drive, an autorun.inf plus the executable it launches, ntldr.exe (named after the genuine boot loader ntldr, which has no extension and exists only in the root of the system drive):
%DriveLetter%\autorun.inf
%DriveLetter%\ntldr.exe
2. Registry value added
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "TBMonEx"
Type: REG_SZ
Data: " C:\WINDOWS\Fonts\system\ati2evxx.exe"
Purpose: startup entry so that the virus runs automatically with Windows
3. Image File Execution Options (IFEO) hijacks. For each program below, the virus creates a key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options whose Debugger value points to C:\WINDOWS\Fonts\system\ati2evxx.exe, so any attempt to start that program runs the virus instead.
Hijacked programs:
360rpt.exe
360Safe.exe
360tray.exe
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EGHOST.EXE
ESAFE.EXE
EXPWATCH.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FESCUE.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
IAMAPP.EXE
IAMSERV.EXE
RAVmonD.exe
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
Iparmor.exe
JEDI.EXE
KAV32.exe
KAVPFW.EXE
KAVsvc.exe
KAVSvcUI.exe
KVFW.EXE
KVMonXP.exe
KVMonXP.kxp
KVSrvXP.exe
KVwsc.exe
KvXP.kxp
KWatchUI.EXE
LOCKDOWN2000.EXE
Logo1_.exe
Logo_1.exe
LOOKOUT.EXE
LUALL.EXE
MAILMON.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
Navapsvc.exe
Navapw32.exe
NAVLU32.EXE
NAVNT.EXE
navw32.EXE
NAVWNT.EXE
NISUM.EXE
NMain.exe
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
PFW.EXE
Rav.exe
RAV7.EXE
RAV7WIN.EXE
RAVmon.exe
RAVtimer.exe
Rising.exe
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
THGUARD.EXE
TrojanHunter.exe
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE
修复工具.exe
4. Infection of most .exe files on non-system drives. The infector appends a new section named .ani to the end of the file, writes the virus body into it, saves the original entry point inside the .ani section, redirects AddressOfEntryPoint to the virus code, and updates the section table and SizeOfImage to match. The report gives no other marker, so an appended last section named .ani that also contains the entry point is the header-level footprint to look for; the offset at which the original entry point is stored inside that section is not given.
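The footprint described in item 4 can be checked from the PE headers alone, without executing or fully mapping the file. The following is an added example, not code from the original post or from any Antiy tool: it builds a constructed minimal PE32 image (no real sample is embedded), parses the section table and AddressOfEntryPoint, and flags a file whose last section is named .ani and also contains the entry point. The marker name, the file and section alignments used by the builder, and the section layout of the constructed images are assumptions; because the report does not say where inside .ani the original entry point is saved, the example makes no attempt to recover it.

```python
import struct

FILE_ALIGN = 0x200   # assumed alignments for the constructed image
SECT_ALIGN = 0x1000


def build_pe(section_names, entry_rva, raw_size=0x200):
    """Build a minimal, zero-filled PE32 image with one section per name.
    Constructed test data only: it is not a real sample and not executable."""
    n = len(section_names)
    hdr = 0x40 + 4 + 20 + 0xE0 + 40 * n                   # DOS + sig + COFF + opt + table
    hdr = -(-hdr // FILE_ALIGN) * FILE_ALIGN               # round up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", opt, 56, SECT_ALIGN * (n + 1))  # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr)                   # SizeOfHeaders
    table, rva, raw = b"", SECT_ALIGN, hdr
    for name in section_names:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), raw_size, rva,
                             raw_size, raw, 0, 0, 0, 0, 0x60000020)
        rva += SECT_ALIGN
        raw += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(hdr, b"\0") + b"\0" * (raw_size * n)


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, sections


def section_for_rva(sections, rva):
    """The section whose virtual range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def looks_infected(data, marker=".ani"):
    """True when the last section carries the marker name AND holds the entry
    point: the header-level footprint the report describes."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return False
    last = sections[-1]
    return last["name"] == marker and section_for_rva(sections, entry_rva) is last


if __name__ == "__main__":
    for label, image in (("clean", build_pe([".text", ".data"], 0x1000)),
                         ("infected", build_pe([".text", ".data", ".ani"], 0x3000))):
        print(label, looks_infected(image))
```

Because the check reads only the headers, it can be run over a read-only copy of every .exe on a mounted non-system drive to build a list of candidates for repair. Both conditions are required on purpose: a file that merely has a benign last section named .ani, or whose entry point sits in some other appended section, is not flagged, which keeps false positives down on packed binaries.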
Network behaviour
The ati2evxx.exe process connects to 69.64.147.*:666, downloads further virus files and uploads the collected information.
Notes:
%Windir%                  the Windows directory
%DriveLetter%             the root of a logical drive
%ProgramFiles%            the default program installation directory
%HomeDrive%               the partition the running system booted from
%Documents and Settings%  the root of the current user's profile
%Temp%                    the current user's TEMP directory, i.e.
                          %Documents and Settings%\<user>\Local Settings\Temp
%System32%                a variable path; the virus queries the OS for the
                          current location of the System32 folder:
Windows 2000/NT default: C:\Winnt\System32
Windows 95/98/Me default: C:\Windows\System
Windows XP default: C:\Windows\System32

Removal
1. 安天防线 (Antiy's anti-malware product) removes this virus completely (recommended).
2. For manual removal, delete the files and restore the settings listed in the behaviour analysis; the ATool management utility is recommended. Keep the steps in this order: the process must be dead before the files and registry entries are removed, and while the autorun.inf files still exist, opening a drive from My Computer can re-launch ntldr.exe.
(1) Use the process manager in 安天木马防线 or ATool to terminate the virus process
C:\WINDOWS\Fonts\system\ati2evxx.exe
(2) Force-delete the virus files
%WinDir%\Fonts\system\ati2evxx.exe, 28,000 bytes
%DriveLetter%\autorun.inf
%DriveLetter%\ntldr.exe
(3) Delete the registry value the virus added
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "TBMonEx"
Type: REG_SZ
Data: " C:\WINDOWS\Fonts\system\ati2evxx.exe"
(4) Remove the Image File Execution Options entries the virus added: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, delete every key from the hijack list above whose Debugger value points to C:\WINDOWS\Fonts\system\ati2evxx.exe. Until this is done, starting any of those security tools starts the virus again.
(5) Use Antiy's AVLPK dedicated removal tool to clean the virus completely and repair the infected executables.
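Steps (3) and (4) of the manual removal, together with the IFEO list in item 3 of the behaviour analysis, amount to one registry triage: find every Debugger value and Run value that resolves to the virus body and delete exactly those, leaving legitimate IFEO entries alone. The following added example (not part of the original post, and not Antiy's ATool or AVLPK) parses a constructed `.reg` export of the relevant keys, as `reg export` would produce, flags only entries whose first command-line token is the virus path, and emits the matching `reg delete` commands for review before anything is run. The sample export is constructed: the 360tray.exe key and the TBMonEx value mirror the report, while the notepad.exe key is a plausible legitimate Visual Studio JIT-debugger entry (its path is an assumption) that must not be flagged.

```python
import re

# Constructed .reg export, not a capture from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\Fonts\\system\\ati2evxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBMonEx"=" C:\\WINDOWS\\Fonts\\system\\ati2evxx.exe"
'''

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MALWARE = r"C:\WINDOWS\Fonts\system\ati2evxx.exe"   # path from the report

# "name"="string" with .reg escaping (doubled backslash, backslash-quote) inside
_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def _unescape(s):
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the subset of the .reg format used here: [key] headers and
    "name"="string" values. Returns {key: {value_name: string}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            m = _VALUE.match(line)
            if m:
                reg[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return reg


def command_target(cmdline):
    """First token of a command line: the quoted path, or text up to the first space."""
    v = cmdline.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def find_hijacks(reg, malware=MALWARE):
    """Return (kind, key, value_name, data) for every IFEO Debugger value and
    every Run value whose executable is the virus body."""
    target, hits = malware.lower(), []
    for key, values in reg.items():
        if key.lower().startswith(IFEO.lower() + "\\"):
            dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if dbg is not None and command_target(dbg).lower() == target:
                hits.append(("ifeo", key, "Debugger", dbg))
        elif key.lower() == RUN.lower():
            for name, data in values.items():
                if command_target(data).lower() == target:
                    hits.append(("run", key, name, data))
    return hits


def cleanup_commands(hits):
    """reg.exe commands that undo exactly the flagged entries."""
    cmds = []
    for kind, key, name, _ in hits:
        short = key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
        if kind == "ifeo":
            cmds.append(f'reg delete "{short}" /f')        # whole key: created by the virus
        else:
            cmds.append(f'reg delete "{short}" /v {name} /f')
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(find_hijacks(parse_reg(SAMPLE_REG))):
        print(cmd)
```

On a real host, export the two keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the same for the Run key, open the files with `encoding="utf-16"` (reg.exe writes UTF-16LE), feed the text to `parse_reg`, read the printed commands, and only then run them from an elevated prompt. Deleting the whole IFEO key is right here because the virus created those keys; if a key for one of the listed programs existed before the infection for a legitimate reason, delete only its Debugger value (`reg delete "<key>" /v Debugger /f`) instead.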

Powered by DiY-Page 5.3.0 © 2005-2009