捕獲時間
2009-2-20
病毒摘要
該樣本是使用“VC”編寫的蠕蟲程序,由微點主動防御軟件自動捕獲,采用“WinUpack”加殼方式,企圖躲避特征碼掃描,加殼后長度為“26,856 字節(jié)”,圖標為“
”,病毒擴展名為“exe”,主要通過“網(wǎng)頁掛馬”、“文件捆綁”、“下載器下載”、“移動存儲介質(zhì)”等方式傳播,病毒主要目的為下載大量病毒木馬至用戶主機運行。
用戶中毒后,會發(fā)現(xiàn)系統(tǒng)運行及網(wǎng)絡(luò)響應(yīng)緩慢,無法進入系統(tǒng)安全模式,大量安全軟件無法正常運行,各本地磁盤根目錄與可移動磁盤發(fā)現(xiàn)Autorun.ini與ZTZ.PIF文件。
感染對象
Windows 2000/Windows XP/Windows 2003
傳播途徑
網(wǎng)頁掛馬、文件捆綁、下載器下載、移動存儲介質(zhì)
防范措施
已安裝使用微點主動防御軟件的用戶,無須任何設(shè)置,微點主動防御將自動保護您的系統(tǒng)免受該病毒的入侵和破壞。無論您是否已經(jīng)升級到最新版本,微點主動防御都能夠有效清除該病毒。如果您沒有將微點主動防御軟件升級到最新版,微點主動防御軟件在發(fā)現(xiàn)該病毒后將報警提示您發(fā)現(xiàn)“未知木馬”,請直接選擇刪除處理(如圖1);
圖1 微點主動防御軟件自動捕獲未知病毒(未升級)
如果您已經(jīng)將微點主動防御軟件升級到最新版本,微點將報警提示您發(fā)現(xiàn)"Worm.Win32.AutoRun.kqk”,請直接選擇刪除(如圖2)。
圖2 微點主動防御軟件升級后截獲已知病毒
對于未使用微點主動防御軟件的用戶,微點反病毒專家建議:
1、不要在不明站點下載非官方版本的軟件進行安裝,避免病毒通過捆綁的方式進入您的系統(tǒng)。
2、建議關(guān)閉U盤自動播放,具體操作步驟:開始->運行->gpedit.msc->計算機配置->管理模板->系統(tǒng)->在右側(cè)找到"關(guān)閉自動播放"->雙擊->選擇"已啟用"。
3、盡快將您的殺毒軟件特征庫升級到最新版本進行查殺,并開啟防火墻攔截網(wǎng)絡(luò)異常訪問,如依然有異常情況請注意及時與專業(yè)的安全軟件廠商聯(lián)系獲取技術(shù)支持。
4、開啟windows自動更新,及時打好漏洞補丁。
未安裝微點主動防御軟件的手動解決辦法:
1、手動刪除以下文件:
%SystemRoot%\system32\dllcache\linkinfo.dll
%SystemRoot%\system32\sbbsk.ini,
%Program Files%\bccd.pif
2、手動刪除以下注冊表值:
鍵:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
值:全部
鍵:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\naks
鍵:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fangdapp
3、修改下列注冊表項修改為以下值:
鍵:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
值:CheckedValue
數(shù)據(jù):1
鍵:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
值:PendingFileRenameOperations
數(shù)據(jù):空
3、修復安全模式。
變量聲明:
%SystemDriver% 系統(tǒng)所在分區(qū),通常為“C:\”
%SystemRoot% WINDODWS所在目錄,通常為“C:\Windows”
%Documents and Settings% 用戶文檔目錄,通常為“C:\Documents and Settings”
%Temp% 臨時文件夾,通常為“C:\Documents and Settings\當前用戶名稱\Local Settings\Temp”
%ProgramFiles% 系統(tǒng)程序默認安裝目錄,通常為:“C:\ProgramFiles”
病毒分析
(1)、申請內(nèi)存空間,啟動線程,注入CMD.exe,利用CMD.exe加載動態(tài)庫;
(2)、注入rundll32.exe,利用rundll32.exe加載動態(tài)庫;
(3)、嘗試關(guān)閉各類安全軟件;
(4)、修改注冊表,映像劫持各類安全軟件,均指向“%SystemRoot%\system32\dllcache\spoolsv.exe”;
(5)、修改注冊表,破壞系統(tǒng)安全模式;
(6)、修改注冊表,刪除常見安全軟件啟動項;
(7)、釋放驅(qū)動,恢復SSDT表;
(8)、注入net1.exe,利用net1.exe檢測服務(wù);
(9)、注入sc.exe,利用sc.exe刪除部分安全軟件服務(wù);
(10)、設(shè)立Autorun.ini至各本地磁盤與可移動磁盤;
(11)、連接網(wǎng)絡(luò),下載自身升級文件并執(zhí)行;
(12)、下載病毒列表,讀取后下載病毒并執(zhí)行;
病毒創(chuàng)建文件:
%Program Files%\avpp.pif
%SystemDriver%\Runt.dll
%SystemRoot%\system32\dllcache\linkinfo.dll
%SystemRoot%\Fonts\fangdapp.sys
%SystemRoot%\system32\sbbsk.ini,
%Program Files%\bccd.pif
%SystemRoot%\Fonts\naks.sys
在本地磁盤和可移動磁盤根目錄生成以下文件:
AUTORUN.INF
ZTZ.PIF
病毒修改文件:
%SystemRoot%\system32\mfc71.dll
病毒刪除文件:
%Program Files%\avpp.pif
%SystemDriver%\Runt.dll
%SystemRoot%\Fonts\fangdapp.sys
%SystemRoot%\Fonts\naks.sys
病毒創(chuàng)建注冊表:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\naks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fangdapp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.exe
病毒修改注冊表:
鍵:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
值:PendingFileRenameOperations
數(shù)據(jù):\??\C:\Sample.exe
鍵:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
值:CheckedValue
數(shù)據(jù):2
病毒刪除注冊表:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360Safetray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360Safebox
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KavStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vptray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTray
病毒創(chuàng)建進程:
%Program Files%\avpp.pif
病毒訪問網(wǎng)絡(luò):
http://m.w**8.com/dd/x.gif
http://m.w**8.com/tt.txt
http://d.w**8.com/dd/1.exe
http://d.w**8.com/dd/2.exe
http://d.w**8.com/dd/6.exe
http://d.w**8.com/dd/9.exe
http://d.w**8.com/dd/10.exe
