How to Identify and Deal with a Worm Backdoor
This article takes a typical worm backdoor program that broke out this week as an example and outlines how a user should handle this kind of virus.
(Note: in the file names winIogon.exe and spooIsv.exe, the letter that is easily mistaken for a lowercase l is actually a capital I.)
The worm impersonates security software by writing values under the Run key so that it is loaded automatically at system start-up.
Examples of the value names it uses are Windows Network Firewall, Windows Logon Application and Local Security Authority Service.
Once the virus is running, the firewall shows a prompt similar to the one below (choosing Block is recommended):
If the user mistakenly chose Allow at that point, the process can be terminated with the End Process function in the network activity view of Kingsoft NetShield (金山网镖), as shown in the figure:
If no firewall such as NetShield is installed, the network connection state can be inspected from the command line, as shown in the figure:
The PID underlined in yellow belongs to the process created by the virus; the red underline marks the connection state between this machine and the remote host. Advanced users can terminate the virus process from the command line by its PID. Beginners are advised to use the process manager of Kingsoft Cleanup Expert (清理专家), select "Find risky processes", and end the related processes in one batch.
After ending the processes, remove the virus's startup entries with the startup item manager in Cleanup Expert's online full diagnosis, and finally delete the corresponding files.
Finally, the virus uses the hosts file to hijack the domain names of the following security software (reset the hosts file with the script in the attachment):
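The two artefacts described above, the I-for-l look-alike process names and the hosts-file hijack, can both be checked offline against data collected from a suspect machine. The following is an added example written for this article; it is not code from the article, from its attachment or from Kingsoft's tools, and the sample hosts content, the extra system process names and the assumption that the reset only needs to drop the hijacking lines are the author's own.

```python
# Added example, not from the original article or from Kingsoft's tools.
# (1) flags names that imitate Windows system processes by swapping a capital I
# for a lowercase l (winIogon.exe / spooIsv.exe in the article); (2) finds and
# removes hosts-file lines that send security-vendor sites to loopback.

LOOPBACK = {"127.0.0.1", "::1"}
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# winlogon/spoolsv come from the article; lsass/svchost are assumed extras.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "spoolsv.exe", "lsass.exe", "svchost.exe"}

def is_lookalike(name: str) -> bool:
    """True for a name that is not a real system process name but becomes one
    once the I-for-l substitution is undone (winIogon.exe -> winlogon.exe)."""
    folded = name.replace("I", "l").lower()
    return name.lower() not in SYSTEM_PROCESS_NAMES and folded in SYSTEM_PROCESS_NAMES

def _split(line: str) -> list:
    """Tokens of a hosts line with the trailing '#' comment removed."""
    return line.split("#", 1)[0].split()

def _hijacks(parts: list) -> list:
    """Hostnames on one parsed line that point at loopback but are not localhost.
    Each such name is a site the machine can no longer reach (AV updates etc.)."""
    if len(parts) < 2 or parts[0] not in LOOPBACK:
        return []
    return [h.lower() for h in parts[1:] if h.lower() not in LEGIT_LOOPBACK_NAMES]

def hijacked_hosts_entries(hosts_text: str) -> list:
    """All hijacked hostnames in the file, in file order."""
    return [h for line in hosts_text.splitlines() for h in _hijacks(_split(line))]

def clean_hosts(hosts_text: str) -> str:
    """Rebuild the hosts file without the hijacking lines; comments and
    legitimate entries are kept. Stand-in for the article's reset script
    (assumption: undoing these lines is all the reset has to do)."""
    kept = [line for line in hosts_text.splitlines() if not _hijacks(_split(line))]
    return "\n".join(kept) + "\n"

# Constructed sample; on a real machine read %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 update.rising.com.cn scan.kingsoft.com
192.168.1.10 intranet.example  # legitimate custom entry
"""

if __name__ == "__main__":
    print("look-alikes:", [n for n in ("winIogon.exe", "winlogon.exe") if is_lookalike(n)])
    print("hijacked:", hijacked_hosts_entries(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```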
Summary:
At present, a firewall protects against network worms, backdoors and similar threats in a way that a pure antivirus program cannot replace.