Virus name: Virus.Win32.AutoRun.bk [exe] (Kaspersky)
Aliases: PWS-OnlineGames.a (McAfee)
Trojan.PSW.Win32.OnlineGames.uaw (Rising)
Win32.Troj.Romdrivers.x.73775 [exe] (Kingsoft Duba), Win32.Troj.Romdrivers.z.57344 [dll] (Kingsoft Duba)
Size: 22,575 bytes
Packer: PE_Patch.UPX UPX
Sample MD5: 550ad3a14d272b9d4ba7a019f714bff5
Sample SHA1: 69ac64704ea1faf21f31b97473b3f57ccfcca88f
Discovered: 2007.7.10
Updated: 2007.8.6
Related viruses:
Propagation: spread through malicious web pages; downloaded by other trojans or viruses
Technical Analysis
==================
Variants:
http://www.cisrt.org/bbs/viewthread.php?tid=1358 : Trojan romdrivers.dll / romdrivers.bak removal guide
http://www.cisrt.org/bbs/viewthread.php?tid=1486 : Trojan msvcrt.dll / Relive.dll / msvcrt.bak removal guide
http://www.cisrt.org/bbs/viewthread.php?tid=1531 : Trojan msvcrt.dll / Relive.dll / msvcrt.bak removal guide
After running, the trojan copies itself to:
%ProgramFiles%\Internet Explorer\rksldk.bak
It drops a DLL and injects it into the Explorer.exe process:
%ProgramFiles%\Internet Explorer\rksldk.dll
It also creates a copy of rksldk.dll:
%ProgramFiles%\Common Files\goskdl.dll
It creates a ShellExecuteHooks autostart entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
@={DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}
[HKEY_CLASSES_ROOT\CLSID\{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}\InProcServer32]
@=%ProgramFiles%\Internet Explorer\rksldk.dll
It creates a Browser Helper Object (BHO):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}]
[HKEY_CLASSES_ROOT\CLSID\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}\InProcServer32]
@=%ProgramFiles%\Common Files\goskdl.dll
It creates a ContextMenuHandlers entry:
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ReliveHookDLL]
@={5C7596CB-51CC-5BA3-BE52-6EEA62F9C51C}
[HKEY_CLASSES_ROOT\CLSID\{5C7596CB-51CC-5BA3-BE52-6EEA62F9C51C}\InProcServer32]
@=%ProgramFiles%\Common Files\goskdl.dll
It deletes the entries (a list of CLSIDs) that other trojans created under the ShellExecuteHooks key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
It deletes the directories:
%ProgramFiles%\Internet Explorer\rksldk.dll
%ProgramFiles%\Internet Explorer\rksldk.bak
%ProgramFiles%\Internet Explorer\rksldk.ebk
It deletes the file:
%System%\drivers\etc\hosts
It then tries to connect to the network to download other trojans, saves them to the %temp% directory and runs them.
It locates the installation directories of anti-virus products through the registry and creates, inside each of them, a directory named ws2_32.dll, which stops the anti-virus software from running normally (the application's own directory is searched first when ws2_32.dll is loaded, so the loader finds a directory instead of the Winsock DLL). Inside that ws2_32.dll directory it also creates an irregularly named directory, I1!O!0., so that the ws2_32.dll directory cannot be deleted. For example:
C:\Program Files\Rising\Rav\ws2_32.dll\I1!O!0.
C:\KAV2007\ws2_32.dll\I1!O!0.
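As an added example (not part of the original advisory), a read-only PowerShell audit that resolves every ShellExecuteHooks, BHO and ContextMenuHandlers CLSID to its InProcServer32 DLL, flags the CLSIDs and file names described above, and then looks for the ws2_32.dll directory trick; it assumes an elevated PowerShell 3.0 or later session on the host being checked, and the function and variable names are my own.

```powershell
# Added audit script, not the advisory's own. Read-only: reports findings, changes nothing.
# Assumes an elevated PowerShell 3.0+ session on the host being examined.
$BadClsids = @(
    '{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}',  # ShellExecuteHooks -> rksldk.dll
    '{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}',  # BHO               -> goskdl.dll
    '{5C7596CB-51CC-5BA3-BE52-6EEA62F9C51C}'   # ContextMenuHandlers\ReliveHookDLL
)
$BadFiles = @('rksldk.dll', 'rksldk.bak', 'rksldk.ebk', 'goskdl.dll')

function Get-InProcServer([string]$Clsid) {
    # The default value of HKCR\CLSID\{...}\InProcServer32 is the DLL Explorer will load
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (Test-Path -LiteralPath $k) { (Get-ItemProperty -LiteralPath $k).'(default)' }
}

function Find-ShellHookArtifacts {
    $refs = @()
    $seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $cmh = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers'
    # ShellExecuteHooks: each value NAME is a CLSID
    if (Test-Path $seh) { foreach ($n in (Get-Item $seh).GetValueNames()) {
        $refs += [pscustomobject]@{ Where = 'ShellExecuteHooks'; Clsid = $n } } }
    # Browser Helper Objects: each SUBKEY name is a CLSID
    if (Test-Path $bho) { foreach ($k in Get-ChildItem $bho) {
        $refs += [pscustomobject]@{ Where = 'BHO'; Clsid = $k.PSChildName } } }
    # ContextMenuHandlers for all file types (HKCR\*): each subkey's default VALUE is a CLSID
    if (Test-Path -LiteralPath $cmh) { foreach ($k in Get-ChildItem -LiteralPath $cmh) {
        $refs += [pscustomobject]@{ Where = "ContextMenuHandlers\$($k.PSChildName)"
                                    Clsid = (Get-ItemProperty -LiteralPath $k.PSPath).'(default)' } } }
    foreach ($r in $refs) {
        if (-not $r.Clsid) { continue }          # handler keyed by name rather than CLSID
        $dll = Get-InProcServer $r.Clsid
        $hit = ($BadClsids -contains $r.Clsid) -or
               ($dll -and ($BadFiles -contains (Split-Path -Leaf $dll)))
        if ($hit) { [pscustomobject]@{ Where = $r.Where; Clsid = $r.Clsid; Path = $dll } }
    }
    # The AV-blocking trick: a DIRECTORY named ws2_32.dll (the real one is a file in System32)
    $roots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}, 'C:\KAV2007') |
               Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($roots) { foreach ($d in Get-ChildItem -LiteralPath $roots -Recurse -Directory -Filter 'ws2_32.dll' -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Where = 'Filesystem'; Clsid = ''; Path = "$($d.FullName) (directory, blocks the AV)" } } }
}

Find-ShellHookArtifacts | Format-Table -AutoSize
```

Run it before and after the removal steps: a clean host prints nothing beyond the legitimate Windows ShellExecuteHooks entry resolving to a DLL under %SystemRoot%.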
Removal Steps
=============
1. Delete the registry entries created by the trojan:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}
[HKEY_CLASSES_ROOT\CLSID\{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}]
[HKEY_CLASSES_ROOT\CLSID\{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ReliveHookDLL]
[HKEY_CLASSES_ROOT\CLSID\{5C7596CB-51CC-5BA3-BE52-6EEA62F9C51C}]
2. Restart the computer.
3. Delete the trojan's files:
%ProgramFiles%\Internet Explorer\rksldk.dll
%ProgramFiles%\Internet Explorer\rksldk.bak
%ProgramFiles%\Common Files\goskdl.dll
4. Delete the ws2_32.dll directory under each anti-virus product's installation directory; the rd /s command can be used, for example:
rd /s C:\KAV2007\ws2_32.dll
rd /s "C:\Program Files\Rising\Rav\ws2_32.dll"
5. Recreate the %System%\drivers\etc\hosts file; a single line is enough:
127.0.0.1 localhost