“IGM.EXE”病毒紧急公告及解决方案

近日发现IGM.EXE病毒大范围传播，很多网吧深受其害；大家务必引起重视。

目前发现该病毒不能够穿透还原，但是如果局域网内一有台中该病毒的话（如网游服务器）；整个局域网就会受到影响；甚至瘫痪

该病毒利用MAC地址欺骗进行局域网传播。木马程序发作的时候会发出大量的数据包导致局域网通讯拥塞，用户会感觉上网速度越来越慢，掉线；甚至无法上网，同时造成整个局域网的不稳定。拦截局域网用户打开的网页。加载hxxp://ask.35832.com/main.js(为了防止点击http改成hxxp)从上面的网站下载木马盗号器，然后打开的网页会自动关闭。

病毒症状

1．MSconfig的启动项里发现IGM.EXE

2．会生存以下文件

  c:/WINDOWS/IGW.exe（新变种）

c:/WINDOWS/AVPSrv.exe

c:/WINDOWS/DiskMan32.exe

c:/WINDOWS/IGM.exe

c:/WINDOWS/Kvsc3.exe

c:/WINDOWS/lqvytv.exe

c:/WINDOWS/MsIMMs32.exe

c:/WINDOWS/system32/3CEBCAF.EXE

c:/WINDOWS/system32/drivers/svchost.exe

c:/WINDOWS/system32/a.exe

c:/WINDOWS/upxdnd.exe

c:/WINDOWS/WinForm.exe

c:/WINDOWS/system32/rsjzbpm.dll

c:/WINDOWS/system32/racvsvc.exe

c:/WINDOWS/dbghlp32.exe

c:/WINDOWS/nvdispdrv.exe

c:/WINDOWS/system32/cmdbcs.dll

c:/WINDOWS/system32/dbghlp32.dll

c:/WINDOWS/system32/upxdnd.dll

c:/WINDOWS/system32/yfmtdiouaf.dll

    C:/WINDOWS/49400MM.DLL
    C:/WINDOWS/338448WO.DLL
    C:/windows/235780mm.dll
    c:/windows/235780WO.dll

4. 启动项目
  －－
  注册表之如下项删除：
[WinSys]    <C://WINDOWS//IGW.exe>
[WinSysM]    <C://WINDOWS//IGM.exe>

盘符下生存：Pegefile.pif; autorun.inf;

 

 

解决方案

1.先结束掉IGM.EXE 进程

2.禁用IGM.EXE

在运行里输入: reg add "HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IGM.EXE" /v debugger /t reg_sz /d debugfile.exe /f

3．将以下文件使用XDELBOX删除一次确保完全清除！

c://windows//igw.exe
c://windows//igm.exe
c://windows//system32//ser2vet.exe
C://WINDOWS//system32//serdst.exe
C://WINDOWS//system32//sedrsvedt.exe
C://WINDOWS//49400MM.DLL
C://WINDOWS//338448WO.DLL
C://windows//235780mm.dll
c://windows//235780WO.dll
c://windows//system32//0.exe
c://windows//system32//1.exe
c://windows//system32//2.exe
c://windows//system32//3.exe
c://windows//system32//4.exe
c://windows//system32//5.exe
c://windows//system32//6.exe
c://windows//system32//7.exe
c://windows//system32//8.exe
c://windows//system32//9.exe
c://windows//system32//10.exe
c://windows//system32//11.exe
c://windows//system32//12.exe
c://windows//system32//13.exe
c://windows//system32//14.exe
c://windows//system32//15.exe
c://windows//system32//16.exe
c://windows//system32//17.exe
c://windows//system32//18.exe
c://windows//system32//19.exe

4．“免疫”把下面的内容另存为BAT文件运行

md c:/WINDOWS/AVPSrv.exe  >nul 2>nul

md c:/WINDOWS/DiskMan32.exe  >nul 2>nul

md c:/WINDOWS/IGM.exe  >nul 2>nul

md c:/WINDOWS/Kvsc3.exe  >nul 2>nul

md c:/WINDOWS/lqvytv.exe  >nul 2>nul

md c:/WINDOWS/MsIMMs32.exe  >nul 2>nul

md c:/WINDOWS/system32/3CEBCAF.EXE  >nul 2>nul

md %windir%/system32/drivers/svchost.exe >nul 2>nul

md c:/WINDOWS/system32/a.exe  >nul 2>nul

md c:/WINDOWS/upxdnd.exe  >nul 2>nul

md c:/WINDOWS/WinForm.exe  >nul 2>nul

md c:/WINDOWS/system32/rsjzbpm.dll  >nul 2>nul

md c:/WINDOWS/system32/racvsvc.exe  >nul 2>nul

md c:/WINDOWS/cmdbcs.exe  >nul 2>nul

md c:/WINDOWS/dbghlp32.exe  >nul 2>nul

md c:/WINDOWS/nvdispdrv.exe  >nul 2>nul

md c:/WINDOWS/system32/cmdbcs.dll  >nul 2>nul

md c:/WINDOWS/system32/dbghlp32.dll  >nul 2>nul

md c:/WINDOWS/system32/upxdnd.dll  >nul 2>nul

md c:/WINDOWS/system32/yfmtdiouaf.dll  >nul 2>nul

echo y|cacls.exe c:/WINDOWS/AVPSrv.exe /d everyone >nul 1>nul

echo y|cacls.exe %windir%/system32/drivers/svchost.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/DiskMan32.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/IGM.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/Kvsc3.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/lqvytv.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/MsIMMs32.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/3CEBCAF.EXE /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/a.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/upxdnd.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/WinForm.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/rsjzbpm.dll /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/racvsvc.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/cmdbcs.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/dbghlp32.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/nvdispdrv.exe /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/cmdbcs.dll /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/dbghlp32.dll /d everyone >nul 1>nul

echo y|cacls.exe c:/WINDOWS/system32/upxdnd.dll /d everyone >nul 1>nul

echo y|cacls.exe  c:/WINDOWS/system32/yfmtdiouaf.dll /d everyone >nul 1>nul

echo reg add "HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IGM.EXE" /v debugger /t reg_sz /d debugfile.exe /f

echo gpupdate

exit

5．在路由上把下面的域名和IP封锁

t.11se.com

www.94ak.com

www.99mmm.com

ask.35832.com

www.35832.com 

212.22.225.82

203.174.87.210

64.233.167.99

58.211.79.107

219.153.42.98

221.130.191.207

   

在这病毒横行的年代，网络没有绝对的安全；因为总是先有“魔”后有“道”，安全一定是“适度的”。但是，我们并不能因此放任自流，维持“适度”安全离不开建立一套完整的管理和技术保障体系。