星星电脑技术论坛's Archiver

vista posted on 2007-8-24 20:52

Removing the img317.zip / winsyshp.exe virus that spreads via MSN

Source: C.I.S.R.T
Virus name: Backdoor.Win32.SdBot.blt (Kaspersky)
Alias: Trojan.Win32.Agent.vrw (Rising / 瑞星)
Size: 138,752 bytes
Sample MD5: 5101877e880eae72419d17cef84ee9b9
Sample SHA1: adf5fb136ab1d6e150d1162affcadeb9f648e917
Propagation: via MSN

Technical analysis:
==========

An MSN worm variant that carries a fake JPG icon. It sends deceptive text messages and an infected archive to the victim's MSN contacts; a contact's system is infected when they receive the archive and open the virus file inside it.
After running, the virus creates a ZIP archive containing itself in the system directory:
%Windows%\img317.zip
The virus file inside the archive is named: img317.jpg-www.imagehosting.com
Creates a copy of itself:
%Windows%\winsyshp.exe
Creates a startup (autorun) entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Application"="winsyshp.exe"

Uses the batch file c:\a.bat to stop the "Security Center" and "WINVNC" services, then deletes the batch file itself:

@echo off
net stop "Security Center"
net stop winvnc4
del c:\a.bat
Sends one of the following messages to MSN contacts, together with the infected archive imgac157.zip:

Why is this picture blurry?
Look @ my new car?
Where did you find this picture?
why did you show me this picture?
look at my baby picture
Did you see this?
Where is this picture taken?
Did you take this picture?
you drunk 2 much in this picture
Why are you naked in this picture?
look @ this
accept this picture
hey, mom my just told me 2 show this 2 you
Attempts to connect to a remote IRC server: pwn.basecore.info

Removal steps
==========
1. Delete the startup entry created by the virus (Start menu - Run - type "regedit" to open the Registry Editor, navigate to the key below and remove the value shown):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Application"="winsyshp.exe"

2. Restart the computer
3. Delete the virus files (if Windows reports that a file cannot be deleted, download the 费尔 (Filseclab) Trojan force-delete tool from down.45it.com and use it to force the deletion):
%Windows%\img317.zip
%Windows%\winsyshp.exe
PS: Other variants can be handled the same way by comparing them against the steps above.
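As an added example (not part of the original post or the C.I.S.R.T analysis), the following PowerShell script checks a machine for the indicators described above: the Run value, the dropped files in %Windows%, the c:\a.bat helper and a running winsyshp.exe process. It only reports by default; the -Remove switch is an assumed convenience that applies steps 1 and 3 of the removal, and a reboot (step 2) is still needed if the file is in use.

```powershell
# Added example: check for the SdBot.blt / winsyshp.exe indicators from the analysis above.
# Run as Administrator. Without -Remove it is read-only.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName  = 'Microsoft Visual Application'          # value name from the analysis
$windir   = $env:windir                             # %Windows%
$files    = @("$windir\img317.zip", "$windir\winsyshp.exe", 'C:\a.bat')
$md5Known = '5101877e880eae72419d17cef84ee9b9'      # sample MD5 from the analysis

$findings = @()

# 1. Persistence: the Run value pointing at winsyshp.exe
$val = (Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue).$runName
if ($val) {
    $findings += "Run value '$runName' = '$val'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 2. Running process (the dropped copy is normally resident; reboot if deletion fails)
$proc = Get-Process -Name winsyshp -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: winsyshp.exe (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# 3. Dropped files; hash them so a match with the published sample can be noted
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash.ToLower()
        $match = if ($hash -eq $md5Known) { ' (MD5 matches the analysed sample)' } else { '' }
        $findings += "File present: $f$match"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No indicators of this MSN worm variant found.' }
```

Get-FileHash requires PowerShell 4 or later; on older systems drop the hash comparison and rely on the file names alone.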

Powered by Discuz! Archiver 6.1.0  © 2001-2007 Comsenz Inc.