Board: AntiVirus
Sample found on Jianmeng (劍盟): http://bbs.janmeng.com/thread-910006-1-1.html

Below is some information from running it myself in a sandbox (reduced privileges, network blocked), for reference only.

1. Files created / modified:

+ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl .exe
~ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
+ C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm .exe
~ C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe
+ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg .exe
~ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg .exe
+ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg .exe
~ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg .exe
+ C:\Program Files\Common Files\Real\Update_OB\realsched .exe
~ C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+ C:\Program Files\internet explorer\wmpscfgs.exe
+ C:\Program Files\Sandboxie\sbiectrl .exe
~ C:\Program Files\Sandboxie\sbiectrl.exe
+ C:\WINDOWS\ime\IMJP8_1\imjpmig .exe
~ C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
+ C:\WINDOWS\system32\ctfmon .exe
~ C:\WINDOWS\system32\ctfmon.exe
+ E:\VirusTest\091222345\alcmtr .exe
+ E:\VirusTest\091222345\alcmtr.exe
...................... (omitted)
+ C:\Documents and Settings\user\Local Settings\temp\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\51VPBOHG\httpErrorPagesScripts[1]
....................... (omitted)

2. Registry:

Startup entry created: machine\software\microsoft\Windows\CurrentVersion\Run =
Modified some IE-related data .... (omitted)

3. Detailed report of suspicious malware actions:

Defined file type modified or overwritten: C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Defined file type modified or overwritten: C:\Program Files\Sandboxie\sbiectrl.exe
Defined file type copied to Windows folder: C:\WINDOWS\ime\IMJP8_1\imjpmig .exe
Defined file type modified or overwritten: C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
Defined file type copied to Windows folder: C:\WINDOWS\system32\ctfmon .exe
Defined file type modified or overwritten: C:\WINDOWS\system32\ctfmon.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run = created registry key
IE settings change: software\microsoft\internet explorer\main
IE settings change: software\microsoft\internet explorer\main

--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 220.137.139.183
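As an added example, not part of the post or of the sandbox tool's output, the following Python script parses file-event lines in the shape shown in the post and flags the two patterns the report exhibits: a newly created "name .exe" (space before the extension) placed beside an existing "name.exe" that was modified, and the same executable name dropped into more than one directory. Reading "+" as "created" and "~" as "modified" is an assumption about the sandbox's notation, and the sample events are constructed from paths in the post.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the shape of the post's file-event list.
# ASSUMPTION: "+" means created and "~" means modified; the post does not define this.
SAMPLE_EVENTS = r"""
+ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl .exe
~ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
+ C:\WINDOWS\system32\ctfmon .exe
~ C:\WINDOWS\system32\ctfmon.exe
+ C:\Program Files\internet explorer\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\temp\wmpscfgs.exe
~ C:\WINDOWS\system32\notepad.exe
"""

EVENT_RE = re.compile(r"^\s*([+~])\s+(.+?)\s*$")
# A basename whose extension is separated from the stem by whitespace,
# e.g. "ctfmon .exe" -> stem "ctfmon", extension ".exe".
SPACED_EXT_RE = re.compile(r"^(.+?)\s+(\.[A-Za-z0-9]{1,4})$")


def parse_events(text):
    """Return a list of (op, path) tuples; op is '+' (created) or '~' (modified)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def find_spaced_ext_pairs(events):
    """Flag 'X .exe' files sitting beside an 'X.exe' in the same directory.

    For each look-alike, report whether the clean-named counterpart appears
    in the events at all and whether it was modified (the report's
    "modified or overwritten" pattern).
    """
    ops_by_path = {}
    for op, path in events:
        ops_by_path.setdefault(path.lower(), set()).add(op)

    findings = []
    for op, path in events:
        directory, base = ntpath.split(path)
        m = SPACED_EXT_RE.match(base)
        if not m:
            continue
        clean = ntpath.join(directory, m.group(1) + m.group(2))
        ops = ops_by_path.get(clean.lower(), set())
        findings.append({
            "lookalike": path,
            "original": clean,
            "original_seen": bool(ops),
            "original_modified": "~" in ops,
        })
    return findings


def find_duplicate_basenames(events):
    """Return {basename: [directories]} for names dropped in more than one directory."""
    dirs = defaultdict(set)
    for _, path in events:
        directory, base = ntpath.split(path)
        dirs[base.lower()].add(directory)
    return {base: sorted(d) for base, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_spaced_ext_pairs(evs):
        print("look-alike:", f["lookalike"], "| original modified:", f["original_modified"])
    for base, dirs in find_duplicate_basenames(evs).items():
        print("dropped in several places:", base, dirs)
```

Both checks use ntpath so they run on any platform against a saved sandbox log; a file with a space before its extension next to a legitimately named binary that was rewritten in the same run is worth treating as a confirmed tampering candidate rather than a false positive.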
junorn: A really vicious virus... as expected, it replaces every file referenced in the startup registry entries 04/28 19:14
miamodo: Vicious, but I'm sure j can handle it easily; thanks for the hard work... 04/28 19:28
ms16140864: There are probably also some networking parts that download all sorts of stuff; that would be even more exciting 04/28 20:45
mattmatt: The one in my post above, #18029, should be the same virus 04/28 22:11
mattmatt: And it also attacks Avira; after booting, Avira fails to start 04/28 22:11
mattmatt: Scanning with Prevx, almost everything detected is an item in the startup programs 04/28 22:12
mattmatt: Looks like reinstalling will be the quicker fix.. 04/28 22:12
mattmatt: But I'd like to ask m and j... how does this kind of virus spread? USB? 04/28 22:13
mattmatt: Or email? And will it copy itself onto non-system drives @@? 04/28 22:14
mattmatt: This has already spread across our department... any further and we'll all be wiped out.. 04/28 22:15
mattmatt: So far there don't seem to be any cases of Win7 or Vista getting infected here.. 04/28 22:16
miamodo: http://ppt.cc/WR~o, this lets you read the "九尾.." analysis without a Jianmeng ID 04/28 22:31
matea: I got it from email @@ I only clicked on the mail, didn't open any attachments 04/28 23:40
matea: It died when I clicked to go back to the previous page >"< 04/28 23:40