Author miamodo ()
Board AntiVirus
Title Re: [Help] Gets infected as soon as it connects to the network
Time Wed Apr 28 19:01:56 2010
Found a sample on 劍盟:
http://bbs.janmeng.com/thread-910006-1-1.html
Below is some information from running it myself in a sandbox (dropped privileges, network blocked), for reference only.
1. Files created or modified:
+ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl .exe
~ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
+ C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm .exe
~ C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe
+ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg .exe
~ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg.exe
+ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg .exe
~ C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg.exe
+ C:\Program Files\Common Files\Real\Update_OB\realsched .exe
~ C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+ C:\Program Files\internet explorer\wmpscfgs.exe
+ C:\Program Files\Sandboxie\sbiectrl .exe
~ C:\Program Files\Sandboxie\sbiectrl.exe
+ C:\WINDOWS\ime\IMJP8_1\imjpmig .exe
~ C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
+ C:\WINDOWS\system32\ctfmon .exe
~ C:\WINDOWS\system32\ctfmon.exe
+ E:\VirusTest\091222345\alcmtr .exe
+ E:\VirusTest\091222345\alcmtr.exe
...................... (omitted)
+ C:\Documents and Settings\user\Local Settings\temp\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\51VPBOHG\httpErrorPagesScripts[1]
....................... (omitted)
2. Registry:
Created autostart entry: machine\software\microsoft\Windows\CurrentVersion\Run =
Modified some IE-related data.... (omitted)
3.Detailed report of suspicious malware actions:
Defined file type modified or overwritten: C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\cintlcfg.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\tintlcfg.exe
Defined file type modified or overwritten: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Defined file type modified or overwritten: C:\Program Files\Sandboxie\sbiectrl.exe
Defined file type copied to Windows folder: C:\WINDOWS\ime\IMJP8_1\imjpmig .exe
Defined file type modified or overwritten: C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
Defined file type copied to Windows folder: C:\WINDOWS\system32\ctfmon .exe
Defined file type modified or overwritten: C:\WINDOWS\system32\ctfmon.exe
Defined registry AutoStart location added or modified:
machine\software\microsoft\Windows\CurrentVersion\Run = created registry key
IE settings change: software\microsoft\internet explorer\main
IE settings change: software\microsoft\internet explorer\main
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 220.137.139.183
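The file listing above shows one pattern repeated for every autostart program: a copy named "<name> .exe" (with a space) is created beside the legitimate executable, and then "<name>.exe" itself is modified. The script below is an added example, not part of the original post or of the sandbox tool; it parses a "+ created / ~ modified" listing in the same format and pairs those two events so a responder gets one row per hijacked program, plus a list of newly dropped executables. The sample log is constructed from the paths quoted in the post.

```python
"""Triage helper for a sandbox '+ created / ~ modified' file listing.

Added example (not from the original post).  It pairs the '<name> .exe'
backup the malware creates with the '<name>.exe' it then overwrites, so
each hijacked program shows up once with the location of its original.
"""

SPACE_EXE = " .exe"  # suffix used for the renamed original (note the space)

# Constructed sample in the same '+'/'~' format as the sandbox output above.
SAMPLE_LOG = r"""
+ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl .exe
~ C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
+ C:\WINDOWS\system32\ctfmon .exe
~ C:\WINDOWS\system32\ctfmon.exe
+ E:\VirusTest\091222345\alcmtr .exe
+ E:\VirusTest\091222345\alcmtr.exe
+ C:\Program Files\internet explorer\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\temp\wmpscfgs.exe
+ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat
"""


def parse_changes(text):
    """Return a list of (op, path); op is '+' (created) or '~' (modified)."""
    changes = []
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "+~" and line[1] == " ":
            changes.append((line[0], line[2:].strip()))
    return changes


def triage(text):
    """Group the raw change list into responder-friendly categories.

    hijacked: {original.exe: 'original .exe'} where the backup was created
              AND the original was modified (the pattern on the C: drive)
    orphaned: 'name .exe' backups whose original is not in the modified
              list (e.g. the sample's own E:\ test folder, both created)
    dropped:  other newly created .exe files (payload copies)
    Paths are matched case-insensitively; original spelling is returned.
    """
    created, modified = {}, {}
    for op, path in parse_changes(text):
        (created if op == "+" else modified)[path.lower()] = path

    hijacked, orphaned, dropped = {}, [], []
    for key, path in sorted(created.items()):
        if key.endswith(SPACE_EXE):
            original_key = key[: -len(SPACE_EXE)] + ".exe"
            if original_key in modified:
                hijacked[modified[original_key]] = path
            else:
                orphaned.append(path)
        elif key.endswith(".exe") and (key[:-4] + SPACE_EXE) not in created:
            dropped.append(path)
    return {"hijacked": hijacked, "orphaned": orphaned, "dropped": dropped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for original, backup in report["hijacked"].items():
        print(f"HIJACKED  {original}\n   backup: {backup}")
    for path in report["orphaned"]:
        print(f"ORPHANED  {path}")
    for path in report["dropped"]:
        print(f"DROPPED   {path}")
```

On a real case the "hijacked" rows are the ones to restore (the untouched original sits in the space-named file, so its hash can be compared against a known-good copy before it is moved back), and the "dropped" rows are the payload copies that the Run key points at; any file-change export in the same "+ / ~" shape can be fed to `triage()` in place of the constructed sample.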
推 junorn: Really vicious... it indeed replaces every file listed in the autostart registry values 04/28 19:14
→ miamodo: Vicious, yes, but j大 can surely handle it easily. Thanks for the effort... 04/28 19:28
推 ms16140864: There is probably also a networking part that downloads all sorts of stuff; that would be even more exciting 04/28 20:45
推 mattmatt: The one in my post above, #18029, should be the same strain of virus 04/28 22:11
→ mattmatt: It also attacks Avira (小紅傘); after rebooting, Avira fails to start 04/28 22:11
→ mattmatt: Scanning with Prevx, almost everything it finds is entries in the startup programs 04/28 22:12
→ mattmatt: Looks like reinstalling would be the faster fix.. 04/28 22:12
→ mattmatt: But I'd like to ask m大 and j大... how does this virus spread? USB? 04/28 22:13
→ mattmatt: Or email? And does it copy itself to non-system drives @@? 04/28 22:14
→ mattmatt: It has already spread through our department... any further and we'll all be wiped out.. 04/28 22:15
→ mattmatt: So far we don't seem to have any Win7 or Vista infection cases here.. 04/28 22:16
→ matea: Mine came through email @@ I only clicked the message, didn't open any attachment 04/28 23:40
→ matea: It died the moment I clicked the back button >"< 04/28 23:40