chenzi.exe的分析及解决方法
File size: 18593 bytes
MD5: c595bc161e1d64b4d8f4d84139ef02b0
SHA1: 100e8a9ae7034b41443e4ddaa46f175adb70eb06
病毒名称:未知
测试时间:2007-3-10
更新时间:明晚将更新此分析日志,
运行后病毒样本,自动删除病毒本身,自动释放病毒到%system%目录下
%system%\del.bat
%system%\msgcom.dll
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
创建启动项:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
<WinlogonNotify: cmdmant><msgcom.dll>
修改Explorer.exe其内存,Explorer.exe尝试获取网络存取权限.202.88.90.186,试图启动%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
%system%\1.exe 分析如下:
Explorer.exe启动1.EXE后,自动删除本身
释放病毒文件
%system%\wsvbs.dll
%windows%\wsvbs.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsvbs.exe>
%system%\2.exe 分析如下
Explorer.exe启动2.EXE后,
释放病毒文件
%system%\mppds.dll
%windows%\mppds.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<mppds><%windows%\mppds.exe>
%system%\3.exe 分析如下
Explorer.exe启动3.EXE后,
释放病毒文件
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\4.exe 分析如下:
Explorer.exe启动4.EXE后,自动删除本身
释放病毒文件
%system%\wsttrs.dll
%windows%\wsttrs.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsttrs.exe>
%system%\5.exe 分析如下:
Explorer.exe启动5.EXE后,自动删除本身
释放病毒文件,并插入各进程.
%windows%\608769.bmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
<AppInit_DLLs><608769M.BMP>
%system%\6.exe 分析如下:
Explorer.exe启动6.EXE后,
释放病毒文件
c:\Documents and Settings\你的用户名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
修改hosts内容,添加以下内容
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www.47555.cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
附SRENG日志,
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\MIB\LOCALS~1\Temp\ie888.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsvbs><C:\windows\wsvbs.exe>
<mppds><C:\windows\mppds.exe>
<wsttrs><C:\windows\wsttrs.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant><msgcom.dll>
正在运行的进程
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[C:\WINDOWS\system32\msgcom.dll] [N/A, N/A]
[PID: 752][C:\windows\system32\services.exe
[C:\windows\608769M.BMP]
[PID: 764][C:\windows\system32\lsass.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 932][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1020][C:\windows\system32\svchost.exe
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1116][C:\windows\System32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1408][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1456][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
解决方法如下:
1.开始---运行---输入---regedit---依次展开
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
删除
<svc>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
删除
<wsvbs>
<mppds>
<wsttrs>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
删除
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>
删除
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant>
2.重启计算机
3.删除以下文件
%system%\del.bat
%system%\msgcom.dll
%system%\wsvbs.dll
%windows%\wsvbs.exe
%system%\mppds.dll
%windows%\mppds.exe
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\wsttrs.dll
%windows%\wsttrs.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
%system%\3.exe
%system%\6.exe
system32\drivers\etc\hosts
用记事打开HOSTS文件,删除以下内容
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www47555cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
%windows%\608769M.BMP
到我的E盘下载专杀.
http://free5.ys168.com/?ufwihgu168
(<因为对SSM监控到的桌面进程不是很懂,对这个网络连接分析存在有问题,将于明晚进行更新,也请高手指正,内容如下,谢谢)
进程:
路径: C:\WINDOWS\explorer.exe
PID: 1988
信息: Windows Explorer (Microsoft Corporation)
网络信息:
IP 地址: 222.88.90.186
信任的区域: 否
协议: TCP