Virus name: Worm.Win32.Fujack.b
Chinese name: 熊猫烧香变种 (Panda Burning Incense variant)
Virus type: Worm
File MD5: 5635121EEFE47333D00FFF1FD4A5021F
Disclosure: Fully public
Threat level: High
File length: 57,344 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0 [Overlay]
Packer: ARVID's TDR file
Other names: 驱逐舰 [Win32.HLLP.Whboy], Rising (瑞星) [Worm.Nimaya.av]

Description:
Once run, the virus drops copies of itself into the system directory and adds registry auto-run entries so that the virus body is launched at every boot. It creates an autorun.inf on every logical drive to lure the user into double-clicking it and thereby running the virus body. It injects a virus thread into system processes, runs the virus process spcolsv.exe, hooks the API calls made by processes, and closes applications such as Task Manager. The virus may also spread across the local area network.

Behavior analysis:
1. Drops the following copies and files
C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\dirvers\ws2ifsl.sys
%System32%\dirvers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.dll
2. Registry values created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
    Value: String: "%WinDir%\system32\drivers\spcolsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Value: String: "%WinDir%\zaq10.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
    Value: String: "%WinDir%\zaq4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
    Value: String: "%WinDir%\zaq2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
    Value: String: "%WinDir%\zaq5.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
    Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Description
    Value: String: "为远程计算机注册并更新 IP 地址。" (Registers and updates IP addresses for remote computers.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\DisplayName
    Value: String: "Windows DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes %WINDOWS%\system32\rundll32.exe windhcp.ocx,start
3. Registry values modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
    New: DWORD: 0 (0)
    Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
    New: Type: REG_BINARY Length: 888 (0x378) bytes %WINDir%\system32\WSD_SOCK32.dll
    Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{11017031-7031-1012-3110-031010311012}
    Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11017031-7031-1012-3110-031010311012}\InProcServer32\@
    Value: String: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\70311012.dll"
4. Retrieves the page http://wangma.9966.org//down.txt to obtain the download addresses of further virus bodies:
wangma.9966.org (60.190.114.219), China Telecom, Wenzhou, Zhejiang
http://wangma.9966.org/zaq4.exe
http://wangma.9966.org/zaq1.exe
http://wangma.9966.org/zaq2.exe
http://wangma.9966.org/zaq3.exe
http://wangma.9966.org/zaq5.exe
http://wangma.9966.org/zaq6.exe
http://wangma.9966.org/zaq9.exe
http://wangma.9966.org/zaq10.exe
http://wangma.9966.org/zaq7.exe
Note: %System% is a variable path. The virus queries the operating system to determine the location of the current System folder. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
--------------------------------------------------------------------------------
Removal:
1. Antiy Trojan Defense (安天木马防线) removes this virus completely (recommended)
2. For manual removal, delete the corresponding files listed in the behavior analysis and restore the related system settings.
(1) Use the "Process Manager" of Antiy Trojan Defense to terminate the virus processes
spcolsv.exe
zaq5.exe
(2) Delete the files dropped by the virus
C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\dirvers\ws2ifsl.sys
%System32%\dirvers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.dll
(3) Restore the registry entries modified by the virus and delete the entries it added
Delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
    Value: String: "%WinDir%\system32\drivers\spcolsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Value: String: "%WinDir%\zaq10.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
    Value: String: "%WinDir%\zaq4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
    Value: String: "%WinDir%\zaq2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
    Value: String: "%WinDir%\zaq5.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
    Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc (entire key)

Restore:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
    New: DWORD: 0 (0)
    Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
    New: Type: REG_BINARY Length: 888 (0x378) bytes %WINDir%\system32\WSD_SOCK32.dll
    Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\mswsock.dll
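The following PowerShell script is an added example and is not part of Antiy's report or its tool. It checks a live Windows host for each indicator in the behavior analysis above (processes, dropped files, Run values, the WinDHCPsvc service, the ShellExecuteHooks COM object, the SHOWALL setting and the hijacked Winsock catalog entry) and, when run with its -Remove switch, carries out the manual removal steps. The -Remove switch, the $hits list and the use of $env:TEMP for the per-user Temp folder are this script's own assumptions; the Common Files path is written as "Microsoft Shared" (the real directory name) where the analysis writes "Microsoft\Shared"; and the Winsock catalog is rebuilt with netsh winsock reset (available from Windows XP SP2 on) instead of hand-editing PackedCatalogItem.

```powershell
# Added example: IOC sweep and cleanup for Worm.Win32.Fujack.b. Run from an
# elevated PowerShell. Without -Remove it only reports.
# -Remove, $hits and the $env:TEMP assumption are this script's own, not Antiy's.
param([switch]$Remove)

$script:hits = New-Object System.Collections.Generic.List[string]
function Report([string]$what) { $script:hits.Add($what); Write-Output "[+] $what" }

# 1. Virus processes named in the analysis (kill first, or files get re-dropped)
foreach ($p in Get-Process -Name spcolsv, zaq5 -ErrorAction SilentlyContinue) {
    Report "process $($p.ProcessName) pid $($p.Id) ($($p.Path))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files. 'dirvers' is spelled as in the analysis (a look-alike of
# 'drivers'); the genuine %SystemRoot%\System32\drivers\ws2ifsl.sys is a
# legitimate Winsock driver and is deliberately NOT on this list.
$sys32 = "$env:SystemRoot\System32"
$files = @(
    "C:\ALASTART.EXE", "$env:ProgramFiles\Desktop_.ini",
    "$env:SystemRoot\zaq2.exe", "$env:SystemRoot\zaq4.exe", "$env:SystemRoot\zaq5.exe",
    "$env:SystemRoot\zaq6.exe", "$env:SystemRoot\zaq10.exe",
    "$sys32\XpIcfOpt.dll", "$sys32\WSD_SOCK32.dll", "$sys32\windhcp.ocx",
    "$sys32\shse.dll", "$sys32\kava.dll", "$sys32\cmd1.dll",
    "$sys32\dirvers\ws2ifsl.sys", "$sys32\dirvers\spcolsv.exe", "$sys32\drivers\spcolsv.exe",
    "$env:CommonProgramFiles\Microsoft Shared\MSInfo\70311012.dll",   # assumed real path
    "$env:CommonProgramFiles\Microsoft Shared\MSInfo\70311012.dat",
    "$env:TEMP\upxdn.exe", "$env:TEMP\upxdn.dll"                       # current user's Temp
)
# autorun.inf and setup.exe are written to every logical drive, not only C:
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $files += "$($d.Root)autorun.inf"; $files += "$($d.Root)setup.exe"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Report "file $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force -ErrorAction Continue }
    }
}

# 3. Run values: match on the data so the unnamed value pointing at zaq10.exe is caught too
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($n in $key.GetValueNames()) {
        $data = [string]$key.GetValue($n)
        if ($data -match '(?i)\\(zaq\d+|spcolsv|upxdn)\.exe') {
            $name = if ($n -eq '') { '(default)' } else { $n }
            Report "run value $k\$name = $data"
            if ($Remove) { Remove-ItemProperty -Path $k -Name $name }
        }
    }
}

# 4. Fake "Windows DHCP Service" that loads windhcp.ocx through rundll32
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDHCPsvc') {
    Report "service WinDHCPsvc"
    if ($Remove) {
        Stop-Service -Name WinDHCPsvc -Force -ErrorAction SilentlyContinue
        sc.exe delete WinDHCPsvc | Out-Null
    }
}

# 5. ShellExecuteHook COM object (loads 70311012.dll into Explorer)
$clsid   = '{11017031-7031-1012-3110-031010311012}'
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$hooks   = Get-Item -Path $hookKey -ErrorAction SilentlyContinue
if ($hooks -and ($hooks.GetValueNames() -contains $clsid)) {
    Report "ShellExecuteHooks $clsid"
    if ($Remove) { Remove-ItemProperty -Path $hookKey -Name $clsid }
}
if (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid") {
    Report "CLSID $clsid registered"
    if ($Remove) { Remove-Item -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -Recurse -Force }
}

# 6. "Show hidden files" switched off (CheckedValue 1 -> 0)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1) {
    Report "SHOWALL CheckedValue = $cv"
    if ($Remove) { Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord }
}

# 7. Winsock LSP: PackedCatalogItem begins with the provider DLL path as an ANSI
# string, so the hijacked entry is found by decoding the blob and looking for the DLL
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$lspHit = $false
foreach ($e in Get-ChildItem -Path $catalog -ErrorAction SilentlyContinue) {
    $blob = $e.GetValue('PackedCatalogItem')
    if ($blob -and ([Text.Encoding]::ASCII.GetString($blob) -match '(?i)WSD_SOCK32\.dll')) {
        Report "Winsock catalog entry $($e.PSChildName) -> WSD_SOCK32.dll"; $lspHit = $true
    }
}
if ($Remove -and $lspHit) { netsh winsock reset | Out-Null }   # rebuilds the catalog; reboot afterwards

Write-Output "$($hits.Count) indicator(s) found"
```

Run it once without -Remove to see what is present, then with -Remove. WSD_SOCK32.dll is loaded as an LSP into every process that uses Winsock and windhcp.ocx is held by the service, so those deletions may fail on the first pass; reboot after the Winsock reset and run the script again until it reports 0 indicators. Deleting the LSP DLL without resetting the catalog would leave a dangling provider entry and break networking, which is why the reset precedes the reboot.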