Entry: Trojan-Downloader.Win32.Small.elo

Definition:

Once executed, the virus drops copies of itself into several directories and adds registry autorun entries and system services so that the virus body is loaded at every system start. It modifies the user's hosts file to redirect name lookups to malicious sites, which in turn pulls in further malware. The components it downloads are mostly account-stealing programs for online games.

Virus tags

Virus name: Trojan-Downloader.Win32.Small.elo
Chinese name: 下载者变种 (Downloader variant)
Virus type: Trojan downloader (the original tag block says "worm", but the Trojan-Downloader prefix and the behaviour below describe a downloader, not a self-propagating worm)
File MD5: 49225E04EF3CC90B9B96AB6C9AC0CD9D
Disclosure: fully public
Threat level: 4
File size: 1,097,736 bytes
Affected systems: Windows 9x and later
Development tool: Microsoft Visual C++ 5.0

Behaviour analysis

Dropped copies and files:

%WinDir%\upxdnd.exe
%System32%\msdebug.dll
%System32%\netsrvcs.dll
%System32%\wizAsktao.dll
%System32%\wizAsktao.exe
%System32%\wiztlbb.dll
%System32%\wiztlbu.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%System32%\windds32.dll
%System32%\WMIApiSrv.dll
%System32%\xpdhcp.dll

The ImagePath of the "Hello Download" service below points at %Program Files%\Common Files\System\wab32res.exe, which this file list does not mention; check for that file as well.

Registry keys created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ \StubPath
  Value: String: "%WinDir%\System32\wiztlbu.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ \StubPath
  Value: String: "%WinDir%\System32\wiztlbu.exe"
(the Installed Components subkey names are not given; Active Setup runs each StubPath once per user at logon, so this entry survives removal of the Run value alone)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upxdnd
  Value: String: "%WinDir%\upxdnd.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC
  Description: "Enables automatic configuration for IEEE 802.11 adapters."
  DisplayName: "Wireless Service"
  ImagePath (REG_EXPAND_SZ, Length: 52 (0x34) bytes): %WinDir%\System32\rundll32.exe netsrvcs.dll,input

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv
  Description: "Provides the system functions required by Windows Management Instrumentation (WMI)."
  DisplayName: "WMI Performance API"
  ImagePath (REG_EXPAND_SZ, Length: 53 (0x35) bytes): %WinDir%\System32\rundll32.exe WMIApiSrv.dll,input

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc
  Description: "Registers and updates IP addresses for remote computers."
  DisplayName: "WinXP DHCP Service"
  ImagePath (REG_EXPAND_SZ, Length: 50 (0x32) bytes): %WinDir%\System32\rundll32.exe xpdhcp.dll,input

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS
  Description: "Provides system and desktop level support to the display driver"
  DisplayName: "Win32 Display Driver"
  ImagePath (REG_EXPAND_SZ, Length: 52 (0x34) bytes): %WinDir%\System32\rundll32.exe windds32.dll,input

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg
  Description: "Allows members of the Administrators group to debug remotely."
  DisplayName: "Remote Debug Service"
  ImagePath (REG_EXPAND_SZ, Length: 53 (0x35) bytes): %WinDir%\System32\rundll32.exe RemoteDbg.dll,input

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc
  Description: "Provides 32-bit debugging services for the computer system. If this service is disabled, any services that explicitly depend on it will fail to start."
  DisplayName: "Win32 Debug Service"
  ImagePath (REG_EXPAND_SZ, Length: 51 (0x33) bytes): %WinDir%\System32\rundll32.exe msdebug.dll,input

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello Download
  DisplayName: "TCP/IP Check"
  ImagePath (REG_EXPAND_SZ, Length: 50 (0x32) bytes): %Program Files%\Common Files\System\wab32res.exe

Six of the seven services use rundll32.exe as their ImagePath, so the service control manager starts rundll32, which loads the dropped DLL and calls its exported function `input`; the display names and descriptions are copied from legitimate Windows services to blend in. WZCSRVC in particular is one character away from WZCSVC, the genuine Wireless Zero Configuration service, so check the exact name before deleting.

Modifies the hosts file.

Note: %System% is a variable path. The virus queries the operating system to find the current System folder. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal

1. Use 安天木马防线 (Antiy Ghostbusters) to remove the virus completely (recommended).
2. For manual removal, delete the files and restore the system settings listed in the behaviour analysis:
(1) Use 安天木马防线 to disconnect from the network and terminate the virus processes:
%WinDir%\upxdnd.exe
%System32%\wizAsktao.exe
(2) Delete the registry values the virus added and restore the ones it modified: the Run value Upxdnd, the two Active Setup StubPath values, and the service keys WZCSRVC, WMIApiSrv, WinXPDHCPsvc, Win32DDS, RemoteDbg, MSDebugsvc and Hello Download, exactly as listed under "Registry keys created" above.
(3) Delete the dropped files listed under "Dropped copies and files" above.
(4) Restore the contents of %WinDir%\system32\drivers\etc\hosts to:
127.0.0.1 localhost
(5) Run a full-disk scan with 安天木马防线.
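The persistence artefacts above (rundll32-hosted services, the Run value, the Active Setup StubPath and the hosts rewrite) can be triaged offline from a registry export and a copy of the hosts file without touching the infected machine again. The script below is an added example and is not code from this page or from Antiy; the .reg export and hosts file it reads are constructed inside the block, the Active Setup subkey GUID and the host names in them are placeholders, and the function names (parse_reg_export, find_persistence, hosts_anomalies) are my own. It goes one step beyond the page's indicator list: any service whose ImagePath has the shape rundll32.exe <dll>,input is reported even when the DLL name is not one of those listed, since that shape is what the seven services have in common.

```python
"""Offline triage of the persistence artefacts listed in this entry. Added
example, not code from the page or from Antiy: it reads a regedit .reg export
and a hosts file, both constructed below (the Active Setup GUID is a placeholder)."""
import re

# Names from "Dropped copies and files" plus the Hello Download binary.
DROPPED_FILES = {
    "upxdnd.exe", "upxdnd.dll", "msdebug.dll", "netsrvcs.dll", "wizasktao.dll",
    "wizasktao.exe", "wiztlbb.dll", "wiztlbu.exe", "remotedbg.dll",
    "windds32.dll", "wmiapisrv.dll", "xpdhcp.dll", "wab32res.exe"}
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
# ImagePath shape shared by six of the seven services: rundll32.exe <dll>,input
RUNDLL_INPUT = re.compile(r"rundll32\.exe\s*([\w.-]+\.dll)\s*,\s*input\b", re.I)
LOOPBACK_DEFAULTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def decode_hex2(hexdata):
    """hex(2) is REG_EXPAND_SZ as comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_reg_export(text):
    """Minimal .reg reader -> {key: {value: data}}: quoted strings and hex(2)
    values, honouring regedit's trailing-backslash continuation lines."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                    # hex(2) continuation line
            name, acc = pending
            acc += line.rstrip("\\")
            pending = (name, acc) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = decode_hex2(acc)
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
            elif data.lower().startswith("hex(2):") and data.endswith("\\"):
                pending = (name, data[7:].rstrip("\\"))
            elif data.lower().startswith("hex(2):"):
                keys[current][name] = decode_hex2(data[7:])
    return keys

def basename(cmd):
    return cmd.rsplit("\\", 1)[-1].strip('"').lower()

def find_persistence(keys):
    """(kind, key or value name, data) for each autostart matching the indicators,
    plus any rundll32-hosted service whatever its DLL is called."""
    out = []
    for key, values in keys.items():
        if key.startswith(SERVICES):
            image = values.get("ImagePath", "")
            if m := RUNDLL_INPUT.search(image):
                listed = m.group(1).lower() in DROPPED_FILES
                out.append(("service-rundll32" if listed else "service-rundll32-unlisted", key, image))
            elif basename(image) in DROPPED_FILES:
                out.append(("service-exe", key, image))
        elif key == RUN_KEY:
            out += [("run", n, d) for n, d in values.items() if basename(d) in DROPPED_FILES]
        elif key.startswith(ACTIVE_SETUP) and basename(values.get("StubPath", "")) in DROPPED_FILES:
            out.append(("activesetup", key, values["StubPath"]))
    return out

def hosts_anomalies(text):
    """Hosts entries other than comments and the loopback defaults; empty for the
    file as removal step (4) restores it."""
    odd = []
    for raw in text.splitlines():
        if line := raw.split("#", 1)[0].strip():
            addr, *names = line.split()
            odd += [(addr, n) for n in names if (addr, n.lower()) not in LOOPBACK_DEFAULTS]
    return odd

def hex2_sample(s):
    """Encode s as regedit writes REG_EXPAND_SZ (used only to build the sample)."""
    parts = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(parts[i:i + 25]) for i in range(0, len(parts), 25))

# Constructed export: two rogue services, the Run value, an Active Setup
# component with a placeholder GUID, and one hex(2)-encoded ImagePath.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC]
"DisplayName"="Wireless Service"
"ImagePath"="%WinDir%\\System32\\rundll32.exe netsrvcs.dll,input"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello Download]
"ImagePath"="%Program Files%\\Common Files\\System\\wab32res.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upxdnd"="%WinDir%\\upxdnd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="%WinDir%\\System32\\wiztlbu.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc]
"ImagePath"=""" + hex2_sample("%WinDir%\\System32\\rundll32.exe xpdhcp.dll,input") + "\n"
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       update.example.test   # constructed: update site pinned to loopback
203.0.113.9     login.example.test    # constructed: login redirected to a rogue host
"""
```

On a suspect machine, export the Services, Run and Active Setup keys with regedit (or `reg export`), copy the files off together with %WinDir%\system32\drivers\etc\hosts, and pass their contents to parse_reg_export and hosts_anomalies; regedit writes .reg files as UTF-16 text, so decode them before handing the string over. Anything reported as service-rundll32-unlisted is a rundll32-hosted service with a DLL name this entry does not cover and should be examined by hand rather than deleted on sight.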