“Email-Worm.Win32.Zhelatin.bl”的意思、由来-中文百科全书

基本资料

病毒名称： Email-Worm.Win32

中文名称：泽拉丁变种

病毒类型：蠕虫类

文件 MD5： 116C0F5BDC126CE5FE8DE20526DAD02F

公开范围：完全公开

危害等级： 5

文件长度：加壳后 6,789 字节，脱壳后 21,504 字节

感染系统： Win95以上系统

开发工具： Microsoft Visual C++ 6.0

加壳类型 : UPX变种壳，伪造为下列两层壳信息

FSG v1.10 (Eng) -> dulek/xt

LCC Win32 1.x -> Jacob Navia

行为分析：

1 、衍生下列副本与文件：

%WinDir%\\pp.exe infected: Email-Worm.Win32.Zhelatin.d

%WinDir%\\via.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\adirka.dll infected: Email-Worm.Win32.Banwarum.f 关注网管是我们的使命

%System32%\\adirka.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\adirss.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\dd.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\lnwin.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\ma.exe.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\pfxzmtaim.dll

%System32%\\pfxzmtforum.dll

%System32%\\pfxzmtgtal.dll

%System32%\\pfxzmticq.dll

%System32%\\pfxzmtsmt.dll

%System32%\\pfxzmtsmtspm.dll

%System32%\\pfxzmtwbmail.dll

%System32%\\pfxzmtymsg.dll

%System32%\\pp.exe.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\rsvp32_2.dll infected: Email-Worm.Win32

%System32%\\sfxzmtforum.dll

%System32%\\sfxzmtsmt.dll

%System32%\\sfxzmtsmtspm.dll

%System32%\\sfxzmtwbmail.dll 中国网管博客

%System32%\\sm.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%\\sporder.dll

%System32%\\svcp.csv

%System32%\\wincom32.ini

%System32%\\winsub.xml

%System32%\\zlbw.dll

%System32%\\zu.exe.exe　infected: Email-Worm.Win32.Zhelatin.d

2 、新建注册表键值：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\

Run\\lnwin.exe Value: String: "%System32%\\lnwin.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\

Run\\sysinter Value: String: "%System32%\\ adirss.exe"

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\

Run\\adirka Value: String: "%System32%\\adirka.exe"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\

DisplayName

Value: String: "Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境"

网管资料库任你搜

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\ImagePath

Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes

%System32%\\drivers\\ws2ifsl.sys.

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000012\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000012\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000013\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000013\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000014\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000014\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000015\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000015\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\rsvpsp.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000016\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000016\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\rsvpsp.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000017\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000017\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000018\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000018\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000019\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000019\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000020\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000020\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000021\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ 命

Protocol_Catalog9\\Catalog_Entries\\000000000021\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000022\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000022\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000023\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000023\\PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

3 、修改下列注册表键值，破坏 LSP

并可实现随机启动：

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000001\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000002\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000003\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000004\\

PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\rsvpsp.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000005\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\rsvpsp.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000006\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000007\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000008\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000009\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000010\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\

Protocol_Catalog9\\Catalog_Entries\\000000000011\\PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

bitsCN全力打造网管学习平台

rsvp32_2.dll.system32\\mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%\\system32\\mswsock.dll

4、下载病毒体并运行

从下列 URL 下载病毒体到本机 %Temporary Internet Files% 目录，并运行病毒体：

[url=http://2*5.2*9.1*9.1*/aff/dir/zu.exe]http://2*5.2*9.1*9.1*/aff/dir/zu.exe

[url=http://2*6.2*5.1*4.1*2/aff/dir/via.exe]http://2*6.2*5.1*4.1*2/aff/dir/via.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/sm.exe]http://2*5.2*9.1*9.1*/aff/dir/sm.exe

[url=http://2*6.2*5.1*4.1*2/aff/dir/pp.exe]http://2*6.2*5.1*4.1*2/aff/dir/pp.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/pp.exe]http://2*5.2*9.1*9.1*/aff/dir/pp.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/ma.exe]http://2*5.2*9.1*9.1*/aff/dir/ma.exe

5 、垃圾邮件

垃圾邮件可能为下列两种形式，并附有扩展名为 .gif 的附件。鉴于相关信息从互联网获得，极为繁杂，故不列出。

6 、利用下列搜索引擎获得邮件信息：

64.233.1**.1* 美国加利福尼亚州 Google 公司

注：% System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:\\Winnt\\System32 ， windows95/98/me 中默认的安装路径是 C:\\Windows\\System ， windowsXP 中默认的安装路径是 C:\\Windows\\System32 。

清除方案：

1 、安天马防线

使用安天木马防线可彻底清除此病毒 ( 推荐 )

2 、手工清除

请按照行为分析删除对应文件，恢复相关系统设置。

(1) 使用安天木马防线 “进程管理”关闭病毒进程

adirka.exe

sm.exe

dd.exe

(2) 恢复病毒修改的注册表项目，删除病毒添加的注册表项

删除下列新建项：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\lnwin.exe

Value: String: "%System32%\\lnwin.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\sysinter

Value: String: "%System32%\\ adirss.exe"

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\

CurrentVersion\\Run\\adirka

Value: String: "%System32%\\adirka.exe"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\WS2IFSL\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ 你搜

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000012\\

…………..

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000023\\

恢复下列修改项：

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001\\

PackedCatalogItem

…………..

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\0000000000011\\

PackedCatalogItem

恢复键值为：

%SystemRoot%\\system32\\mswsock.dll

(3) 删除病毒衍生文件：

%WinDir%\\pp.exe

%WinDir%\\via.exe

%System32%\\adirka.dll

%System32%\\adirka.exe

%System32%\\adirss.exe

%System32%\\dd.exe

%System32%\\lnwin.exe

%System32%\\ma.exe.exe

%System32%\\pfxzmtaim.dll

%System32%\\pfxzmtforum.dll

%System32%\\pfxzmtgtal.dll

%System32%\\pfxzmticq.dll

%System32%\\pfxzmtsmt.dll

%System32%\\pfxzmtsmtspm.dll

%System32%\\pfxzmtwbmail.dll

%System32%\\pfxzmtymsg.dll

%System32%\\pp.exe.exe

%System32%\\rsvp32_2.dll

%System32%\\sfxzmtforum.dll

%System32%\\sfxzmtsmt.dll

%System32%\\sfxzmtsmtspm.dll

%System32%\\sfxzmtwbmail.dll

%System32%\\sm.exe

%System32%\\sporder.dll

%System32%\\svcp.csv

%System32%\\wincom32.ini

%System32%\\winsub.xml

%System32%\\zlbw.dll

%System32%\\zu.exe.exe

%Temporary Internet Files%/zu.exe

%Temporary Internet Files%/via.exe

%Temporary Internet Files%/sm.exe

%Temporary Internet Files%/pp.exe

%Temporary Internet Files%/ma.exe

%Temporary Internet Files%/dd.exe

概述

病毒名称： Email-Worm.Win32

中文名称：泽拉丁变种

病毒类型：蠕虫类

文件 MD5： 116C0F5BDC126CE5FE8DE20526DAD02F

公开范围：完全公开

危害等级： 5

文件长度：加壳后 6,789 字节，脱壳后 21,504 字节

感染系统： Win95以上系统

开发工具： Microsoft Visual C++ 6.0

加壳类型 : UPX变种壳，伪造为下列两层壳信息

FSG v1.10 (Eng) -> dulek/xt

LCC Win32 1.x -> Jacob Navia

手工清除

手工清除请按照行为分析删除对应文件，恢复相关系统设置。

(1) 使用进程管理关闭病毒进程

adirka.exe

sm.exe

dd.exe

(2)恢复注册表

恢复病毒修改的注册表项目，删除病毒添加的注册表项

删除下列新建项：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\lnwin.exe

Value: String: "%System32%\\lnwin.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\sysinter

Value: String: "%System32%\\ adirss.exe"

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\

CurrentVersion\\Run\\adirka

Value: String: "%System32%\\adirka.exe"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\WS2IFSL\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000012\\

…………..

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000023\\

恢复下列修改项：

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001\\

PackedCatalogItem

…………..

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\

Parameters\\Protocol_Catalog9\\Catalog_Entries\\0000000000011\\

PackedCatalogItem

恢复键值为：

%SystemRoot%\\system32\\mswsock.dll

(3) 删除病毒衍生文件：

%WinDir%\\pp.exe

%WinDir%\\via.exe

%System32%\\adirka.dll

%System32%\\adirka.exe

%System32%\\adirss.exe

%System32%\\dd.exe

%System32%\\lnwin.exe

%System32%\\ma.exe.exe

%System32%\\pfxzmtaim.dll

%System32%\\pfxzmtforum.dll

%System32%\\pfxzmtgtal.dll

%System32%\\pfxzmticq.dll

%System32%\\pfxzmtsmt.dll

%System32%\\pfxzmtsmtspm.dll

%System32%\\pfxzmtwbmail.dll

%System32%\\pfxzmtymsg.dll

%System32%\\pp.exe.exe

%System32%\\rsvp32_2.dll

%System32%\\sfxzmtforum.dll

%System32%\\sfxzmtsmt.dll

%System32%\\sfxzmtsmtspm.dll

%System32%\\sfxzmtwbmail.dll

%System32%\\sm.exe

%System32%\\sporder.dll

%System32%\\svcp.csv

%System32%\\wincom32.ini

%System32%\\winsub.xml

%System32%\\zlbw.dll

%System32%\\zu.exe.exe

%Temporary Internet Files%/zu.exe

%Temporary Internet Files%/via.exe

%Temporary Internet Files%/sm.exe

%Temporary Internet Files%/pp.exe

%Temporary Internet Files%/ma.exe

%Temporary Internet Files%/dd.exe

词条	Email-Worm.Win32.Zhelatin.bl
释义	该病毒运行后，从某互联网地址下载病毒病毒体到本机运行，并添加注册表自动运行项与系统服务项、修改 LSP ，以达到随系统启动的目的。通过内建的 SMTP 蠕虫程序连接到互联网 SMTP 服务器，获得需要伪造的邮件信息，进而大量发送垃圾邮件，严重占用网络资源。基本资料行为分析：(1 、衍生下列副本与文件： 2 、新建注册表键值： 3 、修改下列注册表键值，破坏 LSP 4、下载病毒体并运行 5 、垃圾邮件 6 、利用下列搜索引擎获得邮件信息：) 清除方案：(1 、安天马防线 2 、手工清除) 概述手工清除((1) 使用进程管理关闭病毒进程 (2)恢复注册表 (3) 删除病毒衍生文件：) 基本资料病毒名称： Email-Worm.Win32 中文名称：泽拉丁变种病毒类型：蠕虫类文件 MD5： 116C0F5BDC126CE5FE8DE20526DAD02F 公开范围：完全公开危害等级： 5 文件长度：加壳后 6,789 字节，脱壳后 21,504 字节感染系统： Win95以上系统开发工具： Microsoft Visual C++ 6.0 加壳类型 : UPX变种壳，伪造为下列两层壳信息 FSG v1.10 (Eng) -> dulek/xt LCC Win32 1.x -> Jacob Navia 行为分析： 1 、衍生下列副本与文件： %WinDir%\\pp.exe infected: Email-Worm.Win32.Zhelatin.d %WinDir%\\via.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\adirka.dll infected: Email-Worm.Win32.Banwarum.f 关注网管是我们的使命 %System32%\\adirka.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\adirss.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\dd.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\lnwin.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\ma.exe.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\pfxzmtaim.dll %System32%\\pfxzmtforum.dll %System32%\\pfxzmtgtal.dll %System32%\\pfxzmticq.dll %System32%\\pfxzmtsmt.dll %System32%\\pfxzmtsmtspm.dll %System32%\\pfxzmtwbmail.dll %System32%\\pfxzmtymsg.dll %System32%\\pp.exe.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\rsvp32_2.dll infected: Email-Worm.Win32 %System32%\\sfxzmtforum.dll %System32%\\sfxzmtsmt.dll %System32%\\sfxzmtsmtspm.dll %System32%\\sfxzmtwbmail.dll 中国网管博客 %System32%\\sm.exe infected: Email-Worm.Win32.Zhelatin.d %System32%\\sporder.dll %System32%\\svcp.csv %System32%\\wincom32.ini %System32%\\winsub.xml %System32%\\zlbw.dll %System32%\\zu.exe.exe　infected: Email-Worm.Win32.Zhelatin.d 2 、新建注册表键值： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ Run\\lnwin.exe Value: String: "%System32%\\lnwin.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ Run\\sysinter Value: String: "%System32%\\ adirss.exe" HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\ Run\\adirka Value: String: "%System32%\\adirka.exe" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\ DisplayName Value: String: "Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境" 网管资料库任你搜 HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WS2IFSL\\ImagePath Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes %System32%\\drivers\\ws2ifsl.sys. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000012\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000012\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000013\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000013\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000014\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000014\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000015\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000015\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000016\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000016\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000017\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000017\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000018\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000018\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000019\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000019\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000020\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000020\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000021\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ 命 Protocol_Catalog9\\Catalog_Entries\\000000000021\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000022\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000022\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000023\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000023\\PackedCatalogItem Value: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll 3 、修改下列注册表键值，破坏 LSP 并可实现随机启动： HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000001\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000002\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000003\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000004\\ PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000005\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\rsvpsp.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000006\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000007\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000008\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000009\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000010\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\ Protocol_Catalog9\\Catalog_Entries\\000000000011\\PackedCatalogItem New: Type: REG_BINARY Length: 888 (0x378) bytes bitsCN全力打造网管学习平台 rsvp32_2.dll.system32\\mswsock.dll Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\\system32\\mswsock.dll 4、下载病毒体并运行从下列 URL 下载病毒体到本机 %Temporary Internet Files% 目录，并运行病毒体： [url=http://25.29.19.1/aff/dir/zu.exe]http://25.29.19.1/aff/dir/zu.exe [url=http://26.25.14.12/aff/dir/via.exe]http://26.25.14.12/aff/dir/via.exe [url=http://25.29.19.1/aff/dir/sm.exe]http://25.29.19.1/aff/dir/sm.exe [url=http://26.25.14.12/aff/dir/pp.exe]http://26.25.14.12/aff/dir/pp.exe [url=http://25.29.19.1/aff/dir/pp.exe]http://25.29.19.1/aff/dir/pp.exe [url=http://25.29.19.1/aff/dir/ma.exe]http://25.29.19.1/aff/dir/ma.exe 5 、垃圾邮件垃圾邮件可能为下列两种形式，并附有扩展名为 .gif 的附件。鉴于相关信息从互联网获得，极为繁杂，故不列出。 6 、利用下列搜索引擎获得邮件信息： 64.233.1*.1 美国加利福尼亚州 Google 公司注：% System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:\\Winnt\\System32 ， windows95/98/me 中默认的安装路径是 C:\\Windows\\System ， windowsXP 中默认的安装路径是 C:\\Windows\\System32 。清除方案： 1 、安天马防线使用安天木马防线可彻底清除此病毒 ( 推荐 ) 2 、手工清除请按照行为分析删除对应文件，恢复相关系统设置。 (1) 使用安天木马防线 “进程管理”关闭病毒进程 adirka.exe sm.exe dd.exe (2) 恢复病毒修改的注册表项目，删除病毒添加的注册表项删除下列新建项： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\lnwin.exe Value: String: "%System32%\\lnwin.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\sysinter Value: String: "%System32%\\ adirss.exe" HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ CurrentVersion\\Run\\adirka Value: String: "%System32%\\adirka.exe" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\WS2IFSL\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ 你搜 Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000012\\ ………….. ………….. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000023\\ 恢复下列修改项： HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001\\ PackedCatalogItem ………….. ………….. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\0000000000011\\ PackedCatalogItem 恢复键值为： %SystemRoot%\\system32\\mswsock.dll (3) 删除病毒衍生文件： %WinDir%\\pp.exe %WinDir%\\via.exe %System32%\\adirka.dll %System32%\\adirka.exe %System32%\\adirss.exe %System32%\\dd.exe %System32%\\lnwin.exe %System32%\\ma.exe.exe %System32%\\pfxzmtaim.dll %System32%\\pfxzmtforum.dll %System32%\\pfxzmtgtal.dll %System32%\\pfxzmticq.dll %System32%\\pfxzmtsmt.dll %System32%\\pfxzmtsmtspm.dll %System32%\\pfxzmtwbmail.dll %System32%\\pfxzmtymsg.dll %System32%\\pp.exe.exe %System32%\\rsvp32_2.dll %System32%\\sfxzmtforum.dll %System32%\\sfxzmtsmt.dll %System32%\\sfxzmtsmtspm.dll %System32%\\sfxzmtwbmail.dll %System32%\\sm.exe %System32%\\sporder.dll %System32%\\svcp.csv %System32%\\wincom32.ini %System32%\\winsub.xml %System32%\\zlbw.dll %System32%\\zu.exe.exe %Temporary Internet Files%/zu.exe %Temporary Internet Files%/via.exe %Temporary Internet Files%/sm.exe %Temporary Internet Files%/pp.exe %Temporary Internet Files%/pp.exe %Temporary Internet Files%/ma.exe %Temporary Internet Files%/dd.exe 概述病毒名称： Email-Worm.Win32 中文名称：泽拉丁变种病毒类型：蠕虫类文件 MD5： 116C0F5BDC126CE5FE8DE20526DAD02F 公开范围：完全公开危害等级： 5 文件长度：加壳后 6,789 字节，脱壳后 21,504 字节感染系统： Win95以上系统开发工具： Microsoft Visual C++ 6.0 加壳类型 : UPX变种壳，伪造为下列两层壳信息 FSG v1.10 (Eng) -> dulek/xt LCC Win32 1.x -> Jacob Navia 手工清除手工清除请按照行为分析删除对应文件，恢复相关系统设置。 (1) 使用进程管理关闭病毒进程 adirka.exe sm.exe dd.exe (2)恢复注册表恢复病毒修改的注册表项目，删除病毒添加的注册表项删除下列新建项： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\lnwin.exe Value: String: "%System32%\\lnwin.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\sysinter Value: String: "%System32%\\ adirss.exe" HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ CurrentVersion\\Run\\adirka Value: String: "%System32%\\adirka.exe" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\WS2IFSL\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000012\\ ………….. ………….. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000023\\ 恢复下列修改项： HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001\\ PackedCatalogItem ………….. ………….. HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\ Parameters\\Protocol_Catalog9\\Catalog_Entries\\0000000000011\\ PackedCatalogItem 恢复键值为： %SystemRoot%\\system32\\mswsock.dll (3) 删除病毒衍生文件： %WinDir%\\pp.exe %WinDir%\\via.exe %System32%\\adirka.dll %System32%\\adirka.exe %System32%\\adirss.exe %System32%\\dd.exe %System32%\\lnwin.exe %System32%\\ma.exe.exe %System32%\\pfxzmtaim.dll %System32%\\pfxzmtforum.dll %System32%\\pfxzmtgtal.dll %System32%\\pfxzmticq.dll %System32%\\pfxzmtsmt.dll %System32%\\pfxzmtsmtspm.dll %System32%\\pfxzmtwbmail.dll %System32%\\pfxzmtymsg.dll %System32%\\pp.exe.exe %System32%\\rsvp32_2.dll %System32%\\sfxzmtforum.dll %System32%\\sfxzmtsmt.dll %System32%\\sfxzmtsmtspm.dll %System32%\\sfxzmtwbmail.dll %System32%\\sm.exe %System32%\\sporder.dll %System32%\\svcp.csv %System32%\\wincom32.ini %System32%\\winsub.xml %System32%\\zlbw.dll %System32%\\zu.exe.exe %Temporary Internet Files%/zu.exe %Temporary Internet Files%/via.exe %Temporary Internet Files%/sm.exe %Temporary Internet Files%/pp.exe %Temporary Internet Files%/pp.exe %Temporary Internet Files%/ma.exe %Temporary Internet Files%/dd.exe
随便看	新天新地新天学校新天涯歌女新天涯明月刀新天翼之链新天宇布袋戏新天宇之龙啸九烽新天羽传奇新天域资本新天泽国际广场新天站新天镇新天宙国际贸易(上海)有限公司新天籁新天籁DVD导航仪新天籁车载DVD导航仪新添堡回族乡新添村新添润集团新添声杨柳枝词二首新添镇新填地街新田新田坝自然村新田冲村