详细资料:
文件变化:
释放文件
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl
各分区根目录释放
X:\autorun.inf
autorun.inf 内容
[autorun]
Open=EvilDay.exe
shellexecute=EvilDay.exe
shell\打开(&O)\command=EvilDay.exe
shell=打开(&O)
shell\2\=浏览(&B)
shell\2\Command=EvilDay.exe
shell\3\=资源管理器(&X)
shell\3\Command=EvilDay.exe |
修改注册表:
病毒创建启动项
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"="%Windows%\CMD32.exe" |
修改自动播放禁用设置
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005b |
禁用"显示所有文件和文件夹"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000 |
禁用"注册表编辑器"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001 |
其他行为:
使用命令启动自动播放服务
net start ShellHWDetection
删除hips软件 GhostSecuritySuite 主程序
%ProgramFiles%\GhostSecuritySuite\gss.exe
修改系统时间
1937-07-07
12:00
创建 Image File Execution Options 劫持安全相关程序,当被劫持程序运行,实际运行的是病毒主程序.
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe] |
结束安全软件相关进程,以及VMware tools
SysWarn.exe
snatry.exe
sloemnit.exe
SNATask.exe
VMwareUser.exe
snaregmn.exe
vmsrvc.exe
vmusrvc.exe
FilMsg.exe
Twister.exe
gss.exe
KAVStart.EXE
KWatch.EXE |
清除方法:
1.结束进程
%Windows%\CMD32.exe
2.删除病毒文件
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl
X:\autorun.inf
3. 修改回系统时间
4. 重启计算机
下载SREng
打开sreng-系统修复-windows shell/ie-全选-修复-
5.删除病毒创建的注册表
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" |
6.修改注册表,修复被禁用的"自动播放"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091 |
7.删除 Image File Execution Options 映像劫持项
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe] |
|
