Encounter with beep.sys/Backdoor.Win32.Agent, DOVA/Backdoor.Win32.Hupigon, myRAT.rmvb/Trojan.Win32.Delf, etc. (2)
endurer original, 2008-06-22, 1st edition
(continued from part 1)
Go to http://purpleendurer.ys168.com and download FileInfo and bat_do.
Use FileInfo to extract the information of the files marked in red in the pe_xscan log; use bat_do to pack them into a backup archive, delete them with a delay, rename the selected files, and then delete them again with a delay.
Download and install Rising Kaka Security Assistant, switch to [Advanced Features] -> [System Startup Item Management],
click [Logon Items] on the left, find the entries corresponding to the F2 and O4 items on the right, right-click them, and choose Delete from the pop-up menu.
Click [Service Items] and [Drivers] on the left in turn, find the entries corresponding to the O23 group, right-click them, and choose Delete from the pop-up menu.
A further check also found:
文件说明符 : c:/windows/system32/drivers/beep.sys
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-6-16 16:30:47
修改时间 : 2008-6-16 16:30:48
大小 : 2278 字节 2.230 KB
MD5 : 57feb7a53fc0fc0d72460c79f6fe4a70
SHA1: 426C70291E57437C7F922055D6E9F780582CB6AD
CRC32: b4f9768e
(Kaspersky detects it as: Backdoor.Win32.Agent.krx [KLAB-5393973])
This was also handled with bat_do.
Use WinRAR to delete the deletable files in the Windows temporary folder, the IE temporary folder, and c:/windows/prefetch.
Restart the computer.
The computer now works normally.
Appendix: information on some of the malicious files:
File beep.sys received on 2008.06.17 11:48:14 (CET)
Antivirus engine | Version | Last update | Scan result |
AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | - |
AntiVir | 7.8.0.55 | 2008.06.17 | - |
Authentium | 5.1.0.4 | 2008.06.17 | - |
Avast | 4.8.1195.0 | 2008.06.16 | - |
AVG | 7.5.0.516 | 2008.06.16 | Worm/Agent.N |
BitDefender | 7.2 | 2008.06.17 | - |
CAT-QuickHeal | 9.50 | 2008.06.16 | - |
ClamAV | 0.93.1 | 2008.06.17 | - |
DrWeb | 4.44.0.09170 | 2008.06.17 | - |
eSafe | 7.0.15.0 | 2008.06.16 | - |
eTrust-Vet | 31.6.5881 | 2008.06.17 | - |
Ewido | 4.0 | 2008.06.16 | - |
F-Prot | 4.4.4.56 | 2008.06.12 | - |
F-Secure | 7.60.13501.0 | 2008.06.17 | - |
Fortinet | 3.14.0.0 | 2008.06.17 | - |
GData | 2.0.7306.1023 | 2008.06.17 | - |
Ikarus | T3.1.1.26.0 | 2008.06.17 | - |
Kaspersky | 7.0.0.125 | 2008.06.17 | - |
McAfee | 5318 | 2008.06.16 | - |
Microsoft | 1.3604 | 2008.06.17 | - |
NOD32v2 | 3192 | 2008.06.17 | - |
Norman | 5.80.02 | 2008.06.16 | - |
Panda | 9.0.0.4 | 2008.06.16 | - |
Prevx1 | V2 | 2008.06.17 | - |
Rising | 20.49.11.00 | 2008.06.17 | - |
Sophos | 4.30.0 | 2008.06.17 | - |
Sunbelt | 3.0.1153.1 | 2008.06.15 | - |
Symantec | 10 | 2008.06.17 | - |
TheHacker | 6.2.92.352 | 2008.06.17 | - |
TrendMicro | 8.700.0.1004 | 2008.06.17 | - |
VBA32 | 3.12.6.7 | 2008.06.17 | - |
VirusBuster | 4.3.26:9 | 2008.06.12 | - |
Webwasher-Gateway | 6.6.2 | 2008.06.17 | - |
Additional information
File size: 2278 bytes
MD5...: 57feb7a53fc0fc0d72460c79f6fe4a70
SHA1..: 426c70291e57437c7f922055d6e9f780582cb6ad
SHA256: 8f374788e5331a514bb7af41349fe2e41d1bf747c3cf6f8c0450f70d7700f62a
SHA512: 25496d47a6a7385e517575d4c82b3eaa6f477f5344c0db91d87ee55f0ccec035834f7cfd854405cdbe784847ffcd5c2c66e1fea2bb34d50bc8bbfef99ffa14da
PEiD..: -
PEInfo: PE Structure information ( base data )
entrypointaddress.: 0x102e6
timedatestamp.....: 0x4853ae23 (Sat Jun 14 11:40:19 2008)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2a0 0x23c 0x240 5.84 738686680103bf7136d1d58d91449851
.rdata 0x4e0 0x94 0xa0 2.56 b3ae866fa0e297874aa7207a07840525
.data 0x580 0x18 0x20 0.00 70bc8f4b72a86921468bf8e8441dce51
INIT 0x5a0 0x144 0x160 4.44 5d072eceb6de4a7376bf9d6312676161
.reloc 0x700 0x58 0x60 3.47 d9b273eae760f0b360a5cdc940e91f18
( 1 imports )
> ntoskrnl.exe: IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IofCompleteRequest, DbgPrint, IoDeleteDevice, IoDeleteSymbolicLink, KeServiceDescriptorTable, ProbeForWrite, ProbeForRead, _except_handler3
( 0 exports )
文件说明符 : D:/test/myRAT.rmvb
属性 : -SH-
数字签名:否
PE文件:是
语言 : 中文(中国)
文件版本 : 1.0.0.500
说明 :
版权 :
备注 :
产品版本 : 1.0.0.0
产品名称 :
公司名称 :
合法商标 :
内部名称 :
源文件名 :
创建时间 : 2008-6-16 2:44:19
修改时间 : 2008-6-16 10:44:20
大小 : 135680 字节 132.512 KB
MD5 : 2d12b069fe76521573f6c7335b5b4b3a
SHA1: 4CCF4F2AE88DF6B28544AC5628EE5F87157EBB13
CRC32: 6a109c0d
Kaspersky detects it as: Trojan-Downloader.Win32.Delf.jdo; Rising detects it as: Trojan.Win32.Delf.fck
Antivirus engine | Version | Last update | Scan result |
AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | - |
AntiVir | 7.8.0.55 | 2008.06.17 | BDS/Backdoor.Gen |
Authentium | 5.1.0.4 | 2008.06.17 | W32/OnlineGames.A.gen!Eldorado |
Avast | 4.8.1195.0 | 2008.06.16 | - |
AVG | 7.5.0.516 | 2008.06.16 | - |
BitDefender | 7.2 | 2008.06.17 | - |
CAT-QuickHeal | 9.50 | 2008.06.16 | - |
ClamAV | 0.93.1 | 2008.06.17 | - |
DrWeb | 4.44.0.09170 | 2008.06.17 | BackDoor.Siggen.18 |
eSafe | 7.0.15.0 | 2008.06.16 | - |
eTrust-Vet | 31.6.5881 | 2008.06.17 | - |
Ewido | 4.0 | 2008.06.16 | - |
F-Prot | 4.4.4.56 | 2008.06.12 | W32/OnlineGames.A.gen!Eldorado |
F-Secure | 7.60.13501.0 | 2008.06.17 | - |
Fortinet | 3.14.0.0 | 2008.06.17 | - |
GData | 2.0.7306.1023 | 2008.06.17 | Trojan-Downloader.Win32.Delf.jdo |
Ikarus | T3.1.1.26.0 | 2008.06.17 | Backdoor.Win32.Delf.RAN |
Kaspersky | 7.0.0.125 | 2008.06.17 | Trojan-Downloader.Win32.Delf.jdo |
McAfee | 5318 | 2008.06.16 | - |
Microsoft | 1.3604 | 2008.06.17 | Backdoor:Win32/Delf.RAN |
NOD32v2 | 3193 | 2008.06.17 | - |
Norman | 5.80.02 | 2008.06.16 | - |
Panda | 9.0.0.4 | 2008.06.16 | Suspicious file |
Prevx1 | V2 | 2008.06.17 | - |
Rising | 20.49.11.00 | 2008.06.17 | Trojan.Win32.Delf.fck |
Sophos | 4.30.0 | 2008.06.17 | Troj/Delf-FAH |
Sunbelt | 3.0.1153.1 | 2008.06.15 | - |
Symantec | 10 | 2008.06.17 | - |
TheHacker | 6.2.92.352 | 2008.06.17 | - |
TrendMicro | 8.700.0.1004 | 2008.06.17 | - |
VBA32 | 3.12.6.7 | 2008.06.17 | - |
VirusBuster | 4.3.26:9 | 2008.06.12 | - |
Webwasher-Gateway | 6.6.2 | 2008.06.17 | Trojan.Backdoor.Backdoor.Gen |
Additional information
File size: 135680 bytes
MD5...: 2d12b069fe76521573f6c7335b5b4b3a
SHA1..: 4ccf4f2ae88df6b28544ac5628ee5f87157ebb13
SHA256: 48305730acf26f319facfa169e6eb8b07e1cdcb90e0cd34421e0f4d56422ff7b
SHA512: 44ef829d1fc28f1412ca9d4b675e31bb255f35c45bd7d1bddb91955988e57ef39be30e2d2db3488f5fb7f306ea95dda97d67078c39a85edd1f22d6f1af9ee24c
PEiD..: -
PEInfo: PE Structure information ( base data )
entrypointaddress.: 0x41c1b4
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x1b208 0x1b400 6.50 1300615699205731585424971640e87b
DATA 0x1d000 0x20f0 0x2200 4.12 711df5be86fe3c18b34b3d17bd67f542
BSS 0x20000 0x1ab5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x22000 0x1a20 0x1c00 4.74 b0c33623819f6d387b0ad873910e4b82
.edata 0x24000 0x87 0x200 1.54 e547a716c28ead40f0a419a6f25e807f
.reloc 0x25000 0x15c8 0x1600 6.70 a65c4f4337ad0f54873701703a63ff27
.rsrc 0x27000 0x2d8 0x400 2.39 7495ebf8c9de446dfdcdbb598f5522af
( 22 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, CreateDirectoryA, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle user32.dll: GetKeyboardType, MessageBoxA advapi32.dll: RegQueryvalueExA, RegOpenKeyExA, RegCloseKey oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetvalue, TlsGetvalue, TlsFree, TlsAlloc, LocalFree, LocalAlloc advapi32.dll: SetSecurityDescriptorDacl, RevertToSelf, RegSetvalueExA, RegQueryvalueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumvalueA, RegEnumKeyExA, RegDeletevalueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegevalueA, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, GetUserNameA, DuplicateTokenEx, CreateProcessAsUserA, AdjustTokenPrivileges kernel32.dll: lstrlenA, lstrcpyW, lstrcpyA, lstrcmpiA, lstrcmpW, WriteFile, WinExec, WaitForSingleObject, UnmapViewOfFile, TerminateProcess, Sleep, SetThreadPriority, SetFileTime, SetFilePointer, SetFileAttributesW, SetFileAttributesA, SetEvent, SetErrorMode, ResumeThread, ReleaseMutex, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MoveFileExA, MoveFileA, MapViewOfFile, LocalFileTimeToFileTime, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalAlloc, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTimeFormatW, GetTickCount, GetThreadPriority, GetTempPathA, GetSystemDirectoryA, GetSystemDefaultLangID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceExA, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetComputerNameA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnterCriticalSection, DosDateTimeToFileTime, DeleteFileW, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingW, CreateFileA, CreateEventA, CloseHandle gdi32.dll: SelectObject, GetSystemPaletteEntries, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBColorTable, DeleteObject, DeleteDC, CreatePalette, CreateHalftonePalette, CreateDIBSection, CreateCompatibleDC, BitBlt
> user32.dll: mouse_event, keybd_event, UnhookWindowsHookEx, TranslateMessage, ShowWindow, SetWindowsHookExA, SetCursorPos, SetClipboardData, SendMessageA, ReleaseDC, PostMessageA, PeekMessageA, OpenClipboard, OemToCharA, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, IsWindowVisible, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowLongA, GetSystemMetrics, GetProcessWindowStation, GetParent, GetMessageA, GetDesktopWindow, GetDC, GetCursorPos, GetClipboardData, GetClassNameA, ExitWindowsEx, EnumWindows, EmptyClipboard, DispatchMessageA, DestroyWindow, CloseWindow, CloseClipboard, CallNextHookEx kernel32.dll: Sleep shell32.dll: SHFileOperationA advapi32.dll: UnlockServiceDatabase, StartServiceA, SetServiceStatus, RegisterServiceCtrlHandlerA, QueryServiceStatus, QueryServiceConfigA, OpenServiceA, OpenSCManagerA, LockServiceDatabase, EnumServicesStatusA, DeleteService, CreateServiceA, ControlService, CloseServiceHandle, ChangeServiceConfigA
> wininet.dll: InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle URLMON.DLL: URLDownloadToFileA shell32.dll: SHGetSpecialFolderPathA imm32.dll: ImmReleaseContext, ImmGetCompositionStringW, ImmGetContext
> ws2_32.dll: WSAIoctl, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, shutdown, setsockopt, send, select, recv, ntohs, ntohl, ioctlsocket, inet_ntoa, inet_addr, htons, htonl, connect, closesocket MSVFW32.DLL: ICSeqCompressFrame, ICSeqCompressFrameEnd, ICSeqCompressFrameStart, ICSendMessage, ICClose, ICOpen, ICInstall AVICAP32.dll: capCreateCaptureWindowA, capGetDriverDescriptionA
> Setupapi.dll: SetupDiClassNameFromGuidA, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA shell32.dll: ShellExecuteA wininet.dll: InternetGetConnectedStateEx
( 4 exports ) Install, InstallEx, ServerMain, ServiceMain
文件说明符 : D:/test/DOVA
属性 : -SHR
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-6-16 2:44:38
修改时间 : 2008-6-16 16:30:50
大小 : 231729 字节 226.305 KB
MD5 : 76d5a93a77a4b266ce590864fe2cdae4
SHA1: E9E2694515A8D0BEF74E5D4094E49DB4DC46E297
CRC32: 3c8f8c39
Kaspersky detects it as: Backdoor.Win32.Hupigon.clpz
Antivirus engine | Version | Last update | Scan result |
AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | Win32/NSAnti.suspicious |
AntiVir | 7.8.0.55 | 2008.06.17 | BDS/Backdoor.Gen |
Authentium | 5.1.0.4 | 2008.06.17 | W32/Hupigon.A.gen!Eldorado |
Avast | 4.8.1195.0 | 2008.06.16 | Win32:Hupigon-ZA |
AVG | 7.5.0.516 | 2008.06.16 | Generic10.ANTC |
BitDefender | 7.2 | 2008.06.17 | MemScan:Backdoor.Hupigon.ZUW |
CAT-QuickHeal | 9.50 | 2008.06.16 | Win32.Packed.NSAnti.r |
ClamAV | 0.93.1 | 2008.06.17 | - |
DrWeb | 4.44.0.09170 | 2008.06.17 | BackDoor.Pigeon.2254 |
eSafe | 7.0.15.0 | 2008.06.16 | suspicious Trojan/Worm |
eTrust-Vet | 31.6.5881 | 2008.06.17 | - |
Ewido | 4.0 | 2008.06.16 | Backdoor.GrayBird.kx |
F-Prot | 4.4.4.56 | 2008.06.12 | W32/Hupigon.A.gen!Eldorado |
Fortinet | 3.14.0.0 | 2008.06.17 | - |
GData | 2.0.7306.1023 | 2008.06.17 | Backdoor.Win32.Hupigon.clpz |
Ikarus | T3.1.1.26.0 | 2008.06.17 | Packed.Win32.Klone.af |
Kaspersky | 7.0.0.125 | 2008.06.17 | Backdoor.Win32.Hupigon.clpz |
McAfee | 5318 | 2008.06.16 | - |
Microsoft | 1.3604 | 2008.06.17 | VirTool:Win32/Obfuscator.A |
NOD32v2 | 3193 | 2008.06.17 | - |
Norman | 5.80.02 | 2008.06.16 | W32/Suspicious_N.gen |
Panda | 9.0.0.4 | 2008.06.16 | Suspicious file |
Prevx1 | V2 | 2008.06.17 | Suspicious |
Rising | 20.49.11.00 | 2008.06.17 | - |
Sophos | 4.30.0 | 2008.06.17 | Sus/UnkPacker |
Sunbelt | 3.0.1153.1 | 2008.06.15 | VIPRE.Suspicious |
Symantec | 10 | 2008.06.17 | - |
TheHacker | 6.2.92.352 | 2008.06.17 | - |
TrendMicro | 8.700.0.1004 | 2008.06.17 | - |
VBA32 | 3.12.6.7 | 2008.06.17 | suspected of Backdoor.XiaoBird.1 |
VirusBuster | 4.3.26:9 | 2008.06.12 | Packed/NSPack |
Webwasher-Gateway | 6.6.2 | 2008.06.17 | Trojan.Backdoor.Backdoor.Gen |
Additional information
File size: 231729 bytes
MD5...: 76d5a93a77a4b266ce590864fe2cdae4
SHA1..: e9e2694515a8d0bef74e5d4094e49db4dc46e297
SHA256: 56002d8d72834e91189ac226b809be2968ddcd199edf74486b8baa527ae64c81
SHA512: 8f414f7d1f035e621db966d760dbba76ff18aeb895c62398e1368522094f45f57161dfe25018fca5aff40e881adb66169511403d931220017f334e0e1b8ca80f
PEiD..: -
PEInfo: PE Structure information ( base data )
entrypointaddress.: 0x4df028
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
(unnamed) 0x1000 0xde000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
(unnamed) 0xdf000 0x39000 0x38531 8.00 15910b31c9cfb5449b6989cf64121b8e
(unnamed) 0x118000 0x88a 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
( 25 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> USER32.DLL: GetKeyboardType
> ADVAPI32.DLL: RegQueryvalueExA
> OLEAUT32.DLL: SysFreeString
> KERNEL32.DLL: TlsSetvalue
> ADVAPI32.DLL: RegSetvalueExA
> KERNEL32.DLL: lstrcpyA
> MPR.DLL: WNetOpenEnumA
> VERSION.DLL: VerQueryvalueA
> GDI32.DLL: UnrealizeObject
> USER32.DLL: CreateWindowExA
> KERNEL32.DLL: Sleep
> OLEAUT32.DLL: SafeArrayPtrOfIndex
> COMCTL32.DLL: ImageList_SetIconSize
> SHELL32.DLL: Shell_NotifyIconA
> WININET.DLL: InternetReadFile
> ADVAPI32.DLL: StartServiceA
> WSOCK32.DLL: WSACleanup
> IMAGEHLP.DLL: CheckSumMappedFile
> WINMM.DLL: waveOutWrite
> AVICAP32.DLL: capCreateCaptureWindowA
> MSACM32.DLL: acmFormatChooseA
> WS2_32.DLL: WSAIoctl
> ADVAPI32.DLL: SetSecurityInfo
> AVICAP32.DLL: capGetDriverDescriptionA
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E5A5604431A0EFF889FD0378A1F6E80097A6ED84
packers (Avast): NsPack, NsPack
packers (F-Prot): NSPack
packers (Authentium): NSPack
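The PEInfo dumps above list, for every section, its name, virtual address, virtual size, raw size, entropy and MD5 (the "name viradd virsiz rawdsiz ntrpy md5" columns), and for the DOVA sample the table shows three unnamed sections, one of them with an entropy of 8.00 and a raw size of 0x38531 while the other two have no raw data at all, which is the footprint the packer detections (NSPack) confirm. The following script is an added example, not code from the original post or from the author's FileInfo/pe_xscan tools: it reads the section table of a PE32 file with nothing but the standard library, reproduces those columns, and flags the triage indicators visible in that dump (unnamed sections, a section with near-maximal entropy, an entry point inside such a section). The input is a constructed PE32 image built in memory so the script runs offline; the 7.0 bits/byte threshold and the section layout are this example's assumptions, not values taken from the page.

```python
import hashlib
import math
import struct

# Constructed sample sections: (name, VirtualAddress, VirtualSize, PointerToRawData, raw bytes).
# All values are made up for this example; none come from the files analysed on the page.
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x200, 0x200, b"\x90" * 0x200),         # one repeated byte: entropy 0.00
    (b"",      0x2000, 0x200, 0x400, bytes(range(256)) * 2),   # unnamed; flat histogram: entropy 8.00
    (b".bss",  0x3000, 0x800, 0x000, b""),                     # no raw data, like a BSS section
]


def build_sample_pe(sections=SAMPLE_SECTIONS) -> bytes:
    """Assemble a minimal PE32 image in memory (constructed test input, not a real binary)."""
    opt_size = 0xE0                                       # size of a PE32 optional header
    image = bytearray(0x600)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)             # e_lfanew: NT headers start at 0x40
    image[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, len(sections), 0x4853AE23, 0, 0, opt_size, 0x0102)
    opt_off = 0x44 + 20
    struct.pack_into("<H", image, opt_off, 0x10B)         # PE32 magic
    struct.pack_into("<I", image, opt_off + 16, 0x2010)   # AddressOfEntryPoint, inside the unnamed section
    sec_off = opt_off + opt_size
    for i, (name, vaddr, vsize, rptr, data) in enumerate(sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... Characteristics
        struct.pack_into("<8sIIIIIIHHI", image, sec_off + 40 * i,
                         name, vsize, vaddr, len(data), rptr if data else 0, 0, 0, 0, 0, 0x60000020)
        if data:
            image[rptr:rptr + len(data)] = data
    return bytes(image)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a flat byte histogram (packed/encrypted data)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header, entry point and section table; hash and measure each section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""   # a zero raw size hashes to the MD5 of empty input
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp, "entry": entry, "sections": sections}


def triage(info: dict, entropy_threshold: float = 7.0) -> list:
    """Flag packing indicators for a first-pass look; the threshold is this example's choice."""
    findings = []
    for s in info["sections"]:
        label = s["name"] or "<unnamed>"
        if not s["name"]:
            findings.append(f"unnamed section at RVA {s['viradd']:#x}")
        if s["ntrpy"] >= entropy_threshold:
            findings.append(f"high-entropy section {label} ({s['ntrpy']:.2f} bits/byte), likely packed or encrypted")
            if s["viradd"] <= info["entry"] < s["viradd"] + s["virsiz"]:
                findings.append(f"entry point {info['entry']:#x} lies in high-entropy section {label}")
    return findings


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine {info['machine']:#x}  timestamp {info['timestamp']:#x}  entry {info['entry']:#x}")
    print("name      viradd    virsiz    rawdsiz   ntrpy md5")
    for s in info["sections"]:
        print(f"{s['name'] or '-':8} {s['viradd']:#9x} {s['virsiz']:#9x} {s['rawdsiz']:#9x} {s['ntrpy']:5.2f} {s['md5']}")
    for finding in triage(info):
        print("!", finding)
```

To run it against a file on disk, replace `build_sample_pe()` with the bytes read from the file; the parser only needs the headers and section data, so it works on drivers such as a .sys as well as on user-mode executables. An unnamed, all-raw-data-in-one-section layout with an entropy near 8.0 is not proof of malice on its own (legitimate installers are packed too), but it is the signal that tells a responder the static import list is the unpacking stub's, not the payload's, which is why the DOVA dump above shows only a handful of imports while the unpacked myRAT.rmvb sample shows twenty-two groups.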