超级BT木马的分析报告与查杀.

昨天载了一个代理猎手,然后中招了.按照以往的方法,结束进程,清注册表,折腾了一个晚上,实在痛苦.今儿早上,又折腾,7点到现在12点,终于把所有它加载与修改的程序和键值都找了出来.实在是BT啊,以下是我的分析报告.

如果中了还是建议重装系统吧,若要手动清除实在是麻烦,不信看下面,我只是说了直接清除方法,没有列出病毒修改的具体数值,因为实在太多了.

病毒会在系统分区根目录下生成如下文件,其他分区中可能也会同时生成:
autorun.inf(达到双击分区"自动运行"病毒的目的)

病毒生成如下文件:

%windir%/1.com
%windir%/CSRSS.exe
%windir%/ExERoute.exe
%windir%/explorer1.com
%windir%/finder.com
%windir%/MSWINSCK.OCX
%windir%/Debug/DebugProgram.exe
%system%/command.pif
%system%/dxdiag.com
%system%/finder.com
%system%/MSCONFIG.com
%system%/regedit.com
%system%/rundll32.com
%Program Files%/Common Files/iexplore.pif
%Program Files%/Internet Explorer/iexplore.com

病毒增加了太多注册表键值,超过100个,我不一一列举了,直接告诉你删除哪些主键:

HKEY_CLASSES_ROOT/MSWinsock.Winsock
HKEY_CLASSES_ROOT/winfiles
HKEY_CLASSES_ROOT/CLSID/{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT/CLSID/{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT/Interface/{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT/Interface/{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT/TypeLib/{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/MSWinsock.Winsock
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/winfiles
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/CLSID/{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/CLSID/{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/Interface/{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/Interface/{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE/SOFTWARE/Classes/TypeLib/{248DD890-BB45-11CF-9ABC-0080C7E7B78D}

以下是需要单独删除的键值:

HKEY_CURRENT_USER/Software/Microsoft/Windows/ShellNoRoam/MUICache >> "Welcome to Windows NT"="D:/CSRSS.exe"(注意这里是D盘)

HKEY_CURRENT_USER/Software/Microsoft/Windows/ShellNoRoam/MUICache >> "Welcome to Windows NT"="C:/Program Files/common~1/iexplore.pif"

HKEY_LOCAL_MACHINE/SOFTWARE/Clients/StartMenuInternet/iexplore.pif

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run >> "Trojan Program"="C:/windows/CSRSS.exe"

HKEY_USERS/S-1-5-21-2052111302-764733703-725345543-500/Software/Microsoft/Windows/ShellNoRoam/MUICache >> "Welcome to Windows NT"="D:/CSRSS.exe"(注意这里是D盘)

HKEY_USERS/S-1-5-21-2052111302-764733703-725345543-500/Software/Microsoft/Windows/ShellNoRoam/MUICache >> "Welcome to Windows NT"="C:/Program Files/common~1/iexplore.pif"

以下是被木马修改的健康键值,需要恢复的键值如下:

恢复HKEY_CLASSES_ROOT/.bfc/ShellNew >> Command的值为%SystemRoot%/system32/rundll32.exe %SystemRoot%/system32/syncui.dll,Briefcase_Create %2!d! %1

恢复HKEY_CLASSES_ROOT/.exe >> (默认)的值为exefile

恢复HKEY_CLASSES_ROOT/.lnk/ShellNew >> Command的值为rundll32.exe appwiz.cpl,NewLinkHere %1

恢复HKEY_CLASSES_ROOT/Applications/iexplore.exe/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_CLASSES_ROOT/CLSID/{871C5380-42A0-1069-A2EA-08002B30309D}/shell/OpenHomePage/Command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe"

恢复HKEY_CLASSES_ROOT/cplfile/shell/cplopen/command >> (默认)的值为rundll32.exe shell32.dll,Control_RunDLL "%1",%*

恢复HKEY_CLASSES_ROOT/Drive/shell/find/command >> (默认)的值为%SystemRoot%/Explorer.exe

恢复HKEY_CLASSES_ROOT/dunfile/shell/open/command >> (默认)的值为%SystemRoot%/system32/RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1

恢复HKEY_CLASSES_ROOT/ftp/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_CLASSES_ROOT/htmlfile/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_CLASSES_ROOT/htmlfile/shell/opennew/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_CLASSES_ROOT/htmlfile/shell/Print/command >> (默认)的值为"rundll32.exe %SystemRoot%/system32/mshtml.dll,PrintHTML "%1""

恢复HKEY_CLASSES_ROOT/HTTP/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_CLASSES_ROOT/inffile/shell/Install/command >> (默认)的值为%SystemRoot%/System32/rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1

恢复HKEY_CLASSES_ROOT/InternetShortcut/shell/open/command >> (默认)的值为rundll32.exe shdocvw.dll,OpenURL %l

恢复HKEY_CLASSES_ROOT/scrfile/shell/install/command >> (默认)的值为rundll32.exe desk.cpl,InstallScreenSaver %l

恢复HKEY_CLASSES_ROOT/scriptletfile/Shell/Generate Typelib/command >> (默认)的值为"C:/WINDOWS/system32/RUNDLL32.EXE" C:/WINDOWS/system32/scrobj.dll,GenerateTypeLib "%1"

恢复HKEY_CLASSES_ROOT/telnet/shell/open/command >> (默认)的值为rundll32.exe url.dll,TelnetProtocolHandler %l

恢复HKEY_CLASSES_ROOT/Unknown/shell/openas/command >> (默认)的值为%SystemRoot%/system32/rundll32.exe %SystemRoot%/system32/shell32.dll,OpenAs_RunDLL %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/.bfc/ShellNew >> Command的值为 %SystemRoot%/system32/syncui.dll,Briefcase_Create %2!d! %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/.exe >> (默认)的值为exefile

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/.lnk/ShellNew >> Command的值为rundll32.exe appwiz.cpl,NewLinkHere %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/Applications/iexplore.exe/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/CLSID/{871C5380-42A0-1069-A2EA-08002B30309D}/shell/OpenHomePage/Command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe"

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/cplfile/shell/cplopen/command >> (默认)的值为rundll32.exe shell32.dll,Control_RunDLL "%1",%*

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/Drive/shell/find/command >> (默认)的值为%SystemRoot%/Explorer.exe

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/dunfile/shell/open/command >> (默认)的值为%SystemRoot%/system32/RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/ftp/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/htmlfile/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/htmlfile/shell/Print/command >> (默认)的值为rundll32.exe %SystemRoot%/system32/mshtml.dll,PrintHTML "%1"

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/HTTP/shell/open/command >> (默认)的值为"C:/Program Files/Internet Explorer/iexplore.exe" %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/inffile/shell/Install/command >> (默认)的值为%SystemRoot%/System32/rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/InternetShortcut/shell/open/command >> (默认)的值为rundll32.exe shdocvw.dll,OpenURL %l

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/scrfile/shell/install/command >> (默认)的值为rundll32.exe desk.cpl,InstallScreenSaver %l

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/scriptletfile/Shell/Generate Typelib/command >> (默认)的值为"C:/WINDOWS/system32/RUNDLL32.EXE" C:/WINDOWS/system32/scrobj.dll,GenerateTypeLib "%1"

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/telnet/shell/open/command >> (默认)的值为rundll32.exe url.dll,TelnetProtocolHandler %l

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Classes/Unknown/shell/openas/command >> (默认)的值为%SystemRoot%/system32/rundll32.exe %SystemRoot%/system32/shell32.dll,OpenAs_RunDLL %1

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Clients/StartMenuInternet >> (默认)的值为IEXPLORE.EXE

恢复HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon >> Shell的值为Explorer.exe

删除如下快捷方式:

安全测试.lnk
系统信息管理器.lnk
计算机安全中心.lnk

一些清除过程需要注意的:

到这里,木马清理完毕,重起计算机即可.大家刚开始删除那几个文件的时候,一定会出现写保护无法删除的提示,因为木马伪装成cress.exe的系统文件.在system32里的cress才是健康的系统文件,所以推荐大家载个魔法兔子,用它的自动启动功能里的结束进程工具来终止.

大家在清除的过程中一定要小心谨慎,因为只要你双击某盘(染毒的盘),木马马上会被激活,或者打开IE等操作,只要是有关C盘或染毒盘的操作都会激活木马.真的很BT,要避免这种情况的发生,按一定顺序来,不时的用兔子来刷新监视木马的启动.总之,有条件的话,重新做系统吧.

最后再次痛骂木马作者.