Virus name: Worm.Win32.Wogue.o
Virus type: Worm
File MD5: 90C509FA6A6C2FA798DBE1CFD7F0E4F1
Disclosure: Fully public
Threat level: 4
File size: 19,456 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 5.0
Packer: PECompact 2.x
This sample is a worm. When run, it drops its files to the root of the system drive and copies itself to %ProgramFiles%\Common Files\Services under the name svchost.exe. It connects to the network and downloads a large number of *** to the local machine and runs them. It modifies the registry to add startup entries so that it runs at every boot, disables Windows automatic updates and prevents that setting from being changed, and writes autorun.inf and IO.pif to the root of every drive so that double-clicking a drive runs the worm again, which also lets it spread through USB drives. Through CMD it stops the services of several antivirus products and kills several antivirus processes. It looks up the registry entries for a fixed list of file names, launches those programs, and injects the dropped DirectX10.dll into their processes; it also injects its dropped files into the system process explorer.exe. The worm spreads through the administrative share of the system drive. The *** it downloads are account-stealing malware that steal users' online-game accounts and passwords.
Local behavior:

1. After running, the worm drops the following files:
   %DriveLetter%\IO.pif
   %DriveLetter%\autorun.inf
   %System32%\DirectX10.dll
   %ProgramFiles%\Common Files\Services\svchost.exe

2. It connects to the network and downloads further malware to the local machine and runs it:
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\1[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\2[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\3[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\4[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\5[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\6[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\7[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\8[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\9[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\10[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\11[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\12[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\13[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\14[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\15[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\16[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\17[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\18[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\19[1].exe
   %Documents and Settings%\(username)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\20[1].exe

3. The downloaded malware, once run, drops the following files:
   %Windir%\upxdnd.exe
   %Windir%\192896MM.DLL
   %Windir%\192896WL.DLL
   %Windir%\IGM.exe
   %Windir%\swchost.exe
   %System32%\avwlcin.dll
   %System32%\avwlcmn.dll
   %System32%\avwlcst.exe
   %System32%\avzxein.dll
   %System32%\avzxemn.dll
   %System32%\avzxest.exe
   %System32%\DirectX10.dll
   %System32%\kaqhfaz.exe
   %System32%\kaqhfcs.dll
   %System32%\kaqhfzy.dll
   %System32%\kawdcaz.exe
   %System32%\kawdccs.dll
   %System32%\kawdczy.dll
   %System32%\kvdxfcf.dll
   %System32%\kvdxfis.exe
   %System32%\kvdxfma.dll
   %System32%\LYLOADER.EXE
   %System32%\LYMANGR.DLL
   %System32%\msatl.dll
   %System32%\MSDEG32.DLL
   %System32%\ratbani.dll
   %System32%\ratbfpi.dll
   %System32%\ratbftl.exe
   %System32%\rsmyafg.dll
   %System32%\rsmyfpm.dll
   %System32%\rsmyfsp.exe
   %System32%\sidjaaz.exe
   %System32%\sidjacs.dll
   %System32%\sidjazy.dll
   %System32%\sqmapi32.dll
   %System32%\upxdnd.dll
   %ProgramFiles%\Internet Explorer\PLUGINS\bt6daK3k.exe
   %ProgramFiles%\Internet Explorer\PLUGINS\eeFY7m1N.exe
   %ProgramFiles%\Internet Explorer\PLUGINS\GI5B2YEE.exe
   %ProgramFiles%\Internet Explorer\PLUGINS\SysWin7s.Jmp
   %ProgramFiles%\Internet Explorer\PLUGINS\WinSys8s.Sys
   %Temp%\LYLOADER.EXE
   %Temp%\LYMANGR.DLL
   %Temp%\MSDEG32.DLL
   %DriveLetter%\RECYCLER\kulionrx.dll
   %DriveLetter%\RECYCLER\kulionrx.exe
   %DriveLetter%\RECYCLER\video.dll
   %DriveLetter%\RECYCLER\wmsj.exe

4. It modifies the registry, adding startup entries so that it runs at every boot:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
     Value (string): "kawdczy.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18847374-8323-FADC-B443-4732ABCD3781}\InprocServer32\@
     Value (string): "C:\WINDOWS\system32\sidjazy.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38907901-1416-3389-9981-372178569983}\InprocServer32\@
     Value (string): "C:\WINDOWS\system32\kawdczy.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3960356A-458E-DE24-BD50-268F589A56A3}\InprocServer32\@
     Value (string): "C:\WINDOWS\system32\avwlcmn.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\@
     Value (string): "C:\WINDOWS\system32\kaqhfzy.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C87A354-ABC3-DEDE-FF33-3213FD7447C6}\InprocServer32\@
     Value (string): "C:\WINDOWS\system32\kvdxfma.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E32FA58-3453-FA2D-BC49-F340348ACCE6}\InprocServer32\@
     Value (string): "C:\WINDOWS\system32\rsmyfpm.dll"
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7671889D-CC99-4335-BAC8-48088F1045A4}\InProcServer32\@
     Value (string): "C:\Program Files\Internet Explorer\PLUGINS\WinSys8s.Sys"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDCG32
     Value (string): "LYLeador.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDEG32
     Value (string): "LYLoader.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDHG32
     Value (string): "LYLoadhr.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDMG32
     Value (string): "LYLoadmr.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDOG32
     Value (string): "LYLoador.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDQG32
     Value (string): "LYLoadqr.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDSG32
     Value (string): "LYLoadar.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDWG32
     Value (string): "LYLoadbr.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\@
     Value (string): "C:\Program Files\Common Files\Services\svchost.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd
     Value (string): "C:\WINDOWS\upxdnd.exe"

5. It modifies the registry to disable Windows automatic updates and to prevent that setting from being changed:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
     Value (DWORD): 1 (0x1)
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
     Value (DWORD): 1 (0x1)

6. It writes autorun.inf and IO.pif to the root of every drive, so that double-clicking the drive runs the worm again; this also lets it spread through USB drives. The autorun.inf contains:
   [AutoRun]
   open=IO.pif
   shellexecute=IO.pif
   shell\Auto\command=IO.pif

7. Through CMD it stops the services of several antivirus products:
   Net Stop Norton Antivirus Auto Protect Service
   Net Stop mcshield
   net stop "Windows Firewall/Internet Connection Sharing (ICS)"
   net stop System Restore Service

8. It kills the processes in the following list:
   avp.exe
   regedit.exe
   msconfig.exe
   taskgmr.exe
   360tray.exe
   360safe.exe
   噬菌体
   ***克星
   WoptiClean.exe
   EGHOST.EXE
   Iparmor.exe
   MAILMON.EXE
   KAVPFW.EXE
   RogueCleaner.exe

9. It looks up the registry entries for the following file names, launches those programs, and injects the dropped DirectX10.dll into their processes:
   QQ.EXE
   MSMSGS.EXE
   FLASHGET.EXE
   THUNDER5.EXE
   IEXPLORE.EXE

10. It spreads through the administrative share of the system drive:
   C$\Setup.exe
   C$\AutoExec.bat

11. It injects the dropped files into the system process explorer.exe:
   %System32%\DirectX10.dll
   %System32%\rsmyfpm.dll
   %System32%\kvdxfma.dll
   %System32%\upxdnd.dll
   %DriveLetter%\RECYCLER\video.dll
   %ProgramFiles%\Internet Explorer\PLUGINS\WinSys8s.Sys
   %System32%\avzxemn.dll
   %System32%\ratbfpi.dll
   %System32%\avwlcmn.dll
   %System32%\kaqhfzy.dll
   %System32%\sidjazy.dll
   %System32%\sqmapi32.dll
   %System32%\kawdczy.dll
   %DriveLetter%\RECYCLER\kulionrx.dll

12. Network connections:
   Domain: www.weby****.cn
   IP: 218.83.161.**
   Download URLs:
   weby****.cn/hz/1.exe
   weby****.cn/hz/2.exe
   … …
   weby****.cn/hz/20.exe

13. The *** downloaded by this worm are account-stealing malware that steal users' online-game accounts and passwords.

Note: %System32% is a variable path; the worm queries the operating system to find the current location of the System folder.
   %Windir%: the directory in which Windows is installed
   %DriveLetter%: the root directory of a logical drive
   %ProgramFiles%: the default program installation directory
   %HomeDrive%: the partition holding the currently booted system
   %Documents and Settings%: the root of the current user's profile directory
   %Temp%: \Documents and Settings\<current user>\Local Settings\Temp
   %System32%: the system's System32 folder. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
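As an added defensive example (not part of the original report), the following Python snippet parses an autorun.inf like the one in step 6 and flags the USB-worm pattern it shows; the sample file text and its comment line are constructed here, and the heuristic is mine rather than any vendor's.

```python
# Constructed reproduction of the autorun.inf that step 6 above says the worm
# writes to every drive root; the comment line is added to exercise the parser.
SAMPLE_AUTORUN_INF = """\
; dropped by Worm.Win32.Wogue.o
[AutoRun]
open=IO.pif
shellexecute=IO.pif
shell\\Auto\\command=IO.pif
"""

# The three hooks Explorer honours: AutoPlay (open / shellexecute) and the
# context-menu verb that a double-click on the drive icon falls through to.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")


def parse_autorun(text):
    """Return the [AutoRun] section as {lowercase key: value}.

    configparser is avoided on purpose: real-world autorun.inf files use
    backslashes in key names, mixed case and stray whitespace.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Files this autorun.inf would execute (empty for icon/label-only files)."""
    entries = parse_autorun(text)
    return {entries[k] for k in LAUNCH_KEYS if k in entries}


def is_suspicious(text):
    """Flag the USB-worm pattern: all three hooks bound to one file, or a
    target with a .pif/.scr/.com extension, which installer discs essentially
    never use."""
    entries = parse_autorun(text)
    targets = {entries[k] for k in LAUNCH_KEYS if k in entries}
    if not targets:
        return False
    odd_ext = any(t.lower().endswith((".pif", ".scr", ".com")) for t in targets)
    all_hooks = len(targets) == 1 and all(k in entries for k in LAUNCH_KEYS)
    return odd_ext or all_hooks
```

Run it over the autorun.inf found in each drive root before deleting the file, so the IO.pif it names is removed at the same time.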
For manual removal, delete the files and restore the system settings listed in the behavior analysis above.
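To support that manual clean-up, here is an added Python example (not from the original report) that triages the startup and Windows Update values from steps 4 and 5 in saved `reg query <key> /s` output; the sample output below is constructed from those values, and the suspicious-entry heuristics are my own.

```python
import re

# Constructed excerpt in the layout `reg query <key> /s` prints, carrying the
# startup and Windows Update values listed in steps 4 and 5 above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    kawdczy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    upxdnd    REG_SZ    C:\WINDOWS\upxdnd.exe
    (Default)    REG_SZ    C:\Program Files\Common Files\Services\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    MSDEG32    REG_SZ    LYLoader.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x1
"""
# Value lines are indented four spaces: name, type and data, four spaces apart.
VALUE_RE = re.compile(r"^ {4}(\S.*?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Yield (key_path, value_name, value_type, data) from reg query output."""
    key = None
    for line in text.splitlines():
        if not line.startswith(" "):
            key = line.strip()  # unindented lines are key paths
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3)

def run_entry_suspicious(data):
    """Heuristic for Run-key values: a bare file name is resolved by a PATH
    search (LYLoader.exe), and svchost.exe outside System32 is a look-alike."""
    path = data.strip().strip('"')
    if "\\" not in path:
        return True
    base = path.rsplit("\\", 1)[-1].lower()
    return base == "svchost.exe" and "\\windows\\system32\\" not in path.lower()

def triage(text):
    """Return (finding, detail) pairs for the indicators this worm leaves."""
    findings = []
    for key, name, _, data in parse_reg_query(text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\currentversion\\windows") and n == "appinit_dlls" and data:
            findings.append(("appinit_dll", data))  # loaded into every GUI process
        elif k.endswith(("\\currentversion\\run", "\\policies\\explorer\\run")) and run_entry_suspicious(data):
            findings.append(("run_entry", f"{name} = {data}"))
        elif k.endswith("\\windowsupdate\\au") and n == "noautoupdate" and data == "0x1":
            findings.append(("updates_disabled", f"{name} = {data}"))
    return findings
```

The heuristic only catches the two Run-entry patterns the report shows (a bare name and a misplaced svchost.exe); a full audit should also compare every Run entry against a known-good baseline.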
Reposted from: https://blog.51cto.com/kingzoo/47693