卡卡论坛:baohe
这是个利用ANI漏洞传播的木马群,其“动态插入进程”的功能是导致中招后杀毒困难的原因之一。
另:中招后,系统分区以外的.exe全被感染。这也是中此毒后的麻烦之处。
我的手工查杀流程如下(用IceSword操作):
1、禁止进程创建。
2、根据SRENG日志,先结束病毒进程shualai.exe以及所有被病毒模块插入的进程(病毒插入了哪些进程,取决于你当时运行的程序。以下是我运行该样本后的例子。)
[PID: 484][C:/windows/Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Msxo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/fyzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Rav30.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Gjzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy1.dll] [N/A, N/A]
[C:/windows/system32/cmdbcs.dll] [N/A, N/A]
[PID: 2252][C:/Program Files/Tiny Firewall Pro/amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/fyzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Msxo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Gjzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Rav30.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy1.dll] [N/A, N/A]
[PID: 3880][C:/WINDOWS/system32/shadow/ShadowTip.exe] [PowerShadow, 1, 0, 0, 1]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy1.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Gjzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Rav30.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/fyzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Msxo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy0.dll] [N/A, N/A]
[PID: 2760][C:/Program Files/SREng2/SREng.exe] [Smallfrogs Studio, 2.3.13.690]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy1.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Gjzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Rav30.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/fyzo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/Msxo0.dll] [N/A, N/A]
[C:/DOCUME~1/baohelin/LOCALS~1/Temp/LgSy0.dll] [N/A, N/A]
[PID: 2548][C:/windows/shualai.exe] [N/A, N/A]
3、删除病毒文件(图1);清空IE临时文件夹。
图1地址:http://images.rising.com.cn/uploadfiles/20074/17/1558472007417100851.jpg
4、删除病毒启动项(图2)。
图2地址:http://images.rising.com.cn/uploadfiles/20074/17/1558472007417100925.jpg
5、取消IceSword的“禁止进程创建”。
6、修复hosts文件。
注:系统分区以外的那些被病毒感染的.exe——估计是没救了。节哀。