chenzi.exe的分析及解决方法2008-01-01 21:29:44 楼主
chenzi.exe的分析及解决方法
File size: 18593 bytes
MD5: c595bc161e1d64b4d8f4d84139ef02b0
SHA1: 100e8a9ae7034b41443e4ddaa46f175adb70eb06
病毒名称:未知
测试时间:2007-3-10
更新时间:2007-3-11<更新内容,该木马下载器的链接已失效,不会恶意下载病毒>
运行后病毒样本,自动删除病毒本身,自动释放病毒到%system%目录下
%system%\del.bat
%system%\msgcom.dll
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
创建启动项:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
<WinlogonNotify: cmdmant><msgcom.dll>
病毒模块插入了explorer.exe进程,通过explorer.exe访问网络,下载文件或传送盗窃得手的有关信息,202.88.90.186,
试图启动
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
%system%\1.exe 分析如下:
Explorer.exe启动1.EXE后,自动删除本身
释放病毒文件
%system%\wsvbs.dll
%windows%\wsvbs.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsvbs.exe>
%system%\2.exe 分析如下
Explorer.exe启动2.EXE后,
释放病毒文件
%system%\mppds.dll
%windows%\mppds.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<mppds><%windows%\mppds.exe>
%system%\3.exe 分析如下
Explorer.exe启动3.EXE后,
释放病毒文件
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\4.exe 分析如下:
Explorer.exe启动4.EXE后,自动删除本身
释放病毒文件
%system%\wsttrs.dll
%windows%\wsttrs.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsttrs.exe>
%system%\5.exe 分析如下:
Explorer.exe启动5.EXE后,自动删除本身
释放病毒文件,并插入各进程.
%windows%\608769.bmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
<AppInit_DLLs><608769M.BMP>
%system%\6.exe 分析如下:
Explorer.exe启动6.EXE后,
释放病毒文件
c:\Documents and Settings\你的用户名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
修改hosts内容,添加以下内容
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www.47555.cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
附SRENG日志,
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\MIB\LOCALS~1\Temp\ie888.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsvbs><C:\windows\wsvbs.exe>
<mppds><C:\windows\mppds.exe>
<wsttrs><C:\windows\wsttrs.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant><msgcom.dll>
正在运行的进程
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[C:\WINDOWS\system32\msgcom.dll] [N/A, N/A]
[PID: 752][C:\windows\system32\services.exe
[C:\windows\608769M.BMP]
[PID: 764][C:\windows\system32\lsass.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 932][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1020][C:\windows\system32\svchost.exe
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1116][C:\windows\System32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1408][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1456][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
解决方法如下:
1.开始---运行---输入---regedit---依次展开
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
删除
<svc>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
删除
<wsvbs>
<mppds>
<wsttrs>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
删除
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>
删除
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant>
2.重启计算机
3.删除以下文件
%system%\del.bat
%system%\msgcom.dll
%system%\wsvbs.dll
%windows%\wsvbs.exe
%system%\mppds.dll
%windows%\mppds.exe
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\wsttrs.dll
%windows%\wsttrs.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
%system%\2.exe
%system%\3.exe
%system%\6.exe
system32\drivers\etc\hosts
用记事打开HOSTS文件,删除以下内容
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www47555cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
%windows%\608769M.BMP
File size: 18593 bytes
MD5: c595bc161e1d64b4d8f4d84139ef02b0
SHA1: 100e8a9ae7034b41443e4ddaa46f175adb70eb06
病毒名称:未知
测试时间:2007-3-10
更新时间:2007-3-11<更新内容,该木马下载器的链接已失效,不会恶意下载病毒>
运行后病毒样本,自动删除病毒本身,自动释放病毒到%system%目录下
%system%\del.bat
%system%\msgcom.dll
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
创建启动项:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
<WinlogonNotify: cmdmant><msgcom.dll>
病毒模块插入了explorer.exe进程,通过explorer.exe访问网络,下载文件或传送盗窃得手的有关信息,202.88.90.186,
试图启动
%system%\1.exe
%system%\2.exe
%system%\3.exe
%system%\4.exe
%system%\5.exe
%system%\6.exe
%system%\1.exe 分析如下:
Explorer.exe启动1.EXE后,自动删除本身
释放病毒文件
%system%\wsvbs.dll
%windows%\wsvbs.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsvbs.exe>
%system%\2.exe 分析如下
Explorer.exe启动2.EXE后,
释放病毒文件
%system%\mppds.dll
%windows%\mppds.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<mppds><%windows%\mppds.exe>
%system%\3.exe 分析如下
Explorer.exe启动3.EXE后,
释放病毒文件
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\4.exe 分析如下:
Explorer.exe启动4.EXE后,自动删除本身
释放病毒文件
%system%\wsttrs.dll
%windows%\wsttrs.exe
创建启动项
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsttrs><%windows%\wsttrs.exe>
%system%\5.exe 分析如下:
Explorer.exe启动5.EXE后,自动删除本身
释放病毒文件,并插入各进程.
%windows%\608769.bmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
<AppInit_DLLs><608769M.BMP>
%system%\6.exe 分析如下:
Explorer.exe启动6.EXE后,
释放病毒文件
c:\Documents and Settings\你的用户名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
修改hosts内容,添加以下内容
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www.47555.cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
附SRENG日志,
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svc><C:\DOCUME~1\MIB\LOCALS~1\Temp\ie888.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<wsvbs><C:\windows\wsvbs.exe>
<mppds><C:\windows\mppds.exe>
<wsttrs><C:\windows\wsttrs.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><608769M.BMP>
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant><msgcom.dll>
正在运行的进程
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[C:\WINDOWS\system32\msgcom.dll] [N/A, N/A]
[PID: 752][C:\windows\system32\services.exe
[C:\windows\608769M.BMP]
[PID: 764][C:\windows\system32\lsass.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 932][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1020][C:\windows\system32\svchost.exe
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1116][C:\windows\System32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1408][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
[PID: 1456][C:\windows\system32\svchost.exe]
[C:\windows\608769M.BMP] [N/A, N/A]
解决方法如下:
1.开始---运行---输入---regedit---依次展开
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
删除
<svc>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
删除
<wsvbs>
<mppds>
<wsttrs>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
删除
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}>
删除
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant]
<WinlogonNotify: cmdmant>
2.重启计算机
3.删除以下文件
%system%\del.bat
%system%\msgcom.dll
%system%\wsvbs.dll
%windows%\wsvbs.exe
%system%\mppds.dll
%windows%\mppds.exe
%Program Files%\Internet Explorer\PLUGINS\system2.jmp
%Program Files%\Internet Explorer\PLUGINS\SystemKb.sys
%system%\wsttrs.dll
%windows%\wsttrs.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\ie888.exe
c:\Documents and Settings\你的用户名\Local Settings\Temp\iim.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\packet.dll
c:\Documents and Settings\你的用户名\Local Settings\Temp\wanpacket.dll
%Program Files%\Internet Explorer\PLUGINS\SystemKb.bak
%system%\drivers\npf.sys
%system%\2.exe
%system%\3.exe
%system%\6.exe
system32\drivers\etc\hosts
用记事打开HOSTS文件,删除以下内容
58.215.65.136 hyap98.com
58.215.65.136 www.hyap98.com
60.169.1.178 www.82087871.com
60.169.1.178 47555.cn
60.169.1.178 nc.47555.cn
60.169.1.178 cn.47555.cn
60.169.1.178 crsky.47555.cn
60.169.1.178 www47555cn
60.169.1.178 baibu.com
60.169.1.178 www.baidu.com
60.169.1.178 dgufida.com.cn
60.169.1.178 88.our2000.com
60.169.1.178 new.eyliao.com
60.169.1.178 sybaby.a78.zgsj.com
%windows%\608769M.BMP
