New Robot Dog variant (AtiSrv.exe) breaks out this week
Author: 黑镜眼神 | Date: 2008-3-7 18:29:00 | Category: Hardware
Tags: Operating systems
This week a virus that combines the traits of Robot Dog (机器狗), the AutoRun trojan family (auto木马群) and the Disk Drive virus (磁碟机) broke out on a large scale. Its main file is named AtiSrv.exe. The virus disables antivirus software, loads even in Safe Mode, downloads a large number of password-stealing trojans, hijacks the browser, and installs rootkit drivers to protect itself.

Drops a copy of itself into the Startup folder so that it loads with the system:
%ALLUSERSPROFILE%\「开始」菜单\程序\启动\AtiSrv.exe

Writes shell execute hooks under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

| Hook name | CLSID | File | Claimed vendor |
| ffHADHAD1042.dll | HKCR\CLSID\{1133c611-c3b1-4626-bd63-6605ea0d3486} | c:\windows\system32\ffhadhad1042.dll | Microsoft |
| | HKCR\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24} | c:\windows\system32\zjydcx.dll | Microsoft |
| | HKCR\CLSID\{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD} | c:\windows\system32\zgxfdx.dll | Microsoft |
| | HKCR\CLSID\{1DB3C525-5271-46F7-887A-D4E1ADAA7632} | c:\windows\system32\hfrdzx.dll | |
| fJACJAC1041.dll | HKCR\CLSID\{6b22d384-97ba-4c43-81ab-a6bb24e9d831} | c:\windows\system32\fjacjac1041.dll | |
| fNNBNNB1032.dll | HKCR\CLSID\{a6f28a4f-afc8-430e-9093-25083eb3aa77} | c:\windows\system32\fnnbnnb1032.dll | |
| fSACSAC1016.dll | HKCR\CLSID\{f93de3de-bc82-4f9a-a3fc-e49c4fe9c38d} | c:\windows\system32\fsacsac1016.dll | |
| winsys8v.sys | HKCR\CLSID\{6167F471-EF2B-41DD-A5E5-C26ACDB5C096} | c:\program files\internet explorer\plugins\winsys8v.sys | |

(winsys8v.sys is also registered as a BHO.)

Writes AppInit_DLLs. Because so many DLL names are written, SREng cannot display the entry. The data is as follows:
bauhgnem.dll,eohsom.dll,fyom.dll,sauhad.dll,ijougiemnaw.dll,taijoad.dll,lnaixnauhqq.dll,idtj.dll,vhqq.dll,atgnehz.dll,rsqq.dll,tsqc.dll,vauyiqvlnaix.dll,wQ.dll,fmxh.dll,cty.dll,pahzij.dll,jz.dll,bz.dll,pyomielnux.dll,mhtd.dll,qnefnaib.dll,ej.dll,uixauh.dll,hjiq.dll,kiluw.dll,dsfg.dll,yqhs.dll,oaijihzeuyouhz.dll,jemnaw.dll,cuhad.dll,laixuhz.dll,rfhx.dll,mnauygniqaixnaij.dll,oqnauhc.dll,xjxr.dll,utiemnaw.dll,sve.dll,wininat.dll,gnolnait.dll,zadnew.dll,htwx.dll,knaixnauhuoyizqq.dll,duygnef.dll,gmx.dll,nadgnohiac.dll,agzg.dll,qlihzouhgnfe.dll,bchib.dll,tzm.dll,r2.dll,slcs.dll,xptyj.dll,xhtd.dll,QQ.dll,sfhx.dll,gnaixnauhqq.dll,3auhad.dll,oadnew.dll,iemnaw.dll,qcsct.dll,oadgnohiac.dll,iqnauhc.dll,aixauh.dll,ddtj.dll,nuygnef.dll,uohsom.dll,gnefnaib.dll,ijiq.dll,hjxr.dll,naijoad.dll,naixuhz.dll,nahzij.dll,fmxh.dll,zqhs.dll,jsfg.dll,utgnehz.dll,uyom.dll,wtiemnaw.dll,uyomielnux.dll,vlihzouhgnfe.dll,2ty.dll,nauhgnem.dll,auhad.dll,rj.dll,hz.dll,naijihzeuyouhz.dll,xhqq.dll,jmx.dll,dgzg.dll,gsqq.dll,fz.dll,gnaixnauhuoyizqq.dll,gnolnait.dll,jsqc.dll,dqncj.dll,eve.dll,2nauygniqaixnaij.dll,niluw.dll,ijougiemnaw.dll,wtwx.dll,jghf.dll,msd.dll,asj.dll,her.dll,awf.dll,
The purpose is to be loaded in Safe Mode as well, so that a user's attempt to repair Safe Mode has no effect.

Connects to the network in the background to download trojans:
1=http://iii.u***u.com/wm/1.exe
2=http://iii.u***u.com/wm/2.exe
3=http://iii.u***u.com/wm/3.exe
4=http://iii.u***u.com/wm/4.exe
5=http://iii.u***u.com/wm/5.exe
6=http://iii.u***u.com/wm/6.exe
7=http://iii.u***u.com/wm/7.exe
8=http://iii.u***u.com/wm/8.exe
9=http://iii.u***u.com/wm/9.exe
10=http://iii.u***u.com/wm/10.exe
11=http://iii.u***u.com/wm/11.exe
12=http://iii.u***u.com/wm/12.exe
13=http://iii.u***u.com/wm/13.exe
14=http://iii.u***u.com/wm/14.exe
15=http://iii.u***u.com/wm/15.exe
16=http://iii.u***u.com/wm/16.exe
17=http://iii.u***u.com/wm/17.exe
18=http://iii.u***u.com/wm/18.exe
19=http://iii.u***u.com/wm/19.exe
20=http://iii.u***u.com/wm/20.exe
21=http://iii.u***u.com/wm/21.exe
22=http://iii.u***u.com/wm/22.exe
23=http://iii.u***u.com/wm/23.exe
24=http://iii.u***u.com/wm/24.exe
25=http://iii.u***u.com/wm/25.exe
26=http://iii.u***u.com/wm/26.exe
27=http://iii.u***u.com/wm/27.exe
28=http://iii.u***u.com/wm/28.exe

Working together with the AutoRun trojan family, it writes password-stealing trojans into [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] and similar locations.

Loads rootkit drivers for self-protection:
[iCafe Manager / iCafe Manager][Stopped/Manual Start]
[Sc Manager / Sc Manager][Running/Manual Start]
[dohs / dohs][Stopped/Auto Start]
[fpids32 / fpids32][Running/Auto Start]
[msertk / msertk][Running/Auto Start]
[msert / msert][Running/Auto Start]

Writes ntsd hijack entries and breaks Safe Mode, so that antivirus software fails.

How to deal with this virus:
The virus combines several currently popular virus and trojan techniques and disables antivirus programs, so ordinary users will find it very difficult to clean up. Users are advised to focus on day-to-day prevention: keep antivirus software updated, use the latest Robot Dog removal tool and the stubborn-trojan removal kit, and maintain good, healthy browsing habits.
Download the stubborn-trojan removal kit: http://baike.360.cn/4005462/2979746.html
Download the latest Robot Dog removal tool: http://dl.360safe.com/killer_rodog.exe
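The persistence points listed above (unfamiliar ShellExecuteHooks CLSIDs, an overlong AppInit_DLLs value, and the ntsd hijack, which ordinarily takes the form of an Image File Execution Options Debugger value) can all be checked offline from a registry export. The following is an added example, not code from the original post: it parses a .reg export and reports those entries. The export text is constructed for the demo and reuses CLSIDs and DLL names from the post; the IFEO subkey name example_av.exe is a placeholder; the allow-listed ShellExecuteHooks CLSID is the stock shell32 hook as I know it; and the appinit_max threshold is an arbitrary assumption.

```python
"""Triage a Windows .reg export for the persistence points named in the post.

Added example, not the original post's code. The registry export below is
constructed for the demo (a real one comes from regedit or `reg export` and
is normally UTF-16); the IFEO subkey name example_av.exe is a placeholder.
"""
import re

SHELL_HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Assumption: the only ShellExecuteHooks entry expected on a clean Windows XP
# machine is the built-in shell32 URL exec hook; anything else gets reported.
KNOWN_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

# Constructed sample: two of the post's ShellExecuteHooks CLSIDs beside the
# stock one, the first eight AppInit_DLLs names from the post, and a
# placeholder IFEO debugger entry of the kind the post calls an "ntsd hijack".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{1133c611-c3b1-4626-bd63-6605ea0d3486}"=""
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="bauhgnem.dll,eohsom.dll,fyom.dll,sauhad.dll,ijougiemnaw.dll,taijoad.dll,lnaixnauhqq.dll,idtj.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"Debugger"="ntsd -d"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(text):
    """Undo .reg string escaping (\\\\ for a backslash, \\" for a quote)."""
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export.

    REG_SZ values are unquoted and unescaped; other types (dword:, hex:) are
    kept as their raw text so nothing is silently dropped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group(1)
            name = "@" if name is None else _unescape(name)
            value = value_match.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def _get_key(keys, wanted):
    """Case-insensitive lookup of one key path (registry paths are not case-sensitive)."""
    wanted = wanted.upper()
    for key, values in keys.items():
        if key.upper() == wanted:
            return values
    return {}


def triage(keys, appinit_max=5):
    """Report the persistence entries a clean machine should not have.

    appinit_max is an assumed threshold: a clean AppInit_DLLs is normally
    empty, so any list is reported and a long one is also marked oversized.
    """
    findings = []
    for clsid in _get_key(keys, SHELL_HOOKS_KEY):
        if clsid.upper() not in KNOWN_HOOKS:
            findings.append({"kind": "shellexecutehook", "key": SHELL_HOOKS_KEY, "detail": clsid})
    appinit = _get_key(keys, APPINIT_KEY).get("AppInit_DLLs", "")
    dlls = [d for d in re.split(r"[,\s]+", appinit) if d]
    if dlls:
        findings.append({"kind": "appinit_dlls", "key": APPINIT_KEY, "detail": dlls,
                         "oversized": len(dlls) > appinit_max})
    ifeo_prefix = IFEO_KEY.upper() + "\\"
    for key, values in keys.items():
        if key.upper().startswith(ifeo_prefix):
            debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if debugger is not None:
                findings.append({"kind": "ifeo_debugger", "key": key, "detail": debugger})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding["kind"], finding["key"], finding["detail"])
```

On a real machine, export the three keys with regedit or `reg export`, decode the file from UTF-16 before passing it to parse_reg, and review every finding: a ShellExecuteHooks CLSID you did not install, any non-empty AppInit_DLLs list, or a Debugger value under an antivirus executable's IFEO subkey each match one of the behaviours described in the post.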