
Manual removal guide for the Virus.Win32.AutoRun.bj virus

Updated: 2007-06-06 08:40 Author: avs
Virus name: Virus.Win32.AutoRun.bj
Virus type: QQ Tail (QQ尾巴, a worm that spams links to the victim's QQ contacts)
Packer: N/A
Written in: Microsoft Visual Basic 5.0 / 6.0

The virus downloads a text file from h**p://www.sql2000server.cn/V-FILES/update_sendtext1.txt
and sends its contents to the victim's QQ contacts as chat messages.
Signature text (the contents of the downloaded message file; URLs are kept as written, and the @@@ and ||| separators are the file's own):
Take a look at my online friend from Hangzhou, fair skin, great figure. I want her to be my girlfriend, what do you think?
Her video: h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=2 @@@
What a shock: our friend Xiao Liu got arrested for running a porn site and will apparently be sentenced; lots of media have covered it.
Go watch the video report: h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=1 @@@
Hi, do me a quick favor: open this page and click any one of the links on it, h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=URL-movies.htm
I'll tell you why in a moment, many thanks. @@@
Just found this: super exciting ** movies, very fast, one month free,
h**p://4.mianzhu-jiudianyuding.cn/sunsun/v.asp?q=URL-free-movies.htm
||| h**p://www.sql2000server.cn/v-files/ALEXA.ASP?q=1 ||| 1.00 ||| 8 [OK-OK]


Registry keys added: 8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\UsbFlags\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\*PNP0501
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares\o
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WS2IFSL\E

Registry keys deleted: 6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\H
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\H
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\H
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\L
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WS2IFSL\

Registry values added: 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache ""
Type: REG_SZ
Data: VM1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Akica"
Type: REG_SZ
Data: %windir%\system32\Akica.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "cacom"
Type: REG_SZ
Data: %windir%\cacom.exe

Registry values modified: 5
HKEY_CURRENT_USER\SessionInformation "ProgramCount"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 02, 00, 00, 00
New data: 03, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 3C, 00, 00, 00, B0, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 05, 00, 00, 00, 6C, 6F, 63, 61, 6C, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 40, 03, 87, 3F, 92, A0, C6, 01, 01, 00, 00, 00, C0, A8, 9F, 80, 00, 00, 00, 00, 00, 00, 00, 00
New data: 3C, 00, 00, 00, B1, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 05, 00, 00, 00, 6C, 6F, 63, 61, 6C, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 40, 03, 87, 3F, 92, A0, C6, 01, 01, 00, 00, 00, C0, A8, 9F, 80, 00, 00, 00, 00, 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 8C, 31, 5C, 0A, 24, 76, 89, EF, 5A, 57, 1E, BC, 54, B5, 98, DC, 1A, 45, BB, A1, 00, F5, 75, EB, 84, 55, D0, 8B, 2C, 4B, B3, 63, 8C, A4, 63, 33, 76, 32, D1, 90, 84, 14, 1E, 79, 57, 4F, 18, 29, 6B, 90, A6, 8A, 02, AB, 77, 78, 46, 42, EA, B8, A4, 9E, 87, 8D, 65, ED, A3, 6C, 68, 3E, 3E, AA, E1, 99, 42, 14, F1, 86, 33, 3E
New data: DE, 91, 29, 45, 1D, F0, 9C, 60, A3, C5, 6E, 82, 1F, 8B, 1C, 3C, 7F, 0D, 91, 19, AB, BB, 12, A5, F9, 2A, 16, C3, 73, 79, 7C, B1, 90, 35, C8, 87, 27, F8, 4A, 5E, 42, BC, 30, D1, 08, FD, A9, 7C, E3, 39, CD, 36, E5, EB, F0, 34, C3, DA, 86, 40, BB, B2, 3D, 1B, 9E, 39, D8, 8F, 37, 1C, 88, BF, 72, 37, 55, 74, AB, 32, 76, A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\0BEC468B1F48FC68ADF8AD51FBB60848E5A118AC "Blob"
Old type: REG_BINARY
New type: REG_BINARY
Old data: (data too large: 1533 bytes)
New data: (data too large: 1533 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher "TracesProcessed"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 14, 00, 00, 00
New data: 15, 00, 00, 00

Virus files created: 8
%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\8RSTUDWF\update_sendtext1[1].txt
Size: 664 bytes
%windir%\cacom.exe
Size: 36,864 bytes
%windir%\system32\Akica.exe
Size: 36,864 bytes
%windir%\system32\sol.EXE
Size: 36,864 bytes
%windir%\system32\dllcache\sol.EXE
Size: 36,864 bytes
%windir%\Temp\cch~11e74b516.htp
Size: 8,192 bytes
%windir%\Temp\cch~11e74bf2f.htp
Size: 8,192 bytes

Solution: delete the registry entries added above and the files the virus generated. To open the registry: [Start] --> [Run] --> type [regedit] --> the Registry Editor opens. If a file cannot be deleted manually, download the 费尔木马强制删除器 (Filseclab's Trojan force-removal tool) from down.wd1x.com and delete the file with it (choose the "suppress" (抑制) option when deleting).
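As an added example (not part of the original guide), the following PowerShell script checks a host for the autostart values and dropped files listed in the report above and removes them only when run with -Remove; the script, its -Remove parameter and the HKLM: drive notation are my own choices, and it assumes an elevated (Administrator) session.

```powershell
# Added example: audit and optionally clean the indicators from this report.
# Run without -Remove first to see what is present; run with -Remove to clean.
param([switch]$Remove)

# Autostart values listed under "Registry values added" in the report
$runValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Akica' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'cacom' }
)
# Executables and temp files listed under "Virus files created"
$droppedFiles = @(
    "$env:windir\cacom.exe",
    "$env:windir\system32\Akica.exe",
    "$env:windir\system32\sol.EXE",
    "$env:windir\system32\dllcache\sol.EXE",
    "$env:windir\Temp\cch~11e74b516.htp",
    "$env:windir\Temp\cch~11e74bf2f.htp"
)

$findings = @()

foreach ($v in $runValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "Registry: $($v.Key)\$($v.Name) = $($item.$($v.Name))"
        if ($Remove) { Remove-ItemProperty -Path $v.Key -Name $v.Name -Force }
    }
}

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings += "File: $f ($size bytes)"
        if ($Remove) {
            # A running copy cannot be deleted, so stop any process loaded from this path first
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $f } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report were found.' } else { $findings }
```

sol.EXE is the path of the Windows XP Solitaire binary, and the report shows the virus writing a 36,864-byte copy to both system32 and the dllcache (Windows File Protection cache), so after removal restore the original from installation media rather than leaving the path empty.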
