
Manual removal of the TrojanDownloader:Win32/Small.gen virus

Updated: 2008-04-03 16:36   Author: 孤独更可靠

File name: explorer.exe
File size: 20400 Bytes
AV name: TrojanDownloader:Win32/Small.gen!N (Microsoft)
Packer: NsPack
File MD5: eccd9d6ce0766d1fc2b75287ed1908df

Behaviour:

1. Drops the file:
%systemroot%\system32\wuauc1t.exe (20400 Bytes)

2. Enumerates the available drives and creates explorer.exe and autorun.inf on each of them.

3. Attempts to download additional trojans from a hard-coded list of download URLs:


4. IFEO redirection hijacks. Under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ it creates a subkey for each of the following program names, so that launching any of them is redirected:
360safe.EXE
360tray.EXE
AVP.EXE
AvMonitor.EXE
CCenter.EXE
IceSword.EXE
Iparmor.EXE
KVSrvXP.EXE
KVWSC.EXE
Navapsvc.EXE
Nod32kui.EXE
KRegEx.EXE
Frameworkservice.EXE
Mmsk.EXE
Wuauclt.EXE
Ast.EXE
WOPTILITIES.EXE
Regedit.EXE
AutoRunKiller.exe
VPC32.exe
VPTRAY.exe
ANTIARP.exe
KASARP.exe
QQDOCTOR.EXE
~.EXE

5. Attempts to terminate the following processes:
360Safe.exe
360tray.exe
VsTskMgr.exe
runiep.exe
UpdaterUI.exe
TBMon.exe
KASARP.exe
scan32.exe
VPC32.exe
VPTRAY.exe
ANTIARP.exe
KRegEx.exe
kvsrvxp.exe
KVWSC.EXE
Iparmor.exe
AST.EXE

6. Modifies the registry value
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\advanced\folder\hidden\showall\CheckedValue
which breaks Explorer's "show hidden files" option, so hidden files can no longer be revealed.

7. Stops related services with:
cmd /c net stop McShield
cmd /c net stop KWhatchsvc
cmd /c net stop KPfwSvc
cmd /c net stop "Norton AntiVirus Server"

8. Grants Everyone full control over the following files (the /e /p everyone:f argument form is that of cacls):
\pthreadVC.dll /e /p everyone:f
\wpcap.dll /e /p everyone:f
\drivers\npf.sys /e /p everyone:f
\npptools.dll /e /p everyone:f
\drivers\acpidisk.sys /e /p everyone:f
\wanpacket.dll /e /p everyone:f
All of these are ARP-related files.

Removal:

1. Download SREng (available from down.wd1x.com) and delete the IFEO hijack entries (the full list is in the analysis above).

2. Delete the virus files:
%systemroot%\system32\wuauc1t.exe (20400 Bytes)
plus the explorer.exe and autorun.inf in the root of every partition. If Windows reports that a file cannot be deleted, download the Filseclab (费尔) trojan forced-deletion tool from down.wd1x.com and use it to force the deletion.
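A defender-side triage script for the IFEO hijack in behaviour 4 and removal step 1, added here as an example and not part of the original article: it parses a `reg export` dump of the Image File Execution Options key, flags Debugger values that are not on an allow list or whose file name is a digit-for-letter imitation of a Windows binary (wuauc1t.exe for wuauclt.exe), and prints the reg delete commands that remove the hijack subkeys. The sample dump, the allow list, the imitated-name list and the assumption that the Debugger value points at the dropped wuauc1t.exe are all constructed; the article names the hijacked programs but not the Debugger target.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_SHORT = "HKLM" + IFEO[len("HKEY_LOCAL_MACHINE"):]
KNOWN_GOOD = {"vsjitdebugger.exe"}  # debuggers legitimately registered under IFEO (hypothetical allow list)
SYSTEM_NAMES = {"wuauclt.exe", "explorer.exe", "svchost.exe"}  # Windows binaries the dropper imitates

# Constructed `reg export` dump from an infected host; the Debugger target is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
"Debugger"="C:\\WINDOWS\\system32\\wuauc1t.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"Debugger"="C:\\WINDOWS\\system32\\wuauc1t.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Debuggers\\vsjitdebugger.exe"
'''
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

def parse_ifeo(reg_text):
    """Map each IFEO subkey (program name) to its Debugger value, if it has one."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:  # new key header: remember the program name only if the key sits under IFEO
            name = key.group(1)
            current = name[len(IFEO) + 1:] if name.lower().startswith(IFEO.lower() + "\\") else None
            continue
        dbg = DEBUGGER_RE.match(line)
        if dbg and current:
            found[current] = dbg.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return found

def classify(debugger):
    """Return a reason string if the Debugger target looks hijacked, else None."""
    base = debugger.split("\\")[-1].lower()
    lookalike = base.translate(str.maketrans("10", "lo"))  # undo digit-for-letter swaps (1->l, 0->o)
    if lookalike in SYSTEM_NAMES and lookalike != base:
        return f"imitates {lookalike}"
    return None if base in KNOWN_GOOD else "debugger not on allow list"

def find_hijacks(reg_text):
    """[(program, debugger, reason)] for every IFEO subkey whose Debugger target looks hijacked."""
    return [(prog, dbg, why) for prog, dbg in parse_ifeo(reg_text).items() if (why := classify(dbg))]

def cleanup_commands(hijacks):
    """reg.exe commands that delete the hijack subkeys; run from an elevated prompt once the dropper is removed."""
    return [f'reg delete "{IFEO_SHORT}\\{prog}" /f' for prog, *_ in hijacks]
```

Feed the script a dump produced with `reg export` of the IFEO key instead of SAMPLE_REG to triage a real host; review each flagged entry before running the generated commands.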
