19.exe / pagefile.pif removal: the pagefile.pif virus and autorun.inf

File: 19.exe

Size: 33495 bytes

File version: 0.00.0204

Modified: 2007-12-29 21:23:18

MD5: 4B2BE9775B6CA847FB2547DD75025625

SHA1: 2660F88591AD4DA8849A3A56F357E7DFB9694D45

CRC32: 2A485241

Written in: VB

1. When the virus runs, it drops the following copies and files:

%systemroot%\Debug\DebugProgram.exe

%systemroot%\system32\command.pif

%systemroot%\system32\dxdiag.com

%systemroot%\system32\finder.com

%systemroot%\system32\MSCONFIG.COM

%systemroot%\system32\regedit.com

%systemroot%\system32\rundll32.com

%systemroot%\1.com

%systemroot%\ExERoute.exe

%systemroot%\explorer.com

%systemroot%\finder.com

%systemroot%\SERVICES.EXE

D:\autorun.inf

D:\pagefile.pif
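To check a machine against the file indicators above (the hashes of 19.exe and the drop list), here is an added Python example; it is not code from the original page. The directory listing it scans is a constructed list standing in for a real walk of the disk, and C:\WINDOWS is assumed for %systemroot%.

```python
"""Check a host inventory against the file indicators listed above.

Added example, not code from the page. Hashes are computed with hashlib/zlib
over whatever bytes are passed in; the listing is a constructed list of paths
standing in for os.walk() output, so the example runs offline.
"""
import hashlib
import zlib
from typing import Dict, Iterable, List

# Indicators from the analysis above (hex digests as the page prints them).
SAMPLE_IOC = {
    "size": 33495,
    "md5": "4B2BE9775B6CA847FB2547DD75025625",
    "sha1": "2660F88591AD4DA8849A3A56F357E7DFB9694D45",
    "crc32": "2A485241",
}

# Files the sample drops, exactly as listed above.
DROPPED_FILES = [
    r"%systemroot%\Debug\DebugProgram.exe",
    r"%systemroot%\system32\command.pif",
    r"%systemroot%\system32\dxdiag.com",
    r"%systemroot%\system32\finder.com",
    r"%systemroot%\system32\MSCONFIG.COM",
    r"%systemroot%\system32\regedit.com",
    r"%systemroot%\system32\rundll32.com",
    r"%systemroot%\1.com",
    r"%systemroot%\ExERoute.exe",
    r"%systemroot%\explorer.com",
    r"%systemroot%\finder.com",
    r"%systemroot%\SERVICES.EXE",
    r"D:\autorun.inf",
    r"D:\pagefile.pif",
]


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size, MD5, SHA-1 and CRC32 in the same upper-case hex form as the listing."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }


def matches_sample(data: bytes) -> bool:
    """True only if every indicator agrees: size and CRC32 alone are weak
    evidence, so the cryptographic digests must match as well."""
    return fingerprint(data) == SAMPLE_IOC


def expand(path: str, systemroot: str = r"C:\WINDOWS") -> str:
    """Normalise a path for comparison: lower-case and %systemroot% expanded."""
    return path.lower().replace("%systemroot%", systemroot.lower())


def dropped_files_present(listing: Iterable[str],
                          systemroot: str = r"C:\WINDOWS") -> List[str]:
    """Return the dropped-file entries that appear in the listing.

    Full paths are compared, not just file names: the legitimate services.exe
    lives in %systemroot%\\system32, while the sample's copy sits one level up
    in %systemroot%, so a name-only match would flag the real binary.
    """
    present = {expand(p, systemroot) for p in listing}
    return [p for p in DROPPED_FILES if expand(p, systemroot) in present]


# Constructed listing: a mix of legitimate binaries and two dropped copies.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\services.exe",   # legitimate
    r"C:\WINDOWS\SERVICES.EXE",            # dropped copy
    r"C:\WINDOWS\system32\rundll32.exe",   # legitimate
    r"C:\WINDOWS\system32\rundll32.com",   # dropped copy
    r"D:\pagefile.pif",                    # dropped copy on the data drive
]

if __name__ == "__main__":
    for hit in dropped_files_present(SAMPLE_LISTING):
        print("dropped file present:", hit)
    print("constructed bytes match sample:", matches_sample(b"MZ constructed, not the sample"))
```

On a real host, feed `dropped_files_present` the output of `os.walk` over the system and data drives, and pass the bytes of any suspect file to `matches_sample`; a match on all four indicators identifies this exact build of 19.exe, while a dropped-path hit alone is enough to warrant the cleanup steps that follow.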

2. Elevates its own privileges and attempts to terminate processes whose names contain the following keywords:

360tray*

ravmon*

ccenter*

trojdie*

kpop*

ssistse*

agentsvr*

kv*

kreg*

iefind*

iparmor*

uphc*

rulewize*

fygt*

rfwsrv*

rfwma*

trojan*

svi.exe

3. Tampers with many file associations so that opening those file types launches the virus:

HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"

HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command: ""C:\Program Files\Internet Explorer\iexplore.com""

HKLM\SOFTWARE\Classes\Drive\shell\find\command: "%SystemRoot%\explorer.com"

HKLM\SOFTWARE\Classes\dunfile\shell\open\command: "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"

HKLM\SOFTWARE\Classes\htmlfile\shell\print\command: "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""

HKLM\SOFTWARE\Classes\inffile\shell\Install\command: "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"

HKLM\SOFTWARE\Classes\Unknown\shell\openas\command: "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1" (so even opening a file of unknown type launches the virus...)

HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command: ""C:\Program Files\common~1\iexplore.pif""

(changes the file that the Start menu's Internet Explorer entry points to)

HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.com appwiz.cpl,NewLinkHere %1"

HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" %1"

HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command: "rundll32.com shell32.dll,Control_RunDLL "%1",%*"

HKLM\SOFTWARE\Classes\ftp\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" %1"

HKLM\SOFTWARE\Classes\htmlfile\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" -nohome"

HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\common~1\iexplore.pif" %1"

HKLM\SOFTWARE\Classes\HTTP\shell\open\command: ""C:\Program Files\common~1\iexplore.pif" -nohome"

HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "finder.com shdocvw.dll,OpenURL %l"

HKLM\SOFTWARE\Classes\scrfile\shell\install\command: "finder.com desk.cpl,InstallScreenSaver %l"

HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command: ""C:\WINDOWS\system32\finder.com" C:\WINDOWS\system32\scrobj.dll,GenerateTypeLib "%1""

HKLM\SOFTWARE\Classes\telnet\shell\open\command: "finder.com url.dll,TelnetProtocolHandler %l"

HKLM\SOFTWARE\Clients\StartMenuInternet: "iexplore.pif"

...

Adds a new "winfiles" file type whose handler points to C:\WINDOWS\ExERoute.exe

and redirects the .exe association to it: HKLM\SOFTWARE\Classes\.exe: "winfiles"

4. Sets the {shell} value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to Explorer.exe 1

5. Connects to the network and steals account passwords for online games such as 传奇世界 (World of Legend)

Removal steps:

1. Unpack IceSword, rename IceSword.exe to IceSword.com and run it.

In the Processes pane, terminate %systemroot%\SERVICES.EXE (the copy dropped directly in %systemroot%, not the legitimate %systemroot%\system32\services.exe).

Click the File button at the bottom left and delete the following files:

%systemroot%\Debug\DebugProgram.exe

%systemroot%\system32\command.pif

%systemroot%\system32\dxdiag.com

%systemroot%\system32\finder.com

%systemroot%\system32\MSCONFIG.COM

%systemroot%\system32\regedit.com

%systemroot%\system32\rundll32.com

%systemroot%\1.com

%systemroot%\ExERoute.exe

%systemroot%\explorer.com

%systemroot%\finder.com

%systemroot%\SERVICES.EXE

D:\autorun.inf

D:\pagefile.pif

2. Rename SREng's extension to .bat and run it:

System Repair -> File Association Repair

3. Repair the system

Open the system drive and run %systemroot%\system32\regedit.exe directly,

then restore the registry values the virus changed:

HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"

HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"

HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command: "rundll32.exe shell32.dll,Control_RunDLL "%1",%*"

HKLM\SOFTWARE\Classes\htmlfile\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"

HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"

HKLM\SOFTWARE\Classes\HTTP\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"

HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "rundll32.exe shdocvw.dll,OpenURL %l"

HKLM\SOFTWARE\Classes\scrfile\shell\install\command: "rundll32.exe desk.cpl,InstallScreenSaver %l"

HKLM\SOFTWARE\Classes\telnet\shell\open\command: "rundll32.exe url.dll,TelnetProtocolHandler %l"

HKLM\SOFTWARE\Classes\Drive\shell\find\command: "%SystemRoot%\Explorer.exe"

HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command: ""C:\Program Files\Internet Explorer\iexplore.exe""

HKLM\SOFTWARE\Classes\dunfile\shell\open\command: "%SystemRoot%\system32\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"

HKLM\SOFTWARE\Classes\htmlfile\shell\print\command: "rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""

HKLM\SOFTWARE\Classes\inffile\shell\Install\command: "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"

HKLM\SOFTWARE\Classes\Unknown\shell\openas\command: "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

Delete the entire HKLM\SOFTWARE\Classes\winfiles subkey.

Set the {shell} value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

back to Explorer.exe.
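The pattern behind both the tampered list in section 3 and the restore list in cleanup step 3 is the same: each shell command keeps its arguments but has its handler swapped for a .com or .pif copy (rundll32.com and finder.com for rundll32.exe, iexplore.com and iexplore.pif for iexplore.exe, explorer.com for Explorer.exe). The following added Python example, which is not code from the original page, audits a set of exported registry values for those substitutions, derives the restored value, and emits it as a .reg script. The observed values are a dict constructed from the page's listing rather than a live registry read, so it runs on any platform; the stock "exefile" association for .exe is an assumption on my part (the page only says to delete the winfiles subkey).

```python
"""Audit exported registry values for the shell-handler substitutions listed
above and derive the values the cleanup section restores.

Added example, not code from the original page. The observed values come from
a dict constructed from the page's listing rather than from a live registry, so
the script runs anywhere; reading the live keys (winreg on Windows) and
importing the emitted .reg file is left to the operator.
"""
import re
from typing import Dict, List, Tuple

# Substituted handlers and the program each stands in for. Both rundll32.com
# and finder.com replace rundll32.exe; the file name changes, the path stays.
_RUNDLL_SUBSTITUTE = re.compile(r"(?i)\b(?:rundll32\.com|finder\.com)\b")
_EXPLORER_SUBSTITUTE = re.compile(r"(?i)\bexplorer\.com\b")
# The bogus IE copies are referenced as a quoted path, e.g.
# "C:\Program Files\common~1\iexplore.pif"; the whole path is replaced.
_IEXPLORE_SUBSTITUTE = re.compile(r'(?i)"[^"]*\\iexplore\.(?:com|pif)"')
IEXPLORE_EXE = r'"C:\Program Files\Internet Explorer\iexplore.exe"'

RegValue = Tuple[str, str]           # (key path, value name; "" = default value)
Finding = Tuple[RegValue, str, str]  # (value, current data, restored data)


def restore_command(command: str) -> str:
    """Swap every substituted handler back to the legitimate program.
    Commands that already reference the .exe handlers come back unchanged."""
    fixed = _RUNDLL_SUBSTITUTE.sub("rundll32.exe", command)
    fixed = _EXPLORER_SUBSTITUTE.sub("Explorer.exe", fixed)
    # A callable replacement stops re.sub from interpreting the backslashes.
    return _IEXPLORE_SUBSTITUTE.sub(lambda _m: IEXPLORE_EXE, fixed)


def is_tampered(command: str) -> bool:
    return restore_command(command) != command


def audit(values: Dict[RegValue, str]) -> List[Finding]:
    """Return one finding per value whose data differs from its restored data."""
    findings = []
    for (key, name), current in values.items():
        if key.lower().endswith(r"\classes\.exe") and name == "":
            # Section 3: .exe is redirected to the sample's "winfiles" type.
            # Assumption: the stock association is exefile (the page only says
            # to delete the winfiles subkey).
            restored = "exefile"
        elif key.lower().endswith(r"\winlogon") and name.lower() == "shell":
            restored = "Explorer.exe"   # cleanup step 3 sets it back to this
        else:
            restored = restore_command(current)
        if restored != current:
            findings.append(((key, name), current, restored))
    return findings


def to_reg_script(findings: List[Finding]) -> str:
    """Render the restored data as a Registry Editor 5.00 script."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00"]
    for (key, name), _current, restored in findings:
        key = key.replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1)
        lhs = "@" if name == "" else f'"{esc(name)}"'
        lines += ["", f"[{key}]", f'{lhs}="{esc(restored)}"']
    return "\n".join(lines) + "\n"


# Constructed from the listing above: values as the infected host shows them.
OBSERVED: Dict[RegValue, str] = {
    (r"HKLM\SOFTWARE\Classes\.lnk\ShellNew", "Command"): "rundll32.com appwiz.cpl,NewLinkHere %1",
    (r"HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command", ""): "finder.com shdocvw.dll,OpenURL %l",
    (r"HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command", ""): r'"C:\Program Files\common~1\iexplore.pif" %1',
    (r"HKLM\SOFTWARE\Classes\Drive\shell\find\command", ""): r"%SystemRoot%\explorer.com",
    (r"HKLM\SOFTWARE\Classes\Unknown\shell\openas\command", ""):
        r"%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1",
    (r"HKLM\SOFTWARE\Classes\.exe", ""): "winfiles",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe 1",
    # Clean control value: must produce no finding.
    (r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command", ""): r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

if __name__ == "__main__":
    found = audit(OBSERVED)
    for (key, name), current, restored in found:
        print(f"{key}\\{name or '(Default)'}\n    now: {current}\n    fix: {restored}")
    print(to_reg_script(found))
```

Two points a practitioner should keep in mind when using this on a real host: import the .reg file only after the dropped .com/.pif files are gone (otherwise the running sample simply rewrites the values), and do not regard a clean audit of these specific values as proof of a clean system, since the page's own list ends with "...", so the same substitution pattern may appear under other file types.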
