亚博网页版

gongnengmiaoshu:

meifenzhongxiang "c:\program files\internet explorer\dmlconf.dat" zhongxieru 16 zijiedeshuju，qian8zijieweixitongshijian，jiezheshi 4 zijieshujushiliangciliantongtedingwangzhandeshijiancha， zuihou 4 zijieshujushizhongwei 0

huoquxitongshijianxinxi

(3-4-4):thread4(threadfunction:2001790c)

gongnengmiaoshu:

mei10fenzhongxiang "fget-career.comde443duankou" fasongdangqianxitongshijianxinxiyijihanyoubenjixinxidezifuchuan，bingjieshou "fget-career.com" fahuideshuju。

jiexi "fget-career.com" dewangzhi

he "fget-career.com" de 443 duankoujianlilianjie

benjiheyuanchengfuwuqideshujujiaohuguocheng

(3-4-5):thread5(threadfunction:20016ea8)

gongnengmiaoshu：

dui drive_fixed leixingdecipanshangde .exe、.dll、 .html、 .htm：sizhongwenjianjinxingganran。

huoquxitongmuluhewindowsmulu,yibianzaiquanpanbianliwenjiandeshihoubikaizheilianggemuludewenjian

huoqusuoyoudecipanpanfu，yibianquanpanbianli

jianchacipanleixingshibushidrive_fixed，ruguoshizeshenduyouxianbianlicipanwenjian

shenduyouxianbianlicipanwenjian

//ganranqianxiantongguowenjianmingpaichusanzhongwenjian(".."、"." he "rmnetwork")

//chakanwenjianzhongshifouyouanmingchengdaoru"loadlibrarya"he "getprocaddress" ,youdehuahuoquduiyingde iat rva

//chakanjiebiaozhihoushifouhaiyouyigekongjiebiaodekongjiankeyong,ruguoyoujiutianjiayigexinjie,bingxiugaiyuanlaidechengxurukoudian

//xiangwenjianzhongxieruyigepewenjian，gaipewenjianzaibeiganranwenjianyunxingshihuibeishifangchulai

.exehe.dllwenjiandeganranliucheng

beiganranhoude.exehe.dll wenjiandexingwei

  zaifenxibeiganranhoudewenjianzhixingliuchengshidezhizai xintianjiajiedejieneipianyide 0x328hchucunfangzhechengxuxianzairukoudianheyuanrukoudiandechazhi(dword leixing)，gaizhijishixiufurukoudiandeyiju。

.html he .htm wenjiandeganranguocheng

.htmlhe.htmwenjiandeganranliucheng

(3-4-6):Thread6(ThreadFunction:20016EC2)

gongnengmiaoshu：

mei10miaozhongbianliyicisuoyoucipan，dangcipanleixingweikeyidongcipanshi，duigaicipanjinxingganran,yidadaojiezhukeyidongcipanduigaiyangbenjinxingchuanbodemude。

jianchacipanshangshifouyou "autorun.inf" wenjian

ruguoyijingyou“autorun.inf”wenjian，zetongguoduigaiwenjiandepanduanlaiyanzhenggaikeyidongcipanshifoubeiganranguo

gaikeyidongcipanmeiyoubeiganranguoshi，zhixingyixiacaozuo

zaikeyidongcipangenmuluchuangjian“recycler”wenjianjiabingshezhishuxingweihidden

子文件下创建.exe 文件，并将DeskToplayer.exe文件的内容写入

zaigenmuluchuangjian"autorun.inf"wenjianbingxierushuju

duikeyidongcipandeganranguocheng

san.qinglifangshi

1. 使用字符串"KyUffThOkYwRRtgPP" 创建互斥体，如果互斥体已经存在，说明已经有样本在运行，此时需要遍历系统所有进程，查找名称为"Desktoplayer "和"iexplore "的进程:

对于"Desktoplayer "进程:直接结束；

duiyu"iexplore "jincheng:ruguojinchengkongjiande 20010000 dizhiweiyouxiaodizhi，zezhijiejieshujincheng，tongshishanchuiexploremuluxiade  dmlconf.datwenjian。

2. yicizai 1:"c:\program files\ ";

   2:"c:\program files\common files\ ";

       3:"c:\documents and settings\administrator\ ";

       4:"c:\documents and settings\administrator\application data\ ";

       5:"c:\windows\system32\ ";

       6:"c:\windows\ ";

       7:"c:\docume~1\admini~1\locals~1\temp\";

目录下查找"Microsoft"目录，如果找到该目录，则删除该目录及目录下的"Desktoplayer.exe"文件。

3. duquhkey_local_machine\software\microsoft\windows nt\

CurrentVersion\Winlogon的Userinit 的键值，并判断键值内容的最后一个启动项中是否包含"desktoplayer.exe"，如果包含，则删除最后一个启动项。

4. bianliquanpanwenjian，jinxingchasha：

duiyu disk_fixedleixingdecipan，zaibianlishikeyibikaixitongmuluhewindowsmulu,duiyuexewenjian,ruguowenjianmd5hetezhengwenjiandemd5pipei，zezhijieshanchu；

对于EXE、DLL，如果节表中含有".rmnet"节，则可判定文件已经被感染，可由用户决定是删除文件还是修复文件(修复办法:删除".rmnet"节并修复入口点)；对HTML、HTM文件，可以通过文件最后9 字节内容是否是"</script>"来判断文件是否被感染，文如果文件已被感染，则由用户决定是删除文件还是修复文件(修复办法:删除文件"<script Language=vbscript>"之后的内容)。

duiyu disk_removableleixingdecipan，ruguocipangenmuluyou "autorun.inf"wenjianqiewenjiantou3zijieneirongwei"rmn"，zekepandinggaicipanyijingbeiganran，xuyaoconggaiwenjianzongtiquzhuexewenjiandelujing，ranhouxianshanchu"autorun.inf"wenjian，zaishanchu

exe wenjian。