This virus is a worm. After it runs it drops a large number of virus files, modifies the registry and adds autostart entries so that it is launched with the system, connects to the network to download further virus files, and uses Ring 0 (kernel-mode) techniques. It searches the computer for e-mail addresses, sends mail automatically, and attaches a copy of the virus to each message.
Basic information
- Name (English): Email-Worm.Win32.Zhelatin.bb
- Virus type: Worm
- Disclosure: Fully public
- Threat level: 4
Introduction
Virus name
Email-Worm.Win32.Zhelatin.bb
Virus type
Worm
File MD5
89ABF35C87A2E20E63CA484364E055C8
Disclosure
Fully public
Threat level
4
File length
9,310 bytes
Affected systems
Windows 98 and later
Development tool
Microsoft Visual C++ 6.0 - 7.0
Packer
Unknown packer
Aliases
驅逐艦 [Trojan.Packed.46]
AntiVir [TR/Small.DBY.BE]
Virus description
Behavior analysis
1. After it runs, the virus drops a large number of virus files:
%WINDIR%\pp.exe
%WINDIR%\via.exe
%WINDIR%\xpupdate.exe
%WINDIR%\comdlg64.dll
%system32%\adirka.dll
%system32%\adirka.exe
%system32%\adirss.exe
%system32%\dd.exe
%system32%\dlh9jkd1q1.exe
%system32%\dlh9jkd1q2.exe
%system32%\dlh9jkd1q5.exe
%system32%\dlh9jkd1q6.exe
%system32%\dlh9jkd1q7.exe
%system32%\dlh9jkd1q8.exe
%system32%\drivers\etc\hosts
%system32%\kernels32.exe
%system32%\lnwin.exe
%system32%\ma.exe.exe
%system32%\max1d641.exe
%system32%\naduhm.dll
%system32%\pfxzmtaim.dll
%system32%\pfxzmtforum.dll
%system32%\pfxzmtgtal.dll
%system32%\pfxzmticq.dll
%system32%\pfxzmtsmt.dll
%system32%\pfxzmtsmtspm.dll
%system32%\pfxzmtwbmail.dll
%system32%\pfxzmtymsg.dll
%system32%\pkfy.dll
%system32%\pp.exe.exe
%system32%\qvx5gamet2.exe
%system32%\qvxga6met3.exe
%system32%\qvxga7met4.exe
%system32%\rsvp32_2.dll
%system32%\sfxzmtforum.dll
%system32%\sfxzmtsmt.dll
%system32%\sfxzmtsmtspm.dll
%system32%\sfxzmtwbmail.dll
%system32%\sm.exe
%system32%\spoolsvv.exe
%system32%\sporder.dll
%system32%\vexg4am1et2.exe
%system32%\vexg6ame4.exe
%system32%\vexga1me4t1.exe
%system32%\vexga3me2.exe
%system32%\vexga4m1et4.exe
%system32%\vexga4me1.exe
%system32%\vexga5me3.exe
%system32%\wincom32.ini
%system32%\zlbw.dll
%system32%\zu.exe.exe
%Documents and Settings%\commander\Local Settings\Temp\31.tmp
%Documents and Settings%\commander\Local Settings\Temp\33.tmp
%Documents and Settings%\commander\Local Settings\Temp\tmkeylfa.exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\ma[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\sm[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\60787[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\dd[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[2].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\20509[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\via[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\zu[1].exe
2. Modifies the registry:
Modified registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\NumberOfCrashes
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)
Newly created registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: String: "System"="C:\WINDOWS\system32\kernels32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Value: String: "Windows update loader"="C:\Windows\xpupdate.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq\
Value: String: "DllName"="C:\WINDOWS\system32\a3dxq.dll"
Value: String: "Startup"="Startup"
Value: DWORD: "Impersonate"=1 (0x1)
(This registers a Winlogon notification package: winlogon.exe loads the DLL at every logon and calls the export named by "Startup", so the worm regains control even if the Run entries above are removed.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime\
Value: String: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Value: DWORD: "RTimestamp"=1791431567 (0x6ac7138f)
HKEY_CURRENT_USER\
Value: DWORD: "WindowsSubVersion"=21656171 (0x14a726b)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\
Value: DWORD: "c"=0 (0)
3. Uses Ring 0 techniques: loads a kernel driver module, registered as the service "Runtime":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime\
Value: String: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"
Code running in Ring 0 can hide files, processes and registry entries from user-mode tools, so a file or registry listing taken on a live infected system may be incomplete; confirm with an offline scan where possible.
4. The virus searches the computer for e-mail addresses and sends mail automatically, carrying the virus body as an attachment.
Note: %System% is a variable path. The virus determines the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me and C:\Windows\System32 on Windows XP. The "commander" in the %Documents and Settings% paths above appears to be the profile name of the account used on the analysis machine; on an infected host look under the affected user's profile instead.
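The registry entries above are what a responder checks first, and they fall into three distinct autostart mechanisms (Run keys, a Winlogon notification DLL, and a kernel driver service) plus one legitimate value the worm merely changes. The script below is an added example, not code from the original page or from any vendor: it parses a .reg export and flags exactly those entries, telling "delete" apart from "restore". The IOC table and SAMPLE_EXPORT are constructed here from the values listed above (strings are shown as REG_SZ for brevity; a real export stores ImagePath as hex(2)); in practice feed it the output of reg export from the suspect host, or a .reg produced from an offline hive.

```python
"""Flag Email-Worm.Win32.Zhelatin.bb persistence in a Windows .reg export.

Added example (not from the original page). SAMPLE_EXPORT is constructed by
hand from the registry data in the behavior analysis; on a real case feed
`reg export` output (or a .reg produced from an offline hive) instead.
"""
import re

# (key, value name) -> (mechanism, remediation). Keys compare case-insensitively.
PERSISTENCE_IOCS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "System"):
        ("Run key", "delete value"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Windows update loader"): ("Run key", "delete value"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq",
     "DllName"): ("Winlogon Notify DLL (loaded into winlogon.exe)", "delete key"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime", "ImagePath"):
        ("kernel driver service (Ring 0)", "stop and delete service"),
}
# Values the worm changes rather than creates: restore the old data, do not delete.
MODIFIED_IOCS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson", "NumberOfCrashes"): 1,
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def _decode(data):
    """Decode the two .reg encodings used in the sample: dword:... and "string"."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex(2)/hex(7) etc. left raw; not needed for these IOCs


def parse_reg_export(text):
    """Yield (key, value_name, data) from REGEDIT4 / 'Windows Registry Editor' text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), _decode(m.group("data"))


def find_zhelatin_persistence(reg_text):
    """Return a list of findings; benign Run entries are ignored."""
    iocs = {(k.lower(), n.lower()): v for (k, n), v in PERSISTENCE_IOCS.items()}
    modified = {(k.lower(), n.lower()): v for (k, n), v in MODIFIED_IOCS.items()}
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        probe = (key.lower(), name.lower())
        if probe in iocs:
            mechanism, action = iocs[probe]
            findings.append({"key": key, "value": name, "data": data,
                             "mechanism": mechanism, "action": action})
        elif probe in modified and data != modified[probe]:
            findings.append({"key": key, "value": name, "data": data,
                             "mechanism": "modified system value",
                             "action": f"restore to {modified[probe]}"})
    return findings


# Constructed sample: strings shown as REG_SZ for brevity (a real export stores
# ImagePath as hex(2)); one benign HKCU Run entry is included as a control.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\system32\\kernels32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows update loader"="C:\\Windows\\xpupdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq]
"DllName"="C:\\WINDOWS\\system32\\a3dxq.dll"
"Startup"="Startup"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime]
"ImagePath"="\\??\\C:\\WINDOWS\\System32\\drivers\\runtime.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson]
"NumberOfCrashes"=dword:00000002
'''

if __name__ == "__main__":
    for f in find_zhelatin_persistence(SAMPLE_EXPORT):
        print(f"{f['mechanism']:<50} {f['value']}={f['data']!r} -> {f['action']}")
```

Matching is on the exact key and value name rather than on the file names in the data, so a variant that drops kernels32.exe under a different value name would not be caught; for that, extend the lookup to match on the executable path as well.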
--------------------------------------------------------------------------------
Removal
1. Use 安天木馬防線 (Antiy Labs' anti-Trojan tool) to remove this virus completely (recommended).
2. For manual removal, follow the behavior analysis: delete the corresponding files and restore the related system settings. The worm's running processes and its runtime.sys driver service hold their files open, so stop them first (or do the work from Safe Mode), and after a reboot confirm that none of the entries below have been recreated. %system32%\drivers\etc\hosts in the list below is a legitimate system file that the worm rewrites: restore its original contents rather than deleting it.
(2) Delete the virus files
%WINDIR%\pp.exe
%WINDIR%\via.exe
%WINDIR%\xpupdate.exe
%WINDIR%\comdlg64.dll
%system32%\adirka.dll
%system32%\adirka.exe
%system32%\adirss.exe
%system32%\dd.exe
%system32%\dlh9jkd1q1.exe
%system32%\dlh9jkd1q2.exe
%system32%\dlh9jkd1q5.exe
%system32%\dlh9jkd1q6.exe
%system32%\dlh9jkd1q7.exe
%system32%\dlh9jkd1q8.exe
%system32%\drivers\etc\hosts
%system32%\kernels32.exe
%system32%\lnwin.exe
%system32%\ma.exe.exe
%system32%\max1d641.exe
%system32%\naduhm.dll
%system32%\pfxzmtaim.dll
%system32%\pfxzmtforum.dll
%system32%\pfxzmtgtal.dll
%system32%\pfxzmticq.dll
%system32%\pfxzmtsmt.dll
%system32%\pfxzmtsmtspm.dll
%system32%\pfxzmtwbmail.dll
%system32%\pfxzmtymsg.dll
%system32%\pkfy.dll
%system32%\pp.exe.exe
%system32%\qvx5gamet2.exe
%system32%\qvxga6met3.exe
%system32%\qvxga7met4.exe
%system32%\rsvp32_2.dll
%system32%\sfxzmtforum.dll
%system32%\sfxzmtsmt.dll
%system32%\sfxzmtsmtspm.dll
%system32%\sfxzmtwbmail.dll
%system32%\sm.exe
%system32%\spoolsvv.exe
%system32%\sporder.dll
%system32%\vexg4am1et2.exe
%system32%\vexg6ame4.exe
%system32%\vexga1me4t1.exe
%system32%\vexga3me2.exe
%system32%\vexga4m1et4.exe
%system32%\vexga4me1.exe
%system32%\vexga5me3.exe
%system32%\wincom32.ini
%system32%\zlbw.dll
%system32%\zu.exe.exe
%Documents and Settings%\commander\Local Settings\Temp\31.tmp
%Documents and Settings%\commander\Local Settings\Temp\33.tmp
%Documents and Settings%\commander\Local Settings\Temp\tmkeylfa.exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\ma[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\sm[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\60787[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\dd[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[2].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\20509[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\via[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\zu[1].exe
(3) Restore the registry values the virus modified and delete the registry values it added
Modified registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\NumberOfCrashes
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)
Newly created registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: String: "System"="C:\WINDOWS\system32\kernels32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Value: String: "Windows update loader"="C:\Windows\xpupdate.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq\
Value: String: "DllName"="C:\WINDOWS\system32\a3dxq.dll"
Value: String: "Startup"="Startup"
Value: DWORD: "Impersonate"=1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime\
Value: String: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Value: DWORD: "RTimestamp"=1791431567 (0x6ac7138f)
HKEY_CURRENT_USER\
Value: DWORD: "WindowsSubVersion"=21656171 (0x14a726b)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\
Value: DWORD: "c"=0 (0)
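The manual procedure above only works in a particular order (stop what is running, remove the autostart entries, then remove files), and one entry in the file list must be restored rather than deleted. The script below is an added example, not part of the page or of any vendor tool: it turns the page's indicators into an ordered plan with cmd.exe equivalents, expanding %WINDIR% and %system32% according to the note in the behavior analysis. It assumes an NT-family host (2000/XP) where sc, reg, taskkill and del are available; the dropped-file list is a subset of the one above, with a3dxq.dll and runtime.sys added from the registry data. The plan is returned and printed, never executed.

```python
"""Ordered manual-removal plan for Email-Worm.Win32.Zhelatin.bb.

Added example (not from the original page or any vendor tool). It turns the
indicators on this page into the sequence an operator would run and shows
cmd.exe equivalents; it never touches the host. Assumes an NT-family host
(2000/XP) where sc, reg, taskkill and del exist.
"""
import ntpath

# (%WINDIR%, %System%) per OS family, from the note in the behavior analysis.
SYSTEM_DIRS = {
    "NT/2000": (r"C:\Winnt", r"C:\Winnt\System32"),
    "95/98/Me": (r"C:\Windows", r"C:\Windows\System"),
    "XP": (r"C:\Windows", r"C:\Windows\System32"),
}

DROPPED_FILES = [  # subset of the page's list, plus two files named only in the registry data
    r"%WINDIR%\pp.exe", r"%WINDIR%\via.exe", r"%WINDIR%\xpupdate.exe",
    r"%WINDIR%\comdlg64.dll", r"%system32%\kernels32.exe",
    r"%system32%\spoolsvv.exe", r"%system32%\rsvp32_2.dll",
    r"%system32%\wincom32.ini", r"%system32%\drivers\etc\hosts",
    r"%system32%\a3dxq.dll",            # Winlogon Notify DLL
    r"%system32%\drivers\runtime.sys",  # kernel driver from Services\Runtime ImagePath
]
# Legitimate files the worm edits: restore these, never delete them.
RESTORE_ONLY = {r"%system32%\drivers\etc\hosts": "127.0.0.1 localhost"}

RUN_VALUES = [  # Run entries the worm adds (reg.exe hive abbreviations)
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "System"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows update loader"),
]
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq"
DRIVER_SERVICE = "Runtime"
DRWATSON = (r"HKLM\SOFTWARE\Microsoft\DrWatson", "NumberOfCrashes", 1)  # old value


def expand(path, os_family):
    """Expand the page's %WINDIR% / %system32% placeholders for one OS family."""
    windir, system = SYSTEM_DIRS[os_family]
    return path.replace("%WINDIR%", windir).replace("%system32%", system)


def build_removal_plan(os_family):
    """Return [(phase, description, command)] in the order the steps must run."""
    plan = []
    # Phase 1: a loaded driver and running EXEs hold their files open, so stop
    # the service and the processes first (or run the whole plan from Safe Mode).
    plan.append((1, "stop kernel driver service", f"sc stop {DRIVER_SERVICE}"))
    plan.append((1, "unregister kernel driver service", f"sc delete {DRIVER_SERVICE}"))
    for p in DROPPED_FILES:
        if p.lower().endswith(".exe"):
            exe = ntpath.basename(p)
            plan.append((1, f"terminate {exe}", f"taskkill /F /IM {exe}"))
    # Phase 2: remove every autostart path so nothing relaunches at reboot,
    # and put the modified DrWatson counter back to its old value.
    for key, name in RUN_VALUES:
        plan.append((2, f"delete Run value {name!r}", f'reg delete "{key}" /v "{name}" /f'))
    plan.append((2, "delete Winlogon Notify key", f'reg delete "{NOTIFY_KEY}" /f'))
    key, name, old = DRWATSON
    plan.append((2, f"restore {name} to {old}",
                 f'reg add "{key}" /v {name} /t REG_DWORD /d {old} /f'))
    # Phase 3: files. Anything in RESTORE_ONLY is rewritten, not deleted.
    for p in DROPPED_FILES:
        full = expand(p, os_family)
        if p in RESTORE_ONLY:
            plan.append((3, f"restore default {full}", f'echo {RESTORE_ONLY[p]}> "{full}"'))
        else:
            plan.append((3, f"delete {full}", f'del /F /Q "{full}"'))
    # Phase 4: reboot and confirm none of the entries came back (re-export the
    # Run, Winlogon\Notify and Services\Runtime keys and compare).
    plan.append((4, "reboot, then re-check the registry keys above", "shutdown /r /t 0"))
    return plan


if __name__ == "__main__":
    for phase, desc, cmd in build_removal_plan("XP"):
        print(f"[{phase}] {desc:<60} {cmd}")
```

Run it with the OS family of the infected host to get the concrete paths; on Windows 95/98/Me the service-control and taskkill steps do not apply, since the kernel driver service under CurrentControlSet only exists on the NT family.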