Email-Worm.Win32.Zhelatin.bl


After it runs, the virus downloads its body from an Internet address to the local machine and executes it, adds registry auto-run and system service entries, and modifies the LSP so that it loads with the system. Its built-in SMTP worm component connects to Internet SMTP servers to obtain the mail information needed for forgery and then sends large volumes of spam, consuming substantial network resources.

Overview

  • Chinese name: 澤拉丁變種 (Zhelatin variant)
  • Name: Email-Worm.Win32
  • Virus type: Worm
  • Threat level: 5
  • File MD5: 116C0F5BDC126CE5FE8DE20526DAD02F
  • Disclosure: full public disclosure
  • File size: 6,789 bytes packed, 21,504 bytes unpacked
  • Infected systems: Windows 95 and later
  • Development tool: Microsoft Visual C++ 6.0
  • Packer: UPX variant, spoofing the following two-layer packer signatures: FSG v1.10 (Eng) -> dulek/xt, LCC Win32 1.x -> Jacob Navia

Behaviour analysis

Drops the following copies and files

%WinDir%\pp.exe  infected: Email-Worm.Win32.Zhelatin.d
%WinDir%\via.exe   infected: Email-Worm.Win32.Zhelatin.d
%System32%\adirka.dll  infected: Email-Worm.Win32.Banwarum.f
%System32%\adirka.exe  infected: Email-Worm.Win32.Zhelatin.d
%System32%\adirss.exe  infected: Email-Worm.Win32.Zhelatin.d
%System32%\dd.exe  infected: Email-Worm.Win32.Zhelatin.d
%System32%\lnwin.exe   infected: Email-Worm.Win32.Zhelatin.d
%System32%\ma.exe.exe  infected: Email-Worm.Win32.Zhelatin.d
%System32%\pfxzmtaim.dll
%System32%\pfxzmtforum.dll
%System32%\pfxzmtgtal.dll
%System32%\pfxzmticq.dll
%System32%\pfxzmtsmt.dll
%System32%\pfxzmtsmtspm.dll
%System32%\pfxzmtwbmail.dll
%System32%\pfxzmtymsg.dll
%System32%\pp.exe.exe  infected: Email-Worm.Win32.Zhelatin.d
%System32%\rsvp32_2.dll infected: Email-Worm.Win32
%System32%\sfxzmtforum.dll
%System32%\sfxzmtsmt.dll
%System32%\sfxzmtsmtspm.dll
%System32%\sfxzmtwbmail.dll
%System32%\sm.exe  infected: Email-Worm.Win32.Zhelatin.d
%System32%\sporder.dll
%System32%\svcp.csv
%System32%\wincom32.ini
%System32%\winsub.xml
%System32%\zlbw.dll
%System32%\zu.exe.exe  infected: Email-Worm.Win32.Zhelatin.d

Creates the following registry values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\lnwin.exe  Value: String: "%System32%\lnwin.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\sysinter   Value: String: "%System32%\ adirss.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\adirka    Value: String: "%System32%\adirka.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\
DisplayName
Value: String: "Windows 套接字 2 .0 Non-IFS 服務提供程式支持環境"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes
%System32%\drivers\ws2ifsl.sys.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000012\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000013\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000014\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000015\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000016\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000017\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000018\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000019\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000020\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000021\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000022\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000023\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll

Modifies the following registry values, breaking the LSP

This also lets it load whenever the system starts:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\
PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
rsvp32_2.dll.system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll

Downloads the virus body and runs it

Downloads the virus body from the following URLs into the local %Temporary Internet Files% directory and runs it:
http://2*5.2*9.1*9.1*/aff/dir/zu.exe
http://2*6.2*5.1*4.1*2/aff/dir/via.exe
http://2*5.2*9.1*9.1*/aff/dir/sm.exe
http://2*6.2*5.1*4.1*2/aff/dir/pp.exe
http://2*5.2*9.1*9.1*/aff/dir/pp.exe
http://2*5.2*9.1*9.1*/aff/dir/ma.exe

Spam

The spam takes either of two forms and carries an attachment with a .gif extension. Because the mail content is harvested from the Internet and is extremely varied, it is not listed here.

Obtains mail information through the following search engine

64.233.1**.1* United States, California, Google Inc.
Note: %System% is a variable path. The virus queries the operating system to determine the location of the current System folder. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal

Antiy Ghostbusters

Antiy Ghostbusters (安天木馬防線) removes this virus completely (recommended).

Manual removal

Delete the corresponding files and restore the related system settings as described in the behaviour analysis.
(1) Terminate the virus processes with the Process Manager of Antiy Ghostbusters:
adirka.exe
sm.exe
dd.exe
(2) Restore the registry entries the virus modified and delete the entries it added.
Delete the following newly created entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\lnwin.exe
Value: String: "%System32%\lnwin.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\sysinter
Value: String: "%System32%\ adirss.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run\adirka
Value: String: "%System32%\adirka.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\
…………..
…………..
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\
Restore the following modified entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\
PackedCatalogItem
…………..
…………..
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\
PackedCatalogItem
Restore the value to:
%SystemRoot%\system32\mswsock.dll
(3) Delete the files dropped by the virus:
%WinDir%\pp.exe
%WinDir%\via.exe
%System32%\adirka.dll
%System32%\adirka.exe
%System32%\adirss.exe
%System32%\dd.exe
%System32%\lnwin.exe
%System32%\ma.exe.exe
%System32%\pfxzmtaim.dll
%System32%\pfxzmtforum.dll
%System32%\pfxzmtgtal.dll
%System32%\pfxzmticq.dll
%System32%\pfxzmtsmt.dll
%System32%\pfxzmtsmtspm.dll
%System32%\pfxzmtwbmail.dll
%System32%\pfxzmtymsg.dll
%System32%\pp.exe.exe
%System32%\rsvp32_2.dll
%System32%\sfxzmtforum.dll
%System32%\sfxzmtsmt.dll
%System32%\sfxzmtsmtspm.dll
%System32%\sfxzmtwbmail.dll
%System32%\sm.exe
%System32%\sporder.dll
%System32%\svcp.csv
%System32%\wincom32.ini
%System32%\winsub.xml
%System32%\zlbw.dll
%System32%\zu.exe.exe
%Temporary Internet Files%/zu.exe
%Temporary Internet Files%/via.exe
%Temporary Internet Files%/sm.exe
%Temporary Internet Files%/pp.exe
%Temporary Internet Files%/pp.exe
%Temporary Internet Files%/ma.exe
%Temporary Internet Files%/dd.exe
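A defender's check for the LSP hijack described above (the PackedCatalogItem values rewritten from mswsock.dll to rsvp32_2.dll) that also supports step (2) of the manual removal. This is an added example, not code from the advisory or from Antiy; it assumes the item's first 260 bytes are the provider path as a NUL-terminated ANSI string, and it runs on constructed blobs so it works offline.

```python
KNOWN_GOOD_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}  # stock Winsock providers listed on this page
PATH_FIELD_LEN = 260   # assumed: MAX_PATH ANSI path field at the start of the item
ITEM_LEN = 888         # length reported in the advisory's registry dumps


def make_item(path: str) -> bytes:
    """Build a constructed 888-byte PackedCatalogItem whose path field holds `path`."""
    raw = path.encode("ascii")
    if len(raw) >= PATH_FIELD_LEN:
        raise ValueError("path does not fit the 260-byte field")
    return raw.ljust(PATH_FIELD_LEN, b"\0").ljust(ITEM_LEN, b"\0")


def infected_item() -> bytes:
    """Constructed: mimic the worm's edit of a clean mswsock.dll entry by overwriting
    its first 13 bytes with 'rsvp32_2.dll' + NUL. The old 'system32\\mswsock.dll'
    survives after the terminator, which is presumably why the page's dump shows
    'rsvp32_2.dll.system32\\mswsock.dll' (the NUL rendered as a dot)."""
    clean = make_item(r"%SystemRoot%\system32\mswsock.dll")
    patch = b"rsvp32_2.dll\0"
    return patch + clean[len(patch):]


def provider_path(item: bytes) -> str:
    """Provider path = path field up to the first NUL; residue after it is ignored."""
    return item[:PATH_FIELD_LEN].split(b"\0", 1)[0].decode("ascii", "replace")


def audit(entries: dict) -> list:
    """Return (entry_id, path, reason) for every catalog entry that looks hijacked."""
    findings = []
    for entry_id, item in entries.items():
        path = provider_path(item)
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\" not in path:
            findings.append((entry_id, path, "bare DLL name, resolved via DLL search order"))
        elif name not in KNOWN_GOOD_PROVIDERS:
            findings.append((entry_id, path, "provider is not a known Winsock DLL"))
    return findings


# Constructed sample catalog: one hijacked entry, two untouched ones.
CONSTRUCTED_ENTRIES = {
    "000000000001": infected_item(),
    "000000000004": make_item(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000012": make_item(r"%SystemRoot%\system32\mswsock.dll"),
}

if __name__ == "__main__":
    for entry_id, path, reason in audit(CONSTRUCTED_ENTRIES):
        print(f"Catalog_Entries\\{entry_id}: {path!r} -> {reason}")
```

On a live machine the same audit can be fed the REG_BINARY values read from Protocol_Catalog9\Catalog_Entries; any flagged entry is restored to its original provider path as the removal steps direct.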
