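After it runs, the virus drops files into several directories and adds registry autorun entries and system service entries so that the virus body is started at system boot. It modifies the user's hosts file to redirect to malicious sites, which causes a chain reaction. The virus bodies it downloads are mostly online-game account-stealing programs.
Basic information
- Chinese name: Trojan-Downloader.Win32.Small.elo
- Virus type: Worm
- Disclosure scope: Fully public
- Hazard level: 4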
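Virus labels
Virus name: Trojan-Downloader.Win32.Small.elo
Chinese name: Downloader variant
Virus type: Worm
File MD5: 49225E04EF3CC90B9B96AB6C9AC0CD9D
Disclosure scope: Fully public
Hazard level: 4
File length: 1,097,736 bytes
Affected systems: Win9X and later
Development tool: Microsoft Visual C++ 5.0
Behavior analysis
Dropped copies and files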
%WinDir%\upxdnd.exe
%System32%\msdebug.dll
%System32%\netsrvcs.dll
%System32%\nwizAsktao.dll
%System32%\nwizAsktao.exe
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%System32%\windds32.dll
%System32%\WMIApiSrv.dll
%System32%\xpdhcp.dll
New registry values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ActiveSetup\Installed Components\
\StubPath
Value: String: "%WINdir\System32\nwiztlbu.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ActiveSetup\Installed Components\
\StubPath
Value: String: "%WINdir\System32\nwiztlbu.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upxdnd
Value: String: "%\WinDir%\upxdnd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC\Description
Value: String: " 啟用 IEEE 802.11 適配器的自動配置 ."
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC\DisplayName
Value: String: "Wireless Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC\ImagePath
Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
%WinDir%\System32\rundll32.exe netsrvcs.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv\Description
Value: String: " 為 Windows Management Instrumentation
(WMI) 提供所需的系統函式。"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv\DisplayName
Value: String: "WMI Performance API"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe WMIApiSrv.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc\Description
Value: String: " 為遠程計算機註冊並更新 IP 地址。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc\DisplayName
Value: String: "WinXP DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc\ImagePath
Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
%WinDir%\System32\rundll32.exe xpdhcp.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS\Description
Value: String: "Provides system and desktop level
support to the display driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS\DisplayName
Value: String: "Win32 Display Driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS\ImagePath
Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
%WinDir%\System32\rundll32.exe windds32.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\Description
Value: String: " 允許 Administrators 組的成員進行遠程調試。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe RemoteDbg.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc\Description
Value: String: " 為計算機系統提供 32 位調試服務。如果此服務被禁用,
所有明確依賴它的服務都將不能啟動。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc\DisplayName
Value: String: "Win32 Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc\ImagePath
Value: Type: REG_EXPAND_SZ Length: 51 (0x33) bytes
%WinDir%\System32\rundll32.exe msdebug.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello Download\DisplayName
Value: String: "TCP/IP Check"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello Download\ImagePath
Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
%Program Files%\Common Files\System\wab32res.exe.
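Modification of the hosts file
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.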
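Removal
1. Antiy Trojan Defense Line (安天木馬防線) can remove this virus completely (recommended).
2. For manual removal, delete the corresponding files according to the behavior analysis and restore the related system settings.
(1) Use Antiy Trojan Defense Line to disconnect the network and terminate the virus processes: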
%WinDir%\upxdnd.exe
%System32%\nwizAsktao.exe
(2) Delete the registry values the virus added and restore those it modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ActiveSetup\InstalledComponents\
\StubPath
Value: String: "%WINdir\System32\nwiztlbu.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ActiveSetup\InstalledComponents\
\StubPath
Value: String: "%WINdir\System32\nwiztlbu.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Upxdnd
Value: String: "%\WinDir%\upxdnd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WZCSRVC\Description
Value: String: " 啟用 IEEE 802.11 適配器的自動配置 ."
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WZCSRVC\DisplayName
Value: String: "Wireless Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WZCSRVC\ImagePath
Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
%WinDir%\System32\rundll32.exe netsrvcs.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WMIApiSrv\Description
Value: String: " 為 Windows Management Instrumentation
(WMI) 提供所需的系統函式。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WMIApiSrv\DisplayName
Value: String: "WMI Performance API"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WMIApiSrv\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe WMIApiSrv.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinXPDHCPsvc\Description
Value: String: " 為遠程計算機註冊並更新 IP 地址。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinXPDHCPsvc\DisplayName
Value: String: "WinXP DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinXPDHCPsvc\ImagePath
Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
%WinDir%\System32\rundll32.exe xpdhcp.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Win32DDS\Description
Value: String: "Provides system and desktop
level support to the display driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Win32DDS\DisplayName
Value: String: "Win32 Display Driver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Win32DDS\ImagePath
Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
%WinDir%\System32\rundll32.exe windds32.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\Description
Value: String: " 允許 Administrators 組的成員進行遠程調試。"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\DisplayName
Value: String: "Remote Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteDbg\ImagePath
Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
%WinDir%\System32\rundll32.exe RemoteDbg.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSDebugsvc\Description
Value: String: " 為計算機系統提供 32 位調試服務。
如果此服務被禁用,所有明確依賴它的服務都將不能啟動。 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSDebugsvc\DisplayName
Value: String: "Win32 Debug Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSDebugsvc\ImagePath
Value: Type: REG_EXPAND_SZ Length: 51 (0x33) bytes
%WinDir%\System32\rundll32.exe msdebug.dll,input.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Hello Download\DisplayName
Value: String: "TCP/IP Check"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Hello Download\ImagePath
Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
%Program Files%\Common Files\System\wab32res.exe.
(3) Delete the files dropped by the virus:
%WinDir%\upxdnd.exe
%System32%\msdebug.dll
%System32%\netsrvcs.dll
%System32%\nwizAsktao.dll
%System32%\nwizAsktao.exe
%System32%\nwiztlbb.dll
%System32%\nwiztlbu.exe
%System32%\RemoteDbg.dll
%System32%\upxdnd.dll
%System32%\windds32.dll
%System32%\WMIApiSrv.dll
%System32%\xpdhcp.dll
(4) Restore the contents of %WinDir%\system32\drivers\etc\hosts to:
127.0.0.1 localhost
(5) Run a full-disk scan with Antiy Trojan Defense Line.
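
To verify manual cleanup steps (2) and (4), the following added example (not part of the original analysis) checks exported data offline: it flags services whose ImagePath launches rundll32.exe with one of the DLLs listed above or with the same `input` export, and lists hosts entries that differ from the clean baseline. The sample inputs, the `ExampleSvc` service and the `C:\Temp\abc.dll` path are constructed for illustration; the input layout assumed is that of `reg query ... /s /v ImagePath`.

```python
import re

# Service DLLs from the page's dropped-file list, lower-cased for comparison.
PAGE_DLLS = {"msdebug.dll", "netsrvcs.dll", "remotedbg.dll",
             "windds32.dll", "wmiapisrv.dll", "xpdhcp.dll"}
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
# The page's clean baseline is "127.0.0.1 localhost"; "::1" is an added allowance.
HOSTS_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def flag_services(reg_query_text):
    """Return (service, dll, reason) for rundll32-hosted services worth review."""
    hits, service = [], None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            service = line.rstrip("\\").rsplit("\\", 1)[-1]
            continue
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(fields) != 3 or fields[0].lower() != "imagepath":
            continue
        m = RUNDLL.search(fields[2])
        if not m:
            continue
        dll = m.group(1).rsplit("\\", 1)[-1].lower()
        if dll in PAGE_DLLS:
            hits.append((service, dll, "listed DLL"))
        elif m.group(2).lower() == "input":
            hits.append((service, dll, "same export, unlisted DLL"))
    return hits

def unexpected_hosts(hosts_text):
    """Return (ip, name) mappings that differ from the clean baseline."""
    extra = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            if (parts[0], name.lower()) not in HOSTS_OK:
                extra.append((parts[0], name.lower()))
    return extra

# Constructed sample in the layout of
# `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` output.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC
    ImagePath    REG_EXPAND_SZ    %WinDir%\System32\rundll32.exe netsrvcs.dll,input
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    ImagePath    REG_EXPAND_SZ    C:\Windows\System32\rundll32.exe "C:\Temp\abc.dll",input"""
SAMPLE_HOSTS = "# constructed\n127.0.0.1 localhost\n203.0.113.7 update.example.test\n"
if __name__ == "__main__":
    print(flag_services(SAMPLE_REG), unexpected_hosts(SAMPLE_HOSTS))
```

An empty result from both functions after cleanup means no service still points at the listed DLLs and the hosts file matches the baseline from step (4).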