Basic information
- Virus name: Worm/Win32.AutoRun.etm
- Virus type: Worm
- Disclosure scope: Fully public
- Threat level: 4
Virus tags
Virus name: Worm/Win32.AutoRun.etm
Virus type: Worm
File MD5: 4AA1BD21CD37E822348E19CE4917323E
Disclosure scope: Fully public
Threat level: 4
File length: 40,630 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s -> Dwing
Local behavior
1. After the file runs, it drops the following files:
%System%\jjxzajcj32dl.dll 63,488 bytes [random file name]
%System%\jjxzwzjy090118.exe 40,630 bytes [random file name]
2. Registry entries added:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Registry value: "CheckedValue"
New value: DWORD: 0 (0)
Original value: DWORD: 1 (0x1)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Registry value: "Check_Associations"
Type: REG_SZ
Value: "no"
Description: weakens the security of the Internet Explorer browser
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
Registry value: "dlmcjjcdfc"
Type: REG_SZ
Value: "C:\WINDOWS\system\jjxzwzjy090118.exe"
Description: autostart entry; the virus file is launched together with Explorer
Network behavior
1. Connects to the network and downloads the list of malware to fetch
Protocol: TCP
Domain or IP address: www.a3168.com
List URL: HTTP://www.a3168.com/mydown.asp?ver=090118&tgid=3&address=00-0C-29-9C-7B-01
List contents:
begin
1,090120,10241,http://www.wew2223.cn/new/shengji.exe,120,1,180,1,10000,11,0,1,0,1
7,
2,0,34000,http://www.wew2223.cn/new/css.exe,10,0-24,,
2,0,47000,http://www.wew2223.cn/new/ggg.exe,30,0-24,,
2,90120,16000,http://www.wew2223.cn/new/30.exe,100,0-24,,
2,0,148000,http://www.wew2223.cn/new/msn180.exe,10,0-24,,
3,127.0.0.1,js.tongji.cn.yahoo.com
3,127.0.0.1,img.tongji.cn.yahoo.com
end
2. Hazard description of the downloaded files:
http://www.wew2223.cn/new/shengji.exe : Worm/Win32.AutoRun.etn
http://www.wew2223.cn/new/css.exe : Rootkit/Win32.Agent.fvn
http://www.wew2223.cn/new/ggg.exe : Trojan/Win32.QQPass.eu[stealer]
http://www.wew2223.cn/new/30.exe : Trojan/Win32.VB.irf
http://www.wew2223.cn/new/msn180.exe : AdWare/Win32.AdMedia.ed[:not_virus]
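The captured task list above is worth turning into indicators a responder can act on (payload URLs, the hosts the worm contacts, and the hosts-file redirects it installs). The parser below is an added example written for this write-up; it is neither the page's code nor the worm's. It reproduces the captured list as its sample input and uses the hazard description as its URL-to-family mapping. Only the record type, the URL in type 1 and type 2 records, and the ip/hostname pair in type 3 records are interpreted; the meaning of the remaining fields is not documented on the page, so they are carried through raw. The format of the resulting hosts-file entries ("ip hostname") is an assumption.

```python
"""Turn the worm's downloaded task list into indicators a responder can act on.

Added example for this write-up; it is neither the page's code nor the worm's.
Only the record type, the URL (records of type 1 and 2) and the ip/hostname
pair (type 3) are read; the other fields are not documented, so they stay raw.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Captured list, reproduced from the write-up as the sample input.
SAMPLE_LIST = """begin
1,090120,10241,http://www.wew2223.cn/new/shengji.exe,120,1,180,1,10000,11,0,1,0,1
7,
2,0,34000,http://www.wew2223.cn/new/css.exe,10,0-24,,
2,0,47000,http://www.wew2223.cn/new/ggg.exe,30,0-24,,
2,90120,16000,http://www.wew2223.cn/new/30.exe,100,0-24,,
2,0,148000,http://www.wew2223.cn/new/msn180.exe,10,0-24,,
3,127.0.0.1,js.tongji.cn.yahoo.com
3,127.0.0.1,img.tongji.cn.yahoo.com
end
"""

# Classification of each payload, as given in the write-up's hazard description.
KNOWN_PAYLOADS = {
    "http://www.wew2223.cn/new/shengji.exe": "Worm/Win32.AutoRun.etn",
    "http://www.wew2223.cn/new/css.exe": "Rootkit/Win32.Agent.fvn",
    "http://www.wew2223.cn/new/ggg.exe": "Trojan/Win32.QQPass.eu[stealer]",
    "http://www.wew2223.cn/new/30.exe": "Trojan/Win32.VB.irf",
    "http://www.wew2223.cn/new/msn180.exe": "AdWare/Win32.AdMedia.ed[:not_virus]",
}


@dataclass
class Indicators:
    downloads: list = field(default_factory=list)        # (url, raw_fields)
    hosts_redirects: list = field(default_factory=list)  # (ip, hostname)
    unparsed: list = field(default_factory=list)         # lines outside the known shapes


def parse_task_list(text):
    """Parse a 'begin ... end' task list into Indicators."""
    ind, inside = Indicators(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "begin":
            inside = True
            continue
        if line == "end":
            break
        if not inside or not line:
            continue
        fields = line.split(",")
        if fields[0] in ("1", "2") and len(fields) > 3 and fields[3].startswith("http"):
            # type 1 is the self-update record, type 2 an extra payload; both carry the URL in field 3
            ind.downloads.append((fields[3], fields))
        elif fields[0] == "3" and len(fields) == 3:
            ind.hosts_redirects.append((fields[1], fields[2]))
        else:
            ind.unparsed.append(line)  # e.g. the bare '7,' line in the capture
    return ind


def download_report(ind):
    """Map each download URL to the family named in the write-up, or 'unclassified'."""
    return [(url, KNOWN_PAYLOADS.get(url, "unclassified")) for url, _ in ind.downloads]


def contacted_hosts(ind):
    """Payload hosts to look for in proxy/DNS logs (the update server www.a3168.com
    is not part of the list itself, so add it separately)."""
    return sorted({urlparse(url).hostname for url, _ in ind.downloads})


def expected_hosts_entries(ind):
    """Entries to look for in %System32%\\drivers\\etc\\hosts; the worm's exact
    line format is not on the page, so 'ip<space>hostname' is assumed."""
    return [f"{ip} {host}" for ip, host in ind.hosts_redirects]


if __name__ == "__main__":
    ind = parse_task_list(SAMPLE_LIST)
    for url, family in download_report(ind):
        print(f"download {url} -> {family}")
    print("payload hosts:", ", ".join(contacted_hosts(ind)))
    print("hosts entries:", expected_hosts_entries(ind))
    print("unparsed:", ind.unparsed)
```

Records whose shape the parser does not recognise (such as the bare `7,` line) are kept in `unparsed` rather than dropped, so a list from a later campaign with a changed layout shows up as something to look at instead of silently yielding fewer indicators.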
Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/ME, and C:\Windows\System32 on Windows XP.
%Temp% = C:\Documents and Settings\AAAAA\Local Settings\Temp  the current user's TEMP cache variable
%Windir%\  the directory where Windows is installed
%DriveLetter%\  the root directory of a logical drive
%ProgramFiles%\  the default installation directory for programs
%HomeDrive% = C:\  the partition holding the currently booted system
%Documents and Settings%\  the root directory of the current user's documents
Removal
1. Antiy Defense removes this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis above.
The ATool management utility is recommended for this.
(1) Terminate the following processes:
Ggg.exe;svteppsk.exe;IEXPLORER.EXE;dfcjj32tmp0.exe
(2) Delete the virus files
%Windir%\30.exe
%Windir%\css.exe
%Windir%\ggg.exe
%Windir%\installreg.asp
%Windir%\system\jjxzajcj32dl.dll
%Windir%\system\jjxzwzjy090120.exe
%System32%\40674985.dat
%System32%\anymie360.dll
%System32%\anymie360.exe
%System32%\cjpoajni.dll
%System32%\coebccid.dll
%System32%\ddgjndgf.dll
%System32%\dfcjj32tmp0.exe
%System32%\dllcache\beep.sys
%System32%\drivers\beep.sys
%System32%\drivers\etc\hosts
%System32%\fgjkccga.dll
%System32%\gmgedabp.dll
%System32%\ifigadlj.dll
%System32%\lgloboec.dll
%System32%\lpceeabp.dll
%System32%\nbepjcll.dll
%System32%\pknphokc.dll
%System32%\sadfasdf.jpg
%System32%\svtepps.dll
%System32%\svteppsk.exe
%System32%\sysdlwd2.dll
%System32%\TnmgtjD.dll
%Windir%\ver.txt
Empty %Temp%
Empty the Internet Explorer temporary files directory
(3) Restore the registry entries modified by the virus and delete the entries it added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
New: String: "IEXPLORE.exe"
Old: String: "mshta.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
New: String: "svtepps.dll"
Old: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\FlashPlayerUpdate
Value: String: "C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\gmgedabp.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\ifigadlj.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\sysmxd6.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0009-0001-69B8DB553683}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\sysdlwd2.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5058B8EC-9E4F-431F-8415-E2AD3569F02A}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\lgloboec.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\lpceeabp.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BE93C55-419A-40FA-8750-F4D2EBEF1847}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\nbepjcll.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9479184C-D769-4611-A992-526D8E72968D}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\pknphokc.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C398A372-7022-40B1-9715-9BA47E9C59E9}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\cjpoajni.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\coebccid.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD037D0F-C51F-4870-9478-BD982536E415}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\ddgjndgf.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F034CC0A-377A-4247-A276-2D484EAA1229}\InProcServer32\@
Value: String: "C:\WINDOWS\system32\fgjkccga.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3FDEB171-8F86-0004-0001-69B8DB553683}
Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3FDEB171-8F86-0009-0001-69B8DB553683}
Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5058B8EC-9E4F-431F-8415-E2AD3569F02A}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7BE93C55-419A-40FA-8750-F4D2EBEF1847}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9479184C-D769-4611-A992-526D8E72968D}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C398A372-7022-40B1-9715-9BA47E9C59E9}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD037D0F-C51F-4870-9478-BD982536E415}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{F034CC0A-377A-4247-A276-2D484EAA1229}
Value: <value not set>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Alcmtr
Value: String: "anymie360.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\dlmcjjcdfc
Value: String: "C:\WINDOWS\system\jjxzwzjy090120.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\qq20009
Value: String: "C:\WINDOWS\ggg.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\060EDAB9
Value: String: "{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\2F20AD53
Value: String: "{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\5058B8EC
Value: String: "{5058B8EC-9E4F-431F-8415-E2AD3569F02A}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\59CEEAB9
Value: String: "{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\7BE93C55
Value: String: "{7BE93C55-419A-40FA-8750-F4D2EBEF1847}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\9479184C
Value: String: "{9479184C-D769-4611-A992-526D8E72968D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\C398A372
Value: String: "{C398A372-7022-40B1-9715-9BA47E9C59E9}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\C8EBCC2D
Value: String: "{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DD037D0F
Value: String: "{DD037D0F-C51F-4870-9478-BD982536E415}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\F034CC0A
Value: String: "{F034CC0A-377A-4247-A276-2D484EAA1229}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Description
Value: String: "Provides support for media palyer. This service can't be stoped."
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\DisplayName
Value: String: "MS Media Control Center"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\ImagePath
Value: String: "%SystemRoot%\System32\svchost.exe -k krnlsrvc"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\ObjectName
Value: String: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Parameters\ServiceDll
Value: String: "C:\WINDOWS\system32\TnmgtjD.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Start
Value: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0\DisplayName
Value: String: "Safe Mon 360"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0\ImagePath
Value: String: "\??\C:\WINDOWS\system32\40674985.dat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0\Start
Value: DWORD: 1 (0x1)
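The registry changes in the local-behavior section and in the removal list above cluster around a handful of persistence points: the SHOWALL\CheckedValue switch (setting it to 0 disables the "Show hidden files" option, so the dropped files stay out of sight), AppInit_DLLs, the policies\Explorer\run autostart key, ShellExecuteHooks CLSIDs, and services whose ImagePath or ServiceDll points at one of the dropped files. The script below is an added example written for this write-up, not Antiy's tooling: it parses a registry export in `.reg` text form and reports those entries, so a responder can audit a host before and after the manual removal. The key paths, CLSIDs and file names are those listed on the page; the sample export is constructed, and the parser assumes plain string and dword values (the only kinds the page shows). On a live host the input would come from `reg export HKLM hklm.reg` rather than from the embedded sample.

```python
"""Audit a registry export (.reg text) for the persistence points this
write-up attributes to Worm/Win32.AutoRun.etm and its downloaded payloads.

Added example for this write-up; not Antiy's tooling.  Key paths, CLSIDs and
file names come from the page; the sample export is constructed.  Strings
and dword values only, which is all the page shows.
"""
import re

HKLM_SW = r"HKEY_LOCAL_MACHINE\SOFTWARE"
SHOWALL = HKLM_SW + r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
APPINIT = HKLM_SW + r"\Microsoft\Windows NT\CurrentVersion\Windows"
POLICY_RUN = HKLM_SW + r"\Microsoft\Windows\CurrentVersion\policies\Explorer\run"
HOOKS = HKLM_SW + r"\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"

# ShellExecuteHooks / ShellServiceObjectDelayLoad CLSIDs from the removal section.
KNOWN_CLSIDS = {
    "{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}", "{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}",
    "{3FDEB171-8F86-0004-0001-69B8DB553683}", "{3FDEB171-8F86-0009-0001-69B8DB553683}",
    "{5058B8EC-9E4F-431F-8415-E2AD3569F02A}", "{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}",
    "{7BE93C55-419A-40FA-8750-F4D2EBEF1847}", "{9479184C-D769-4611-A992-526D8E72968D}",
    "{C398A372-7022-40B1-9715-9BA47E9C59E9}", "{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}",
    "{DD037D0F-C51F-4870-9478-BD982536E415}", "{F034CC0A-377A-4247-A276-2D484EAA1229}",
}
# File names the page lists as dropped by the worm or its payloads.
KNOWN_FILES = {"svtepps.dll", "tnmgtjd.dll", "40674985.dat", "anymie360.exe", "ggg.exe"}

# Constructed sample export holding a few of the modifications listed on the page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="svtepps.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"dlmcjjcdfc"="C:\\WINDOWS\\system\\jjxzwzjy090118.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\40674985.dat"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\TnmgtjD.dll"
"""


def parse_reg_export(text):
    """Return {key: {value_name: value}}; handles string and dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (line.startswith('"') or line.startswith("@=")):
            name, _, val = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            else:  # .reg doubles backslashes inside strings; undo that
                keys[current][name] = val.strip('"').replace("\\\\", "\\")
    return keys


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(keys):
    """Return one finding string per suspicious entry; [] for a clean export."""
    findings = []
    if keys.get(SHOWALL, {}).get("CheckedValue") == 0:
        findings.append("SHOWALL\\CheckedValue=0: 'Show hidden files' option disabled (page: changed from 1)")
    dlls = keys.get(APPINIT, {}).get("AppInit_DLLs")
    if dlls:
        findings.append(f"AppInit_DLLs set to '{dlls}' (loaded into every process that links user32)")
    for name, val in keys.get(POLICY_RUN, {}).items():
        findings.append(f"policies\\Explorer\\run autostart '{name}' -> {val}")
    for key, values in keys.items():
        if key.startswith(HOOKS + "\\"):
            clsid = key[len(HOOKS) + 1:].upper()
            tag = "listed on the page" if clsid in KNOWN_CLSIDS else "not on the page, review manually"
            findings.append(f"ShellExecuteHook {clsid} ({tag})")
        elif re.fullmatch(re.escape(SERVICES) + r"\\[^\\]+", key):
            image = values.get("ImagePath", "")
            svc = key.rsplit("\\", 1)[-1]
            # a driver service whose image is a .dat file matches the SafeMon0 entry on the page
            if basename(image) in KNOWN_FILES or image.lower().endswith(".dat"):
                findings.append(f"service {svc} ImagePath -> {image}")
        elif key.startswith(SERVICES + "\\") and basename(values.get("ServiceDll", "")) in KNOWN_FILES:
            findings.append(f"svchost-hosted ServiceDll from the page's file list: {values['ServiceDll']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("[!]", finding)
```

A ShellExecuteHooks entry whose CLSID is not in the page's list is reported for review rather than as malicious, because Windows itself registers a hook there; the CLSID-to-DLL mapping under HKLM\SOFTWARE\Classes\CLSID, as shown in the removal section, is what tells the two apart. Run the audit a second time after the manual removal steps: an empty result is the check that the autostart entries are gone and SHOWALL\CheckedValue is back at 1.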