When run, the worm drops copies of itself into the system directory and adds a registry autorun entry so that the worm body is loaded at every boot. It creates an autorun.inf file in the root of every logical drive to trick the user into running the worm body by double-clicking the drive. It injects a worm thread into a system process, runs the worm process spcolsv.exe, hooks the API calls made by processes, and closes applications such as Task Manager. The worm may also spread over the local area network.
Basic information
- Chinese name: Worm.Win32.Fujack.b
- Name: Worm.Win32.Fujack.b
- Chinese name: 熊貓燒香變種 (Panda Burning Incense variant)
- Virus type: Worm
Detailed description
File MD5: 5635121EEFE47333D00FFF1FD4A5021F
Disclosure scope: fully public
Threat level: high
File length: 57,344 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0 [Overlay]
Packer: ARVID's TDR file
Alias cross-reference: 驅逐艦 [Win32.HLLP.Whboy]
Rising (瑞星) [Worm.Nimaya.av]
Behaviour analysis
1. Drops the following copies and files:
C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\drivers\ws2ifsl.sys
%System32%\drivers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user name>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user name>\Local Settings\Temp\upxdn.dll
2. Creates the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Value: String: "%WinDir%\system32\drivers\spcolsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (unnamed default value)
Value: String: "%WinDir%\zaq10.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
Value: String: "%WinDir%\zaq4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
Value: String: "%WinDir%\zaq2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
Value: String: "%WinDir%\zaq5.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Description
Value: String: "為遠程計算機註冊並更新 IP 地址。" (the text reads "Registers and updates IP addresses for remote computers.")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\DisplayName
Value: String: "Windows DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ImagePath
Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
%WINDOWS%\system32\rundll32.exe windhcp.ocx,start
3. Modifies the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%WINDir%\system32\WSD_SOCK32.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{11017031-7031-1012-3110-031010311012}
Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11017031-7031-1012-3110-031010311012}\InProcServer32\@
Value: String: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\70311012.dll"
4. Fetches the page http://wan**a.9966.org//down.txt to obtain the download addresses of further worm bodies:
wan**a.9966.org (60.19*.1*4.219)
http://wan**a.9966.org/zaq4.exe
http://wan**a.9966.org/zaq1.exe
http://wan**a.9966.org/zaq2.exe
http://wan**a.9966.org/zaq3.exe
http://wan**a.9966.org/zaq5.exe
http://wan**a.9966.org/zaq6.exe
http://wan**a.9966.org/zaq9.exe
http://wan**a.9966.org/zaq10.exe
http://wan**a.9966.org/zaq7.exe
Note: %System% is a variable path. The worm determines the location of the current System folder by querying the operating system. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
--------------------------------------------------------------------------------
Removal
1. Use Antiy Trojan Defense Line (安天木馬防線) to remove this virus completely (recommended).
2. For manual removal, delete the files listed in the behaviour analysis and restore the related system settings.
(1) Use the "Process Manager" of Antiy Trojan Defense Line to terminate the worm processes:
spcolsv.exe
zaq5.exe
(2) Delete the files dropped by the worm:
C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\drivers\ws2ifsl.sys
%System32%\drivers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user name>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user name>\Local Settings\Temp\upxdn.dll
(3) Delete the registry entries added by the worm and restore the items it modified:
Entries to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Value: String: "%WinDir%\system32\drivers\spcolsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (unnamed default value)
Value: String: "%WinDir%\zaq10.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
Value: String: "%WinDir%\zaq4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
Value: String: "%WinDir%\zaq2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
Value: String: "%WinDir%\zaq5.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc
Items to restore to their Old value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%WINDir%\system32\WSD_SOCK32.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
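As an added example that is not part of the original report, the following PowerShell script turns the behaviour analysis and the removal checklist above into a report-only host check: it looks for the dropped files (hashing any .exe it finds against the sample MD5), an autorun.inf in the root of each drive, the two worm processes, the Run values, the WinDHCPsvc service key, the ShellExecuteHooks/CLSID registration, the SHOWALL toggle and the Winsock catalog provider. It assumes an elevated PowerShell session on the affected Windows host, expands the page's %Windir%, %System32% and %Program Files% placeholders from the environment, and uses the standard "Microsoft Shared" folder name (the page's listing writes it "Microsoft\Shared"). It changes nothing on the host.

```powershell
# Added example (not from the original page): report-only check of a Windows
# host for the Fujack.b artifacts listed in the behaviour analysis above.
# Assumes an elevated session; avoids Get-FileHash so it also runs on older
# PowerShell versions. Nothing is deleted or changed.
$findings  = New-Object 'System.Collections.Generic.List[string]'
$sampleMd5 = '5635121EEFE47333D00FFF1FD4A5021F'   # MD5 of the analysed sample (from the page)

$win    = $env:SystemRoot
$sys32  = Join-Path $win 'System32'
$pf     = $env:ProgramFiles
# Real Windows folder is "Microsoft Shared"; the page's listing writes it "Microsoft\Shared".
$msinfo = Join-Path $pf 'Common Files\Microsoft Shared\MSInfo'

# 1. Dropped files, with the page's placeholders expanded for this host
$files = @(
    'C:\autorun.inf', 'C:\setup.exe', 'C:\ALASTART.EXE',
    (Join-Path $pf 'Desktop_.ini'),
    (Join-Path $win 'zaq2.exe'), (Join-Path $win 'zaq4.exe'), (Join-Path $win 'zaq5.exe'),
    (Join-Path $win 'zaq6.exe'), (Join-Path $win 'zaq10.exe'),
    (Join-Path $sys32 'XpIcfOpt.dll'), (Join-Path $sys32 'WSD_SOCK32.dll'),
    (Join-Path $sys32 'windhcp.ocx'),  (Join-Path $sys32 'shse.dll'),
    (Join-Path $sys32 'kava.dll'),     (Join-Path $sys32 'cmd1.dll'),
    (Join-Path $sys32 'drivers\ws2ifsl.sys'), (Join-Path $sys32 'drivers\spcolsv.exe'),
    (Join-Path $msinfo '70311012.dll'), (Join-Path $msinfo '70311012.dat'),
    (Join-Path $env:TEMP 'upxdn.exe'), (Join-Path $env:TEMP 'upxdn.dll')
)
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $note = "file present: $f"
    if ($f -like '*.exe') {
        $bytes = [System.IO.File]::ReadAllBytes($f)
        $hash  = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
        if ($hash -eq $sampleMd5) { $note += ' (MD5 matches the analysed sample)' }
    }
    $findings.Add($note)
}
# autorun.inf in the root of every drive: the drive-based spreading vector
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if ($d.Root -and (Test-Path -LiteralPath (Join-Path $d.Root 'autorun.inf'))) {
        $findings.Add("autorun.inf in root of $($d.Root)")
    }
}

# 2. Processes named in the removal steps
foreach ($p in Get-Process -Name 'spcolsv', 'zaq5' -ErrorAction SilentlyContinue) {
    $findings.Add("process running: $($p.ProcessName) (PID $($p.Id))")
}

# 3. Run-key persistence ("(default)" is how PowerShell exposes the unnamed Run value)
$runValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = @('svcshare')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('(default)', 'dat', 'msccrt', 'RavMonHelp', 'upxdn')
}
foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
        $v = $props.PSObject.Properties[$name]
        if ($v -and $v.Value) { $findings.Add("Run value ${key}\${name} = $($v.Value)") }
    }
}

# 4. Fake "Windows DHCP Service" and the ShellExecuteHooks / CLSID registration
$clsid = '{11017031-7031-1012-3110-031010311012}'
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDHCPsvc') {
    $findings.Add('service key WinDHCPsvc present (loads windhcp.ocx via rundll32)')
}
if ((Test-Path $hooks) -and (Get-ItemProperty $hooks).PSObject.Properties[$clsid]) {
    $findings.Add("ShellExecuteHooks entry $clsid present")
}
if (Test-Path $inproc) {
    $findings.Add("CLSID $clsid InProcServer32 = $((Get-ItemProperty $inproc).'(default)')")
}

# 5. Tampered settings: hidden-file toggle and the Winsock LSP catalog
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if ((Test-Path $showAll) -and ((Get-ItemProperty $showAll).CheckedValue -eq 0)) {
    $findings.Add('SHOWALL\CheckedValue is 0 (should be 1): "show hidden files" option disabled')
}
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
if (Test-Path $catalog) {
    foreach ($entry in Get-ChildItem $catalog) {
        $item = (Get-ItemProperty $entry.PSPath).PackedCatalogItem
        if (-not $item) { continue }
        # PackedCatalogItem begins with the provider DLL path as a NUL-terminated ANSI string
        $dll = [System.Text.Encoding]::Default.GetString($item, 0, [Math]::Min(260, $item.Length)).Split([char]0)[0]
        if ($dll -match 'WSD_SOCK32') { $findings.Add("Winsock catalog entry $($entry.PSChildName) -> $dll") }
    }
}

if ($findings.Count -eq 0) { 'No Fujack.b indicators found.' } else { $findings }
```

Run it once before manual cleanup to confirm the infection and once after: an empty result after cleanup shows that the artefacts listed on this page are gone. Restoring the single PackedCatalogItem by hand is error-prone; on Windows XP SP2 and later the standard `netsh winsock reset` command (not mentioned on the page) rebuilds the Winsock catalog to its defaults, which removes the injected provider.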