Analysis and removal of the AV Terminator (AV终结者) file-infecting variant oyo.exe
The sample came from a forum member; Rising (瑞星) detects it as Worm.Win32.AvKiller.bm
File: oyo.exe
Size: 430080 bytes
MD5: 2C068E6CC68ABAC97FB2011313A0AF36
SHA1: CC3E94456CE02B8A1DEF89D4296F0B4DBA15794F
CRC32: 5D3156A8
1. Files created
%system32%\oyo.exe
In the root of every partition it creates
autorun.inf and oyo.exe
After running, it uses a cmd command to open the drive the virus was launched from: cmd.exe /c explorer X:\
By default: cmd.exe /c explorer C:\
2. Registry changes
Creates the following startup entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
<rav><C:\WINDOWS\system32\oyo.exe>
Modifies [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
which breaks the display of hidden files
Deletes HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKU\S-1-5-21-448539723-1580436667-725345543-1003
which breaks the display of hidden files
Uses IFEO image hijacking against a number of antivirus and security tools, redirecting them to the virus file:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
3. Infection behaviour
Infects exe and scr files everywhere except in the following directories:
WINDOWS
WINNT
COMMON FILES
The infection method is probably parasitic infection at the file header, but after a simple repair the icon of the infected file has also changed, as shown in the figure. For the exact infection method I would ask the experts for guidance!
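As an added example that is not part of the original post, the following read-only PowerShell audit checks a machine for the indicators described in sections 1 to 3 above and changes nothing. It assumes the IFEO hijack is implemented through the standard Debugger value under each listed key, which the post does not state explicitly.

```powershell
# Added audit script (not from the original post). Read-only: it only reports
# the indicators described in the analysis and modifies nothing.
# Assumption: the IFEO hijack uses the standard "Debugger" value.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijacked = @('360Safe.com','360Safe.exe','360tray.exe','avp.com','avp.exe','CCenter.exe',
  'IceSword.com','IceSword.exe','KAV32.exe','KAVPFW.exe','KVScan.kxp','KWatch.exe',
  'MagicSet.exe','msconfig.exe','nod32.exe','nod32krn.exe','nod32kui.exe','rav.exe',
  'RavMon.exe','RavMonD.exe','RavTask.exe','runiep.exe')
$findings = @()

# 1. Run key entry named "rav" pointing at oyo.exe
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['rav'] -and $run.rav -match 'oyo\.exe') {
    $findings += "Run key: rav = $($run.rav)"
}

# 2. IFEO Debugger values redirecting the security tools listed in the analysis
foreach ($name in $hijacked) {
    $p = Get-ItemProperty "$ifeo\$name" -Name Debugger -ErrorAction SilentlyContinue
    if ($p) { $findings += "IFEO hijack: $name -> $($p.Debugger)" }
}

# 3. Show-hidden-files setting forced to 0 (a clean system has 1)
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1) { $findings += "SHOWALL CheckedValue is '$cv' (expected 1)" }

# 4. Safe-mode driver-class key deleted from both control sets
foreach ($set in 'ControlSet001','CurrentControlSet') {
    $k = "HKLM:\SYSTEM\$set\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}"
    if (-not (Test-Path $k)) { $findings += "SafeBoot key missing: $k" }
}

# 5. Dropped files: the system32 copy plus autorun.inf and oyo.exe in every drive root
$paths = @("$env:SystemRoot\system32\oyo.exe")
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $paths += "$($d.Root)autorun.inf", "$($d.Root)oyo.exe"
}
foreach ($p in $paths) { if (Test-Path $p) { $findings += "Dropped file: $p" } }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from the oyo.exe analysis found.' }
```

Run it from an elevated PowerShell prompt; because the sample hijacks common security tools via IFEO, run the audit before trusting the output of those tools on a suspect machine.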
Removal method:
Download IceSword (冰刃): http://mail.ustc.edu.cn/~jfpan/download/IceSword122cn.zip
SReng:
http://download.kztechs....sreng2.zip
1. Rename IceSword.exe
Open IceSword and terminate oyo.exe under Processes
Click the File button at the lower left and delete the following files:
%system32%\oyo.exe
as well as autorun.inf and oyo.exe in the root of every partition
2. Open SReng
Startup Items - Registry: delete the following entries
under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
<rav><C:\WINDOWS\system32\oyo.exe> []
Delete all IFEO entries shown in red
In SReng: System Repair - Advanced Repair - Repair Safe Mode
In SReng: System Repair - Windows shell/IE - check Show hidden files - Repair
3. Use antivirus software to repair the infected exe files (at present there is none that can repair the files...)