[Solution] New autorun virus (Kaspersky.exe), sample included …
Schools really are where USB-drive viruses thrive
Got hit again.....
Then couldn't find a fix on Google, orz
So I had to try it myself >"<
And, following the fake avp.exe,
there is a virus running around under the "truck driver" name (卡車司機, the local nickname for Kaspersky)
People who often download 卡車司機 from forums, watch out....
The file name is simply kaspersky.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
autorun.inf
[AutoRun]
open=Kaspersky.exe
shellexecute=Kaspersky.exe
shell\Auto\command=Kaspersky.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
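As an added example (not code from the original post), a small Python parser that pulls the auto-launch entries out of an autorun.inf like the one above and flags the traits this sample shows: the sample text is the post's autorun.inf, and the impersonated-name list (kaspersky, avp) is constructed from the names the post mentions.

```python
from pathlib import PureWindowsPath

# Constructed sample: the autorun.inf contents quoted in the post.
SAMPLE_AUTORUN = """[AutoRun]
open=Kaspersky.exe
shellexecute=Kaspersky.exe
shell\\Auto\\command=Kaspersky.exe
"""
# Product names the post reports this family hiding behind (avp.exe, kaspersky.exe).
IMPERSONATED_NAMES = ("kaspersky", "avp")

def parse_autorun(text):
    """(key, value) from the [AutoRun] section, keys lower-cased (hand-rolled: sloppy files trip configparser)."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries

def program_of(value):
    """First token of a command line, honouring a quoted program path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0]

def launch_targets(text):
    """(key, program) for each entry that makes Explorer run a program:
    open=, shellexecute=, and any shell\\<verb>\\command= entry."""
    targets = []
    for key, value in parse_autorun(text):
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in ("open", "shellexecute") or is_verb):
            targets.append((key, program_of(value)))
    return targets

def assess(text):
    """Findings that justify quarantining this autorun.inf (empty = nothing to flag)."""
    findings = []
    for key, prog in launch_targets(text):
        findings.append(f"{key} auto-launches {prog}")
        name = PureWindowsPath(prog).name.lower()
        if any(n in name for n in IMPERSONATED_NAMES):
            findings.append(f"{prog} impersonates an antivirus product")
    return findings
```

An autorun.inf that only sets icon= or label= yields no findings, so the check can be run over every drive root without drowning in noise from driver CDs.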
Mechanism test: this part may have some issues, orz; if other experts test it, please add to it
Test sample: http://kotuha.com/file/pKqkt-Kaspersky.html
Sample password: virus
VT test:
Antivirus engine    Version    Last update    Scan result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.CFI.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - MalwareScope.Backdoor.Hupigon.17
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.CFI.Gen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Files created:
C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat
C:\WINDOWS\system32\_Kaspersky.exe
X:\AutoRun.inf
X:\Kaspersky.exe
(where X is every drive)
No registry writes were seen during the test, orz
but a later scan with SREng
showed, under Services:
[kaspersky 7.0 / kaspersky 7.0][Stopped/Auto Start]
<C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe><N/A>
Special note: I'm not very clear on the mechanism behind the part that modifies other processes' memory
EQ shows:
2008-01-07 14:45:07 訪問物理記憶體 操作:阻止
程序路徑:C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
2008-01-07 14:45:07 執行應用程序 操作:允許(自動建立規則)
程序路徑:C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
檔案路徑:C:\WINDOWS\system32\calc.exe
2008-01-07 14:45:17 修改其它程序記憶體 操作:阻止
程序路徑:C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
目標程序:C:\WINDOWS\system32\calc.exe
=> If you keep clicking "Allow" here, you eventually get a "memory could not be written" error dialog
2008-01-07 14:45:34 執行應用程序 操作:允許(自動建立規則)
程序路徑:C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
檔案路徑:C:\program files\internet explorer\IEXPLORE.EXE
2008-01-07 14:45:39 修改其它程序記憶體 操作:阻止
程序路徑:C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
目標程序:C:\program files\internet explorer\IEXPLORE.EXE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix:
Windows Start -> "Run"
In the Open box type:
sc delete "kaspersky 7.0"
Press OK
Download OTMoveIt
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Copy the following text
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Program Files\Common Files\Microsoft Shared\MSINFO\Kaspersky.exe
C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat
C:\WINDOWS\system32\_Kaspersky.exe
X:\AutoRun.inf
X:\Kaspersky.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Run the OTMoveIt main program
Right-click in the left pane and choose Paste, then
click MoveIt!
Note: X stands for each drive letter; add them yourself, e.g.
C:\AutoRun.inf
C:\Kaspersky.exe
D:\AutoRun.inf
D:\Kaspersky.exe
E:\AutoRun.inf
E:\Kaspersky.exe
※ Edited by: lcjjaff from: 140.112.63.194 (01/07 17:13)