Analysis and removal of oyo.exe, a file-infecting variant of AV Terminator
Sample supplied by a forum user; Rising detects it as Worm.Win32.AvKiller.bm
File: oyo.exe
Size: 430080 bytes
MD5: 2C068E6CC68ABAC97FB2011313A0AF36
SHA1: CC3E94456CE02B8A1DEF89D4296F0B4DBA15794F
CRC32: 5D3156A8
1. Files created
%system32%\oyo.exe
In the root of every partition it creates
autorun.inf and oyo.exe
After running, it uses a cmd command to open the drive the virus was launched from: cmd.exe /c explorer X:\
By default: cmd.exe /c explorer C:\
2. Registry changes
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run it creates the startup item
<rav><C:\WINDOWS\system32\oyo.exe>
Modifies [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
which breaks the display of hidden files
Deletes HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKU\S-1-5-21-448539723-1580436667-725345543-1003
Breaks the display of hidden files
IFEO image hijacking of a number of antivirus and security tools, redirecting them to the virus file:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
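A defender-side check for the registry indicators in this section, added here as an example and not part of the original post: it parses a text export from reg.exe (a constructed sample is embedded) and flags the Run entry, IFEO redirections to oyo.exe, the SHOWALL change and a missing SafeBoot key. It assumes the IFEO hijack uses the standard Debugger value, which the post does not state.

```python
# Added example (not from the original post): scan a "reg export" text dump for
# the oyo.exe indicators listed above. The IFEO redirection is assumed to use the
# standard "Debugger" value, which the post does not name explicitly.
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}"
# Constructed sample dump (made-up values); feed a full HKLM export in practice.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"rav"="C:\\WINDOWS\\system32\\oyo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\oyo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\mydebugger.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export (string/dword values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            # .reg string data escapes backslashes as "\\"; undo that
            keys[current][name.strip('"')] = data.replace("\\\\", "\\").strip('"')
    return keys

def find_indicators(text):
    """List every indicator from the analysis that is present in the dump."""
    keys, hits = parse_reg(text), []
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(IFEO.lower() + "\\"):
            debugger = values.get("Debugger", "")
            if "oyo.exe" in debugger.lower():  # flag only redirection to the virus
                hits.append(f"IFEO hijack: {key[len(IFEO) + 1:]} -> {debugger}")
        elif k == RUN.lower():
            hits += [f"Run entry: {n} = {d}" for n, d in values.items() if "oyo.exe" in d.lower()]
        elif k == SHOWALL.lower() and values.get("CheckedValue") == "dword:00000000":
            hits.append("SHOWALL CheckedValue = 0: hidden files cannot be shown")
    if SAFEBOOT.lower() not in (x.lower() for x in keys):
        hits.append("SafeBoot\\Minimal disk-class key missing: Safe Mode is broken")
    return hits
```

The benign notepad.exe entry in the sample is deliberately not reported, since only IFEO keys redirecting to the virus path are indicators here.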
3. Infection behaviour
Infects .exe and .scr files everywhere except in the following directories:
WINDOWS
WINNT
COMMON FILES
The infection method appears to be file-header parasitism, but after a simple repair the icon of the infected file also changed, as shown in the figure. Experts, please advise on the exact infection method!
Removal:
Download IceSword: http://mail.ustc.edu.cn/~jfpan/download/IceSword122cn.zip
SREng:
http://download.kztechs....sreng2.zip
1. Rename Icesword.exe
Open IceSword and end the oyo.exe process in the process list
Click the File button at the lower left and delete the following files:
%system32%\oyo.exe
and autorun.inf and oyo.exe in the root of every partition
2. Open SREng
Startup Items -> Registry: delete the following entry
under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
<rav><C:\WINDOWS\system32\oyo.exe> []
Delete all IFEO entries shown in red
In SREng: System Repair -> Advanced Repair -> Repair Safe Mode
In SREng: System Repair -> Windows shell/IE -> tick "Show hidden files" -> Repair
3. Use antivirus software to repair the infected exe files (at present there is none that can repair the files...)