
04-17 / A reader's computer has become a Gray Pigeon nest / V2

2013-08-22 ⁄ General ⁄ 13722 characters

Original by endurer
2007-04-17, 2nd edition: added the pe_xscan log analysis, the Dr.Web CureIt scan results, and information on some of the malware samples
2007-04-16, 1st edition

A reader just reported that his computer had been running very slowly recently and asked me to check it over QQ remote assistance.

Opening Task Manager showed processes named Down(0).exe and iexplore.exe, although IE was not running at the time. It looked like an infection.

I downloaded pe_xscan and HijackThis and took scan logs.

The pe_xscan log contained the following suspicious items:
/===
pe_xscan 07-03-25 by Purple Endurer
2007-4-16 21:59:33
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/Down(0).exe * 1484 | 1980-4-2 7:1:30
    C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30
C:/WINDOWS/Explorer.EXE * 1644 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | explorer | EXPLORER.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 1720 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 1784 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/program files/internet explorer/iexplore.exe * 1804 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/system32/ok6250522.3322.org.dll | 2007-4-15 14:21:32 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Microsoft? Windows? Operating System | Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |  | VipDll | msgsvc4.dll
C:/WINDOWS/system32/khooker.exe * 236 | 2002-9-24 1:50:48 | SIS (R) Compatible Super VGA keyboard daemon for Windows 2000/XP | 0.0.0.2098 | SiS Compatible Super VGA Keyboard Daemon | Copyright (C) Silicon Integrated Systems Corp. 1998-2002 | 0.0.0.2098 | Silicon Integrated Systems Corporation |  | KHOOKER 2.09j.03 | KHOOKER.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Common Files/Real/Update_OB/realsched.exe * 320 | 2007-2-14 15:9:14 | RealPlayer (32-bit)  | 0.1.0.3760 | RealNetworks Scheduler | Copyright ? RealNetworks, Inc. 1995-2004 | 0.1.0.3760 | RealNetworks, Inc. | RealAudio(tm) is a trademark of RealNetworks, Inc. | schedapp | realsched.exe
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/ctfmon.exe * 352 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | CTFMON | CTFMON.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/SVCHOST.exe * 428 | 2006-11-15 21:59:30
    C:/SVCHOST.exe | 2006-11-15 21:59:30
    C:/WINDOWS/system32/ntdll.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | NT Layer DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | ntdll.dll | ntdll.dll
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Messenger/msmsgs.exe * 456 | 2004-10-14 0:24:38 | Messenger | Version 4.7.3001 | Windows Messenger | Copyright (c) Microsoft Corporation 2004 | 4.7.3001 | Microsoft Corporation | Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries. | msmsgs | msmsgs.exe
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 932 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/Down(0).exe * 964 | 1980-4-2 7:1:30
    C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30
C:/PROGRA~1/GAMECH~1/GameHall.exe * 3084 | 2007-1-19 13:7:42 | GameHall 应用程序 | 18, 0, 2006, 1012 | 游戏大厅程序 | 同城游戏 (C) 2003-2004 | 18, 0, 2006, 1012 | 同城游戏 |  | GameHall | GameHall.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/conime.exe * 1312 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Console IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Console | CONIME.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/YHL2J69S/3[1].exe * 2692 | 2007-4-16 16:50:30
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26

O4 - HKCR/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCR/../Run: [system] c:/SVCHOST.exe

O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe

D:/autorun.inf
/-----
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell/Auto/command=sxs.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell/Auto/command=sxs.exe
-----/

O9 - IE工具栏扩展按钮HKLM:JUJU猫 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com
O9 - IE工具菜单扩展项HKLM: - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com

O23 - 服务: 110 (110) - C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30(自动)
O23 - 服务: cdnprot (cdnprot) - system32/drivers/cdnprot.sys(引导)
O23 - 服务: cdntran (cdntran) - system32/drivers/cdntran.sys(自动)
O23 - 服务: DHCPmanager (DHCPmanager) - C:/WINDOWS/system32/DHCPmanager.exe | 1980-4-2 7:1:40(自动)
O23 - 服务: ferdr (FERDR) - C:/WINDOWS/system32/Drivers/Ferdr.sys | 2002-5-31 10:26:22(自动)
O23 - 服务: GrayPigeonServer1.23 (Gray_Pigeon_Server1.23) - C:/WINDOWS/G_Server1.23.exe | 2007-3-21 21:40:6(自动)
O23 - 服务: ok6250522.3322.org (ok6250522.3322.org) - C:/WINDOWS/system32/ok6250522.3322.org.exe | 2007-4-16 13:32:18(自动)
O23 - 服务: windows backup for xp (window backup for xp) - c:/backup/backupms0213313751.exe | 2007-3-21 20:49:42(自动)
O23 - 服务: Windows XP Vista         (Windows XP Vista        ) - C:/WINDOWS/Hac.exe(自动)
O23 - 服务: windows_0 (Windows Accounts Driver) - C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30(自动)

SHOWALL    Type isn't dword
===/

Now the HijackThis log:
/---
Logfile of HijackThis v1.99.1
Scan saved at 22:01:17, on 2007-4-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:/WINDOWS/system32/Down(0).exe

O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe
O4 - HKCU/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCU/../Run: [system] c:/SVCHOST.exe

O23 - Service: 110 - Unknown owner - C:/WINDOWS/system32/Down(0).exe

O23 - Service: DHCPmanager - Unknown owner - C:/WINDOWS/system32/DHCPmanager.exe

O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - C:/WINDOWS/G_Server1.23.exe (file missing)

O23 - Service: ok6250522.3322.org - Unknown owner - C:/WINDOWS/system32/ok6250522.3322.org.exe

O23 - Service: window backup for xp (windows backup for xp) - Unknown owner - c:/backup/backupms0213313751.exe

O23 - Service: Windows XP Vista         - Unknown owner - C:/WINDOWS/Hac.exe (file missing)

O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:/WINDOWS/system32/Down(0).exe

O23 - Service: WinNetwork - Unknown owner - C:/WINDOWS/system32/WinNetwork.exe
---/

Downloaded IceSword from http://endurer.ys168.com to check the processes, and found one more hidden IE process.

Terminated the malicious processes.

Stopped and disabled the services listed under O23.

Downloaded FileInfo and bat_do from http://purpleendurer.ys168.com. Used FileInfo to extract file information and bat_do to package up the malware files.

Downloaded Dr.Web CureIt (for the download address and usage see:
Free malware detection and removal tool --- Dr.Web CureIt!
http://endurer.bokee.com/5488502.html). For lack of time, only c:/windows and c:/Documents and Settings were scanned; the results... will be added tomorrow.

============================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)

[Scan path] c:/windows/htpatch.exe
c:/windows/htpatch.exe is hacktool program Tool.Htpatch
----------------------------

[Scan path] C:/WINDOWS
C:/WINDOWS/htpatch.exe is hacktool program Tool.Htpatch
>C:/WINDOWS/system32/DHCPmanager.exe.vi infected with BackDoor.Pigeon.1220 - deleted
C:/WINDOWS/system32/DHCPmanager.DLL.vi infected with BackDoor.Pigeon.680 - deleted
C:/WINDOWS/system32/DHCPMANAGERKEY.DLL.vi infected with BackDoor.Pigeon.1294 - deleted
C:/WINDOWS/system32/RpcS.dll infected with BackDoor.Klj - deleted
C:/WINDOWS/system32/WinNetwork.exe.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/WinNetwork.DLL.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/WINNETWORKKEY.DLL.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/ok6250522.3322.org.exe.vi probably infected with BINARYRES
C:/WINDOWS/system32/ok6250522.3322.org.dll.vi probably infected with DLOADER.Trojan

C:/WINDOWS/system32/drivers/i.sys is adware program Adware.Cdn
C:/WINDOWS/Temp/DHCPmanager0.DLL infected with BackDoor.Pigeon.680 - deleted
>C:/WINDOWS/Temp/WinNetwork0.DLL infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/Temp/WinNetwork1.DLL infected with BackDoor.Pigeon.1562 - deleted

[Scan path] C:/Documents and Settings
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/WinNetwork.exe.xor infected with BackDoor.Pigeon.1562 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/DHCPMANAGERKEY.DLL.xor infected with BackDoor.Pigeon.1294 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/DHCPmanager.DLL.xor infected with BackDoor.Pigeon.680 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/68YH35WC/icast[1].js
>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/LVN1357C/formdatecheck[1].js
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/ZVPBN9SW/network[1].exe infected with BackDoor.Pigeon.1562 - deleted

----------------------------
c:/windows/htpatch.exe - deleted
C:/WINDOWS/htpatch.exe - deleted
C:/WINDOWS/system32/ok6250522.3322.org.exe.vi - deleted
C:/WINDOWS/system32/ok6250522.3322.org.dll.vi.vi - will be deleted after reboot
C:/WINDOWS/system32/drivers/i.sys - deleted

============================
Total session statistics
============================
Objects scanned: 30891
Infected objects found: 14
Objects with modifications found: 0
Suspicious objects found: 2
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 2
Objects cured: 0
Objects deleted: 19
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 1800 Kb/s
Scan time: 00:28:41
============================

Used HijackThis to fix the suspicious items.

For the files that Dr.Web CureIt could not detect and remove, I had bat_do generate commands that clear all file attributes and delete the files, to be executed at the next boot.

文件说明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
属性 : -SHR
获取文件版本信息大小失败!
创建时间 : 2007-4-12 18:29:56
修改时间 : 1980-4-2 7:1:26
访问时间 : 2007-4-16 0:0:0
大小 : 27664 字节 27.16 KB
MD5 : 66e062502fb59d9157526f25614dfdfc

文件说明符 : D:/sxs.exe
属性 : -SH-
获取文件版本信息大小失败!
创建时间 : 2006-9-2 20:28:51
修改时间 : 2006-8-11 2:12:48
访问时间 : 2007-4-16 0:0:0
大小 : 33815 字节 33.23 KB
MD5 : 1781cb8004dc700ac66d799c35ac5c5a

Kaspersky reports it as Trojan-PSW.Win32.QQPass.jn

文件说明符 : C:/net.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 1980-4-2 7:1:34
修改时间 : 1980-4-2 7:1:36
访问时间 : 2007-4-16 0:0:0
大小 : 315697 字节 308.305 KB
MD5 : 8b50d965ffacdb56e00e670ad105fa53

文件说明符 : C:/WINDOWS/Hac.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-4-5 13:33:5
修改时间 : 2007-4-5 13:33:6
访问时间 : 2007-4-16 0:0:0
大小 : 627712 字节 613.0 KB
MD5 : 9dd4cae0b290fc6c3183e0b867079ea3

文件说明符 : C:/WINDOWS/system32/Down(0).exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 1980-4-2 7:1:31
修改时间 : 1980-4-2 7:1:30
访问时间 : 2007-4-16 0:0:0
大小 : 17920 字节 17.512 KB
MD5 : 911c879eba7bc9a474ec8fa5c327d6b6

文件说明符 : C:/WINDOWS/system32/WinNetwork.DLL
属性 : ASHR
获取文件版本信息大小失败!
创建时间 : 1980-4-8 22:6:5
修改时间 : 1980-4-2 7:1:12
访问时间 : 2007-4-16 0:0:0
大小 : 257258 字节 251.234 KB
MD5 : 3ffee9665b61a4cb9155098b0fa63a01

Kaspersky reports it as Backdoor.Win32.Hupigon.edb

文件说明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
属性 : ASHR
获取文件版本信息大小失败!
创建时间 : 2007-4-12 18:29:56
修改时间 : 1980-4-2 7:1:26
访问时间 : 2007-4-16 0:0:0
大小 : 27664 字节 27.16 KB
MD5 : 66e062502fb59d9157526f25614dfdfc

Kaspersky reports it as Backdoor.Win32.Hupigon.cge

文件说明符 : C:/WINDOWS/system32/DHCPmanager.exe
属性 : ASHR
获取文件版本信息大小失败!
创建时间 : 1980-4-3 23:39:46
修改时间 : 1980-4-2 7:1:40
访问时间 : 2007-4-16 0:0:0
大小 : 293058 字节 286.194 KB
MD5 : 0c8db59d9480bb0eb745fc97dd2bd729

文件说明符 : C:/WINDOWS/system32/WinNetwork.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 1980-4-8 22:6:2
修改时间 : 1980-4-2 7:1:42
访问时间 : 2007-4-16 0:0:0
大小 : 315697 字节 308.305 KB
MD5 : 8b50d965ffacdb56e00e670ad105fa53

Kaspersky reports it as Backdoor.Win32.Hupigon.edb

文件说明符 : C:/backup/backupms0213313751.exe
属性 : -SHR
获取文件版本信息大小失败!
创建时间 : 2007-3-21 19:51:1
修改时间 : 2007-3-21 20:49:42
访问时间 : 2007-4-16 0:0:0
大小 : 624236 字节 609.620 KB
MD5 : e855d4668047e699077d5b3b5e6eb250

C:/>dir backup /a
 驱动器 C 中的卷没有标签。
 卷的序列号是 84E4-56E2

 C:/backup 的目录

2007-03-21  19:51    <DIR>          .
2007-03-21  19:51    <DIR>          ..
2007-03-21  20:49           624,236 backupms0213313751.exe
2007-04-16  16:52            18,944 Down(0).exe
2007-04-16  13:06            18,944 Down(1).exe
2007-04-13  22:05            18,944 Down(2).exe
2007-04-13  22:08            18,944 Down(3).exe
2007-04-05  17:59            18,944 Down(4).exe
2007-04-05  17:59            18,944 Down(5).exe
2007-04-02  18:53            18,944 Down(6).exe
2007-04-02  18:53            18,944 Down(7).exe
2007-03-31  20:50            18,944 Down(8).exe
2007-03-31  20:13            18,944 Down(9).exe
2007-03-31  20:13            18,944 Down(10).exe
2007-03-31  20:13            18,944 Down(11).exe
2007-03-31  20:13            18,944 Down(12).exe
2007-03-31  20:13            18,944 Down(13).exe
2007-03-31  20:13            18,944 Down(14).exe
              16 个文件        908,396 字节
               2 个目录  3,691,520,000 可用字节

文件说明符 : C:/WINDOWS/system32/ok6250522.3322.org.dll
属性 : -SHR
语言 : 中文(中国)
文件版本 : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
说明 : Microsoft? Windows? Operating System
版权 : Microsoft Corporation. All rights reserved.
备注 :
产品版本 : 5.1.2600.2180
产品名称 : Microsoft? Windows? Operating System
公司名称 : Microsoft Corporation
合法商标 :
内部名称 : VipDll
源文件名 : msgsvc4.dll
创建时间 : 2007-4-15 14:21:31
修改时间 : 2007-4-15 14:21:32
访问时间 : 2007-4-16 0:0:0
大小 : 17408 字节 17.0 KB
MD5 : 74d1ab119831c91da4bc22d44761fcd4

文件说明符 : C:/WINDOWS/system32/ok6250522.3322.org.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-4-15 14:21:28
修改时间 : 2007-4-16 13:32:18
访问时间 : 2007-4-16 0:0:0
大小 : 43008 字节 42.0 KB
MD5 : 212b77e3914735ee18ef5fde966870b4

文件说明符 : C:/WINDOWS/htpatch.exe
属性 : A--R
获取文件版本信息大小失败!
创建时间 : 2007-11-15 10:55:18
修改时间 : 2002-12-20 0:40:24
访问时间 : 2007-4-16 0:0:0
大小 : 28672 字节 28.0 KB
MD5 : 47122e4e9b3da3e6ee66e1a56aae8f57

Dr.Web reports it as Tool.Htpatch

G_Server1.23.exe: Kaspersky reports it as Packed.Win32.PePatch.ev
DHCPmanager.exe, DHCPmanager.DLL and DHCPMANAGERKEY.DLL: Kaspersky reports them as Backdoor.Win32.Hupigon.emr
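As an added example that is not part of the original post or of the pe_xscan, HijackThis and FileInfo tools, this Python script applies the triage reasoning used above to three HijackThis O23 lines and one FileInfo record quoted in this post: it flags services with no vendor information, a missing binary or a binary outside the usual directories, and files with system+hidden attributes or a modification time earlier than their creation time (the 1980 timestamps above). The O23 line layout, the expected-directory list and the 1990 cut-off are assumptions.

```python
import re
from datetime import datetime
# Constructed sample input: O23 lines and a FileInfo record copied from this write-up.
HJT_LINES = """\
O23 - Service: DHCPmanager - Unknown owner - C:/WINDOWS/system32/DHCPmanager.exe
O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - C:/WINDOWS/G_Server1.23.exe (file missing)
O23 - Service: window backup for xp (windows backup for xp) - Unknown owner - c:/backup/backupms0213313751.exe
"""
FILEINFO = """\
文件说明符 : C:/WINDOWS/system32/WinNetwork.DLL
属性 : ASHR
创建时间 : 1980-4-8 22:6:5
修改时间 : 1980-4-2 7:1:12
"""
# Assumed HijackThis O23 layout: "O23 - Service: NAME - OWNER - PATH [(file missing)]".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
EXPECTED_DIRS = ("c:/windows/system32/", "c:/program files/")  # where service binaries normally live

def triage_o23(text):
    """Return [(service name, [reasons])] for O23 lines that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["owner"] == "Unknown owner":          # no company name in the version resource
            reasons.append("no vendor info")
        if m["missing"]:                           # registration survived, binary did not
            reasons.append("binary missing (leftover service entry)")
        if not m["path"].lower().startswith(EXPECTED_DIRS):
            reasons.append("unusual path: " + m["path"])
        if reasons:
            findings.append((m["name"], reasons))
    return findings

def triage_fileinfo(record):
    """Flag attribute and timestamp anomalies in one FileInfo record."""
    fields = dict(l.split(" : ", 1) for l in record.splitlines() if " : " in l)
    fmt = "%Y-%m-%d %H:%M:%S"
    created, modified = (datetime.strptime(fields[k], fmt) for k in ("创建时间", "修改时间"))
    reasons = []
    if {"S", "H"} <= set(fields.get("属性", "")):  # system+hidden is how these samples hide
        reasons.append("system+hidden attributes")
    if modified < created:                         # mtime was rolled back after the file was written
        reasons.append("modified before created")
    if modified.year < 1990:                       # 1980 dates on a 2007 machine are not credible
        reasons.append("modification time implausibly old")
    return reasons
```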
