Email-Worm.Win32.Warezov.ev

Type: worm
File MD5: E8071DCA2CEA7FEF2316FA749BFD478C
Disclosure: full
Severity: 4
File size: 32,772 bytes
Affected systems: Windows 98 and later
Compiler: Microsoft Visual C++ 6.0 - 7.0
Packer: unknown
Other names: 驅逐艦 [win32.hllm.limar]
  BitDefender [Trojan.Downloader]
Virus description:
This sample is a mass-mailing worm. When run it drops copies of itself and supporting files, adds registry entries so that it starts with Windows, connects to the network and sends itself as an e-mail attachment, and disables Automatic Updates.
Behaviour analysis:
1. On execution the worm drops the following files:
%WINDOWS%\crsdata.tmp
%WINDOWS%\dskdata.tmp
%WINDOWS%\dssdata.tmp
%WINDOWS%\msserrv32.c
%WINDOWS%\msserrv32.dat
%WINDOWS%\msserrv32.exe
%WINDOWS%\msserrv32.s
%WINDOWS%\msserrv32.wax
%WINDOWS%\msserrv32.z
%WINDOWS%\msserv32.c
%WINDOWS%\msserv32.dat
%WINDOWS%\msserv32.exe
%WINDOWS%\msserv32.s
%WINDOWS%\msserv32.wax
%WINDOWS%\msserv32.z
%WINDOWS%\tskmn32.exe
%System32%\conscdfv.exe
%system32%\dmocwebc.dll
%system32%\e1.dll
%system32%\elrsnfkyhp.exe
%system32%\iyuvkbdb.exe
%system32%\uxthwmer.dll
%system32%\uxthwmer.exe
%system32%\winmfaul.dll
2. Adds registry entries so that it starts with Windows:
Values added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "msserrv32"="C:\WINDOWS\msserrv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "msserv32"="C:\WINDOWS\msserv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uxthwmer\
Value: String: "DllName"="C:\WINDOWS\system32\uxthwmer.dll"
(a Winlogon notification package, supported on Windows 2000/XP/2003: winlogon.exe loads the DLL and calls it on logon, logoff and other session events, so the code runs as SYSTEM before any Run key is processed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\9482f4b4-e343-43b6-b170-9a65bc822c77\
Value: String: "CurrentCacheFile"="C:\WINDOWS\SoftwareDistribution\EventCache\.bin"
(this value lives in the Windows Update Agent's own reporting cache; it is not a persistence mechanism)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\
Value: String: "PendingFileRenameOperations"="\??\C:\WINDOWS\system32\elrsnfkyhp.exe..\??\c:\docume~1\comman~1"
(Session Manager carries out the rename or delete operations listed here at the next boot, before the files are in use)
Value modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
New value: String: "AppInit_DLLs"="e1.dll winmfaul.dll"
Original value: String: "AppInit_DLLs"=""
(every process that loads user32.dll also loads the DLLs listed in AppInit_DLLs, so the two DLLs are injected into almost every GUI process on the system)
3. Disables Automatic Updates:
Value deleted:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\
Value: String: "Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."
4. Connects to the network and sends itself as an e-mail attachment. Hosts contacted (in the source each host is followed by a list of recipient addresses, which are redacted there):
Host: www2.endfunjdaswuinjdeshihus.com:8081
Host: www1.endfunjdaswuinjdeshihus.com:8081
Host: www1.endfunjdaswuinjdeshihus.com:8081
Host: www2.endfunjdaswuinjdeshihus.com:8081
Host: www2.endfunjdaswuinjdeshihus.com:8081
Note: %System% is a variable path. The worm determines the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me and C:\Windows\System32 on Windows XP.
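The hosts in step 4 are the network indicator a responder can hunt for in proxy and DNS logs. The PowerShell below is an added example, not part of the original analysis: it matches any name under the relay domain, with or without the :8081 port, and also handles the length-prefixed label form that Windows DNS debug logs use. The domain comes from the analysis; the three log lines are constructed for the demonstration.

```powershell
# Added example (not from the original analysis): flag proxy or DNS log lines that
# name the relay hosts listed in step 4. The log lines below are constructed.
$WarezovDomain = 'endfunjdaswuinjdeshihus.com'

function Find-WarezovRelayTraffic {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $Domain = $WarezovDomain
    )
    # Any label chain under the domain, followed by an optional :port. DNS names are
    # case-insensitive, so the whole match is.
    $pattern = '(?i)(?<host>(?:[a-z0-9-]+\.)*' + [regex]::Escape($Domain) + ')(?::(?<port>\d{1,5}))?'
    foreach ($line in $Lines) {
        # Windows DNS debug logs write names as length-prefixed labels, e.g.
        # (4)www1(24)endfunjdaswuinjdeshihus(3)com(0); turn those into dots first.
        $normalized = $line -replace '\(\d+\)', '.'
        $m = [regex]::Match($normalized, $pattern)
        if (-not $m.Success) { continue }
        $port = $null
        if ($m.Groups['port'].Success) { $port = [int]$m.Groups['port'].Value }
        [pscustomobject]@{
            Host = $m.Groups['host'].Value.ToLowerInvariant()
            Port = $port
            Line = $line
        }
    }
}

# Constructed sample: a Squid-style CONNECT, a Windows DNS debug-log query and a benign request.
$sampleLog = @(
    '1161234567.123    45 10.0.0.12 TCP_MISS/200 512 CONNECT www2.endfunjdaswuinjdeshihus.com:8081 - HIER_DIRECT/203.0.113.5 -'
    '10/26/2006 09:12:33 0A4C PACKET  UDP Rcv 10.0.0.12   0012 Q [0001   D   NOERROR] A      (4)www1(24)endfunjdaswuinjdeshihus(3)com(0)'
    '1161234570.456    12 10.0.0.13 TCP_MISS/200 1024 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html'
)

# Two hits: www2...:8081 from the proxy line and www1... (no port) from the DNS query.
$hits = Find-WarezovRelayTraffic -Lines $sampleLog
$hits | Format-Table Host, Port -AutoSize
```

Feed it real logs with `Get-Content` and keep the `Line` field: the client address in each matching line is what tells you which hosts to put through the file and registry checks in the removal plan.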
--------------------------------------------------------------------------------

Removal:

1. Antiy Ghostbusters (安天木馬防線) removes this worm completely (recommended).
2. To remove it by hand, delete the files and restore the system settings listed in the behaviour analysis:
(1) Use the Antiy Ghostbusters process manager to end the worm's processes (the names below are as given in the source; "Msserw32.exe" matches neither dropped executable, so also check for msserrv32.exe and msserv32.exe, the two files started from the Run key)
Msserw32.exe
6.tmp
Uxthwmer.exe
Ijtconf.exe
Brwconf.exe
Deiconf.exe
(2) Delete the dropped files
%WINDOWS%\crsdata.tmp
%WINDOWS%\dskdata.tmp
%WINDOWS%\dssdata.tmp
%WINDOWS%\msserrv32.c
%WINDOWS%\msserrv32.dat
%WINDOWS%\msserrv32.exe
%WINDOWS%\msserrv32.s
%WINDOWS%\msserrv32.wax
%WINDOWS%\msserrv32.z
%WINDOWS%\msserv32.c
%WINDOWS%\msserv32.dat
%WINDOWS%\msserv32.exe
%WINDOWS%\msserv32.s
%WINDOWS%\msserv32.wax
%WINDOWS%\msserv32.z
%WINDOWS%\tskmn32.exe
%system32%\conscdfv.exe
%system32%\dmocwebc.dll
%system32%\e1.dll
%system32%\elrsnfkyhp.exe
%system32%\iyuvkbdb.exe
%system32%\uxthwmer.dll
%system32%\uxthwmer.exe
%system32%\winmfaul.dll
(3) Remove the registry entries the worm added and restore those it changed
Values added (delete):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "msserrv32"="C:\WINDOWS\msserrv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "msserv32"="C:\WINDOWS\msserv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uxthwmer\
Value: String: "DllName"="C:\WINDOWS\system32\uxthwmer.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\9482f4b4-e343-43b6-b170-9a65bc822c77\
Value: String: "CurrentCacheFile"="C:\WINDOWS\SoftwareDistribution\EventCache\.bin"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\
Value: String: "PendingFileRenameOperations"="\??\C:\WINDOWS\system32\elrsnfkyhp.exe..\??\c:\docume~1\comman~1"
Value modified (restore the original):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
Worm's value: String: "AppInit_DLLs"="e1.dll winmfaul.dll"
Original value: String: "AppInit_DLLs"=""
Value deleted (restore):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\
Value: String: "Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."
