Trojan-Spy.Win32.VB.oe

Trojan-Spy.Win32.VB.oe is a Trojan-type virus. When run, it copies itself to %system32%, drops the Microsoft Visual Basic control it depends on, mswinsck.ocx, into the %system32% directory, and modifies the registry to add a startup entry so that it is launched automatically every time the system starts.

Virus name

Trojan-Spy.Win32.VB.oe

Virus type

Trojan

File MD5

B61DF4379D30063FDFCA883E8B9FA2AC

Disclosure scope

Fully public

Threat level

File size

155,648 bytes

Affected systems

Windows 98 and later

Development tool

Microsoft Visual Basic 5.0 / 6.0

Packer

Naming cross-reference

Symantec[]
McAfee[]

Virus description

This virus is a Trojan. When run, it copies itself to %System32%, drops the Microsoft Visual Basic control it depends on, mswinsck.ocx, into the %system32% directory, and modifies the registry to add a startup entry so that it is launched automatically every time the system starts.

Behavior analysis

1. When run, the virus copies itself to %system32% and drops the control required by Microsoft Visual Basic programs:
%system32%\mswinsck.ocx
%system32%\<virus name>.exe
2. It modifies the registry, adding a startup entry so that it is launched automatically every time the system starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "<virus name>"="C:\WINDOWS\system32\<virus name>"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Value: String: "ThreadingModel "="Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
Value: String: "@"="132497"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
Value: String: "@"="0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
Value: String: "@"="MSWinsock.Winsock.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX, 1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "@"="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version
Value: String: "@"="1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID
Value: String: "@"="MSWinsock.Winsock"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="Winsock General Property Page Object"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="IMSWinsockControl"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
Value: String: "@"="{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
Value: String: "@"="{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "@"="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "Version "="1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="DMSWinsockControlEvents"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
Value: String: "@"="{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
Value: String: "@"="{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
Value: String: "@"="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "Version"="1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\
Value: String: "@"="{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\
Value: String: "@"="{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\
Value: String: "@"="MSWinsock.Winsock.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\
Value: String: """="C:\WINDOWS\system32\MSWINSCK.OCX"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0
Value: String: "@"="Microsoft Winsock Control 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\
Value: String: "@"="2"
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal

1. Use 安天木馬防線 (Antiy Trojan Defence Line) to remove this virus completely (recommended).
2. For manual removal, delete the files listed in the behavior analysis and restore the related system settings.
(1) Use the "Process Manager" of 安天木馬防線 to terminate the virus process.
(2) Delete the virus files:
%system32%\mswinsck.ocx
%system32%\<virus name>.exe
(3) Restore the registry entries the virus modified and delete the registry entries it added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "<virus name>"="C:\WINDOWS\system32\<virus name>"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Value: String: "ThreadingModel "="Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
Value: String: "@"="132497"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
Value: String: "@"="0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
Value: String: "@"="MSWinsock.Winsock.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX, 1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "@"="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version
Value: String: "@"="1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID
Value: String: "@"="MSWinsock.Winsock"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="Winsock General Property Page Object"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="IMSWinsockControl"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
Value: String: "@"="{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
Value: String: "@"="{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "@"="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "Version "="1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="DMSWinsockControlEvents"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
Value: String: "@"="{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
Value: String: "@"="{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
Value: String: "@"="{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Value: String: "Version"="1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\
Value: String: "@"="{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\
Value: String: "@"="{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\
Value: String: "@"="MSWinsock.Winsock.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\
Value: String: """="C:\WINDOWS\system32\MSWINSCK.OCX"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0
Value: String: "@"="Microsoft Winsock Control 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\
Value: String: "@"="2"
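The following Python is an added example (not code from the original page or from Antiy). It parses the registry listing in the format used by the behavior analysis and removal sections above and separates the autorun value, which is the Trojan's actual persistence mechanism, from the keys that are only the COM registration of the Winsock control (the {248DD89x-BB45-11CF-9ABC-0080C7E7B78D} GUID family and the MSWinsock.Winsock ProgIDs). The listing inside is a constructed sample, and EXAMPLE_VIRUS is a placeholder for the page's <virus name>.

```python
import re

# Added example, not code from the page or from Antiy. Constructed sample in the
# page's listing format; "EXAMPLE_VIRUS" stands in for the page's "<virus name>".
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: String: "EXAMPLE_VIRUS"="C:\WINDOWS\system32\EXAMPLE_VIRUS.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
Value: String: "@"="Microsoft WinSock Control, version 6.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
Value: String: "@"="C:\WINDOWS\system32\MSWINSCK.OCX"
"""

VALUE_RE = re.compile(r'^Value: String: "(.*?)"="(.*)"$')
# Winsock control registration markers from the page: its GUID family and ProgIDs.
WINSOCK_MARKERS = ("248DD89", "MSWinsock.Winsock")
RUN_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

def parse_listing(text):
    """Return [(key, name, data)]; a bare key line yields (key, None, None)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HKEY_"):
            key = line.rstrip("\\")          # page lists some keys with a trailing backslash
            entries.append((key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries

def classify(key):
    """'persistence' for autorun keys, 'winsock_com' for the control's registration."""
    if key.endswith(RUN_SUFFIXES):
        return "persistence"
    if any(marker in key for marker in WINSOCK_MARKERS):
        return "winsock_com"
    return "other"

def triage(text):
    """Group entries by class: the autorun value is what to remove first."""
    groups = {"persistence": [], "winsock_com": [], "other": []}
    for entry in parse_listing(text):
        groups[classify(entry[0])].append(entry)
    return groups

def autorun_targets(text):
    """Paths launched from Run keys; on this page they point into %system32%."""
    return [data for _, name, data in triage(text)["persistence"] if name]
```

Because mswinsck.ocx is the standard Visual Basic Winsock control, check whether any legitimate application on the host depends on it before deleting its registration; the Run value and the dropped executable are the entries to remove first.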
