Virus name: Trojan.Win32.Autoit.ab
Chinese name: Extortionist variant (敲詐者變種)
Virus type: Trojan
File MD5: 65A73CDF15F4507D0AB2FE7C54B0559B
Disclosure scope: fully public
Threat level: 5
File length: 401,759 bytes
Affected systems: Windows 2000 and later
Packer type
First layer: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Second layer: nSPack 3.1 -> North Star/Liu Xing Ping
Virus description
The trojan shows itself by displaying an extortion text before the user logs on (it is written into the Windows logon notice). Once the user is in the system it opens a dialog box to intimidate them, and if the user clicks "OK" the computer is restarted. It also leaves several virus files in system directories. It causes great inconvenience to users and its behaviour is extremely malicious.
Behaviour analysis
1. Drops the following copies and files:
%WinDir%\_default
%System32%\Wpa.dbl
%System32%\wins
%System32%\taskmgr.exe (393 KB)
%Documents and Settings%\All Users\「開始」選單\程式\啟動\SvcHost (the localized Start Menu\Programs\Startup folder)
%Documents and Settings%\All Users\Application Data\Microsoft\win1ogon.exe (note the digit 1 in place of the l of winlogon.exe)
2. Modifies the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\win1ogon.exe\shell\open\command\@
New: String: "%Documents and Settings%\All Users\Application Data\Microsoft\win1ogon.exe"
Old: String: ""%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\@
New: String: "C:\Documents and Settings\All Users\Application Data\Microsoft\win1ogon.exe"
Old: Type: REG_EXPAND_SZ, Length: 37 (0x25) bytes: %SystemRoot%\system32\NOTEPAD.EXE %1
(every .txt file opened through Explorer now launches the trojan instead of Notepad)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
New: String: "警告:" ("Warning:")
Old: (value not set)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
New: String: "發現您硬碟內曾使用過盜版了的我公司軟體,所以將您部份檔案移到鎖定了的扇區,若要解鎖將檔案釋放,請電郵 購買相應的軟體"
(English: "We have found that pirated copies of our company's software have been used on your hard disk, so some of your files have been moved to a locked sector. To unlock and release the files, please e-mail [address omitted on the page] to purchase the corresponding software.")
Old: String: ""
(legalnoticecaption and legalnoticetext are the standard logon banner values, which is how the extortion text appears before logon)
3. Creates the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS \Description
Value: String: "WINS為客戶提供系統域名解析服務" ("WINS provides system domain name resolution services to clients")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS \DisplayName
Value: String: "WINS "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS \ImagePath
Value: String: "%windows%\system32\wins"
(a fake service named after the legitimate Windows Internet Name Service; its ImagePath points at the dropped file %System32%\wins)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe
Value: String: "%Documents and Settings%\All Users\Application Data\Microsoft\win1ogon.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoClose
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoRun
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\StartMenuLogOff
Value: DWORD: 1 (0x1)
(these four policies remove Shut Down, Search, Run and Log Off from the Start menu)
4. Deletes the following registry values (this removes the "Show hidden files and folders" option from Folder Options, so the dropped files stay hidden):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue
Value: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\HelpID
Value: String: "shell.hlp#51105"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\HKeyRoot
Value: DWORD: 2147483649 (0x80000001)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\RegPath
Value: String: "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\Text
Value: String: "@shell32.dll,-30500"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\Type
Value: String: "radio"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ValueName
Value: String: "Hidden"
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
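The following PowerShell audit is an added example and not code from the Antiy page. It checks a host for the file and registry indicators listed in the behaviour analysis above and only reports; it changes nothing. It assumes an elevated PowerShell 4 or later prompt (for Get-FileHash), addresses the Startup folder by its English name whereas the page shows the localized path 「開始」選單\程式\啟動, and uses the sample MD5 stated on the page; the function name Test-AutoitAbIndicators is the example's own.

```powershell
# Added example (not Antiy's code): report-only audit for Trojan.Win32.Autoit.ab indicators.
# Assumptions: elevated PowerShell 4+; English Startup folder name; $SampleMd5 is the
# sample hash given on the page.

$SampleMd5 = '65A73CDF15F4507D0AB2FE7C54B0559B'

function Test-AutoitAbIndicators {
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $sys32    = Join-Path $env:windir 'System32'
    $allUsers = $env:ALLUSERSPROFILE     # "C:\Documents and Settings\All Users" on 2000/XP
    $cv       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

    # 1. Dropped files. taskmgr.exe and Wpa.dbl are legitimate XP file names, so they
    #    are reported only when their MD5 equals the sample hash; the others never belong.
    $hashOnly = 'taskmgr.exe', 'Wpa.dbl'
    $paths = @(
        (Join-Path $env:windir '_default'),
        (Join-Path $sys32 'wins'),
        (Join-Path $sys32 'Wpa.dbl'),
        (Join-Path $sys32 'taskmgr.exe'),
        (Join-Path $allUsers 'Application Data\Microsoft\win1ogon.exe'),
        (Join-Path $allUsers 'Start Menu\Programs\Startup\svchost')
    )
    foreach ($path in $paths) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        if ($item.PSIsContainer) { $findings.Add("unexpected directory present: $path"); continue }
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        if ($md5 -eq $SampleMd5) {
            $findings.Add("file matches sample MD5: $path")
        } elseif ($hashOnly -notcontains $item.Name) {
            $findings.Add("unexpected file present: $path (MD5 $md5)")
        }
    }

    # 2. Persistence: the Run entry and the fake "WINS" service. The genuine service runs
    #    wins.exe, so an ImagePath ending in "\system32\wins" is the dropped file.
    $run = Get-ItemProperty -Path "$cv\Run" -Name 'svchost.exe' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run value svchost.exe -> $($run.'svchost.exe')") }
    $wins = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WINS' -Name 'ImagePath' -ErrorAction SilentlyContinue
    if ($wins -and $wins.ImagePath -match '\\system32\\wins\s*$') {
        $findings.Add("WINS service ImagePath points at dropped file: $($wins.ImagePath)")
    }

    # 3. Policies: Start-menu lockdown and the logon-notice values that carry the extortion text.
    #    legalnotice* may also be set by a legitimate logon banner, so review rather than assume.
    foreach ($name in 'NoClose', 'NoFind', 'NoRun', 'StartMenuLogOff') {
        $p = Get-ItemProperty -Path "$cv\policies\Explorer" -Name $name -ErrorAction SilentlyContinue
        if ($p -and $p.$name -eq 1) { $findings.Add("Explorer policy $name = 1") }
    }
    foreach ($name in 'legalnoticecaption', 'legalnoticetext') {
        $p = Get-ItemProperty -Path "$cv\policies\system" -Name $name -ErrorAction SilentlyContinue
        if ($p -and $p.$name) { $findings.Add("logon notice $name is set: $($p.$name)") }
    }

    # 4. Hijacked .txt handler, the win1ogon.exe application key, and the SHOWALL values
    #    whose deletion hides the "Show hidden files and folders" option.
    $txt = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    if ($txt -and $txt -notmatch 'notepad\.exe') { $findings.Add("txtfile open command hijacked: $txt") }
    if (Test-Path 'HKLM:\SOFTWARE\Classes\Applications\win1ogon.exe') {
        $findings.Add('Classes\Applications\win1ogon.exe key present')
    }
    $showAll = Get-ItemProperty -Path "$cv\Explorer\Advanced\Folder\Hidden\SHOWALL" -ErrorAction SilentlyContinue
    foreach ($name in 'CheckedValue', 'DefaultValue', 'HKeyRoot', 'RegPath', 'Text', 'Type', 'ValueName') {
        if (-not $showAll -or $null -eq $showAll.$name) { $findings.Add("SHOWALL\$name is missing") }
    }
    return ,$findings
}

$result = Test-AutoitAbIndicators
if ($result.Count -eq 0) { 'No Trojan.Win32.Autoit.ab indicators found.' } else { $result }
```

Each finding is a plain string so the function can be run over many hosts and the results collected; the hash-only rule for taskmgr.exe and Wpa.dbl avoids flagging clean XP machines, which ship both files.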
Removal
1. Use Antiy Trojan Defence (安天木馬防線) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings according to the behaviour analysis:
(1) Go to the %system32% directory, find cmd.exe and double-click it to run it (the Start menu's Run command is unavailable because of the NoRun policy). Type regedit and press Enter.
(2) Delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\svchost
Value: String: "%Documents and Settings%\All Users\「開始」選單\程式\啟動\svchost"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe
Value: String: "%Documents and Settings%\All Users\Application Data\Microsoft\win1ogon.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
New: String: "發現您硬碟內曾使用過盜版了的我公司軟體,所以將您部份檔案移到鎖定了的扇區,若要解鎖將檔案釋放,請電郵 購買相應的軟體"
(also clear legalnoticecaption, which the behaviour analysis shows set to "警告:")
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoClose
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoRun
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\StartMenuLogOff
Value: DWORD: 1 (0x1)
(3) Restore the following registry entry to its original value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\@
New: String: "C:\Documents and Settings\All Users\Application Data\Microsoft\win1ogon.exe"
Old: Type: REG_EXPAND_SZ, Length: 37 (0x25) bytes: %SystemRoot%\system32\NOTEPAD.EXE %1
(the key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\win1ogon.exe created in the behaviour analysis can be deleted at the same time)
(4) Cold-reboot the computer into Safe Mode and delete the virus body in the following directory:
%Documents and Settings%\All Users\「開始」選單\程式\啟動\svchost
(5) Type gpedit.msc in "Run" and expand, in order:
"User Configuration" => "Administrative Templates" => "Windows Components" => "Windows Explorer"
Double-click "Remove the Folder Options menu item from the Tools menu" and select "Disabled".
(6) Save the following content as a .reg file and double-click it to import it (each key name and each value must stay on a single line):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
(7) Open "Folder Options" and set it to the state shown in the original screenshot [screenshot not reproduced on this page].
(8) Delete the files dropped by the virus:
%WinDir%\_default
%System32%\taskmgr.exe (393 KB)
%System32%\wins
%System32%\wpa.dbl
%Documents and Settings%\All Users\「開始」選單\程式\啟動\svchost
%Documents and Settings%\All Users\Application Data\Microsoft\win1ogon.exe
(9) For files that have been deleted, users can recover the data with EasyRecovery software or turn to professional data-recovery specialists.
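The following script is an added example, not code from the Antiy page, that carries out the manual steps (2) through (8) above in one pass: it removes the persistence entries and policies, restores the .txt handler, recreates the SHOWALL values from the .reg file in step (6), and deletes the dropped files. It supports -WhatIf for a preview. Assumptions: an elevated PowerShell 4 or later prompt; the English Startup folder name (the page shows the localized path); that the dropped taskmgr.exe and Wpa.dbl carry the sample MD5 stated on the page, so they are removed only when their hash matches (both names also exist on a clean XP system); that step (5)'s Group Policy setting corresponds to the NoFolderOptions policy value. The function name Repair-AutoitAbChanges is the example's own. Run the file-deletion part from Safe Mode as step (4) says, and restore a clean taskmgr.exe from installation media afterwards (not covered here).

```powershell
# Added example (not Antiy's code): reverse the registry and file changes listed on the page.
# Assumptions: elevated PowerShell 4+; English Startup folder name; $SampleMd5 is the
# page's sample hash and is assumed to be the hash of the dropped taskmgr.exe / Wpa.dbl.

function Repair-AutoitAbChanges {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SampleMd5 = '65A73CDF15F4507D0AB2FE7C54B0559B')
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

    # Step (2): Run entry, MUICache entry, Start-menu policies and logon-notice values
    # (the page records the originals as empty / not set, so they are removed).
    Remove-ItemProperty -Path "$cv\Run" -Name 'svchost.exe' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache' -Name 'svchost' -ErrorAction SilentlyContinue
    foreach ($name in 'NoClose', 'NoFind', 'NoRun', 'StartMenuLogOff') {
        Remove-ItemProperty -Path "$cv\policies\Explorer" -Name $name -ErrorAction SilentlyContinue
    }
    foreach ($name in 'legalnoticecaption', 'legalnoticetext') {
        Remove-ItemProperty -Path "$cv\policies\system" -Name $name -ErrorAction SilentlyContinue
    }
    # Step (2): the fake "WINS" service, deleted only when its ImagePath is the dropped
    # file (the genuine service runs wins.exe, and a real WINS server must keep it).
    $winsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WINS'
    $img = (Get-ItemProperty -Path $winsKey -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
    if ($img -match '\\system32\\wins\s*$' -and $PSCmdlet.ShouldProcess($winsKey, 'remove fake WINS service')) {
        Stop-Service -Name 'WINS' -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $winsKey -Recurse -Force
    }

    # Step (3): restore the .txt handler to Notepad as REG_EXPAND_SZ and drop the
    # application key the trojan registered for itself.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command' -Name '(default)' `
        -Value '%SystemRoot%\system32\NOTEPAD.EXE %1' -Type ExpandString
    Remove-Item -Path 'HKLM:\SOFTWARE\Classes\Applications\win1ogon.exe' -Recurse -Force -ErrorAction SilentlyContinue

    # Step (5): "Remove the Folder Options menu item from the Tools menu" is stored as
    # the NoFolderOptions policy value (assumed equivalent of the gpedit.msc step).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        Remove-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" -Name 'NoFolderOptions' -ErrorAction SilentlyContinue
    }

    # Step (6): recreate the SHOWALL values from the .reg file. HKeyRoot is 0x80000001,
    # written as its signed 32-bit equivalent because DWord values are passed as Int32.
    $showAll = "$cv\Explorer\Advanced\Folder\Hidden\SHOWALL"
    if (-not (Test-Path $showAll)) { New-Item -Path $showAll -Force | Out-Null }
    $values = @{
        RegPath      = @('String', 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced')
        Text         = @('String', '@shell32.dll,-30500')
        Type         = @('String', 'radio')
        ValueName    = @('String', 'Hidden')
        HelpID       = @('String', 'shell.hlp#51105')
        CheckedValue = @('DWord', 1)
        DefaultValue = @('DWord', 2)
        HKeyRoot     = @('DWord', -2147483647)
    }
    foreach ($name in $values.Keys) {
        $kind, $data = $values[$name]
        New-ItemProperty -Path $showAll -Name $name -PropertyType $kind -Value $data -Force | Out-Null
    }

    # Steps (4) and (8): dropped files. Names that never belong are removed outright;
    # taskmgr.exe and Wpa.dbl only when their MD5 matches the sample hash.
    $sys32    = Join-Path $env:windir 'System32'
    $allUsers = $env:ALLUSERSPROFILE
    $dropped = @(
        (Join-Path $env:windir '_default'),
        (Join-Path $sys32 'wins'),
        (Join-Path $allUsers 'Application Data\Microsoft\win1ogon.exe'),
        (Join-Path $allUsers 'Start Menu\Programs\Startup\svchost')
    )
    foreach ($p in $dropped) { Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue }
    $hashOnly = @((Join-Path $sys32 'taskmgr.exe'), (Join-Path $sys32 'Wpa.dbl'))
    foreach ($p in $hashOnly) {
        if ((Test-Path -LiteralPath $p) -and (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash -eq $SampleMd5) {
            Remove-Item -LiteralPath $p -Force
        }
    }
}

Repair-AutoitAbChanges -WhatIf   # preview every change; drop -WhatIf to apply
```

Because the function declares SupportsShouldProcess, -WhatIf propagates to every Remove-Item, Set-ItemProperty and New-ItemProperty it calls, so the preview lists exactly what would be changed before anything is touched; the WINS service key is the one place the script checks the current value first, since deleting a genuine WINS service on a server would be worse than the infection.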