|
该病毒使用了rootkits技术,可以从系统底层卸载杀毒软件的钩子,同时会释放自己的驱动,这样就会使杀毒软件的监控失效,无法查杀病毒。同时,病毒还会频繁查找杀毒软件的程序窗口,强行将其关闭。那些没有
使用智能主动防御技术的杀毒软件,很容易被此病毒破坏无法运行。
病毒运行后,会在C盘根目录下释放病毒驱动NetApi000.sys,该驱动用来恢复SSDT,把杀毒软件挂的钩子全部卸掉。这样,杀毒软件的很多功能将无法使用,如文件监控、注册表监控等。同时,病毒会在系统里释放smss.exe等病毒文件,实现进程保护,使杀毒软件很难彻底查杀。
除了关闭杀毒软件之外,磁碟机病毒还会从http://**.c0mo.com、http://**.k0102.com等网站下载数十个木马盗号病毒,试图窃取用户的网游账号装备、网银密码等私密信息。
据病毒专家分析,近日大规模爆发的磁碟机病毒,是经过精心准备和充分预谋的,这的确为我们带来了很多的麻烦。不过,知己知彼方能百战不殆,面对来势汹汹的病毒,只有尽快的了解它,才能尽快的破解它。
技术细节
已发现: 2007 年 11 月 29 日
更新: 2007 年 12 月 19 日 7:51:47 AM
类型: Worm
感染长度: 45,056 字节;9,397 字节。
受影响的系统: Windows 98, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
该蠕虫执行时,它会创建下列文件:
%System%\Com\lsass.exe (W32.Pagipef.I!inf)
%System%\Com\netcfg.000
%System%\Com\netcfg.dll
%System%\Com\smss.exe
然后,该蠕虫会创建下列注册表子项:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1
接着,其会删除下列注册表子项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
然后,该蠕虫会修改下列注册表项:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "91"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"Type" = "72 00 61 00 64 00 69 00 6F 00 00 00 6F 00 78 00 00 00 00 00 62 00 00 00 6F 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 27 00 EB 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00 0A 00 00 00 58 00 01 00 08 00 01 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 27 00 EB 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00 14 00 00 00 22 00 01 00 08 00 01 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 27 00 EB 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00 1E 00 00 00 2C 00 01 00 08 00 01 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\"409" = "Controls safely scriptable!"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\"409" = "Controls safely initializable from persistent data!"
该蠕虫会随着下列文件,通过将自身复制到本地和可移动驱动器 C 至 F:[DRIVELETTER]:\pagefile.pif
其还会创建下列文件,以便其可以在发生任何驱动器访问操作时执行:[DRIVELETTER]:\autorun.inf
该蠕虫会感染具有下列脚本标记的 RAR 存档文件中包含的 HTML 文件:
上述标记可能会链接到潜在恶意代码。
受感染的 HTML 文件会重新插入 RAR 存档文件,并且不会压缩该 HTML 文件。
接下来,该蠕虫会结束含有下列字符串的任何进程:
asm
ida
softice
ollydbg
metapad
mozillauiwindowclass
ieframe
cabinetwclass
360
然后,其会联系使用隐藏的 Internet Explorer 实例的下列网站:http://js.k0102.com/ad.asp
该蠕虫还会尝试通过发布下列命令重新启动计算机:shutdown -r -t 0
该蠕虫还会感染受感染计算机上的可执行文件。
描述者: Stephen Doherty
(计世网整理)
|
