19.exe / pagefile.pif removal: the pagefile.pif virus and auto.inf

Posted: 2021-05-19 19:33
File: 19.exe
Size: 33495 bytes
File version: 0.00.0204
Modified: 2007-12-29 21:23:18
MD5: 4B2BE9775B6CA847FB2547DD75025625
SHA1: 2660F88591AD4DA8849A3A56F357E7DFB9694D45
CRC32: 2A485241
Written in: VB

Behaviour

1. When run, the virus drops the following copies and files:
    %systemroot%\Debug\DebugProgram.exe
    %systemroot%\system32\command.pif
    %systemroot%\system32\dxdiag.com
    %systemroot%\system32\finder.com
    %systemroot%\system32\MSCONFIG.COM
    %systemroot%\system32\regedit.com
    %systemroot%\system32\rundll32.com
    %systemroot%\1.com
    %systemroot%\ExERoute.exe
    %systemroot%\explorer.com
    %systemroot%\finder.com
    %systemroot%\SERVICES.EXE
    D:\autorun.inf
    D:\pagefile.pif

2. It elevates its own privileges and tries to terminate any process whose name contains one of the following keywords:
    360tray* ravmon* ccenter* trojdie* kpop* ssistse* agentsvr* kv* kreg* iefind* iparmor* uphc* rulewize* fygt* rfwsrv* rfwma* trojan* svi.exe

3. It tampers with a large number of file associations so that opening those file types launches the virus:
    HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
    HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\: ""C:\Program Files\Internet Explorer\iexplore.com""
    HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\explorer.com"
    HKLM\SOFTWARE\Classes\dunfile\shell\open\command\: "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
    HKLM\SOFTWARE\Classes\htmlfile\shell\print\command\: "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
    HKLM\SOFTWARE\Classes\inffile\shell\Install\command\: "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
    HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\: "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1" (so even opening a file of unknown type launches the virus, ugh...)
    HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command\: ""C:\Program Files\common~1\iexplore.pif"" (changes which file the Start menu's Internet Explorer entry points to)
    HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.com appwiz.cpl,NewLinkHere %1"
    HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
    HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command\: "rundll32.com shell32.dll,Control_RunDLL "%1",%*"
    HKLM\SOFTWARE\Classes\ftp\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
    HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.com" -nohome"
    HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\common~1\iexplore.pif" %1"
    HKLM\SOFTWARE\Classes\HTTP\shell\open\command\: ""C:\Program Files\common~1\iexplore.pif" -nohome"
    HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: "finder.com shdocvw.dll,OpenURL %l"
    HKLM\SOFTWARE\Classes\scrfile\shell\install\command\: "finder.com desk.cpl,InstallScreenSaver %l"
    HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\: ""C:\WINDOWS\system32\finder.com" C:\WINDOWS\system32\scrobj.dll,GenerateTypeLib "%1""
    HKLM\SOFTWARE\Classes\telnet\shell\open\command\: "finder.com url.dll,TelnetProtocolHandler %l"
    HKLM\SOFTWARE\Clients\StartMenuInternet\: "iexplore.pif"
    ...
   It also adds a new file class, winfiles, that points to C:\WINDOWS\ExERoute.exe, and hijacks the .exe association itself:
    HKLM\SOFTWARE\Classes\.exe\: "winfiles"

4. It changes the Shell value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to "Explorer.exe 1".

5. It connects to the network and steals account names and passwords for online games such as 传奇世界.

Removal procedure

1. Unpack IceSword, rename Icesword.exe to Icesword.com, and run it. In the Processes tab, terminate %systemroot%\SERVICES.EXE. Then use the Files button in the lower left to delete the following files:
    %systemroot%\Debug\DebugProgram.exe
    %systemroot%\system32\command.pif
    %systemroot%\system32\dxdiag.com
    %systemroot%\system32\finder.com
    %systemroot%\system32\MSCONFIG.COM
    %systemroot%\system32\regedit.com
    %systemroot%\system32\rundll32.com
    %systemroot%\1.com
    %systemroot%\ExERoute.exe
    %systemroot%\explorer.com
    %systemroot%\finder.com
    %systemroot%\SERVICES.EXE
    D:\autorun.inf
    D:\pagefile.pif

2. Rename SREng to a .bat extension, run it, and use System Repair - File Associations - Repair.

3. Repair the system: open the system drive, run %systemroot%\system32\regedit.exe directly, and restore the registry values the virus modified:
    HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"
    HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
    HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command\: "rundll32.exe shell32.dll,Control_RunDLL "%1",%*"
    HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
    HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
    HKLM\SOFTWARE\Classes\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
    HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: "rundll32.exe shdocvw.dll,OpenURL %l"
    HKLM\SOFTWARE\Classes\scrfile\shell\install\command\: "rundll32.exe desk.cpl,InstallScreenSaver %l"
    HKLM\SOFTWARE\Classes\telnet\shell\open\command\: "rundll32.exe url.dll,TelnetProtocolHandler %l"
    HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\Explorer.exe"
    HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\: ""C:\Program Files\Internet Explorer\iexplore.exe""
    HKLM\SOFTWARE\Classes\dunfile\shell\open\command\: "%SystemRoot%\system32\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"
    HKLM\SOFTWARE\Classes\htmlfile\shell\print\command\: "rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
    HKLM\SOFTWARE\Classes\inffile\shell\Install\command\: "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
    HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\: "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
   Delete the entire HKLM\SOFTWARE\Classes\winfiles subkey.
   Set the Shell value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon back to Explorer.exe.
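As an added example (not part of the original post), the following Python script parses a regedit export and flags the association hijacks and the Winlogon Shell change described above, using the clean values from the restore list as the baseline; the sample export and the "exefile" default for .exe are assumptions, not taken from the page.

```python
import re
# Constructed "regedit /e" export (made-up test data): three entries hijacked as the
# analysis above describes (.exe class, .lnk ShellNew, Winlogon Shell) and one clean.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="winfiles"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew]
"Command"="rundll32.com appwiz.cpl,NewLinkHere %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command]
@="rundll32.exe url.dll,TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
'''
# Clean data from the restore list above; "exefile" for .exe is the standard
# Windows default (an assumption here, since the page does not spell it out).
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe", "@"): "exefile",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew", "Command"):
        "rundll32.exe appwiz.cpl,NewLinkHere %1",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command", "@"):
        "rundll32.exe url.dll,TelnetProtocolHandler %l",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell"): "Explorer.exe",
}
# Names the sample drops or points associations at (from the analysis above).
DROPPED = ("rundll32.com", "finder.com", "explorer.com", "iexplore.com",
           "iexplore.pif", "ExERoute.exe", "winfiles")

def parse_reg(text):
    """Return {(key, value_name): data} for the string values in a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$', line)):
            name = "@" if m.group(1) == "@" else m.group(2)
            entries[(key, name)] = re.sub(r'\\(.)', r'\1', m.group(3))  # undo \" and \\
    return entries

def find_hijacks(entries):
    """Flag values that differ from the clean baseline or reference a dropped file."""
    findings = []
    for (key, name), data in entries.items():
        clean = EXPECTED.get((key, name))
        if clean is not None and data.lower() != clean.lower():
            findings.append((key, name, data, f"expected {clean!r}"))
        elif any(tok.lower() in data.lower() for tok in DROPPED):
            findings.append((key, name, data, "references a file dropped by the virus"))
    return findings

if __name__ == "__main__":
    for key, name, data, why in find_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name} = {data!r}  <- {why}")
```

On a real machine, feed it the output of `regedit /e` (decoded from UTF-16) instead of the constructed sample; the telnet entry shows that a value matching the clean baseline is not flagged.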