[getter]

這一次 kavo.exe & ntdelect.com 病毒，跟大多數 USB 病毒一樣
除了用 USB 傳染外，亦可利用網路傳播(廢話)

想必也有不少人像我一樣中獎

不過此次的病毒目前，暫時無防毒軟體可以有效防堵。多數只能使用解毒器
或是手動解毒。

經過明察暗訪 + 本人給他中毒來研究，確定一些此次病毒檔名及所在及部份行為
再此篇說明讓大家研究看看。


檔案部份：
-----------------------------------------------------------
1.除了網路磁碟機外，會在每個可以有效寫入的磁碟機代號的 \ 處寫入
autorun.inf、ntdelect.com 兩個檔案，並將檔案屬性設定成唯讀、
隱藏、系統。病毒檔 ntdelect.com 與 XP 系統檔 ntdetect.com 檔
名類似。中間的 l 與 t 僅一個字母的差異。誤刪系統檔的話會不斷重新
開機。

檔名小寫時
病毒檔 ntdelect.com
系統檔 ntdetect.com

檔名大寫時
病毒檔 NTDELECT.COM
系統檔 NTDETECT.COM

2.在 C:\Winddows\System32 中，留下兩個駐留檔案，分別是 kavo.exe、
kavo0.dll 兩個檔案，並將檔案屬性設定成唯讀、隱藏、系統。
那個 KAVO.EXE 則是仿知名的防毒軟體 KAV 而來，實際上防毒軟體 KAV 的
執行檔不見得就市 KAV.EXE 而是其他的檔名。


3.被 AVAST 防毒軟體，捕捉到的 C:\Winddows\System32\wincab.sys ，
若是沒有做處理則該黨會自動消失，所以是短暫的任務檔，要是讓防毒軟體去
處理它時，會不斷出現。檔案屬性為保存。

4.在 Winddows\Prefetch 中也有 NTDELECT.COM-16A3E489.pf 的檔案。
檔案屬性為保存。

5.網路上指出的變種或攔截到的檔案：

C:\Winddows\system32\fly32.dll
C:\Winddows\system32\poor32.dll
C:\Winddows\system32\kavo1.dll
C:\Winddows\system32\kav0.dll
C:\Winddows\system32\kav1.dll


-----------------------------------------------------------
登錄檔機碼的部份，我只能列出容易判斷的部份，應該還是有不易判斷的方

共同項目：

語法:

1.把可以檢視隱藏的的功能關閉。
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000 // 原本為 1 改成 0


2.增加機碼 LEGACY_TRLMNCZQ，不知道做啥用途。
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRLMNCZQ]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRLMNCZQ\0000]
"Service"="trlmnczq"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="trlmnczq"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRLMNCZQ\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="trlmnczq"


3.讓病毒開機自動執行。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"


4.在 MUICache 中留下紀錄。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\kavo.exe"="kavo"
"C:\\ntdelect.com"="ntdelect" ---> 有效寫入的磁碟機所在越多則越多
"D:\\ntdelect.com"="ntdelect" ---> 有效寫入的磁碟機所在越多則越多


5.在 MountPoints2 機碼中的 C、D、E … 留下紀錄(磁碟機代號越多該機碼就越多)，C 代表 C:，依此類推。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="C:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
@="C:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
@="C:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Default]
@="1"

在來是每台電腦的某個特定機碼，數值均不同：

語法:

6.在機碼 {8603ec90-621d-11dc-86c0-00c1260a8394} 中紀錄，每台電腦的該項機碼，數值均不同。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
  5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,\
  01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,00,00,10,00,00,09,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun\command]
@="G:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore\Command]
@="G:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Command]
@="G:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Default]
@="1"



在 S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx 中留下串改或記錄，每組 xxx 均相同，但每台電腦不同 

7.病毒加入的，應該也是用在遮蔽隱藏檔不給看
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000   
                     

8.讓病毒開機以某個身份自動執行。
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Run] 
"kava"="C:\\WINDOWS\\system32\\kavo.exe"


9.在以某個身份機碼 {8603ec90-621d-11dc-86c0-00c1260a8394} 中紀錄
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
  5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,\
  01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,00,00,10,00,00,09,00,00,00

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell]
@="Open"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun]
"Extended"=""

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun\command]
@="G:\\ntdelect.com"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore]

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore\Command]
@="G:\\ntdelect.com"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open]

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Command]
@="G:\\ntdelect.com"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Default]
@="1" 


10.在以某個身份 MountPoints2 機碼中的 C、D、E … 留下紀錄(磁碟機代號越多該機碼就越多)，C 代表 C:，依此類推。
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell]
@="Open"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun]
"Extended"=""

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="C:\\ntdelect.com"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore]

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
@="C:\\ntdelect.com"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open]

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
@="C:\\ntdelect.com"

[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Default]
@="1"

註：由於登錄檔的機碼被修改，其中較明顯的為檔案總管的檢視隱藏檔的功能被關閉了。

以上就是目前分析出來的狀況，光用殺毒器、殺毒批次黨可能清不完全，建議需使用 Sysdoctor 或 Windoctor
或 CCleaner 之類的軟體作登錄檔檢查。因為手動作太累人了。