| getter |
2007-09-15 09:29 PM |
有關於 kavo.exe & ntdelect.com 病毒
這一次 kavo.exe & ntdelect.com 病毒,跟大多數 USB 病毒一樣
除了用 USB 傳染外,亦可利用網路傳播(廢話) :on_51:
想必也有不少人像我一樣中獎 :on_67:
不過此次的病毒目前,暫時無防毒軟體可以有效防堵。多數只能使用解毒器
或是手動解毒。
經過明察暗訪 + 本人給他中毒來研究,確定一些此次病毒檔名及所在及部份行為
再此篇說明讓大家研究看看。
檔案部份:
-----------------------------------------------------------
1.除了網路磁碟機外,會在每個可以有效寫入的磁碟機代號的 \ 處寫入
autorun.inf、ntdelect.com 兩個檔案,並將檔案屬性設定成唯讀、
隱藏、系統。病毒檔 ntdelect.com 與 XP 系統檔 ntdetect.com 檔
名類似。中間的 l 與 t 僅一個字母的差異。誤刪系統檔的話會不斷重新
開機。
檔名小寫時
病毒檔 ntdelect.com
系統檔 ntdetect.com
檔名大寫時
病毒檔 NTDELECT.COM
系統檔 NTDETECT.COM
2.在 C:\Winddows\System32 中,留下兩個駐留檔案,分別是 kavo.exe、
kavo0.dll 兩個檔案,並將檔案屬性設定成唯讀、隱藏、系統。
那個 KAVO.EXE 則是仿知名的防毒軟體 KAV 而來,實際上防毒軟體 KAV 的
執行檔不見得就市 KAV.EXE 而是其他的檔名。
3.被 AVAST 防毒軟體,捕捉到的 C:\Winddows\System32\wincab.sys ,
若是沒有做處理則該黨會自動消失,所以是短暫的任務檔,要是讓防毒軟體去
處理它時,會不斷出現。檔案屬性為保存。
4.在 Winddows\Prefetch 中也有 NTDELECT.COM-16A3E489.pf 的檔案。
檔案屬性為保存。
5.網路上指出的變種或攔截到的檔案:
C:\Winddows\system32\fly32.dll
C:\Winddows\system32\poor32.dll
C:\Winddows\system32\kavo1.dll
C:\Winddows\system32\kav0.dll
C:\Winddows\system32\kav1.dll
-----------------------------------------------------------
登錄檔機碼的部份,我只能列出容易判斷的部份,應該還是有不易判斷的方
共同項目:
語法:
1.把可以檢視隱藏的的功能關閉。
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000 // 原本為 1 改成 0
2.增加機碼 LEGACY_TRLMNCZQ,不知道做啥用途。
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRLMNCZQ]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRLMNCZQ\0000]
"Service"="trlmnczq"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="trlmnczq"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TRLMNCZQ\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="trlmnczq"
3.讓病毒開機自動執行。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"
4.在 MUICache 中留下紀錄。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\kavo.exe"="kavo"
"C:\\ntdelect.com"="ntdelect" ---> 有效寫入的磁碟機所在越多則越多
"D:\\ntdelect.com"="ntdelect" ---> 有效寫入的磁碟機所在越多則越多
5.在 MountPoints2 機碼中的 C、D、E … 留下紀錄(磁碟機代號越多該機碼就越多),C 代表 C:,依此類推。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell]
@="Open"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun]
"Extended"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="C:\\ntdelect.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
@="C:\\ntdelect.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
@="C:\\ntdelect.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Default]
@="1"
在來是每台電腦的某個特定機碼,數值均不同:
語法:
6.在機碼 {8603ec90-621d-11dc-86c0-00c1260a8394} 中紀錄,每台電腦的該項機碼,數值均不同。
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,\
01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,09,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell]
@="Open"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun]
"Extended"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun\command]
@="G:\\ntdelect.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore\Command]
@="G:\\ntdelect.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Command]
@="G:\\ntdelect.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Default]
@="1"
在 S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx 中留下串改或記錄,每組 xxx 均相同,但每台電腦不同
7.病毒加入的,應該也是用在遮蔽隱藏檔不給看
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
8.讓病毒開機以某個身份自動執行。
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"
9.在以某個身份機碼 {8603ec90-621d-11dc-86c0-00c1260a8394} 中紀錄
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,\
01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,09,00,00,00
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell]
@="Open"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun]
"Extended"=""
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\AutoRun\command]
@="G:\\ntdelect.com"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore]
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\explore\Command]
@="G:\\ntdelect.com"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open]
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Command]
@="G:\\ntdelect.com"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8603ec90-621d-11dc-86c0-00c1260a8394}\Shell\open\Default]
@="1"
10.在以某個身份 MountPoints2 機碼中的 C、D、E … 留下紀錄(磁碟機代號越多該機碼就越多),C 代表 C:,依此類推。
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell]
@="Open"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun]
"Extended"=""
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="C:\\ntdelect.com"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore]
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
@="C:\\ntdelect.com"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open]
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
@="C:\\ntdelect.com"
[HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Default]
@="1"
註:由於登錄檔的機碼被修改,其中較明顯的為檔案總管的檢視隱藏檔的功能被關閉了。
以上就是目前分析出來的狀況,光用殺毒器、殺毒批次黨可能清不完全,建議需使用 Sysdoctor 或 Windoctor
或 CCleaner 之類的軟體作登錄檔檢查。因為手動作太累人了。 |
