Basic Information
Virus name: W32/Bagle.FC-mm
Type: Trojan; Length: 35307; Threat level: 2
Other aliases: Email-Worm.Win32.Bagle.fc (KAV), WORM_BAGLE.FC (Trend), W32.Beagle.DU (Norton)
Affected systems: Windows 98/Me, Windows 2000, Windows XP
Symptoms
1. The system responds noticeably more slowly;
2. The following files exist:
SYSTEM\anti_troj.exe
SYSTEM\winlog.dll
SYSTEM\winlog.exe
TEMP\~{RANDOM NUMBER}.tmp
TEMP\~{RANDOM NUMBER}.exe
TEMP\~{RANDOM NUMBER+1}.tmp
TEMP\~{RANDOM NUMBER+1}.exe
Note: {RANDOM NUMBER} is a random number and {RANDOM NUMBER+1} is that number plus one, so the four temp files come in two consecutively numbered pairs; SYSTEM and TEMP stand for the Windows system folder and the temporary folder;
3. The following folder exists: SYSTEM\exefld\ ;
4. The following processes appear in the process list: winlog.exe, ~{RANDOM NUMBER+1}.exe
Behavior Analysis
1. This is a PE executable packed with Yoda's Crypter; the packed file is 35,307 bytes long;
2. It creates the following files:
SYSTEM\anti_troj.exe (a copy of TEMP\~{RANDOM NUMBER+1}.exe)
SYSTEM\winlog.dll (dropped file, detected by Fortinet as W32/Bagle.FC!tr)
SYSTEM\winlog.exe (a copy of TEMP\~{RANDOM NUMBER}.exe)
TEMP\~{RANDOM NUMBER}.tmp (0-byte clean file)
TEMP\~{RANDOM NUMBER}.exe (dropped file, detected by Fortinet as W32/Bagle.FC!tr)
TEMP\~{RANDOM NUMBER+1}.tmp (0-byte clean file)
TEMP\~{RANDOM NUMBER+1}.exe (dropped file, detected by Fortinet as W32/Bagle.Y!dldr)
Note: {RANDOM NUMBER} is a random number; the two SYSTEM executables are copies of the two dropped TEMP executables, so all of them must be removed together;
3. It creates the following registry values (Run keys, so the copies in SYSTEM are started at every logon):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"anti_troj"="SYSTEM\anti_troj.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"anti_troj"="SYSTEM\anti_troj.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"key2"="SYSTEM\winlog.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"key2"="SYSTEM\winlog.exe"
4. It terminates the following security-related processes (the same name list, which also contains DLL names such as ashShA64.dll, is reused for the file deletion in item 6):
ashAvast.exe
ashDisp.exe
ashEnhcd.exe
ashPopWz.exe
ashShA64.dll
ashSimpl.exe
ashSkPck.exe
ashWebSv.exe
AUPDATE.EXE
Avconsol.exe
avgcc.exe
AVGCMSG.DLL
avgemc.exe
AVGNT.EXE
...... (the list is long; only part of it is shown)
5. It stops the following security-related services:
alerter
AlertManger
AntiVir Service
aswUpdSv
Ati HotKey Poller
avast! Antivirus
AVEService
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
AVIRAMailService
AVIRAService
avpcc
AVUPDService
...... (the list is long; only part of it is shown)
6. It deletes files whose path contains any of the following strings:
“\ashAvast.exe”
“\ashDisp.exe”
“\ashEnhcd.exe”
“\ashPopWz.exe”
“\ashShA64.dll”
“\ashSimpl.exe”
“\ashSkPck.exe”
“\ashWebSv.exe”
“\AUPDATE.EXE”
“\Avconsol.exe”
“\avgcc.exe”
“\AVGCMSG.DLL”
“\avgemc.exe”
“\AVGNT.EXE”
“\AVSCHED32.DLL”
“\AVSCHED32.EXE”
“\Avsynmgr.exe”
“\AVWUPD32.EXE”
“\BCGCB59.dll”
“\bdmcon.exe”
“\bdnews.exe”
“\bdsubmit.exe”
“\bdswitch.exe”
“\cafix.exe”
...... (the list is long; only part of it is shown)
7. It blocks access to the following security-related domains (vendor update and reporting hosts):
upgrade.bitdefender.com
report.bitdefender.com
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
...
click.atdmt.com
clicks.atdmt.com
...... (the list is long; only part of it is shown)
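The page does not say how the domain block is implemented. The following is an added example, not part of the original write-up or of any vendor's tooling; it assumes the common hosts-file technique, in which each listed domain is pinned to a loopback or unspecified address in the hosts file (an assumption, since the page only states that the domains are blocked). It parses a constructed hosts file, reports entries for the listed domains and their subdomains and, as a generalization beyond the page's list, any name other than localhost pinned to such an address; clean_hosts returns the file with the offending lines removed.

```python
import ipaddress
from typing import Dict, Iterator, List, Tuple

# The blocked domains the page lists (only the part the page shows).
BLOCKED_DOMAINS: List[str] = [
    "upgrade.bitdefender.com", "report.bitdefender.com", "ad.fastclick.net",
    "ads.fastclick.net", "ar.atwola.com", "atdmt.com", "avp.ch", "avp.com",
    "avp.ru", "awaps.net", "banner.fastclick.net", "banners.fastclick.net",
    "ca.com", "click.atdmt.com", "clicks.atdmt.com",
]

# Constructed sample of a tampered hosts file; not captured from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example        # constructed: legitimate admin entry
127.0.0.1       upgrade.bitdefender.com
127.0.0.1       avp.com
0.0.0.0         www.avp.ru              # constructed: subdomain of a listed name
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (address, hostname, raw_line) for every active hosts entry."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = body.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:                   # one address may carry several names
            yield parts[0], name.lower(), raw


def on_watchlist(name: str, watchlist: List[str]) -> bool:
    """True if name is a listed domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def is_sinkhole(addr: str) -> bool:
    """Loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses never reach the vendor."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_entries(text: str, watchlist: List[str] = BLOCKED_DOMAINS) -> Dict[str, str]:
    """Entries that pin a domain from the page's list: {hostname: address}."""
    return {name: addr for addr, name, _ in parse_hosts(text) if on_watchlist(name, watchlist)}


def find_sinkholed_entries(text: str) -> Dict[str, str]:
    """Generalization beyond the page's list: any name except localhost pinned to a sinkhole address."""
    return {name: addr for addr, name, _ in parse_hosts(text)
            if name != "localhost" and is_sinkhole(addr)}


def clean_hosts(text: str, watchlist: List[str] = BLOCKED_DOMAINS) -> str:
    """Return the hosts file with every line that pins a watchlisted name removed."""
    bad = {raw for _, name, raw in parse_hosts(text) if on_watchlist(name, watchlist)}
    return "\n".join(line for line in text.splitlines() if line not in bad) + "\n"


if __name__ == "__main__":
    for host, ip in find_hijacked_entries(SAMPLE_HOSTS).items():
        print(f"blocked by hosts file: {host} -> {ip}")
    for host, ip in find_sinkholed_entries(SAMPLE_HOSTS).items():
        print(f"sinkholed (generic check): {host} -> {ip}")
```

On a live machine the text would be read from the hosts file under the system folder (drivers\etc\hosts); the generic sinkhole check catches vendor hosts that are not on the truncated list above, at the cost of flagging deliberate ad-blocking entries, which an administrator has to review by hand.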
8. It deletes the following security-related registry entries (given as key, value name; the last seven entries are whole keys):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
HKLM\SOFTWARE\Trend Micro
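The persistence values from item 3 and the deleted vendor keys from item 8 can both be checked offline against a registry export. The following is an added Python example, not code from the original page or from any vendor; it parses the text that a command such as reg export HKLM\SOFTWARE out.reg writes, flags Run values whose name or target matches the worm's, and reports which of the vendor keys from item 8 are absent. The .reg sample is constructed, and its full paths (C:\WINDOWS\system32) are an assumed stand-in for the page's SYSTEM placeholder. Absence of a vendor key is only suspicious when that product was actually installed, so the function reports rather than decides.

```python
import re
from typing import Dict, List, Tuple

RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
BAGLE_VALUE_NAMES = {"anti_troj", "key2"}          # value names from item 3
BAGLE_BINARIES = {"anti_troj.exe", "winlog.exe"}   # their targets
VENDOR_KEYS = [                                    # whole keys deleted per item 8
    r"HKLM\SOFTWARE\Symantec", r"HKLM\SOFTWARE\McAfee", r"HKLM\SOFTWARE\KasperskyLab",
    r"HKLM\SOFTWARE\Agnitum", r"HKLM\SOFTWARE\Panda Software", r"HKLM\SOFTWARE\Zone Labs",
    r"HKLM\SOFTWARE\Trend Micro",
]

# Constructed .reg export (not from a real host); paths are assumed stand-ins for SYSTEM.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"
"key2"="C:\\WINDOWS\\system32\\winlog.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"key2"="C:\\WINDOWS\\system32\\winlog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum]
"Installed"=dword:00000001
"""

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data (default @= values are skipped)


def _expand_hive(key: str) -> str:
    """Normalise the HKLM/HKCU shorthand the page uses to the long names .reg files use."""
    for short, long in (("HKLM\\", "HKEY_LOCAL_MACHINE\\"), ("HKCU\\", "HKEY_CURRENT_USER\\")):
        if key.upper().startswith(short):
            return long + key[len(short):]
    return key


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key (lower-case): {value name: data}}; string data is unescaped, other types kept raw."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _expand_hive(line[1:-1]).lower()
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE.match(line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                reg[current][name] = data
    return reg


def find_persistence(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run values matching the worm by value name or by target file name."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            exe = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name.lower() in BAGLE_VALUE_NAMES or exe in BAGLE_BINARIES:
                hits.append((key, name, data))
    return hits


def missing_vendor_keys(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Vendor keys from item 8 that do not appear in the export."""
    return [k for k in VENDOR_KEYS if _expand_hive(k).lower() not in reg]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for key, name, data in find_persistence(parsed):
        print(f"persistence: {key}\\{name} = {data}")
    print("vendor keys absent:", missing_vendor_keys(parsed))
```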
Removal
1. Terminate the virus-related processes (winlog.exe, ~{RANDOM NUMBER+1}.exe and, if it is running, the Run-key copy anti_troj.exe) before touching the files, since Windows will not delete an executable that is still running;
2. Delete the following files, together with the folder SYSTEM\exefld\ listed under Symptoms:
SYSTEM\anti_troj.exe
SYSTEM\winlog.dll
SYSTEM\winlog.exe
TEMP\~{RANDOM NUMBER}.tmp
TEMP\~{RANDOM NUMBER}.exe
TEMP\~{RANDOM NUMBER+1}.tmp
TEMP\~{RANDOM NUMBER+1}.exe
3. Delete the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"anti_troj"="SYSTEM\anti_troj.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"anti_troj"="SYSTEM\anti_troj.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"key2"="SYSTEM\winlog.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"key2"="SYSTEM\winlog.exe"
4. Undo the damage described in items 4 to 8 of the behavior analysis: restore access to the blocked domains, and repair or reinstall the security products whose files, services and registry keys the worm removed, since they will not protect the machine again on their own.
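The procedure above, as an added Python example that is not part of the original page or of any vendor's tool: it takes listings of the system and temp folders and a process list (constructed samples below; on a live host they would come from os.listdir and the output of tasklist), resolves the {RANDOM NUMBER} placeholders from the Symptoms section by finding the ~N.tmp/~N.exe and ~N+1.tmp/~N+1.exe quartet, and emits the removal steps in the order above: terminate, then files, then registry. It deletes nothing itself; the caller applies the plan. The SYSTEM and TEMP prefixes are kept as the page writes them, and the legitimate-looking ~DF3C1A.tmp in the sample shows that only decimal ~N names are matched.

```python
import re
from typing import Dict, List, Tuple

TMP_PATTERN = re.compile(r"^~(\d+)\.(tmp|exe)$", re.IGNORECASE)
STATIC_SYSTEM_FILES = ["anti_troj.exe", "winlog.dll", "winlog.exe"]
DROP_FOLDER = "exefld"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = [("HKLM", "anti_troj"), ("HKCU", "anti_troj"), ("HKLM", "key2"), ("HKCU", "key2")]

# Constructed sample snapshots; not taken from a real infection.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "winlog.exe", "winlog.dll", "anti_troj.exe", "exefld"]
SAMPLE_TEMP_DIR = ["~4711.tmp", "~4711.exe", "~4712.tmp", "~4712.exe", "~DF3C1A.tmp", "report.txt"]
SAMPLE_PROCESSES = ["explorer.exe", "winlog.exe", "~4712.exe", "notepad.exe"]


def _index_temp(temp_listing: List[str]) -> Dict[Tuple[int, str], str]:
    """Map (N, extension) to the original file name for every ~N.tmp / ~N.exe entry."""
    idx = {}
    for name in temp_listing:
        m = TMP_PATTERN.match(name)
        if m:
            idx[(int(m.group(1)), m.group(2).lower())] = name
    return idx


def find_dropper_pairs(temp_listing: List[str]) -> List[int]:
    """Numbers N for which ~N.tmp, ~N.exe, ~N+1.tmp and ~N+1.exe are all present."""
    idx = _index_temp(temp_listing)
    complete = {n for (n, _) in idx if (n, "tmp") in idx and (n, "exe") in idx}
    return sorted(n for n in complete if n + 1 in complete)


def build_removal_plan(system_listing: List[str], temp_listing: List[str], processes: List[str],
                       system_dir: str = "SYSTEM", temp_dir: str = "TEMP") -> Dict[str, object]:
    """Resolve the page's placeholders against real listings and order the removal steps."""
    idx = _index_temp(temp_listing)
    pairs = find_dropper_pairs(temp_listing)
    present = {f.lower(): f for f in system_listing}

    delete_files = [f"{system_dir}\\{present[f]}" for f in STATIC_SYSTEM_FILES if f in present]
    delete_dirs = [f"{system_dir}\\{present[DROP_FOLDER]}"] if DROP_FOLDER in present else []
    # winlog.exe is listed as running; anti_troj.exe is the Run-key copy and runs after a reboot.
    kill = {"winlog.exe", "anti_troj.exe"}
    for n in pairs:
        for k in (n, n + 1):
            for ext in ("tmp", "exe"):
                path = f"{temp_dir}\\{idx[(k, ext)]}"
                if path not in delete_files:
                    delete_files.append(path)
        kill.add(idx[(n + 1, "exe")].lower())     # the ~N+1.exe process from the Symptoms section

    infected = bool(pairs) or any(f in present for f in STATIC_SYSTEM_FILES)
    return {
        "infected": infected,
        "terminate": [p for p in processes if p.lower() in kill],         # step 1
        "delete_files": delete_files,                                      # step 2
        "delete_dirs": delete_dirs,
        "delete_registry_values": [f"{hive}\\{RUN_KEY}\\{name}" for hive, name in RUN_VALUES]
        if infected else [],                                               # step 3
    }


if __name__ == "__main__":
    plan = build_removal_plan(SAMPLE_SYSTEM_DIR, SAMPLE_TEMP_DIR, SAMPLE_PROCESSES)
    for step in ("terminate", "delete_files", "delete_dirs", "delete_registry_values"):
        print(step, plan[step])
```

Because the tmp/exe quartet is what ties the random numbers to this worm, a lone ~N.tmp is not treated as evidence; if the temp folder has already been cleaned the static SYSTEM files alone still mark the host as infected and the registry step is still emitted.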
(Reposted) Virus information no. 7: the winlog.exe process virus