Thread starter: liumtz
[Virus sample] Suddenly found viruses all over my workplace; posting two at random to see if anyone has run into them before!

liumtz
Thread starter | Posted 2017-6-20 16:07:50
aboringman posted on 2017-6-20 14:14:
Trend Micro kills xp-D41D8CD9.EXE and flags it as WORM_FLYSTUDI.B [a worm, possibly spread via USB drives; my own guess]

xp.EXE runs ...

I just took a closer look at that XP.EXE: it's a normal work program used by their department. All I can say is it's really shoddily made...
aboringman
Posted 2017-6-20 16:21:50
liumtz posted on 2017-6-20 16:07:
I just took a closer look at that XP.EXE: it's a normal work program used by their department. All I can say is it's really shoddily made...

So that's what it was.
tg123321
Posted 2017-6-20 18:49:22
liumtz posted on 2017-6-20 12:49:
The first one is a suspected virus, but the second is definitely a virus: once extracted it is plainly an executable, yet its icon is disguised as a folder icon and it is set to read-only ...

Dude, there was no second one when I replied.
ELOHIM
Posted 2017-6-20 21:49:37
Microsoft MISSES the first one | The second one is flagged as: Worm:Win32/Nuj.A
Threat behavior
Worm:Win32/Nuj.A is a worm that copies itself to fixed, removable or network drives. Some variants of this worm may also terminate antivirus-related processes.
Installation
When run, Win32/Nuj.A may drop a copy of itself as '<system folder>\jun.exe', and then modify the registry to execute its copy at each Windows start.

Adds value: "jun"
With data: "<system folder>\jun.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Next, the worm opens another window showing the directory where the malware was executed. This action is a trick to make a user believe the drive was actually opened, instead of the malware being executed. It may also drop the following non-malicious data files:
<system folder>\oeminfo.ini - configuration file
<system folder>\oemlogo.bmp - picture file

Lastly, the worm modifies the file attributes of the dropped data files to 'read-only', 'system', 'hidden' and 'archive'.
Spreads Via…
Fixed, Removable & Network Drives
Win32/Nuj attempts to copy itself to drives, either fixed, removable or networked, on the affected machine. The worm copies itself as 'jun.exe'.

Upon copying itself to a drive, the worm creates a file named 'autorun.inf' in the root of the drive.
The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Payload
Disables Viewing Hidden Folders
Win32/Nuj may disable viewing hidden file folders by modifying registry data.

Modifies value: CheckedValue
With data: "0"
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll

Terminates Processes
Some variants of this worm may terminate the following processes related to antivirus software:
ravmon.exe
kav.exe
avp.exe

Downloads and Executes Arbitrary Files
Other variants connect to remote sites to download arbitrary files, including updates or additional components.

Analysis by Elda Dimakiling
Prevention

Take these steps to help prevent infection on your computer.
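The indicators in the Microsoft write-up ELOHIM quoted (the "jun" value under the Run key pointing at jun.exe, the CheckedValue change under Hidden\ShowAll, and the autorun.inf dropped at each drive root) can be checked offline against a registry export and collected autorun.inf files. The script below is an added example, not code from the thread or from Microsoft. The .reg export and the two autorun.inf files are constructed to match the write-up; the benign autorun.inf, which only sets an icon and a label, illustrates its caveat that such files are also used by legitimate install CDs, so only directives that actually execute a program (open, shellexecute, shell\<verb>\command) are reported.

```python
"""Offline triage for the Win32/Nuj indicators quoted above.

Added example (not from the thread or Microsoft). Inputs are constructed:
on a real host they would come from `reg export <key> file.reg` and from
the autorun.inf found at each drive root.
"""
import configparser
import ntpath
import re

# Run key and the Explorer "show hidden files" key named in the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\ShowAll")
DROPPED_NAME = "jun.exe"

# [autorun] directives that run a program when the drive is opened.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def autorun_findings(text):
    """Return (key, value) pairs in an autorun.inf that execute a program.

    An empty list means only icon/label style keys were present, which is
    consistent with a legitimate install CD, as the write-up cautions.
    """
    # configparser lowercases option names, which matches Windows' handling.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    return [(key, value.strip()) for key, value in cp.items(section)
            if key in EXEC_KEYS or SHELL_CMD_RE.match(key)]


def parse_reg_export(text):
    """Minimal parser for a `reg export` file -> {key_lower: {name_lower: data}}.

    Only REG_SZ ("...") and REG_DWORD (dword:hex) are handled, which is all
    the indicators above need.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"').lower()
            if data.startswith('"'):
                # .reg files double backslashes inside string data.
                data = data.strip('"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def registry_findings(reg_text):
    """Report Run-key persistence to jun.exe and the hidden-files change."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if isinstance(data, str) and ntpath.basename(data).lower() == DROPPED_NAME:
            findings.append(f"Run value '{name}' launches {data}")
    if keys.get(SHOWALL_KEY.lower(), {}).get("checkedvalue") == 0:
        findings.append("Hidden\\ShowAll CheckedValue is 0: Explorer cannot "
                        "be switched to show hidden files")
    return findings


# Constructed samples modelled on the write-up (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"jun"="C:\\WINDOWS\\system32\\jun.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll]
"CheckedValue"=dword:00000000
'''

BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Product Install CD
"""

WORM_STYLE_AUTORUN = r"""[autorun]
open=jun.exe
shellexecute=jun.exe
shell\Auto\command=jun.exe
shell=Auto
"""

if __name__ == "__main__":
    for f in registry_findings(SAMPLE_REG):
        print("registry:", f)
    print("benign autorun.inf:", autorun_findings(BENIGN_AUTORUN))
    print("worm-style autorun.inf:", autorun_findings(WORM_STYLE_AUTORUN))
```

The registry check keys on the file name rather than the full path because the write-up only gives `<system folder>\jun.exe`, and the system folder differs between hosts; the autorun check deliberately ignores `icon`, `label` and the bare `shell=` default-verb line, since those alone do not run anything.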

Source: KaFan forum (KaFan.cn). Copyright © KaFan. Page generated GMT+8, 2024-4-24 05:07.