本帖最后由 echo_simon 于 2015-1-9 21:42 编辑
文件原名:The.Hobbit.2014.Battle.Of.The.Five.Armies.2014.HDRip.XVID.AC3.HQ.Hive-CM8.mp4
病毒文件名:The.Hobbit.2014.Battle.Of.The.Five.Armies.2014.HDRip.XVID.AC3.HQ.Hive-CM8.exe
哈希值:
MD5: 0BC3604D72F4804832898BE1F689DA33
SHA1: 847A8CE9EB581E0F699243708EA0AE549A18F876
CRC32: 20C38ACB
LZ今晨在国外网站下载霍比特人三:五军之战时遇到的一枚体积臃肿的病毒
惊闻五军之战hdrip版已经发布,遂想尝个鲜
怎奈下载下来的电影无法播放
异常的快捷方式引起了LZ注意
更改文件后缀为.exe终于原形毕露
ESET未报毒,国产金山无视之
自动将浏览器主页绑定为 http://www.surfvox.com/
C:\Users\XX\AppData
C://ProgramData
以上两个目录无法访问
在 Win PE 环境下进一步查看
C:\Users\XX\AppData\Roaming
目录下出现异常目录:
nvxasync
文件夹大小273M
C://ProgramData
Preferences 文件内容:
[mw_shl_code=css,true]{
"browser": {
"check_default_browser": false
},
"countryid_at_install": 17230,
"default_apps_install_state": 2,
"default_search_provider": {
"synced_guid": "EB135AF4-27DF-4307-96BE-6C7B06CC3F19"
},
"dns_prefetching": {
"host_referral_list": [ 2 ],
"startup_list": [ 1, "https://clients2.google.com/", "https://clients2.googleusercontent.com/" ]
},
"enhanced_bookmarks_enabled": 0,
"extensions": {
"alerts": {
"initialized": true
},
"autoupdate": {
"next_check": "13065226347577780"
},
"chrome_url_overrides": {
"bookmarks": [ "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno/main.html" ]
},
"last_chrome_version": "39.0.2171.95"
},
"intl": {
"accept_languages": "zh-CN,zh"
},
"invalidator": {
"client_id": "gPDvewZdubC1K24fzVoGmw=="
},
"media": {
"device_id_salt": "XwIbmd6wkv1GiQu+iJkBGg=="
},
"net": {
"http_server_properties": {
"servers": {
"clients2.google.com:443": {
"alternate_protocol": {
"port": 443,
"probability": 0.02,
"protocol_str": "quic"
},
"settings": {
"4": 100
},
"supports_spdy": true
},
"clients2.googleusercontent.com:443": {
"alternate_protocol": {
"port": 443,
"probability": 0.02,
"protocol_str": "quic"
},
"settings": {
"4": 100
},
"supports_spdy": true
}
},
"version": 3
}
},
"plugins": {
"migrated_to_pepper_flash": true,
"plugins_list": [ ],
"removed_old_component_pepper_flash_settings": true
},
"profile": {
"avatar_index": 26,
"content_settings": {
"clear_on_exit_migrated": true,
"pattern_pairs": {
},
"pref_version": 1
},
"exit_type": "Normal",
"exited_cleanly": true,
"managed_user_id": "",
"name": "第 1 位用户",
"per_host_zoom_levels": {
}
},
"protection": {
"macs": {
"browser": {
"show_home_button": "A9E79F8C41282054D67C8502B7329FE199E9CB77339857BE973B392421643AF9"
},
"default_search_provider": {
"keyword": "D707995A5484786DC2B03F8240E88202FB0CCAD8804A14750EC7167F03E39099",
"name": "1AAA4FAE6EE9044BB9A11AC7E66EF3D10B6D477CE807F9236E3A78C4B74D31BF",
"search_url": "4D9ECA920D884CD6A1D8AAE637865E585A8E8EF06E3147751D89ED2A2AB2DFDC"
},
"default_search_provider_data": {
"template_url_data": "5F0F14F90D8AC31E1FCB54CB37267D0D92352EE264A8949760095AA3EDB3730A"
},
"google": {
"services": {
"last_username": "1F945CEA5C86D0F718DE99F33F86ED9BDDF4C166A16D54838336713EDD1E8456"
}
},
"homepage": "36BDB0D8E4E2A1EB21A69A9DC342F990F3EA4EFA6695179A86E09082C0963657",
"homepage_is_newtabpage": "FCE65A0F25F918A9434CCEAB38986DA686B0FC5EA09FE3ECAD0D8B69018C031C",
"pinned_tabs": "B6EA3FC00BEBF49D3BA7E87A5942C90A9636C5BDD9E2371E6122AE509BCF1D98",
"prefs": {
"preference_reset_time": "AFD83C0CEF88B82EC23243860B6B18D7A9FEA143DAFFDC3AA02A55D06B489037"
},
"profile": {
"reset_prompt_memento": "8F8A688A87ACA7AF1FD545BD01FD1DDCF6CCFA99CD1EFE8E44C040D5663E34D4"
},
"safebrowsing": {
"incident_report_sent": "8C5763FBE1DEC63ED5265AAEDD7470CD1B82A26F72464FA9891F2A270A48A747",
"incidents_sent": "2C4EA80C6A800CBC743FB760C258FBC76702B4CC8E9228D9870F4A0507166F8D"
},
"search_provider_overrides": "5935EF2784813F15076CA3C3F52FF6A68186C2227A47B652B613A32034228A00",
"session": {
"restore_on_startup": "9501668FFD36079CEAD42DD5BDBEAFB2190CA0E9692FCFD490A9D772DF872D58",
"startup_urls": "B8488C08893C8E9CF31F3D901F9E27D12EB19EEC769AD5DC48D5554E19E4A71C"
},
"software_reporter": {
"prompt_reason": "B8F52714A7B308209DFBE28DABB8C5C8E0AF64EFE281F8CDFF8D9EFD2121669E",
"prompt_version": "BEA5B5FBCC6ADCB26D920D200D5977BD130724C039EDD7CD5770E9B354B84509"
},
"sync": {
"remaining_rollback_tries": "CB0473EE453BE51044B2ACF6A45CDE6EC4E34CF836F617B5EDCBA4E9009F18E5"
}
}
},
"proxy": {
"bypass_list": "",
"mode": "system",
"server": ""
},
"session": {
"restore_on_startup_migrated": true,
"startup_urls_migration_time": "13065207694469870"
},
"translate_blocked_languages": [ "zh", "zh-CN" ],
"translate_whitelists": {
}
}
[/mw_shl_code]
Setting 文件内容:
[mw_shl_code=css,true][Filter]
text=@@|http://www.surfvox.com
hitCount=162
lastHit=1307396849068
[Filter]
text=@@|http://surfvox.com
hitCount=344
lastHit=1307396474934
[Filter]
text=@@|http://www.google.com
hitCount=132
lastHit=1301396849068
[Filter]
text=@@|http://google.com
hitCount=314
lastHit=1307391474934
[Filter]
text=@@|http://www.google.*
hitCount=122
lastHit=1304396849068
[Filter]
text=@@|http://google.*
hitCount=324
lastHit=1307346474934
[Subscription filters]
@@|http://www.surfvox.com
@@|http://surfvox.com
@@|http://www.google.com
@@|http://google.com
@@|http://www.google.*
@@|http://google.*
[/mw_shl_code]
prefs.js 文件内容:
[mw_shl_code=css,true]user_pref("browser.startup.homepage", "http://www.surfvox.com");
// Startup homepage is pointed at surfvox.com, the same domain the post reports as the forced homepage.
user_pref("browser.search.defaultenginename", "SurfVox");
// Both the default search engine and the currently selected one are set to "SurfVox".
user_pref("browser.search.selectedEngine", "SurfVox");
// NOTE(review): search-engine updating is switched off here, presumably so the injected
// engine is not replaced by an update — confirm against the search-engine files in the profile.
user_pref("browser.search.update", false);
user_pref("browser.search.useDBForOrder", true);
// NOTE(review): the next two calls carry only a pref name and no value; user_pref()
// normally takes (name, value), so these lines are either truncated in the paste
// or malformed in the file itself.
user_pref("extensions.lastAppVersion");
user_pref("extensions.lastPlatformVersion");[/mw_shl_code]
任务管理器打开后立即退出
浏览器设置被重置并遭捆绑
新增三个开机自启项
下图为其MD5值
附件为原种子文件
顺便附上115网盘离线的文件
[url=115网盘礼包码:5lbat4lb64ia http://115.com/lb/5lbat4lb64ia]115网盘礼包码:5lbat4lb64ia [/url]
附上此病毒的衍生物,即病毒原体
http://pan.baidu.com/s/1qWDM1CK
目前尚未查杀此病毒,因近期比较忙,选择了重装系统,回头再补刀。