
[Virus sample] Pure repair test, a very fun sample

呼啸风影
Posted on 2015-11-23 23:22:00
Sample address: http://yunpan.cn/cK8SGpIZtkP8N  access password 8db2
(Please download and use with caution; the archive password is infected)
Try whether you can repair it; it's a fun one.
XywCloud
Posted on 2015-11-23 23:29:01
BAV repaired it successfully.
This sample has appeared before.
ELOHIM
Posted on 2015-11-23 23:37:19
This post was last edited by ELOHIM on 2015-11-23 23:48

Virus:Win32/Nakuru.A
Virus:Win32/Nakuru.A is a prepending virus that infects files with .DOC and .XLS extensions.

[mw_shl_code=css,true]Threat behavior
Virus:Win32/Nakuru.A is a prepending virus that infects files with .DOC and .XLS extensions.
Installation
Virus:Win32/Nakuru.A drops the following files, which are detected as this virus, in the system:
    <system folder>\kspoold.exe
    <system folder>\avmeter32.dll
It then installs itself as a service so that it runs every time Windows starts:
Adds value: "Type"
With data: "dword:00000110"
Adds value: "Start"
With data: "dword:00000002"
Adds value: "ErrorControl"
With data: "dword:00000001"
Adds value: "ImagePath"
With data: "%sysdir%\kspoold.exe"
Adds value: "DisplayName"
With data: "K Print Spooler"
Adds value: "ObjectName"
With data: "LocalSystem"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\kspooldaemon
The file avmeter32.dll is injected into the explorer.exe process.
Spreads Via...
File Infection
Virus:Win32/Nakuru.A infects files with .DOC and .XLS extensions.
It prepends its code to host files and changes the extension from .DOC or .XLS to .EXE.
Upon execution of a file infected with this virus,
the virus drops the two files indicated above (in the Installation section)
to repeat the infection process.
It then deletes its currently running copy and drops
and runs the original clean file in the current folder.
Additional Information
Virus:Win32/Nakuru.A keeps a log of its activities in the file
%windir%\Temp\KSPOOLD.TXT.

Here is an example of what the log file may contain:

10/16/2008 3:29:06 AM - K Print Spooler Service starting...
10/16/2008 3:29:06 AM - Scanner for drive C has been created and started
10/16/2008 3:29:06 AM - Scanner for drive D has been created and started
10/16/2008 3:29:06 AM - Scanner for drive E has been created and started
10/16/2008 3:29:06 AM - Scanner for drive F has been created and started
10/16/2008 3:29:06 AM - Scanner for drive G has been created and started
10/16/2008 3:29:06 AM - Scanner for drive H has been created and started
10/16/2008 3:29:06 AM - Scanner for drive I has been created and started
10/16/2008 3:29:06 AM - Scanner for drive J has been created and started
10/16/2008 3:29:06 AM - K Print Spooler Service started
10/16/2008 3:29:06 AM - Guardian process not exists, try create it
10/16/2008 3:29:06 AM - Explorer found (HWND: 65664) injecting it
10/16/2008 3:29:06 AM - Mencari di folder C:\
10/16/2008 3:29:06 AM - Guardian process created
10/16/2008 3:29:07 AM - Mencari di folder C:\Documents and Settings

Analysis by Francis Allan Tan Seng
Symptoms
System Changes
The following system changes may indicate the presence of this malware:

    The presence of the following files:
    <system folder>\kspoold.exe
    <system folder>\avmeter32.dll
    The presence of the following service:
    K Print Spooler
[/mw_shl_code]
Judging by the description, Microsoft should be able to repair it. I didn't double-click it...
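A defender-side triage for the prepending behaviour described in the write-up above, added here as an example (it is not code from the original post or from Microsoft): it checks whether an .exe carries an OLE2 compound document after its PE stub, reports where the document starts, and recovers the original .DOC/.XLS extension from the stream names in the OLE2 directory. It assumes the host document is stored verbatim after the virus body (the write-up does not say), and the sample bytes are constructed, not a real Nakuru binary.

```python
import struct
from typing import Optional

MZ_MAGIC = b"MZ"
# Header signature of an OLE2 compound file, the container behind legacy .DOC/.XLS.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_prepended_document(data: bytes) -> Optional[int]:
    """Offset at which a verbatim OLE2 document follows a PE stub, or None.

    Assumption (not stated in the write-up): the host document is stored
    unmodified after the virus body.  If it is compressed or encoded instead,
    the signature is not found and None is returned.
    """
    if len(data) < 0x44 or not data.startswith(MZ_MAGIC):
        return None
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return None                                        # not a PE file at all
    idx = data.find(OLE2_MAGIC, pe_offset + 4)
    return idx if idx != -1 else None


def guess_extension(doc: bytes) -> str:
    """Recover the original extension from the UTF-16LE stream names in the OLE2 directory."""
    if "WordDocument".encode("utf-16-le") in doc:
        return ".doc"
    if "Workbook".encode("utf-16-le") in doc or "Book".encode("utf-16-le") in doc:
        return ".xls"
    return ".bin"


def triage(data: bytes) -> dict:
    """Classify one .exe: is a document hidden inside, where, and what was it called?"""
    off = find_prepended_document(data)
    if off is None:
        return {"suspect": False}
    doc = data[off:]
    return {"suspect": True, "offset": off, "extension": guess_extension(doc), "document": doc}


# Constructed sample (not a real Nakuru binary): a minimal PE-looking stub
# followed by a fake OLE2 container whose directory names a WordDocument stream.
FAKE_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x90" * 100
FAKE_DOC = OLE2_MAGIC + b"\0" * 504 + "WordDocument".encode("utf-16-le") + b"\0" * 64
SAMPLE = FAKE_STUB + FAKE_DOC

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Writing the returned `document` bytes to a file with the guessed extension restores the host only if the verbatim-storage assumption holds; a result of `.bin` means the directory names were not found and the carve should be treated as unverified.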
aboringman
Posted on 2015-11-23 23:43:53
Trend Micro: fixes it
Threat:        PE_NAKURU.A
Source:        Virus
Affected Files:        C:\Documents …\食用油采购合同.exe
Response:        Cleaned
Detected By:        Real Time Scan
tanshi1990
Posted on 2015-11-24 00:14:45

Some problem with my Trend Micro, so it went far away from my PC.
EnZhSTReLniKoVa
Posted on 2015-11-24 02:42:16
Filseclab quarantined it on extraction

C:\Users\NatsukiHanae\Desktop\食用油采购合同.exe        Backdoor.D37A14FE1F209C15        后门        353 KB        2015年11月24日, 星期二 2:40:45
dsb2466
Posted on 2015-11-24 09:45:56
An interesting sample...
欧阳宣
Posted on 2015-11-24 12:15:47
FS quarantined it, cannot repair
毛豆新人
Posted on 2015-11-24 13:40:09
This post was last edited by 毛豆新人 on 2015-11-24 14:59

CIS quarantined it on extraction, flagged it as a backdoor, cannot repair
驭龙
Posted on 2015-11-24 14:05:05
ESET deleted and quarantined it, cannot repair, as expected all along