Thread starter: isas

[Help] The virus is hiding from Avira (小红伞)!

song-ci
Posted on 2009-4-23 12:13:04
Thread starter, upload it and we'll take a look at the results over in the sample section.
isas
Thread starter | Posted on 2009-4-23 21:26:11
I googled it and found this text:


jwgkvsq.vmx

In fact, NOD32 and Avast can both detect this virus; it is only because the virus has added a self-protection mechanism that NOD32, Avast and the other antivirus products are unable to remove it. The virus starts in one of a few ways: 1) it adds itself to the system startup items, so it runs automatically when the user logs in; 2) it modifies system files so that the system loads the virus automatically at boot; 3) it loads itself as a driver so that the system loads and runs it at boot; 4) it registers itself as a system service so that the system loads and runs it at boot. Of these, the third and fourth methods are the more covert and the harder to deal with.

I booted into Safe Mode, opened the registry and searched for jwgkvsq.vmx: nothing. That shows the virus is not invoked through a system startup item. I also noticed that in Safe Mode, after deleting the autorun.inf and RECYCLER files on the USB drive, the virus was immediately written back to the drive, so the virus must still be running in Safe Mode. Windows Safe Mode starts only the essential services and does not load third-party services or drivers, yet the virus still started, so my first guess was that it had modified system files in order to get loaded. But scanning the system with syscheck found no modified system files, which means the virus is loaded in a way I had not seen before. Even so, the loading must leave traces; the question is whether we can think of where. Hook? Rootkit? Something else?

Looking at the virus, it suddenly occurred to me: since it hides by disguising itself as a Recycle Bin, invoking it must mean finding that fake Recycle Bin. So I started from the Recycle Bin. Searching the registry for traces of the virus, I suddenly found that Recycle Bin's SID in one place (HKLM_Software_Microsoft_Windows_CurrentVersion\Installer\UserData\), containing a value reading c:\windows\system32\mmutspxi.dll, which at first glance looks like mmutilse.dll (the Microsoft multimedia control tool set). Why would a Recycle Bin be calling a multimedia control? Following it into the C: drive, I found a hidden mmutspxi.dll, right next to mmutilse.dll. Clearly this file was highly suspicious. Checking its properties, it was set as a system file and could not be deleted. I used the attrib command to strip the file's attributes, backed it up, deleted the original, and deleted all the related information from the registry. Then I rebooted.

Back in normal mode, I scanned mmutspxi.dll with NOD32, which identified it as the Conficker virus. Since the virus's load entry had been removed, it could no longer start at boot; now, after removing RECYCLER and autorun.inf from every drive, the virus was not written back to the USB drive, and a full NOD32 scan of the system found no virus files. Initial conclusion: the virus was successfully removed.


By the way, this text is from February, and as of today Avira's virus database still shows no reaction whatsoever to this virus.

[ This post was last edited by isas on 2009-4-23 21:30 ]
isas
Thread starter | Posted on 2009-4-23 21:33:44
I'll package the sample files tomorrow; since Avira can't block it, I'm a bit worried it will get activated while I'm compressing it.
isas
Thread starter | Posted on 2009-4-23 21:35:39
At some point an Autorun.vinf file that can never be deleted appeared in the root of my portable hard drive. Opening it in HexEditor, it was binary, but from the ASCII at the end you can see the string jwgkvsq.vmx. Searching online, I learned that this is a fairly new virus.

In fact, if this virus has not yet infected the system, you can boot into Safe Mode and do the following:
1. Disable the Welcome screen;
2. Disable the Recycle Bin;
3. Add the Administrators group to the RECYCLER, System Volume Information and similar folders; if that fails, remove permission inheritance and make the system administrator the owner;
4. On the Security tab of autorun.vinf, add the Administrators group;
5. Delete RECYCLER and System Volume Information, and delete the autorun.vinf file.

Below is a fairly complete guide to removing this virus that I found online:
How to remove the jwgkvsq.vmx worm virus
Posted by: Ryman in Security

The jwgkvsq.vmx is a worm-type virus, which spreads via USB/portable drives and through the network. It also makes an autorun.inf file on your USB device as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I'm not sure if this is an old virus, but it seems it's been spreading a lot lately. And most anti-virus doesn't detect this, but for those which do, they can't remove it. It is also known as:
  • W32/Confi
  • W32/Conficker.worm!inf
  • Win32/Conficker.B - CA

It exploits a Microsoft Windows vulnerability:
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

Symptoms:
  • 'Show hidden files and folders' doesn't work. You can check this by going to a folder, then click Tools, then Folder Options, then the View tab. Select 'Show hidden files and folders', then click Apply, then Ok. Open Folder Options again; if it reverted back to 'Do not show hidden files and folders', then you have this virus.
  • Every time you plug a USB device into your computer, it creates an autorun.inf file and a RECYCLER folder with the jwgkvsq.vmx virus file.
  • You can't access anti-virus websites and other popular websites like microsoft.com or yahoo.com.
  • Windows won't boot into Safe Mode. This happens in extreme cases. When you try to boot into Safe Mode, your computer restarts/shuts down.

Side-effects
  • Since this is a worm, system slowdown may (or may not) happen.
  • Quickly spreads through networked computers and USB devices. This includes flash drives, portable external hard drives, mobile phones, mp3 players, and anything that can be plugged into a USB port.
  • Won't let you access some websites.

Now let's go back to the topic. Remember that this guide will only help you remove the jwgkvsq.vmx virus. Here are the quick steps to remove this virus from your computer, and from your USB devices.

Preparation: Now let's start…

Removing the jwgkvsq.vmx virus from your computer
  • Disconnect your computer from the network, if it is connected. Removing the network cable from your PC should do the trick.
  • Just run the FixDownadup.exe we downloaded from Symantec. It should clean the virus off the PC. This works if the infection is in a low-level state, meaning you have anti-virus software already running and the infection is isolated.
  • After scanning you should see a report popup, and an option to go to the Microsoft website to patch your computer with a critical security update.
  • Restart your computer. When you're back on the desktop, check your programs/software to see if it is still running.
  • Turn off System Restore to delete all entries, which sometimes contain remnants of the virus. To do this:
    • Right-click My Computer, select Properties.
    • Click the System Restore tab.
    • Check 'Turn off System Restore on all drives'. Click Apply, then Ok.
    • Restart your computer.
    • Then, uncheck 'Turn off System Restore on all drives' to enable it again.

Removing the jwgkvsq.vmx virus from your USB device
  • First, start your computer in Safe Mode:
    • Shut down your computer.
    • Turn it back on and, before the Windows loading screen comes up, press F8. Or just press it repeatedly after starting your computer.
    • Select Safe Mode on the menu by pressing the arrow keys and hitting Enter.
  • Plug in your USB device. Notice that the autorun.inf won't run in Safe Mode.
  • Enable 'Show hidden files and folders'. Instructions are listed in the Symptoms section above.
  • Delete the autorun.inf file. It is usually located in the root of the USB drive.
  • Delete the hidden/system folder RECYCLER.
    • If you can't delete it, you have to disable its function (for external/portable hard drives). Right-click on the Recycle Bin icon on your desktop, then select Properties. Select 'Configure drives independently'. Then tab to the external drive, and check 'Do not move files to the Recycle Bin'. Hit Apply, then Ok.
    • If it is a flash drive or other USB device, use MoSo Force Delete, which we downloaded earlier in this guide.

Just in case the virus registered itself in the registry: open the Run dialog box from the Start menu, then type regedit. Then search for the file name jwgkvsq.vmx. If you find an entry, just press DEL to delete it. If your computer is on a network, better check all the other computers connected to it. Also download and install the automatic update (for the Microsoft vulnerability) which I posted at the beginning of this post.

In extreme cases, your computer won't initiate Safe Mode, and after using the removal tool above your system may report a missing .dll file or something similar.

Credits (and reference) to these two sites:
http://tuxvoid.blogspot.com/
http://arpeex.blogspot.com/

For any additional support or inquiry regarding this problem, just leave a comment here, and I'll reply as soon as I can.
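The USB cleanup described in the post above (the five Safe Mode steps and the guide's "Removing the jwgkvsq.vmx virus from your USB device" section) comes down to three checks on the drive root: an autorun.inf that is mostly binary junk with readable directives buried in it, a RECYCLER folder holding jwgkvsq.vmx under a Recycle Bin style SID, and attributes that stop the files from being deleted. The script below is an added example, not code from this thread or from the guide's author. It parses such an autorun.inf tolerantly (skipping non-printable lines), flags directives that point into RECYCLER or at the payload, lists the payload files, and then clears the read-only bit and deletes the indicators deepest-first. The drive layout built by build_sample_drive() is constructed for the example, and the directive text in it is an assumption modeled on the thread's description, not a copy of a real sample. On Windows os.chmod only clears the read-only attribute, so hidden/system attributes still need `attrib -s -h` as the thread does; run it from a clean machine or Safe Mode against the mounted drive path.

```python
"""Triage and clean a USB drive root for the jwgkvsq.vmx indicators from the thread.
Added example; the sample drive layout is constructed, not a captured infection."""
import os
import re
import stat
import tempfile
from pathlib import Path

PAYLOAD_NAME = "jwgkvsq.vmx"   # payload file name named in the thread
RECYCLER_NAME = "RECYCLER"     # fake Recycle Bin folder named in the thread

# Only cleanly printable "key=value" lines inside [autorun] are trusted; the
# rest of the file is treated as the binary padding the thread describes.
_DIRECTIVE = re.compile(rb"^[ \t]*([A-Za-z]+)[ \t]*=[ \t]*(.+?)[ \t]*$")
_SECTION = re.compile(rb"^[ \t]*\[([^\]]+)\][ \t]*$")


def parse_autorun(data: bytes) -> dict:
    """Return lowercase key -> value for the [autorun] section of a possibly junk-padded file."""
    directives, in_autorun = {}, False
    for raw in data.splitlines():
        if not raw or any((b < 0x20 or b > 0x7E) and b != 0x09 for b in raw):
            continue  # binary / non-ASCII line: skip instead of failing
        m = _SECTION.match(raw)
        if m:
            in_autorun = m.group(1).strip().lower() == b"autorun"
            continue
        m = _DIRECTIVE.match(raw) if in_autorun else None
        if m:
            directives[m.group(1).decode().lower()] = m.group(2).decode(errors="replace")
    return directives


def _child(parent: Path, name: str):
    """Case-insensitive lookup: FAT/NTFS ignore case, a Linux test box does not."""
    for p in parent.iterdir():
        if p.name.lower() == name.lower():
            return p
    return None


def find_indicators(root: Path) -> dict:
    """Report autorun.inf, directives pointing into RECYCLER, and payload files under root."""
    findings = {"autorun": None, "payloads": [], "suspicious_directives": []}
    autorun = _child(root, "autorun.inf")
    if autorun is not None and autorun.is_file():
        findings["autorun"] = str(autorun)
        for key, value in parse_autorun(autorun.read_bytes()).items():
            # shellexecute/open/shell\...\command aimed at the fake Recycle Bin is the tell
            if RECYCLER_NAME.lower() in value.lower() or PAYLOAD_NAME in value.lower():
                findings["suspicious_directives"].append((key, value))
    recycler = _child(root, RECYCLER_NAME)
    if recycler is not None and recycler.is_dir():
        findings["payloads"] = [str(p) for p in recycler.rglob("*")
                                if p.is_file() and p.name.lower() == PAYLOAD_NAME]
    return findings


def clean_drive(root: Path, dry_run: bool = True) -> list:
    """Plan (dry_run) or perform removal of autorun.inf and the whole RECYCLER tree."""
    actions, targets = [], []
    autorun = _child(root, "autorun.inf")
    if autorun is not None:
        targets.append(autorun)
    recycler = _child(root, RECYCLER_NAME)
    if recycler is not None:
        targets.append(recycler)
    for target in targets:
        # children first (deepest path first), then the target itself
        paths = sorted(target.rglob("*"), key=lambda p: len(p.parts), reverse=True) if target.is_dir() else []
        paths.append(target)
        for p in paths:
            actions.append(("delete", str(p)))
            if dry_run:
                continue
            # equivalent of `attrib -r`; hidden/system attributes need `attrib -s -h` on Windows
            os.chmod(p, stat.S_IREAD | stat.S_IWRITE | (stat.S_IEXEC if p.is_dir() else 0))
            p.rmdir() if p.is_dir() else p.unlink()
    return actions


def build_sample_drive(base: Path) -> Path:
    """Constructed infected-drive layout for this example (SID and directive text are assumptions)."""
    root = base / "usb_root"
    sid_dir = root / RECYCLER_NAME / "S-1-5-21-0000000000-0000000000-0000000000-1000"
    sid_dir.mkdir(parents=True)
    (sid_dir / PAYLOAD_NAME).write_bytes(b"MZ" + os.urandom(64))
    junk = bytes(range(0x80, 0x100)) + b"\r\n"          # binary padding before and after
    rel = b".\\RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\" + PAYLOAD_NAME.encode()
    body = b"[autorun]\r\nshellexecute=RUNDLL32.EXE " + rel + b",run\r\nicon=%systemroot%\\system32\\shell32.dll,4\r\n"
    (root / "autorun.inf").write_bytes(junk + body + junk)
    os.chmod(root / "autorun.inf", stat.S_IREAD)        # read-only, like the undeletable file
    return root


def demo() -> dict:
    """Build the constructed drive, triage it, dry-run the plan, then clean it for real."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_drive(Path(tmp))
        before = find_indicators(root)
        plan = clean_drive(root, dry_run=True)
        clean_drive(root, dry_run=False)
        return {"before": before, "plan": plan, "after": find_indicators(root)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against a real drive, the only change is the root: call find_indicators(Path("E:/")) and read the directives before deciding to run clean_drive(Path("E:/"), dry_run=False). Plain `[autorun]` files that only set an icon or label are not flagged, so the check targets the RECYCLER-launching pattern rather than every autorun.inf.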
fan4170
Posted on 2009-4-23 21:36:19
I only remember this vmx extension.
A classmate's machine got infected.
Not sure whether it was this one, but the symptoms were the same: all the folders on every USB drive were hidden...
Killed it with the free single-file version of Dr.Web (大蜘蛛).
Afterwards it took the cmd attribute command (I don't remember exactly) to change the file attributes before it was fixed...
cuixin000000
Posted on 2009-4-23 21:36:47
Haha, I just installed Avira.
isas
Thread starter | Posted on 2009-4-27 21:31:55
While compressing the virus file, my computer at home got infected too...
ch00962610
Posted on 2009-4-27 21:59:36
Can't Avira kill it?
isas
Thread starter | Posted on 2009-4-27 23:17:39
Replying to the post above: as of the current virus database, Avira still shows no reaction to this virus at all...
isas
Thread starter | Posted on 2009-4-29 22:43:44
Er... it seems *星 can kill it now.
Copyright © KaFan  KaFan.cn All Rights Reserved.