最近有人在群上发这样的消息:
紧急通告: 请大家要速传!如果你收到一张带有《汶川速递!》的图片文件。在任何环境下都不要打开它,且立即删除它。如果你打开了它,你会失去个人电脑上的一切东西。这是一个新的病毒,已经确认了它的危险性,而杀毒软件不能清除它。他的目标是摧毁个人电脑。请copy 这封信给你认识的QQ群,为了大家,辛苦一下 真的啊!!相信我
刚开始我还以为是有人恶作剧,课时网上还有分析啊!
分析:
将产生的病毒文件为fmsbbqi.dll/exe, yuiabct.exe/dll, bincdwsa.dll/exe, winsvr64.dll/exe,ptshell.exe/dll,dionpis.exe/dll,ticisms.exe/dll
病毒文件在windows/system32\
msosdrop00.dll,
msosfmsq00.dll,
msoscqit00.dll,
msosdohs00.dll,
nicozftp00.dll,
msosping00.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_Dlls"=hex(2):6d,00,73,00,6f,00,73,00,64,00,72,00,6f,00,70,00,30,00,30,\
00,2e,00,64,00,6c,00,6c,00,2c,00,6d,00,73,00,6f,00,73,00,66,00,6d,00,73,00,\
71,00,30,00,30,00,2e,00,64,00,6c,00,6c,00,2c,00,6d,00,73,00,6f,00,73,00,63,\
00,71,00,69,00,74,00,30,00,30,00,2e,00,64,00,6c,00,6c,00,2c,00,6d,00,73,00,\
6f,00,73,00,64,00,6f,00,68,00,73,00,30,00,30,00,2e,00,64,00,6c,00,6c,00,2c,\
00,6e,00,69,00,63,00,6f,00,7a,00,66,00,74,00,70,00,30,00,30,00,2e,00,64,00,\
6c,00,6c,00,2c,00,6d,00,73,00,6f,00,73,00,70,00,69,00,6e,00,67,00,30,00,30,\
00,2e,00,64,00,6c,00,6c,00,00,00
在安全模式下无法删除.在cmd 下用命令导出进程所调用的Dll文件.只有
System Idle Process 0 暂缺
System 4 暂缺
smss.exe 796 ntdll.dll
csrss.exe 852 ntdll.dll, CSRSRV.dll, basesrv.dll,
winsrv.dll, USER32.dll, KERNEL32.dll,
GDI32.dll, LPK.DLL, USP10.dll, msvcrt.dll,
ADVAPI32.dll, RPCRT4.dll, sxs.dll
这几个进程没有调用以上病毒文件.
其他全部调用.
破解方法:
在msosdrop00.dll,
msosfmsq00.dll,
msoscqit00.dll,
msosdohs00.dll,
nicozftp00.dll,
msosping00.dll这个几文件右键属性.安全项.把所有用户的权限都设为拒绝读取与运行.
重启电脑就可以删除了.再到注册表里清除一下.就OK 了.
如果你的磁盘格式为FAT32,这种格式是不能设置安全配置的,需要转换成NTFS格式才行
命令:
convert c: /fs:ntfs (c:代表c盘)
请问是真是假? |
[复制链接]
发表于 2009-7-15 12:26:57
发表于 2009-7-15 12:35:39
