Thread starter: jason_jiang

[Virus sample] USB drive virus 1x

sololp (account deleted)
Posted on 2009-7-17 22:45:51

Reply to post #10 by xiaojinglf

No obvious symptoms so far; let's see what it drops.
Sebastian
Posted on 2009-7-17 22:45:58
Avira
TR/Dropper.Gen
xiaojinglf
Posted on 2009-7-17 22:57:50
Generated by 晓月
Summary:

Its distinguishing feature is that it runs two fake processes:
C:\WINDOWS\temp\ctfmon.exe
C:\WINDOWS\taskmgr.exe
The two processes guard each other and have to be terminated at the same time.
It creates a service named COM+ Event System32.
Kill that service, then either terminate both processes at the same time or delete both files. Not complicated to handle.


----------------------------------
Added keys:
----------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Security
----------------------------------
Added values:
----------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\ImagePath: "cmd /c start C:\WINDOWS\TEMP\ctfmon.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Event System32\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\ImagePath: "cmd /c start C:\WINDOWS\TEMP\ctfmon.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\ObjectName: "LocalSystem"
----------------------------------
Modified values:
----------------------------------
Nothing of importance
----------------------------------
Added files:
----------------------------------
C:\WINDOWS\temp\ctfmon.exe
C:\WINDOWS\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\krnln.fnr
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\shell.fne
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\spec.fne
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\internet.fne
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\eAPI.fne
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\EThread.fne
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\dp1.fne
----------------------------------
Modified files:
----------------------------------
Nothing of importance
----------------------------------
Added directories:
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\..
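The service entries above, worked through as an added example (this is not the poster's tool or its output, and it is not part of the original post): a Python script that parses the "key\value: data" lines copied from the post, decodes the Type/Start/ImagePath/ObjectName values, and unpacks the REG_BINARY Security value as a self-relative SECURITY_DESCRIPTOR so the DACL can be read as SDDL-style ACEs. The structure layouts and SID abbreviations are the standard Windows ones; the triage rules, message strings, and function names are my own.

```python
"""Triage of the service registry entries listed in the post above.
Added example, not the poster's own tool: parses the 'key\\value: data' lines,
decodes the service configuration, and unpacks the binary Security value."""
import re
import struct

# The CurrentControlSet entries exactly as listed in the post above.
REG_DIFF = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\ImagePath: "cmd /c start C:\WINDOWS\TEMP\ctfmon.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Event System32\ObjectName: "LocalSystem"
"""

LINE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
                  r"([^\\]+)(?:\\Security)?\\(\w+): (.*)$")
SERVICE_AUTO_START = 0x2            # Start value: start at boot
SERVICE_WIN32_SHARE_PROCESS = 0x20  # Type value: svchost-style shared process
DELETE = 0x10000                    # standard right needed for 'sc delete'
# Well-known SIDs rendered with their SDDL abbreviations.
SDDL_SID = {"S-1-1-0": "WD", "S-1-5-18": "SY", "S-1-5-11": "AU",
            "S-1-5-32-544": "BA", "S-1-5-32-547": "PU"}
ACE_TYPE = {0: "A", 1: "D", 2: "AU"}  # allowed, denied, audit

def parse_reg_diff(text):
    """Group the diff lines into {service name: {value name: data}}."""
    services = {}
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            services.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return services

def parse_sid(buf, off):
    """Decode a binary SID: revision, sub-authority count, 48-bit authority, subs."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_acl(buf, off):
    """Walk an ACL header followed by AceCount ACEs -> [(type, flags, mask, sid)]."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        atype, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((atype, flags, mask, parse_sid(buf, pos + 8)))
        pos += size
    return aces

def decode_security(hexdata):
    """Decode the REG_BINARY Security value (self-relative SECURITY_DESCRIPTOR)."""
    buf = bytes.fromhex(hexdata)
    _rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:
        raise ValueError("expected SE_SELF_RELATIVE")
    sd = {"owner": parse_sid(buf, o_owner), "group": parse_sid(buf, o_group)}
    sd["dacl"] = parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else []
    sd["sacl"] = parse_acl(buf, o_sacl) if control & 0x0010 and o_sacl else []
    return sd

def sddl(aces):
    """Render ACEs in SDDL-like notation, e.g. (A;;0xf01ff;;;BA)."""
    out = []
    for atype, flags, mask, sid in aces:
        af = "FA" if flags & 0x80 else "SA" if flags & 0x40 else ""
        out.append("(%s;%s;0x%x;;;%s)" % (ACE_TYPE.get(atype, atype), af, mask, SDDL_SID.get(sid, sid)))
    return "".join(out)

def triage(svc):
    """Flag the traits of one service entry that a responder cares about."""
    findings = []
    image = svc.get("ImagePath", "").strip('"')
    launcher = image.split()[0].rsplit("\\", 1)[-1].lower() if image else ""
    if launcher in ("cmd", "cmd.exe"):
        findings.append("ImagePath is a cmd.exe one-liner, not a service binary: " + image)
    if re.search(r"(?i)\\temp\\", image):
        findings.append("payload lives under a Temp directory")
    if int(svc.get("Start", "0"), 16) == SERVICE_AUTO_START:
        findings.append("Start=2: auto-start at boot")
    if int(svc.get("Type", "0"), 16) == SERVICE_WIN32_SHARE_PROCESS:
        findings.append("Type=0x20 (SERVICE_WIN32_SHARE_PROCESS) with a non-svchost image")
    if svc.get("ObjectName", "").strip('"') == "LocalSystem":
        findings.append("runs as LocalSystem")
    if "Security" in svc:
        dacl = decode_security(svc["Security"])["dacl"]
        if any(t == 0 and s == "S-1-5-32-544" and m & DELETE for t, _, m, s in dacl):
            findings.append("DACL grants Administrators DELETE: stoppable and deletable with sc")
    return findings

if __name__ == "__main__":
    for name, svc in parse_reg_diff(REG_DIFF).items():
        print(name)
        for f in triage(svc):
            print("  -", f)
        sd = decode_security(svc["Security"])
        print("  DACL:", sddl(sd["dacl"]), " SACL:", sddl(sd["sacl"]))
```

Run on the post's data, the descriptor decodes to owner/group SYSTEM, SACL `(AU;FA;0xf01ff;;;WD)` and DACL `(A;;0x201fd;;;SY)(A;;0xf01ff;;;BA)(A;;0x2018d;;;AU)(A;;0x201fd;;;PU)`, which is the stock default a service gets when it is created: the Security value is not a lock-down, so an administrator can stop and `sc delete` the service once the two guarding processes are gone. The traits worth alerting on are the ones the poster singled out plus what the values encode: an ImagePath that is a `cmd /c start` one-liner pointing into `C:\WINDOWS\TEMP`, auto-start, LocalSystem, and a service name that mimics the real "COM+ Event System" display name.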
schumi小粉
Posted on 2009-7-17 23:01:54
2009-07-17 23:01:06        Application protection (run application)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\WINDOWS\system32\cmd.exe
Command line: /c start C:\WINDOWS\TEMP\ctfmon.exe
2009-07-17 23:01:06        Application protection (run application)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\WINDOWS\system32\attrib.exe
Command line: "C:\WINDOWS\TEMP\ctfmon.exe" +h +s
2009-07-17 23:01:06        File protection (create file)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\TEMP\ctfmon.exe
2009-07-17 23:01:06        File protection (create file)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\TEMP\ctfmon.exe
2009-07-17 23:01:06        File protection (create file)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\TEMP\ctfmon.exe

Judging by its behaviour, this doesn't look like a USB drive virus~
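The blocked HIPS events above, reconstructed into a behaviour chain as an added example (not the poster's code, not the HIPS product's own parser, and not part of the original post). The record layout, one timestamped header line followed by "Field: value" lines, is assumed from the five entries in the post; the rewrite of `C:\Sandbox\<user>\<box>\drive\C\...` back to `C:\...` assumes Sandboxie's default container layout, which is what that path shape indicates. The log text below is the post's, with the HIPS labels translated to English and the paths left unchanged.

```python
"""Reconstruct the sample's behaviour chain from the blocked HIPS events above.
Added example, not the poster's or the HIPS vendor's code: the record layout is
assumed from the five entries in the post, and the C:\\Sandbox\\...\\drive\\C
rewrite assumes Sandboxie's default container layout."""
import re

# The five events from the post, HIPS labels translated to English, paths unchanged.
HIPS_LOG = r"""
2009-07-17 23:01:06        Application protection (run application)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\WINDOWS\system32\cmd.exe
Command line: /c start C:\WINDOWS\TEMP\ctfmon.exe
2009-07-17 23:01:06        Application protection (run application)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\WINDOWS\system32\attrib.exe
Command line: "C:\WINDOWS\TEMP\ctfmon.exe" +h +s
2009-07-17 23:01:06        File protection (create file)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\TEMP\ctfmon.exe
2009-07-17 23:01:06        File protection (create file)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\TEMP\ctfmon.exe
2009-07-17 23:01:06        File protection (create file)     Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\zwei\zwei.scr
File path: C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS\TEMP\ctfmon.exe
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s+Action: (\S+)\s*$")
# Sandboxie redirects writes into C:\Sandbox\<user>\<box>\drive\<letter>\ (assumed layout).
SANDBOX = re.compile(r"^C:\\Sandbox\\[^\\]+\\[^\\]+\\drive\\([A-Za-z])\\", re.I)

def unsandbox(path):
    """Map a container path back to the path the sample actually tried to write."""
    return SANDBOX.sub(lambda m: m.group(1).upper() + ":\\", path)

def parse_hips_log(text):
    """One dict per event: time, category, action, plus the 'Field: value' lines."""
    events, cur = [], None
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m.group(1), "category": m.group(2), "action": m.group(3)}
            events.append(cur)
        elif cur is not None and ": " in line:
            key, val = line.split(": ", 1)
            cur[key.strip().lower().replace(" ", "_")] = val.strip()
    return events

def summarize(events):
    """Collapse the events into parent, dropped files, spawned commands and findings."""
    report = {"parents": set(), "dropped": set(), "spawned": [], "findings": []}
    for ev in events:
        report["parents"].add(ev.get("process_path", ""))
        target = unsandbox(ev.get("file_path", ""))
        cmd = ev.get("command_line", "")
        if ev["category"].startswith("File protection"):
            report["dropped"].add(target)
        elif ev["category"].startswith("Application protection"):
            report["spawned"].append((target, cmd))
            exe = target.rsplit("\\", 1)[-1].lower()
            if exe == "cmd.exe" and re.search(r"(?i)\bstart\b", cmd):
                report["findings"].append("launches a dropped file via cmd.exe: " + cmd)
            if exe == "attrib.exe" and "+h" in cmd and "+s" in cmd:
                report["findings"].append("hides a dropped file with attrib +h +s: " + cmd)
    for path in sorted(report["dropped"]):
        if re.search(r"(?i)\\temp\\", path):
            report["findings"].append("drops payload under a Temp directory: " + path)
        if any(path.lower() in c.lower() for _, c in report["spawned"]):
            report["findings"].append("dropped file is the one the child commands act on: " + path)
    return report

if __name__ == "__main__":
    rep = summarize(parse_hips_log(HIPS_LOG))
    print("parent(s):", *sorted(rep["parents"]))
    print("dropped:", *sorted(rep["dropped"]))
    for exe, cmd in rep["spawned"]:
        print("spawned:", exe, cmd)
    for f in rep["findings"]:
        print("finding:", f)
```

Run on the post's five events this yields one parent (zwei.scr), one dropped file (`C:\WINDOWS\TEMP\ctfmon.exe` once the sandbox prefix is stripped), two child commands, and four findings: the drop into TEMP, the `attrib +h +s` to hide it, the `cmd /c start` launch, and the fact that all three act on the same file. That chain matches the service ImagePath in the registry diff above; the three identical "create file" entries are retries of the same write, so de-duplicating on the un-sandboxed target is what keeps the summary readable.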
sololp (account deleted)
Posted on 2009-7-17 23:03:26

Reply to post #13 by xiaojinglf

I don't have the COM+ Event System32 service.
sololp (account deleted)
Posted on 2009-7-17 23:06:29

Reply to post #13 by xiaojinglf

Found it.
尤金卡巴斯基
Posted on 2009-7-17 23:12:47
Hello,


zwei.scr_ - Trojan.Win32.FlyStudio.lx

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.
The answer is relevant to the latest bases from update sources.

Regards, Andrey Ladikov
Virus Analyst, Kaspersky Lab.
sololp (account deleted)
Posted on 2009-7-17 23:33:05

Reply to post #17 by 尤金卡巴斯基

I had just switched to Dr.Web when I accidentally ran the sample. Nobody can do anything about an unknown virus, but what I want is the cleanup capability.
xiaojinglf
Posted on 2009-7-18 06:09:14
Originally posted by sololp on 2009-7-17 23:33:
I had just switched to Dr.Web when I accidentally ran the sample. Nobody can do anything about an unknown virus, but what I want is the cleanup capability.

Actually, even assuming it were unknown: if you scan with the portable version of Avira it will find those two files straight away. Scan and delete the files in safe mode and the virus falls apart. The virus's service happens to point at one of those files, so once it is deleted the service is gone as well; the leftover service registry values you can find and remove with Autoruns.
sololp 该用户已被删除
Posted on 2009-7-18 07:31:10

Reply to post #19 by xiaojinglf

I understand that too. I've switched to Avira for real-time protection; if I get infected I'll clean up with Dr.Web CureIT afterwards.
I just used Avira to remove the fake Task Manager process.
卡饭论坛 (KaFan forum) | Copyright © KaFan KaFan.cn All Rights Reserved.