[Repost] Reposting a thread that tells you why NOD gets shut down by a virus (with an example)

dancerock
Posted 2007-5-15 09:40:23
The sample was analysed in a virtual machine.
Scan results are as follows:
File: 74E14F81.exe
SHA-1 Digest: 1d6472eec2e8940a696010abc2fb8082a1b7764e
Packers: Unknown


Scanner Scanner Version Result Scan Time
ArcaVir 1.0.4 Clean 3.07072 secs
avast! 3.0.0 Clean 0.00544286 secs
AVG Anti Virus 7.5.45 Clean 2.64557 secs
BitDefender 7.1 Generic.Malware.SBVdld.80A995A7 4.53346 secs
CAT QuickHeal 9.00 Clean 4.37579 secs
ClamAV 0.90/3236 Trojan.Agent-3107 0.116282 secs
Dr. Web 4.33.0 Clean 8.75147 secs
F-PROT 4.6.7 Clean 0.820435 secs
F-Secure 1.02 Clean 0.352535 secs
H+BEDV AntiVir 2.1.10-37 NULL 5.63827 secs
McAfee Virusscan 5.10.0 Clean 1.74781 secs
NOD32 2.51.1 Clean 2.92784 secs
Norman Virus Control 5.70.01 Clean 8.4982 secs
Panda 9.00.00 Clean 1.31422 secs
Sophos Sweep 4.17.0 Troj/Hook-Gen 5.57204 secs
Trend Micro 8.310-1002 Possible_Infostl 0.106758 secs
VBA32 3.12.0 Protected File 3.48641 secs
VirusBuster 1.3.3 Clean 2.72778 secs
----------------------------------------------------------
Opening AutoRun.inf, its contents are as follows:
[AutoRun]
open=74E14F81.exe
shell\open=打开(&O)
shell\open\Command=74E14F81.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=74E14F81.exe
-------------------------------------------------------------
Running the virus 74E14F81.exe creates the following file and registry changes:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\C68BC723.dll
It also creates a hidden executable C68BC723.exe in the root directory of the non-system drive.
--------------------------------------------------------------
A spectacular IFEO list; anything even slightly well known is hijacked:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
-------------------------------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    注册表值: Start
    新的值:
      类型: REG_DWORD
      值: 00000004
    先前值:
      类型: REG_DWORD
      值: 00000002
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    注册表值: Start
    新的值:
      类型: REG_DWORD
      值: 00000004
    先前值:
      类型: REG_DWORD
      值: 00000003
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    注册表值: Start
    新的值:
      类型: REG_DWORD
      值: 00000004
    先前值:
      类型: REG_DWORD
      值: 00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    注册表值: Hidden
    新的值:
      类型: REG_DWORD
      值: 00000002
    先前值:
      类型: REG_DWORD
      值: 00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    注册表值: CheckedValue
    新的值:
      类型: REG_DWORD
      值: 00000000
    先前值:
      类型: REG_DWORD
      值: 00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    注册表值: {BC72C68B-C68B-C723-8BC7-68B7268BC723}
      类型: REG_SZ
      值:
HKCR\CLSID\{BC72C68B-C68B-C723-8BC7-68B7268BC723}\InProcServer32
    注册表值: (默认)
      类型: REG_SZ
      值: C:\Program Files\Common Files\Microsoft Shared\MSINFO\C68BC723.dll
----------------------------------------------------
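Added example (not code from the original post or from any tool it names): a PowerShell audit script that checks, on a live machine, the four tamper points this analysis documents: IFEO subkeys carrying a Debugger value, the three services switched to Start=4, the neutered SHOWALL CheckedValue, and ShellExecuteHooks CLSIDs resolved to their DLLs. It assumes PowerShell 3.0 or later in an elevated session; the expected Start values are the "previous values" from the report above.

```powershell
# Audit the persistence and tamper points described in the analysis above.
# Assumption: PowerShell 3.0+ (for [PSCustomObject]) run as Administrator.

$findings = @()

# 1. IFEO hijacks: a subkey named after a program with a Debugger value makes
#    Windows launch the "debugger" instead of that program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [PSCustomObject]@{ Type = 'IFEO'; Key = $sub.PSChildName; Value = $dbg }
    }
}

# 2. Services the sample disabled (Start = 4 means Disabled).
#    Expected values are the "previous values" from the report:
#    SharedAccess (Windows Firewall/ICS) = 2, wscsvc (Security Center) = 3,
#    wuauserv (Automatic Updates) = 3.
$expected = @{ SharedAccess = 2; wscsvc = 3; wuauserv = 3 }
foreach ($svc in $expected.Keys) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings += [PSCustomObject]@{
            Type  = 'ServiceDisabled'
            Key   = $svc
            Value = "Start=$start (expected $($expected[$svc]))"
        }
    }
}

# 3. Explorer "Show hidden files" option: CheckedValue must be 1, otherwise the
#    radio button cannot be switched on and hidden files stay invisible.
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1) {
    $findings += [PSCustomObject]@{ Type = 'SHOWALL'; Key = 'CheckedValue'; Value = $cv }
}

# 4. ShellExecuteHooks: every CLSID listed here is loaded into Explorer, so
#    resolve each one to the DLL its InProcServer32 default value points at.
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$props = Get-ItemProperty -Path $hooks -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -like '{*}' })) {
        $clsid = $p.Name
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll   = (Get-ItemProperty -Path $srv -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        $findings += [PSCustomObject]@{ Type = 'ShellExecuteHook'; Key = $clsid; Value = $dll }
    }
}

if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any IFEO entry for a security tool, any of the three services at Start=4, a CheckedValue other than 1, or a ShellExecuteHooks DLL under a path like Common Files\Microsoft Shared\MSInfo should be treated as evidence of this family; IFEO entries for debuggers you installed yourself (for example a development tool registered as just-in-time debugger) are the usual benign hits.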
The EQs
Posted 2007-5-15 10:55:56
Found that protecting nod32 with SSM doesn't work either...
jo763092
Posted 2007-5-15 11:10:22
My head is spinning just looking at this
hahacomcn
Posted 2007-5-15 14:04:41
Originally posted by EQ2 on 2007-5-15 10:55:
Found that protecting nod32 with SSM doesn't work either...

Isn't NOD supposed to have the best self-protection of any antivirus?

How does this thing get past NOD?
基少
Posted 2007-5-15 14:47:31
Makes my head hurt
风野胤
Posted 2007-5-15 14:55:32
It even shuts down the rogue-software cleaner in Windows Optimizer Master (Windows优化大师)
Speechless
dancerock
Original poster | Posted 2007-5-15 15:41:29
Originally posted by EQ2 on 2007-5-15 10:55:
Found that protecting nod32 with SSM doesn't work either...

HIPS-type software has problems of its own; it can't even protect itself, never mind anything else
hj5abc
Posted 2007-5-15 17:20:08

Reply to #6, 风野胤's post

Shutting that down isn't the big deal; it even takes out SREng .. ..
Off to back up the registry ..
wcb46888
Posted 2007-5-15 17:52:31
Looks very serious....
sanhu35
Posted 2007-5-15 17:52:53
Image hijacking (IFEO) can stop antivirus and firewall software from starting, or let the malware start before they do