|
|
|
| Trojan.Win32.Autoit.aa分析,1sass.exe病毒专杀 |
 |
|
|
录入时间:07-08-15 21:25:33 来源: |
|
 病毒标签: |
| |
病毒名称: Trojan.Win32.Autoit.aa
中文名称: 敲诈者变种
病毒类型: 木马
文件 MD5: B150ECBA5B974C65E67F0DC32082A3A0
公开范围: 完全公开
危害等级: 3
文件长度: 696,189 字节
感染系统: windows2000以上版本
加壳类型: nSPack 3.1 -> North Star/Liu Xing Ping |
| 病毒描述: |
| |
该病毒运行后,衍生病毒文件到系统目录下,添加注册表自动运行项以随机引导病毒体。该病毒主要行为为删除用户扩展分区的所有文件,并向用户进行勒索。表现形式为用户登陆前弹出文本勒索用户,进入系统后弹出对话框,恐吓用户,如果用户点击确定,则重启电脑。给用户带来极大不便,行为极其恶劣。 |
| 行为分析: |
| |
1、衍生下列副本与文件:
%WINDOWS%\System32\1sass.exe"
%Documents and Settings%用户名\Application Data\\MMC.exe
2、修改注册表键值:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\@
New: String: "C:\WINDOWS\System32\1sass.exe"
Old: String: ""%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\@
New: String: "C:\Documents and Settings\antiy\Application Data
\Microsoft\
win1ogon.exe"
Old: Type: REG_EXPAND_SZ Length: 37 (0x25) bytes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\policies\
system\legalnoticecaption
New: String: "严重警告:"
Old: (value not set)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
\system\
legalnoticetext
New: String: " 您使用了经过反汇编的软件,此行为严重对软件作者侵权!所以部份文件已隐藏在锁定的扇区,如需解锁释放文件,请联系:yibasoftware@yahoo.com.cn
获取相应的解锁软件,否则隐藏的文件将永远尘封起来!即使格式化也于事无补!
Old: String: ""
3、新建注册表键值:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\windows\command\@
Value: String: "%WINDOWS%\System32\1sass.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run\svchost.exe
Value: String: "%Documents and Settings%用户名\Application Data
\\MMC.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
\Explorer\
NoFind
Value: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
\Explorer\
NoFolderOptions
Value: DWORD: 1 (0x1)
4、删除注册表键值:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Advanced
\Folder\Hidden\SHOWALL\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Advanced
\Folder\Hidden\SHOWALL\CheckedValue Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Advanced
\Folder\Hidden\SHOWALL\DefaultValue Value: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Advanced
\Folder\Hidden\SHOWALL\HelpID
Value: String: "shell.hlp#51105"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Advanced
\Folder\Hidden\SHOWALL\HKeyRoot
Value: DWORD: 2147483649 (0x80000001)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Advanced
\Folder\Hidden\SHOWALL\RegPath
Value: String: "Software\Microsoft\Windows\CurrentVersion\Explorer
\Advanced"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\Advanced
\Folder\Hidden\SHOWALL\Text
Value: String: "@shell32.dll,-30500"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\Advanced
\Folder\Hidden\SHOWALL\Type
Value: String: "radio"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\Advanced
\Folder\Hidden\SHOWALL\ValueName Value: String: "Hidden"
5、添加链接:
Documents and Settings\antiy\「开始」菜单\程序\启动\MMC.exe链接
Value: "%Documents and Settings%\用户名\Application Data\Microsoft\win1ogon.exe" 注:% System%是一个可变路径。病毒通过查询操作系统来决定当前System文件夹的位置。Windows2000/NT中默认的安装路径是C:\Winnt\System32,windows95/98/me中默认的安装路径是C:\Windows\System,windowsXP中默认的安装路径是C:\Windows\System32。
|
| 清除方案: |
| |
| |
发送好友:  | 加入收藏:  责任编辑: 文章作者: | | |
| |
|
|
|
|
|
| |
|
