Complete manual removal walkthrough for the Panda Burning Incense (熊猫烧香) variant gYAef.exe

Virus name: gYAef.exe
Date discovered: 07/01/26

Since I only just obtained the sample and have not had time to unpack and analyse it, this post mainly documents the symptoms the virus produces and the manual removal steps as they happened, for reference!
========================================================================================


Tested on a virtual machine:

After opening the sample gYAef.exe the symptoms are obvious, and every hallmark of a Panda Burning Incense infection is present:
Task Manager, the registry editor, Super Rabbit (超级兔子), IceSword (冰刃)
and Windows Optimization Master (Windows优化大师) can no longer be opened;
shortly afterwards the firewall and the antivirus are shut down.

Screenshots:
[Screenshot: /Article/UploadPic/2007-3/200731815115675.jpg]

[Screenshot: /Article/UploadPic/2007-3/200731815116342.jpg]



Initial symptoms after running the sample:
[Screenshot: /Article/UploadPic/2007-3/200731815117721.jpg]

[Screenshot: /Article/UploadPic/2007-3/200731815118982.jpg]

[Screenshot: /Article/UploadPic/2007-3/200731815118387.jpg]

[Screenshot: /Article/UploadPic/2007-3/200731815118209.jpg]




At this point the machine becomes very sluggish, because in the background the virus is downloading trojans and rogue software and installing them:

Look at this: a whole pile of rogue software installed, infuriating just to look at.....

[Screenshot: /Article/UploadPic/2007-3/200731815119132.jpg]


Then the virus scans the other computers on the LAN in the background; the firewall on my host machine logged the guest machine's activity:

[Screenshot: /Article/UploadPic/2007-3/200731815119297.jpg]


Run netstat -an in CMD and you can see that the virus has opened a lot of ports for outbound scanning; I won't bother with a screenshot of that...

What is more striking is that this virus makes the machine blue-screen after a reboot, as shown:

[Screenshot: /Article/UploadPic/2007-3/200731815119663.jpg]


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
After Run -- cmd -- tasklist you can see that a lot of unfamiliar processes have appeared:

[Screenshot: /Article/UploadPic/2007-3/200731815119484.jpg]

Look closely: there are 5 virus processes, not counting the IEXPLORE.EXE that the virus runs in the background... frightening, isn't it? Blatant bullying....

Run taskkill /f /im <process name> to force-terminate these processes (you can of course also do it with ntsd -c q -p <PID>; I used the process names so that everyone can see the 5 virus processes more clearly....)

The result is as follows:

[Screenshot: /Article/UploadPic/2007-3/200731815119476.jpg]

[Screenshot: /Article/UploadPic/2007-3/200731815120127.jpg]

At this point do not touch any .exe file; running Task Manager is blocked...

[Screenshot: /Article/UploadPic/2007-3/200731815120789.jpg]

Type regedit in CMD to open the registry editor and fix the disabled Task Manager (this part is very simple... even a newbie can do it...)

[Screenshot: /Article/UploadPic/2007-3/200731815120972.jpg]

Or import the following registry file directly:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

At this point it is best to leave Task Manager open and not touch it again, because closing and reopening it may reactivate the virus;
the same goes for the registry editor: open it once and keep it open....

To delete the virus files you naturally need to show hidden items, and the virus has changed that setting too... as expected....:

[Screenshot: /Article/UploadPic/2007-3/200731815120108.jpg]
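As an added defender-side example (not part of the original post), the following PowerShell script bundles the tasklist, netstat -an and regedit steps above into one triage pass: it reports and optionally clears the DisableTaskMgr policy value from the .reg file, flags processes running from outside the Windows and Program Files trees, and maps listening ports and connections to their owning process. It assumes Windows PowerShell 5.1 or later (Get-NetTCPConnection needs Windows 8 / Server 2012 or newer) and that DisableRegistryTools, which the post does not name, is the policy value behind the blocked registry editor.

```powershell
# Added triage script, not from the original post. Assumes Windows PowerShell 5.1+;
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
# DisableTaskMgr is the value from the post's .reg file; DisableRegistryTools is
# assumed (not named in the post) to be the value behind the blocked registry editor.
param([switch]$Restore)

$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

# 1. Report (and with -Restore clear) the policy values that lock the user out of
#    Task Manager and regedit; this is the same fix the post applies via .reg import.
if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $policyValues) {
        $current = $props.$name
        if ($null -ne $current -and $current -ne 0) {
            Write-Warning "$name is set to $current (tool is disabled)"
            if ($Restore) {
                Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
                Write-Host "Reset $name to 0"
            }
        } else {
            Write-Host "$name is not set or already 0"
        }
    }
} else {
    Write-Host "Policy key $policyKey does not exist; nothing to restore"
}

# 2. Flag processes whose image lives outside the Windows and Program Files trees,
#    a quick way to surface the 'unfamiliar processes' the post spots in tasklist.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
Get-Process | Where-Object { $_.Path } | Where-Object {
    $p = $_.Path
    -not ($trusted | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
} | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 3. Map listening ports and outbound connections to their owning process, which is
#    the information the post reads off 'netstat -an' without a PID column.
Get-NetTCPConnection |
    Where-Object { $_.State -in 'Listen', 'SynSent', 'Established' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Sort-Object State, LocalPort | Format-Table -AutoSize
```

Run it without -Restore first to see the current state; -Restore clears only the two policy values and touches nothing else, so the process and connection listings still need a human to decide what is malicious.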