
Complete manual removal of the Panda Burning Incense (熊猫烧香) variant gYAefexe

Or import this into the registry directly:

CODE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Next, use the process names and the locations of the related startup entries in the registry to search for the virus files (Win+F).
This variant drops far more files than the original Panda Burning Incense; you will see once you look:




The virus has files under C:\WINDOWS, C:\WINDOWS\SYSTEM32 and C:\WINDOWS\SYSTEM32\drivers, a lot of them....



The author has a sense of humour: kelnels.exe was originally a Windows 2000 core process name, and the author appended "88" to it (net slang for "bye bye"), presumably meaning the process is done for, haha...


Below is where the main file of this variant lives, the same nest Panda Burning Incense uses!!!


Delete all the files above. Most can be deleted directly; one or two cannot, because they are injected into system processes. The method for those is described below:

No hurry; first check whether two other places in the registry also hold its startup entries:


CODE:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

[Screenshot of this key in the original post]



CODE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

[Screenshot of this key in the original post]

Here the virus entry shows up: the Userinit value under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon reads
C:\WINDOWS\SYSTEM32\USERINIT.EXE,  c:\windows\gyaef11111.exe,rundll32.exe...
Delete the virus entry!

Once nothing abnormal remains, exit the registry editor.
No other traces of virus modification were found elsewhere...
The .exe file association is normal, and the .txt association is also normal...
There is one virus startup entry under HKCU\...\Run; just delete it....
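As an added example (mine, not from the original post), here is a Python audit that parses a regedit export and flags the two tampering signs walked through above: the SHOWALL CheckedValue forced away from 1, which keeps hidden files hidden, and extra programs appended to the Winlogon Userinit value. The sample export is constructed to mirror the post's Winlogon entry; the key paths are the real ones from the post.

```python
import re

SHOWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"  # the only program Userinit should launch

# Constructed sample of a regedit export (real exports are UTF-16: open them with
# encoding="utf-16"). The Userinit line mirrors the tampering the write-up shows.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,c:\\windows\\gyaef11111.exe,rundll32.exe"
"""

def parse_reg_export(text):
    """Map each [key] header to a dict of its "name"=value lines (raw regedit syntax)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def reg_string(raw):
    """Decode a REG_SZ value as regedit writes it: quoted, with \\ and \" escapes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw

def audit(keys):
    """Findings: hidden-file switch forced off, and every extra program in Userinit."""
    findings = []
    checked = keys.get(SHOWALL_KEY, {}).get("CheckedValue", "")
    if checked.lower() != "dword:00000001":
        findings.append(f"SHOWALL CheckedValue is {checked or 'missing'}, expected dword:00000001")
    userinit = reg_string(keys.get(WINLOGON_KEY, {}).get("Userinit", ""))
    for prog in (p.strip() for p in userinit.split(",")):
        if prog and prog.lower() != LEGIT_USERINIT:
            findings.append(f"Userinit launches extra program: {prog}")
    return findings
```

When cleaning the Winlogon key, remove only the appended programs and keep the userinit.exe entry, since deleting the whole value breaks logon. The same parser can be pointed at the HKCU Run key mentioned above to list its entries for review.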

Now the situation mentioned above appears: some files cannot be deleted.
(Do not use third-party deletion tools; the virus disables them. My UNLOCK got wiped out by it....)


The remaining three files refuse to be deleted:
two cannot be deleted at all, and one reappears immediately after deletion:


This is where the next step comes in:


Use file replacement to get rid of it:


For files that cannot be deleted even after terminating the system process, you can also do this:
rename the virus file, create a new file with the same name as the virus, and set the system attribute on it:


CODE:
@echo off
rem terminate the Explorer shell
taskkill /f /im explorer.exe
rem start a fresh Explorer
explorer.exe
exit

But I still have not figured out this DLL file: cyptimg.exe or cyptig.dll (the virus may generate both or only one; I ran the experiment twice and the files differed...)


The effect after creating the same-named file:


This stops the virus from modifying the file while it runs, which is the whole point...
=====================================================================================

Next, reboot. Now you can open Task Manager, and there are no virus processes in it!


What remains is mainly repairing the infected .exe files.
Actually you could stop here, because the virus can no longer take effect: when you run an infected program the virus unpacks itself, cannot overwrite the same-named placeholder file under C:\WINDOWS\SYSTEM32\DRIVERS, and so the virus vanishes while the original .exe program is restored.


That said, for repairing the .exe files, the dedicated removal tools now available can be used....

If you want to completely get rid of the virus's leftovers, you have to spend the time running every one of your executables once so the virus unpacks and releases itself,
and then delete the same-named placeholder files you created...


Personally I think keeping these same-named files also serves as prevention.....
Works remarkably well...

PS: Last night the power was about to go out, so I forgot to mention:
this variant creates a desktop_.ini next to every exe file, with the infection date as its content.
I forgot to take a screenshot of this; just use del \desktop_.ini /F /S /A /Q to clear them out completely!
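An added example (mine, not the post's) of the same sweep in Python: it walks a tree for the desktop_.ini markers this variant leaves, reports each one with its first line, and deletes them after clearing the read-only bit, which is what the /F and /A switches of del do. The sample tree and the infection-date text are constructed; the marker name is the one the post gives.

```python
import os
import shutil
import stat
import tempfile

MARKER = "desktop_.ini"  # the variant's marker named in the write-up (note the underscore)

def find_markers(root):
    """Return sorted [(path, first line)] for every desktop_.ini under root.
    Names are compared case-insensitively, as NTFS does; the legitimate Windows
    desktop.ini (no underscore) never matches and is left alone."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() == MARKER:
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    hits.append((path, fh.readline().strip()))
    return sorted(hits)

def remove_markers(root):
    """Delete every marker, clearing read-only first (what del's /F and /A do);
    return the number removed."""
    removed = 0
    for path, _date in find_markers(root):
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)
        os.remove(path)
        removed += 1
    return removed

def build_sample_tree(root):
    """Constructed sample: two infected folders plus a legitimate desktop.ini."""
    for d in (root, os.path.join(root, "tools")):
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, MARKER), "w") as fh:
            fh.write("2007-3-18\n")  # made-up infection date; the post says the date is the content
    with open(os.path.join(root, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\n")

def demo():
    """Sweep a throwaway tree; return (markers found, count removed, markers left, files left)."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        found = find_markers(root)
        removed = remove_markers(root)
        return found, removed, find_markers(root), sorted(os.listdir(root))
    finally:
        shutil.rmtree(root)
```

Run find_markers first and review the list before removing anything: the marker tells you which folders the variant touched, which is exactly the set of executables that still need repairing.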
http://www.hack58.net/Article/60/64/2007/14603.htm