Virus

Source: Internet   Editor: 程序博客网   Time: 2024/04/29 12:56
Anti-Virus Killer variant BE
Danger level: ★★★
Virus name: Worm.Win32.AvKiller.be
Captured: 2007-9-26
Type: worm
Affected operating systems: Windows XP, Windows NT, Windows Server 2003, Windows 2000
Threat profile:
  Propagation: high
  Global spread: low
  Removal difficulty: hard
  Damage: high
  Damage mechanisms: spreads through IM programs, downloads further malware from a URL list, steals sensitive user information

This is a worm whose executable is protected with the Upack packer.

The worm calls CreateMutex to create a mutex named "system" so that only one instance runs on the machine; if the mutex already exists, it exits immediately.

Once running, it first calls LookupPrivilegeValueA and AdjustTokenPrivileges to raise its own token privileges (the analysis does not name the privilege; SeDebugPrivilege is the one a process needs in order to open and terminate processes belonging to other accounts). It then walks every process on the system looking for the following image names: "360Safe.exe", "360tray.exe", "VsTskMgr.exe", "UpdaterUI.exe", "TBMon.exe", "scan32.exe", "VPC32.exe", "VPTRAY.exe", "KRegEx.exe", "kvsrvxp.kxp", "kvsrvxp.exe", "KVWSC.EXE", "Iparmor.exe", "AST.EXE". Any match is killed with TerminateProcess, leaving the system without protection.

The worm copies itself into %SYSTEM32% under the names iexplorer.exe (note the extra "r", mimicking the real iexplore.exe) and explorer.exe, then uses GetDriveType to select removable drives and local fixed disks and writes autorun.inf together with a copy of itself (explorer.exe) to the root of each. The genuine explorer.exe lives in %WINDIR%, not %SYSTEM32%, so a file of that name in system32 or on a drive root is itself an indicator. The autorun.inf contains:

[autorun]
Open=explorer.exe
Shellexecute=explorer.exe
Shell\Auto\command=explorer.exe
Shell=Auto

Open and Shellexecute name the program AutoRun/AutoPlay offers or runs for the drive; Shell\Auto\command defines a custom verb and Shell=Auto makes it the default verb, so double-clicking the drive in Explorer runs the worm as well.

Next the worm modifies the following registry locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue is set to 0.
This breaks the "Show hidden files and folders" option in Folder Options, so the user cannot reveal the hidden dropped files.

HKEY_CLASSES_ROOT\Rising.QuickScan\shell\open\command: set to C:\windows\system32\iexplorer.exe.
This points Rising's right-click quick-scan command at the worm, so attempting a scan launches it instead.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>, for each of the following image names:

360rpt.EXE
360safe.EXE
360tray.EXE
AVP.EXE
AvMonitor.EXE
CCenter.EXE
IceSword.EXE
Iparmor.EXE
KVMonxp.kxp
KVSrvXP.EXE
KVWSC.EXE
Navapsvc.EXE
Nod32kui.EXE
KRegEx.EXE
Frameworkservice.EXE
Mmsk.EXE
Wuauclt.EXE
Ast.EXE
WOPTILITIES.EXE
Regedit.EXE
AutoRunKiller.exe
VPC32.exe
VPTRAY.exe

Under each of these keys the worm adds the value Debugger = "C:\WINDOWS\system32\iexplorer.exe". The Debugger value exists so that Windows can start a developer's chosen debugger whenever a given image is launched, handing it the original command line; once the worm has set it, running any of the programs above starts the worm in their place, and the worm simply never launches the real program. Note that the list covers not only antivirus and anti-rootkit tools but also Regedit.EXE and Wuauclt.EXE (the Windows Update client), so manual registry repair and automatic updates are blocked too.

Next, the worm starts an Iexplore.exe, uses FindWindow to locate its IEFrame window, obtains the process ID with GetWindowThreadProcessId, opens the process, allocates a buffer in it (the analysis names VirtualAlloc; the cross-process form is VirtualAllocEx) and writes a piece of code into it with WriteProcessMemory. That code downloads programs in turn from the URLs below, saves them as C:\winl.pif, C:\winns.pif, C:\system.pif and c:\windows.pif, and runs them. Running the downloader inside Internet Explorer makes the traffic look like browser traffic to a per-application firewall.

The URLs (the percent-encoded prefixes decode to "www.hack..." and "mmbest99..."; the remainder is redacted):
http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
http://%6D%6D%62%65%73%74%39%39%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

These addresses were already dead at the time of analysis, so the kind of malware they served could not be determined.

Finally, the worm calls SetTimer to register a callback that fires every two minutes. The callback copies the worm into %SYSTEM32% again, rewrites autorun.inf and the worm itself to removable drives and local disks, and sends the worm to the victim's contacts through instant-messaging software (QQ and others) under enticing file names such as "my sexy photos"...
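The two hijack artifacts the analysis describes, the autorun.inf written to drive roots and the IFEO Debugger values planted under the security tools' image names, can both be triaged offline from a copy of the file and a `reg export` of the IFEO key. The following Python script is an added example written for this page, not code from the original analysis: the autorun.inf text reproduces the keys quoted above, the .reg excerpt is constructed (three images from the list above plus a `myapp.exe` entry assumed benign because it uses IFEO for something other than Debugger), the `reg export` output is assumed to have been decoded from UTF-16 already, and the "three or more images sharing one Debugger" threshold is a heuristic chosen here to separate a genuine debugger registration from the mass hijack the worm performs.

```python
# Offline triage of the two hijack artifacts described above: the autorun.inf the
# worm drops on drive roots and the IFEO "Debugger" values it plants for security
# tools.  Added example, not from the original analysis; all inputs are constructed.
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed autorun.inf with the exact keys quoted in the analysis.
SAMPLE_AUTORUN_INF = """[autorun]
Open=explorer.exe
Shellexecute=explorer.exe
Shell\\Auto\\command=explorer.exe
Shell=Auto
"""

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed excerpt of `reg export "HKLM\...\Image File Execution Options" ifeo.reg`
# (reg export writes UTF-16; decode before parsing).  myapp.exe is an assumed-benign entry.
SAMPLE_IFEO_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

# Names a removable drive never legitimately carries at its root.
MASQUERADE_NAMES = {"explorer.exe", "iexplore.exe", "iexplorer.exe", "svchost.exe"}
SECTION_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """[autorun] key/value pairs, keys lower-cased.  Hand-rolled because in-the-wild
    files carry junk lines and duplicate keys (last value wins)."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def autorun_findings(values: Dict[str, str]) -> Dict[str, object]:
    """What the file launches, whether a custom verb became the double-click default,
    and which launch targets masquerade as Windows binaries on the drive root."""
    targets = {v for k, v in values.items() if k in ("open", "shellexecute")
               or (k.startswith("shell\\") and k.endswith("\\command"))}
    verb = values.get("shell")
    default_cmd = values.get(f"shell\\{verb.lower()}\\command") if verb else None
    masquerading = sorted(t for t in targets if ntpath.dirname(t) == ""
                          and ntpath.basename(t).lower() in MASQUERADE_NAMES)
    return {"launch_targets": sorted(targets), "default_verb_command": default_cmd,
            "masquerading": masquerading}


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """image name -> Debugger command, for every IFEO subkey that has one."""
    debuggers: Dict[str, str] = {}
    prefix = IFEO_PREFIX.lower() + "\\"
    image: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            image = key[len(prefix):] if key.lower().startswith(prefix) else None
        else:
            value = DEBUGGER_RE.match(line)
            if value and image is not None:
                # .reg string data escapes backslash and quote as \\ and \"
                debuggers[image] = value.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return debuggers


def debugger_target(command: str) -> str:
    """Executable path from a Debugger command: the quoted path, else the first token."""
    command = command.strip()
    return command.split('"')[1] if command.startswith('"') else (command.split() or [""])[0]


def ifeo_hijack_report(debuggers: Dict[str, str], min_shared: int = 3) -> Dict[str, List[str]]:
    """Targets registered as Debugger for at least min_shared images: one path wired to
    many security tools at once is the AV-killer pattern (threshold is an assumption)."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for image, command in debuggers.items():
        by_target[ntpath.normcase(debugger_target(command))].append(image)
    return {t: sorted(imgs) for t, imgs in by_target.items() if len(imgs) >= min_shared}


def remediation_commands(debuggers: Dict[str, str], report: Dict[str, List[str]]) -> List[str]:
    """`reg delete` lines that remove only the hijacked Debugger values."""
    hklm = "HKLM" + IFEO_PREFIX[len("HKEY_LOCAL_MACHINE"):]
    return [f'reg delete "{hklm}\\{image}" /v Debugger /f'
            for image, command in sorted(debuggers.items())
            if ntpath.normcase(debugger_target(command)) in report]
```

Deleting only the Debugger value, rather than the whole IFEO subkey, leaves legitimate settings such as DisableExceptionChainValidation in place; the `reg delete` lines are generated as text so they can be reviewed before being run on the infected host.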