遭遇beep.sys/Backdoor.Win32.Agent,DOVA/Backdoor.Win32.Hupigon,myRAT.rmvb/Trojan.Win32.Delf等2

遭遇beep.sys/Backdoor.Win32.Agent,DOVA/Backdoor.Win32.Hupigon,myRAT.rmvb/Trojan.Win32.Delf等2

endurer 原创 2008-06-22 第1版

(继1)

到 http://purpleendurer.ys168.com 下载 FileInfo 和 bat_do。

用FileInfo 提取 pe_xscan 的 log 中红色标记的文件的信息；用 bat_do 打包备份，延时删除，改所选文件名，再延时删除。

下载并安装 瑞星卡卡安全助手，切换到[高级功能]->[系统启动项管理]，

在左边点击[登录项]，在右边找到 F2、O4 项对应的项目，右击，从弹出的菜单里选择删除。

在左边分别点击[服务项]和[驱动]，找到 O23组的对应项， 右击，从弹出的菜单中选择删除。

另外检查发现

文件说明符 : c:/windows/system32/drivers/beep.sys属性 : A---数字签名:否PE文件:是获取文件版本信息大小失败!创建时间 : 2008-6-16 16:30:47修改时间 : 2008-6-16 16:30:48大小 : 2278 字节 2.230 KBMD5 : 57feb7a53fc0fc0d72460c79f6fe4a70SHA1: 426C70291E57437C7F922055D6E9F780582CB6ADCRC32: b4f9768e

（卡巴斯基报为：Backdoor.Win32.Agent.krx[KLAB-5393973]）

也用 bat_do处理了。

用WinRAR删除Windows临时文件夹，IE临时文件夹，c:/windows/prefetch 中可以删除的文件。

重启电脑~

这下电脑工作正常了。

附部分病毒文件信息：

文件 beep.sys 接收于 2008.06.17 11:48:14 (CET) 反病毒引擎 版本 最后更新 扫描结果 AhnLab-V3 2008.6.17.0 2008.06.17 - AntiVir 7.8.0.55 2008.06.17 - Authentium 5.1.0.4 2008.06.17 - Avast 4.8.1195.0 2008.06.16 - AVG 7.5.0.516 2008.06.16 Worm/Agent.N BitDefender 7.2 2008.06.17 - CAT-QuickHeal 9.50 2008.06.16 - ClamAV 0.93.1 2008.06.17 - DrWeb 4.44.0.09170 2008.06.17 - eSafe 7.0.15.0 2008.06.16 - eTrust-Vet 31.6.5881 2008.06.17 - Ewido 4.0 2008.06.16 - F-Prot 4.4.4.56 2008.06.12 - F-Secure 7.60.13501.0 2008.06.17 - Fortinet 3.14.0.0 2008.06.17 - GData 2.0.7306.1023 2008.06.17 - Ikarus T3.1.1.26.0 2008.06.17 - Kaspersky 7.0.0.125 2008.06.17 - McAfee 5318 2008.06.16 - Microsoft 1.3604 2008.06.17 - NOD32v2 3192 2008.06.17 - Norman 5.80.02 2008.06.16 - Panda 9.0.0.4 2008.06.16 - Prevx1 V2 2008.06.17 - Rising 20.49.11.00 2008.06.17 - Sophos 4.30.0 2008.06.17 - Sunbelt 3.0.1153.1 2008.06.15 - Symantec 10 2008.06.17 - TheHacker 6.2.92.352 2008.06.17 - TrendMicro 8.700.0.1004 2008.06.17 - VBA32 3.12.6.7 2008.06.17 - VirusBuster 4.3.26:9 2008.06.12 - Webwasher-Gateway 6.6.2 2008.06.17 - 附加信息 File size: 2278 bytes MD5...: 57feb7a53fc0fc0d72460c79f6fe4a70 SHA1..: 426c70291e57437c7f922055d6e9f780582cb6ad SHA256: 8f374788e5331a514bb7af41349fe2e41d1bf747c3cf6f8c0450f70d7700f62a SHA512: 25496d47a6a7385e517575d4c82b3eaa6f477f5344c0db91d87ee55f0ccec035<BR>834f7cfd854405cdbe784847ffcd5c2c66e1fea2bb34d50bc8bbfef99ffa14da PEiD..: - PEInfo: PE Structure information( base data )entrypointaddress.: 0x102e6timedatestamp.....: 0x4853ae23 (Sat Jun 14 11:40:19 2008)machinetype.......: 0x14c (I386)( 5 sections )name viradd virsiz rawdsiz ntrpy md5.text 0x2a0 0x23c 0x240 5.84 738686680103bf7136d1d58d91449851.rdata 0x4e0 0x94 0xa0 2.56 b3ae866fa0e297874aa7207a07840525.data 0x580 0x18 0x20 0.00 70bc8f4b72a86921468bf8e8441dce51INIT 0x5a0 0x144 0x160 4.44 5d072eceb6de4a7376bf9d6312676161.reloc 0x700 0x58 0x60 3.47 d9b273eae760f0b360a5cdc940e91f18( 1 imports ) > ntoskrnl.exe: IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IofCompleteRequest, DbgPrint, IoDeleteDevice, IoDeleteSymbolicLink, KeServiceDescriptorTable, ProbeForWrite, ProbeForRead, _except_handler3( 0 exports )

文件说明符 : D:/test/myRAT.rmvb属性 : -SH-数字签名:否PE文件:是语言 : 中文(中国)文件版本 : 1.0.0.500说明 : 版权 : 备注 : 产品版本 : 1.0.0.0产品名称 : 公司名称 : 合法商标 : 内部名称 : 源文件名 : 创建时间 : 2008-6-16 2:44:19修改时间 : 2008-6-16 10:44:20大小 : 135680 字节 132.512 KBMD5 : 2d12b069fe76521573f6c7335b5b4b3aSHA1: 4CCF4F2AE88DF6B28544AC5628EE5F87157EBB13CRC32: 6a109c0d

卡巴斯基报为：Trojan-Downloader.Win32.Delf.jdo，瑞星报为：Trojan.Win32.Delf.fck

文件 myRAT.rmvb 接收于 2008.06.17 12:03:37 (CET)

反病毒引擎 版本 最后更新 扫描结果 AhnLab-V3 2008.6.17.0 2008.06.17 - AntiVir 7.8.0.55 2008.06.17 BDS/Backdoor.Gen Authentium 5.1.0.4 2008.06.17 W32/OnlineGames.A.gen!Eldorado Avast 4.8.1195.0 2008.06.16 - AVG 7.5.0.516 2008.06.16 - BitDefender 7.2 2008.06.17 - CAT-QuickHeal 9.50 2008.06.16 - ClamAV 0.93.1 2008.06.17 - DrWeb 4.44.0.09170 2008.06.17 BackDoor.Siggen.18 eSafe 7.0.15.0 2008.06.16 - eTrust-Vet 31.6.5881 2008.06.17 - Ewido 4.0 2008.06.16 - F-Prot 4.4.4.56 2008.06.12 W32/OnlineGames.A.gen!Eldorado F-Secure 7.60.13501.0 2008.06.17 - Fortinet 3.14.0.0 2008.06.17 - GData 2.0.7306.1023 2008.06.17 Trojan-Downloader.Win32.Delf.jdo Ikarus T3.1.1.26.0 2008.06.17 Backdoor.Win32.Delf.RAN Kaspersky 7.0.0.125 2008.06.17 Trojan-Downloader.Win32.Delf.jdo McAfee 5318 2008.06.16 - Microsoft 1.3604 2008.06.17 Backdoor:Win32/Delf.RAN NOD32v2 3193 2008.06.17 - Norman 5.80.02 2008.06.16 - Panda 9.0.0.4 2008.06.16 Suspicious file Prevx1 V2 2008.06.17 - Rising 20.49.11.00 2008.06.17 Trojan.Win32.Delf.fck Sophos 4.30.0 2008.06.17 Troj/Delf-FAH Sunbelt 3.0.1153.1 2008.06.15 - Symantec 10 2008.06.17 - TheHacker 6.2.92.352 2008.06.17 - TrendMicro 8.700.0.1004 2008.06.17 - VBA32 3.12.6.7 2008.06.17 - VirusBuster 4.3.26:9 2008.06.12 - Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Backdoor.Backdoor.Gen

附加信息 File size: 135680 bytes MD5...: 2d12b069fe76521573f6c7335b5b4b3a SHA1..: 4ccf4f2ae88df6b28544ac5628ee5f87157ebb13 SHA256: 48305730acf26f319facfa169e6eb8b07e1cdcb90e0cd34421e0f4d56422ff7b SHA512: 44ef829d1fc28f1412ca9d4b675e31bb255f35c45bd7d1bddb91955988e57ef3<BR>9be30e2d2db3488f5fb7f306ea95dda97d67078c39a85edd1f22d6f1af9ee24c PEiD..: -

PEInfo: PE Structure information

( base data )entrypointaddress.: 0x41c1b4timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)machinetype.......: 0x14c (I386)

( 7 sections )name viradd virsiz rawdsiz ntrpy md5<BR>CODE 0x1000 0x1b208 0x1b400 6.50 1300615699205731585424971640e87b<BR>DATA 0x1d000 0x20f0 0x2200 4.12 711df5be86fe3c18b34b3d17bd67f542<BR>BSS 0x20000 0x1ab5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<BR>.idata 0x22000 0x1a20 0x1c00 4.74 b0c33623819f6d387b0ad873910e4b82.edata 0x24000 0x87 0x200 1.54 e547a716c28ead40f0a419a6f25e807f<BR>.reloc 0x25000 0x15c8 0x1600 6.70 a65c4f4337ad0f54873701703a63ff27.rsrc 0x27000 0x2d8 0x400 2.39 7495ebf8c9de446dfdcdbb598f5522af<BR><BR>( 22 imports ) <BR>&gt; kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, CreateDirectoryA, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandleuser32.dll: GetKeyboardType, MessageBoxAadvapi32.dll: RegQueryvalueExA, RegOpenKeyExA, RegCloseKeyoleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen<BR>&gt; kernel32.dll: TlsSetvalue, TlsGetvalue, TlsFree, TlsAlloc, LocalFree, LocalAllocadvapi32.dll: SetSecurityDescriptorDacl, RevertToSelf, RegSetvalueExA, RegQueryvalueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumvalueA, RegEnumKeyExA, RegDeletevalueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegevalueA, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, GetUserNameA, DuplicateTokenEx, CreateProcessAsUserA, AdjustTokenPrivilegeskernel32.dll: lstrlenA, lstrcpyW, lstrcpyA, lstrcmpiA, lstrcmpW, WriteFile, WinExec, WaitForSingleObject, UnmapViewOfFile, TerminateProcess, Sleep, SetThreadPriority, SetFileTime, SetFilePointer, SetFileAttributesW, SetFileAttributesA, SetEvent, SetErrorMode, ResumeThread, ReleaseMutex, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MoveFileExA, MoveFileA, MapViewOfFile, LocalFileTimeToFileTime, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalAlloc, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTimeFormatW, GetTickCount, GetThreadPriority, GetTempPathA, GetSystemDirectoryA, GetSystemDefaultLangID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceExA, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetComputerNameA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnterCriticalSection, DosDateTimeToFileTime, DeleteFileW, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingW, CreateFileA, CreateEventA, CloseHandlegdi32.dll: SelectObject, GetSystemPaletteEntries, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBColorTable, DeleteObject, DeleteDC, CreatePalette, CreateHalftonePalette, CreateDIBSection, CreateCompatibleDC, BitBlt<BR>&gt; user32.dll: mouse_event, keybd_event, UnhookWindowsHookEx, TranslateMessage, ShowWindow, SetWindowsHookExA, SetCursorPos, SetClipboardData, SendMessageA, ReleaseDC, PostMessageA, PeekMessageA, OpenClipboard, OemToCharA, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, IsWindowVisible, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowLongA, GetSystemMetrics, GetProcessWindowStation, GetParent, GetMessageA, GetDesktopWindow, GetDC, GetCursorPos, GetClipboardData, GetClassNameA, ExitWindowsEx, EnumWindows, EmptyClipboard, DispatchMessageA, DestroyWindow, CloseWindow, CloseClipboard, CallNextHookExkernel32.dll: Sleepshell32.dll: SHFileOperationAadvapi32.dll: UnlockServiceDatabase, StartServiceA, SetServiceStatus, RegisterServiceCtrlHandlerA, QueryServiceStatus, QueryServiceConfigA, OpenServiceA, OpenSCManagerA, LockServiceDatabase, EnumServicesStatusA, DeleteService, CreateServiceA, ControlService, CloseServiceHandle, ChangeServiceConfigA<BR>&gt; wininet.dll: InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandleURLMON.DLL: URLDownloadToFileAshell32.dll: SHGetSpecialFolderPathAimm32.dll: ImmReleaseContext, ImmGetCompositionStringW, ImmGetContext<BR>&gt; ws2_32.dll: WSAIoctl, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, shutdown, setsockopt, send, select, recv, ntohs, ntohl, ioctlsocket, inet_ntoa, inet_addr, htons, htonl, connect, closesocketMSVFW32.DLL: ICSeqCompressFrame, ICSeqCompressFrameEnd, ICSeqCompressFrameStart, ICSendMessage, ICClose, ICOpen, ICInstallAVICAP32.dll: capCreateCaptureWindowA, capGetDriverDescriptionA<BR>&gt; Setupapi.dll: SetupDiClassNameFromGuidA, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiGetClassDevsAshell32.dll: ShellExecuteAwininet.dll: InternetGetConnectedStateEx

( 4 exports )Install, InstallEx, ServerMain, ServiceMain

文件说明符 : D:/test/DOVA属性 : -SHR数字签名:否PE文件:是获取文件版本信息大小失败!创建时间 : 2008-6-16 2:44:38修改时间 : 2008-6-16 16:30:50大小 : 231729 字节 226.305 KBMD5 : 76d5a93a77a4b266ce590864fe2cdae4SHA1: E9E2694515A8D0BEF74E5D4094E49DB4DC46E297CRC32: 3c8f8c39

卡巴斯基报为：Backdoor.Win32.Hupigon.clpz

文件 DOVA 接收于 2008.06.17 11:49:53 (CET)

反病毒引擎 版本 最后更新 扫描结果 AhnLab-V3 2008.6.17.0 2008.06.17 Win32/NSAnti.suspicious AntiVir 7.8.0.55 2008.06.17 BDS/Backdoor.Gen Authentium 5.1.0.4 2008.06.17 W32/Hupigon.A.gen!Eldorado Avast 4.8.1195.0 2008.06.16 Win32:Hupigon-ZA AVG 7.5.0.516 2008.06.16 Generic10.ANTC BitDefender 7.2 2008.06.17 MemScan:Backdoor.Hupigon.ZUW CAT-QuickHeal 9.50 2008.06.16 Win32.Packed.NSAnti.r ClamAV 0.93.1 2008.06.17 - DrWeb 4.44.0.09170 2008.06.17 BackDoor.Pigeon.2254 eSafe 7.0.15.0 2008.06.16 suspicious Trojan/Worm eTrust-Vet 31.6.5881 2008.06.17 - Ewido 4.0 2008.06.16 Backdoor.GrayBird.kx F-Prot 4.4.4.56 2008.06.12 W32/Hupigon.A.gen!Eldorado Fortinet 3.14.0.0 2008.06.17 - GData 2.0.7306.1023 2008.06.17 Backdoor.Win32.Hupigon.clpz Ikarus T3.1.1.26.0 2008.06.17 Packed.Win32.Klone.af Kaspersky 7.0.0.125 2008.06.17 Backdoor.Win32.Hupigon.clpz McAfee 5318 2008.06.16 - Microsoft 1.3604 2008.06.17 VirTool:Win32/Obfuscator.A NOD32v2 3193 2008.06.17 - Norman 5.80.02 2008.06.16 W32/Suspicious_N.gen Panda 9.0.0.4 2008.06.16 Suspicious file Prevx1 V2 2008.06.17 Suspicious Rising 20.49.11.00 2008.06.17 - Sophos 4.30.0 2008.06.17 Sus/UnkPacker Sunbelt 3.0.1153.1 2008.06.15 VIPRE.Suspicious Symantec 10 2008.06.17 - TheHacker 6.2.92.352 2008.06.17 - TrendMicro 8.700.0.1004 2008.06.17 - VBA32 3.12.6.7 2008.06.17 suspected of Backdoor.XiaoBird.1 VirusBuster 4.3.26:9 2008.06.12 Packed/NSPack Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Backdoor.Backdoor.Gen

附加信息 File size: 231729 bytes MD5...: 76d5a93a77a4b266ce590864fe2cdae4 SHA1..: e9e2694515a8d0bef74e5d4094e49db4dc46e297 SHA256: 56002d8d72834e91189ac226b809be2968ddcd199edf74486b8baa527ae64c81 SHA512: 8f414f7d1f035e621db966d760dbba76ff18aeb895c62398e1368522094f45f5<BR>7161dfe25018fca5aff40e881adb66169511403d931220017f334e0e1b8ca80f PEiD..: - PEInfo: PE Structure information( base data )entrypointaddress.: 0x4df028timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)machinetype.......: 0x14c (I386)( 3 sections )name viradd virsiz rawdsiz ntrpy md50x1000 0xde000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e0xdf000 0x39000 0x38531 8.00 15910b31c9cfb5449b6989cf64121b8e0x118000 0x88a 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e( 25 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess> USER32.DLL: GetKeyboardType> ADVAPI32.DLL: RegQueryvalueExA> OLEAUT32.DLL: SysFreeString> KERNEL32.DLL: TlsSetvalue> ADVAPI32.DLL: RegSetvalueExA> KERNEL32.DLL: lstrcpyA> MPR.DLL: WNetOpenEnumA> VERSION.DLL: VerQueryvalueA> GDI32.DLL: UnrealizeObject> USER32.DLL: CreateWindowExA> KERNEL32.DLL: Sleep> OLEAUT32.DLL: SafeArrayPtrOfIndex> COMCTL32.DLL: ImageList_SetIconSize> SHELL32.DLL: Shell_NotifyIconA> WININET.DLL: InternetReadFile> ADVAPI32.DLL: StartServiceA> WSOCK32.DLL: WSACleanup> IMAGEHLP.DLL: CheckSumMappedFile> WINMM.DLL: waveOutWrite> AVICAP32.DLL: capCreateCaptureWindowA> MSACM32.DLL: acmFormatChooseA> WS2_32.DLL: WSAIoctl> ADVAPI32.DLL: SetSecurityInfo> AVICAP32.DLL: capGetDriverDescriptionA( 0 exports ) Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E5A5604431A0EFF889FD0378A1F6E80097A6ED84 packers (Avast): NsPack, NsPack packers (F-Prot): NSPack packers (Authentium): NSPack