易码技术论坛

 找回密码
 加入易码
搜索
查看: 240376|回复: 5

[求助] 好毒啊,又出来了

[复制链接]
发表于 2006-9-19 22:24:33 | 显示全部楼层
[autorun]啊~....
学校教室和机房的电脑,就没有几个机器没这个东西。
这个可以在cmd下面清除的
发表于 2006-9-20 15:54:09 | 显示全部楼层
关进程。自己仔细找找……
发表于 2006-9-21 15:08:10 | 显示全部楼层
Discovered: May 4, 2006
Updated: May 8, 2006 11:13:02 AM ZE9
Type: Trojan Horse
Infection Length: 55,769 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Trojan.Lootseek.AV is a Trojan horse that disables several security services and opens a back door on the compromised computer.


When Trojan.Lootseek.AV is executed, it performs the following actions:

Creates an svchost.exe process and copies itself to the address space of this newly created process.


Copies an embedded executable to the following location:

%UserProfile%\Local Settings\Temp\tmp1.tmp

Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).


Copies itself to the following location:

%Windir%\system\smss.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Copies the tmp1.tmp file to the following location:

%System%\nvsvcd.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Creates the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log

which creates the following service:

Display name: Windows Log
Startup: Automatic


Adds the value:

".nvsvc" = "%WinDir%\System\smss.exe /w"

to the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Adds svchost.exe to the Windows Firewall's list of authorized processes.


Disables several security services, including the following:

wscsvc
kavsvc
SAVScan
Symantec Core LC
navapsvc
wuauserv


Opens a back door on a random TCP port.


Queries a number of predetermined servers.


-----------------------------------------------------------------------
-----------------------------------------------------------------------
/////////////////////////////////////////////////////////
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

".nvsvc" = "%WinDir%\System\smss.exe /w"


Navigate to and delete the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log


Exit the Registry Editor.
发表于 2006-9-21 15:08:47 | 显示全部楼层
引用第1楼yzk03702006-09-19 22:24发表的“”:
[autorun]啊~....
学校教室和机房的电脑,就没有几个机器没这个东西。
这个可以在cmd下面清除的
同感
 楼主| 发表于 2006-9-23 18:14:50 | 显示全部楼层
晕死,AUTORUN好象没办法在我的FAT硬盘中自动执行。
自己写了个AUTORUN。INF,没运行成功。
 楼主| 发表于 2006-9-19 13:07:26 | 显示全部楼层 |阅读模式
  病毒被杀了,但总自己又重新生成一个新的SETUP.EXE,杀一次出现一次,我估计是中了加了壳的病毒,找不到病毒根源。
相关autorun.inf文件如下:

[autorun]
open=setup.exe
icon=setup.exe,0

以下是病毒文件SETUP.EXE,就是每次杀了之后还会出来的那个XX,请大家帮忙分析,慎重下载:

病毒.rar

39 KB, 下载次数: 12

您需要登录后才可以回帖 登录 | 加入易码

本版积分规则

Archiver|手机版|小黑屋|EMAX Studio

GMT+8, 2021-10-29 01:54 , Processed in 0.020053 second(s), 21 queries .

Powered by Discuz! X3.4

© 2001-2017 Comsenz Inc.

快速回复 返回顶部 返回列表