19.exe / pagefile.pif removal guide: the pagefile.pif virus (auto.inf)

  File: 19.exe
  Size: 33495 bytes
  File Version: 0.00.0204
  Modified: 2007-12-29, 21:23:18
  MD5: 4B2BE9775B6CA847FB2547DD75025625
  SHA1: 2660F88591AD4DA8849A3A56F357E7DFB9694D45
  CRC32: 2A485241
  Written in: VB

  1. After the virus runs, it drops the following copies of itself and related files:

  Quote:
  %systemroot%\Debug\DebugProgram.exe
  %systemroot%\system32\command.pif
  %systemroot%\system32\dxdiag.com
  %systemroot%\system32\finder.com
  %systemroot%\system32\MSCONFIG.COM
  %systemroot%\system32\regedit.com
  %systemroot%\system32\rundll32.com
  %systemroot%\1.com
  %systemroot%\ExERoute.exe
  %systemroot%\explorer.com
  %systemroot%\finder.com
  %systemroot%\SERVICES.EXE
  D:\autorun.inf
  D:\pagefile.pif

  2. Escalates its own privileges and attempts to terminate any process whose name matches one of the following patterns:

  Quote:
  360tray*
  ravmon*
  ccenter*
  trojdie*
  kpop*
  ssistse*
  agentsvr*
  kv*
  kreg*
  iefind*
  iparmor*
  uphc*
  rulewize*
  fygt*
  rfwsrv*
  rfwma*
  trojan*
  svi.exe

  3. Tampers with a large number of file associations so that opening those file types launches the virus:

  Quote:
  HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
  HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command: ""C:\Program Files\Internet Explorer\iexplore.com""
  HKLM\SOFTWARE\Classes\Drive\shell\find\command: "%SystemRoot%\explorer.com"
  HKLM\SOFTWARE\Classes\dunfile\shell\open\command: "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
  HKLM\SOFTWARE\Classes\htmlfile\shell\print\command: "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
  HKLM\SOFTWARE\Classes\inffile\shell\Install\command: "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
  HKLM\SOFTWARE\Classes\Unknown\shell\openas\command: "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1" (so even opening a file of unknown type launches the virus, sigh...)
  HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command: ""C:\Program Files\common~1\iexplore.pif""
  (changes the Start menu's Internet Explorer entry to point at the virus's file)
  HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.com appwiz.cpl,NewLinkHere %1"
  HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
  HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command: "rundll32.com shell32.dll,Control_RunDLL "%1",%*"
  HKLM\SOFTWARE\Classes\ftp\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" %1"
  HKLM\SOFTWARE\Classes\htmlfile\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.com" -nohome"
  HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\common~1\iexplore.pif" %1"
  HKLM\SOFTWARE\Classes\HTTP\shell\open\command: ""C:\Program Files\common~1\iexplore.pif" -nohome"
  HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "finder.com shdocvw.dll,OpenURL %l"
  HKLM\SOFTWARE\Classes\scrfile\shell\install\command: "finder.com desk.cpl,InstallScreenSaver %l"
  HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command: ""C:\WINDOWS\system32\finder.com" C:\WINDOWS\system32\scrobj.dll,GenerateTypeLib "%1""
  HKLM\SOFTWARE\Classes\telnet\shell\open\command: "finder.com url.dll,TelnetProtocolHandler %l"
  HKLM\SOFTWARE\Clients\StartMenuInternet: "iexplore.pif"
  ...

  It also adds a new file class, winfiles, whose open command points at C:\WINDOWS\ExERoute.exe,
  and hijacks the .exe association so that it uses that class: HKLM\SOFTWARE\Classes\.exe: "winfiles"

  4. Modifies the {shell} value under the following key, setting it to "Explorer.exe 1":

  Quote:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  5. Connects to the network to steal account names and passwords for online games such as 传奇世界 (World of Legend).

  Removal:

  1. Extract IceSword, rename Icesword.exe to Icesword.com, and run it.
  In the Processes tab, terminate %systemroot%\SERVICES.EXE.
  Click the File button at the lower left and delete the following files:
  %systemroot%\Debug\DebugProgram.exe
  %systemroot%\system32\command.pif
  %systemroot%\system32\dxdiag.com
  %systemroot%\system32\finder.com
  %systemroot%\system32\MSCONFIG.COM
  %systemroot%\system32\regedit.com
  %systemroot%\system32\rundll32.com
  %systemroot%\1.com
  %systemroot%\ExERoute.exe
  %systemroot%\explorer.com
  %systemroot%\finder.com
  %systemroot%\SERVICES.EXE
  D:\autorun.inf
  D:\pagefile.pif

  2. Change the extension of sreng to .bat and run it.
  Under System Repair - File Associations, click Repair.

  3. Repair the system.
  Open the system drive and run %systemroot%\system32\regedit.exe directly (by its full path),
  then restore the registry entries the virus modified:

  Quote:
  HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"
  HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
  HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command: "rundll32.exe shell32.dll,Control_RunDLL "%1",%*"
  HKLM\SOFTWARE\Classes\htmlfile\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
  HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
  HKLM\SOFTWARE\Classes\HTTP\shell\open\command: ""C:\Program Files\Internet Explorer\iexplore.exe" -nohome"
  HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "rundll32.exe shdocvw.dll,OpenURL %l"
  HKLM\SOFTWARE\Classes\scrfile\shell\install\command: "rundll32.exe desk.cpl,InstallScreenSaver %l"
  HKLM\SOFTWARE\Classes\telnet\shell\open\command: "rundll32.exe url.dll,TelnetProtocolHandler %l"
  HKLM\SOFTWARE\Classes\Drive\shell\find\command: "%SystemRoot%\Explorer.exe"
  HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command: ""C:\Program Files\Internet Explorer\iexplore.exe""
  HKLM\SOFTWARE\Classes\dunfile\shell\open\command: "%SystemRoot%\system32\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"
  HKLM\SOFTWARE\Classes\htmlfile\shell\print\command: "rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
  HKLM\SOFTWARE\Classes\inffile\shell\Install\command: "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
  HKLM\SOFTWARE\Classes\Unknown\shell\openas\command: "%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

  Delete the entire HKLM\SOFTWARE\Classes\winfiles subkey.
  Set the {shell} value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon back to Explorer.exe.
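A checker for the file-association and Winlogon tampering described in sections 3 and 4, written as an added example that is not part of the original post: it reads registry entries in the same "key: value" notation used above, flags any command that runs through one of the dropped impostor launchers, and proposes the value from the restore list. The impostor-to-genuine mapping (rundll32.com and finder.com to rundll32.exe, iexplore.com/.pif to iexplore.exe, explorer.com to Explorer.exe, common~1 back to Internet Explorer) is taken from the restore list above, and "exefile" as the default .exe class is the standard Windows value, not something the post states.

```python
import re

# Impostor launchers dropped by the virus (file list above); a command run through one is hijacked.
IMPOSTORS = {"command.pif", "dxdiag.com", "finder.com", "msconfig.com", "regedit.com",
             "rundll32.com", "1.com", "exeroute.exe", "explorer.com", "iexplore.com",
             "iexplore.pif"}
# Genuine binary each impostor stands in for, taken from the restore list above.
RESTORE = {"rundll32.com": "rundll32.exe", "finder.com": "rundll32.exe",
           "iexplore.com": "iexplore.exe", "iexplore.pif": "iexplore.exe",
           "explorer.com": "Explorer.exe"}

def check_entry(key, value):
    """Return ("ok", value) or ("hijacked", value_to_restore) for one registry entry."""
    if key.endswith(r"\Winlogon\Shell"):   # the {shell} value from section 4
        return ("ok", value) if value == "Explorer.exe" else ("hijacked", "Explorer.exe")
    if key.endswith(r"\Classes\.exe"):     # 'winfiles' replaces the default class 'exefile'
        return ("ok", value) if value.lower() == "exefile" else ("hijacked", "exefile")
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)   # program token, quoted-path aware
    name = ((m.group(1) or m.group(2)) if m else "").rsplit("\\", 1)[-1]
    if name.lower() not in IMPOSTORS:
        return ("ok", value)
    fixed = value
    if name.lower() in RESTORE:
        fixed = re.sub(re.escape(name), RESTORE[name.lower()], value, count=1)
        fixed = fixed.replace("common~1", "Internet Explorer")  # iexplore.pif's fake home
    return ("hijacked", fixed)

def scan(export_text):
    """Parse 'key: "value"' lines in the post's notation; map hijacked keys to restore values."""
    findings = {}
    for line in export_text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]            # outer quotes belong to the export, not the value
        verdict, restored = check_entry(key.strip(), value)
        if verdict == "hijacked":
            findings[key.strip()] = restored
    return findings

# Constructed sample in the post's own notation: four hijacked entries and one clean one.
SAMPLE = r'''
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command: ""C:\Program Files\common~1\iexplore.pif" %1"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command: "finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: "rundll32.exe appwiz.cpl,NewLinkHere %1"
HKLM\SOFTWARE\Classes\.exe: "winfiles"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe 1"
'''
```

Running scan(SAMPLE) reports the four hijacked keys with their restore values and leaves the clean .lnk entry alone; the same functions work on any export in this notation, so the full list from section 3 can be checked the same way.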