Analysis of the Autorun virus kocmbcd.exe, with a removal tool
2007-05-30 17:44

Yesterday I picked up this sample, kocmbcd.exe, from the 流氓怕武术 forum; Kaspersky detects it as Virus.Win32.AutoRun.f. I analyzed it and, while at it, wrote a removal tool (VBS version). The download link is at the end of the post; see the short readme inside the tool package. This virus is fairly aggressive in one respect: it uses IFEO (Image File Execution Options) hijacking against a large number of security products. Otherwise there is nothing special about it. The analysis follows:

Virus.Win32.AutoRun.f analysis

Virus file: kocmbcd.exe
MD5: 825622ba4d3f910bdf6f97f585290b35
Size: 38780 bytes
Type: Autorun virus; spreads via removable disks; appears to have downloader functionality

I. Files created when the virus runs:
%systemroot%\system32\dmecvcm.exe
%systemroot%\system32\iywdqdf.exe
X:\kocmbcd.exe
X:\autorun.inf

Note: if your operating system is on drive C, %systemroot% is C:\windows; X stands for every drive letter on the machine. dmecvcm.exe, iywdqdf.exe and kocmbcd.exe are copies of the same virus. autorun.inf contains the following; the labels 打开(&O) and 资源管理器(&X) are the Chinese Explorer menu texts for Open and Explore, so the redirected verbs look like the normal context-menu entries:

[AutoRun]
open=kocmbcd.exe
shell\open=打开(&O)
shell\open\Command=kocmbcd.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=kocmbcd.exe
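As an added example (this is not the author's VBS tool and not code from the post), the following Python parses an autorun.inf of the kind shown above and flags every key that makes Explorer start a program: open=, shellexecute= and shell\<verb>\command=. The sample text is a constructed copy of the file listed above; the executable-extension list, the function names and the report structure are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a copy of the autorun.inf the post lists (not read from a real drive).
SAMPLE_AUTORUN_INF = """[AutoRun]
open=kocmbcd.exe
shell\\open=打开(&O)
shell\\open\\Command=kocmbcd.exe
shell\\open\\Default=1
shell\\explore=资源管理器(&X)
shell\\explore\\Command=kocmbcd.exe
"""

# File types Windows will execute directly from an open=/shellexecute=/command= line (assumed list).
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|pif|scr|vbs|vbe|js|jse|wsf|hta)(?![\w.])", re.I)


@dataclass
class AutorunReport:
    launchers: dict = field(default_factory=dict)     # key -> command line that starts a program
    payloads: set = field(default_factory=set)        # program names referenced by those keys
    hijacked_verbs: set = field(default_factory=set)  # Explorer verbs (open, explore, ...) redirected

    def is_malicious(self) -> bool:
        # On a removable disk, any key that launches a program is the infection pattern.
        return bool(self.payloads)


def parse_autorun_inf(text: str) -> dict:
    """Return the key=value pairs of the [AutoRun] section, keys lower-cased, '/' normalised to '\\'.

    Anything that is not a key=value line inside [AutoRun] is skipped, because infected
    autorun.inf files are often padded with junk lines meant to break naive parsers.
    """
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower().replace("/", "\\")] = value.strip()
    return entries


def _program(cmdline: str) -> str:
    """First token of a command line, honouring a quoted path that contains spaces."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline.split() else cmdline


def analyze_autorun_inf(text: str) -> AutorunReport:
    """Flag every key that makes Explorer run a program: open=, shellexecute=, shell\\<verb>\\command=."""
    report = AutorunReport()
    for key, value in parse_autorun_inf(text).items():
        parts = key.split("\\")
        is_verb_command = len(parts) == 3 and parts[0] == "shell" and parts[2] == "command"
        if key not in ("open", "shellexecute") and not is_verb_command:
            continue
        if not EXEC_EXT.search(value):
            continue
        report.launchers[key] = value
        report.payloads.add(_program(value).replace("/", "\\").rsplit("\\", 1)[-1].lower())
        if is_verb_command:
            report.hijacked_verbs.add(parts[1])
    return report


if __name__ == "__main__":
    r = analyze_autorun_inf(SAMPLE_AUTORUN_INF)
    print("malicious:", r.is_malicious(), "payloads:", r.payloads, "verbs:", r.hijacked_verbs)
```

Run against the sample it reports kocmbcd.exe as the payload and open and explore as the redirected verbs, which is exactly why double-clicking the drive or choosing Explore from its context menu runs the virus. Treat the result as a triage signal: on a pressed CD an open=setup.exe line is the normal installer pattern, but on a USB stick or hard-disk root there is no legitimate reason for any of these keys.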

II. Registry changes:

1. The following keys are added for IFEO hijacking. A large number of security products are covered (110 entries in total). Each key carries a REG_SZ value named Debugger set to C:\windows\system32\iywdqdf.exe, i.e. the virus file iywdqdf.exe. Windows consults this key whenever an image with that file name is started and launches the "debugger" instead, passing the original command line as an argument; the virus simply ignores the argument, so the security tool never runs. Because the match is on the image file name only, renaming a tool such as IceSword or SREng before running it is enough to get past the hijack while you clean up.

Subkeys created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (one per hijacked image name):

Ras.exe
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KRegEx.exe
KsLoader.exe
KvDetect.exe
KvfwMcl.exe
kvol.exe
kvolself.exe
KVSrvXP.exe
kvupload.exe
kvwsc.exe
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
avp.com
KaScrScn.SCR
KRepair.com
KVCenter.kxp
KVMonXP.kxp
KVMonXP_1.kxp
KvReport.kxp
KVScan.kxp
KVStub.kxp
KvXP.kxp
KvXP_1.kxp
TrojDie.kxp

2. The following values are added so the virus starts with the system:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hhsonxn   value: C:\windows\system32\dmecvcm.exe   type: REG_SZ
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kocmbcd   value: C:\windows\system32\iywdqdf.exe   type: REG_SZ

3. The following values are modified (Start = 4 disables the service; AVP is Kaspersky, SharedAccess is Windows Firewall/Internet Connection Sharing, helpsvc is Help and Support, wuauserv is Automatic Updates, wscsvc is Security Center):

HKLM\SYSTEM\CurrentControlSet\Services\AVP\Start   value: 4   type: REG_DWORD
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start   value: 4   type: REG_DWORD
HKLM\SYSTEM\CurrentControlSet\Services\helpsvc\Start   value: 4   type: REG_DWORD
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start   value: 4   type: REG_DWORD
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start   value: 4   type: REG_DWORD
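As an added example covering the three registry changes in section II (this is not the author's removal tool and not code from the post), the following Python audits a registry snapshot for IFEO Debugger hijacks, virus Run entries and disabled services, and generates a .reg file that undoes them. The snapshot is constructed from the entries listed above, with one legitimate windbg IFEO entry, one normal ctfmon Run entry and one untouched service added to show they are left alone. KNOWN_DEBUGGERS is an assumed allow-list, and SERVICE_DEFAULTS assumes the XP SP2 default of Start = 2 (Automatic) for the five services.

```python
import sys

IFEO_SUB = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO = "HKEY_LOCAL_MACHINE\\" + IFEO_SUB
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Debuggers that may legitimately appear in an IFEO Debugger value on a developer machine
# (assumed allow-list; anything else is treated as a hijack).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# Start values to restore (assumed XP SP2 defaults: 2 = Automatic) for the services the virus disables.
SERVICE_DEFAULTS = {"AVP": 2, "SharedAccess": 2, "helpsvc": 2, "wuauserv": 2, "wscsvc": 2}

# Dropped files named in the analysis above.
VIRUS_FILES = {"dmecvcm.exe", "iywdqdf.exe", "kocmbcd.exe"}

# Constructed registry snapshot: three of the hijacked images from the list above plus one
# legitimate windbg entry, the two virus Run values plus a normal ctfmon entry, and the
# five disabled services plus one untouched service.
SAMPLE_IFEO = {
    "avp.exe": r"C:\windows\system32\iywdqdf.exe",
    "360Safe.exe": r"C:\windows\system32\iywdqdf.exe",
    "IceSword.exe": r"C:\windows\system32\iywdqdf.exe",
    "notepad.exe": r'"C:\Program Files\Debugging Tools for Windows\windbg.exe"',
}
SAMPLE_RUN = {
    "hhsonxn": r"C:\windows\system32\dmecvcm.exe",
    "kocmbcd": r"C:\windows\system32\iywdqdf.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SERVICES = {"AVP": 4, "SharedAccess": 4, "helpsvc": 4, "wuauserv": 4, "wscsvc": 4, "Dhcp": 2}


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(ifeo: dict) -> dict:
    """{image name: Debugger value} for every Debugger that is not a known debugger."""
    return {img: dbg for img, dbg in ifeo.items() if _basename(dbg) not in KNOWN_DEBUGGERS}


def find_run_entries(run: dict, virus_files=VIRUS_FILES) -> dict:
    """Run values whose program is one of the dropped virus files."""
    return {name: cmd for name, cmd in run.items() if _basename(cmd) in virus_files}


def find_disabled_services(services: dict, defaults=SERVICE_DEFAULTS) -> dict:
    """Services from the default table that the virus set to Start=4 (Disabled)."""
    return {svc: start for svc, start in services.items() if svc in defaults and start == 4}


def build_cleanup_reg(ifeo: dict, run: dict, services: dict) -> str:
    """Emit a .reg file: '"Debugger"=-' deletes the hijack value, '"name"=-' deletes a Run value,
    and Start is rewritten as a REG_DWORD. CRLF line endings, as regedit expects."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for img in sorted(find_ifeo_hijacks(ifeo)):
        lines += [f"[{IFEO}\\{img}]", '"Debugger"=-', ""]
    run_hits = find_run_entries(run)
    if run_hits:
        lines += [f"[{RUN}]", *(f'"{name}"=-' for name in sorted(run_hits)), ""]
    for svc in sorted(find_disabled_services(services)):
        lines += [f"[{SERVICES}\\{svc}]", f'"Start"=dword:{SERVICE_DEFAULTS[svc]:08x}', ""]
    return "\r\n".join(lines)


def read_live_ifeo() -> dict:
    """Collect {image: Debugger} from the live registry on Windows; empty dict elsewhere.
    Subkeys without a Debugger value (e.g. ones that only set GlobalFlag) are skipped."""
    if sys.platform != "win32":
        return {}
    import winreg
    found, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_SUB) as root:
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    found[name] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                pass
    return found


if __name__ == "__main__":
    snapshot = read_live_ifeo() or SAMPLE_IFEO
    print(build_cleanup_reg(snapshot, SAMPLE_RUN, SAMPLE_SERVICES))
```

Import the generated .reg only after the two virus processes have been stopped and the dropped files deleted; as section III notes, each process restarts the other, and a running copy will simply rewrite the keys. The name-based allow-list is a triage filter, not proof: on an ordinary workstation there is normally no Debugger value at all, and a value that points at a randomly named file in system32 is a hijack whatever name the file carries.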

III. Other symptoms:

The two virus processes dmecvcm.exe and iywdqdf.exe guard each other: kill one and the other restarts it. The system date is changed to 15 November 1980, Kaspersky and other scanners stop working, and double-clicking any drive letter launches the virus. It also seems to act as a downloader. I say "seems" because on my first test run I found other malware on the machine (the same samples I had seen a few days earlier!), but in three later runs nothing appeared, and tracing the virus process's network activity showed nothing unusual either.

This Autorun virus kocmbcd.exe is a dumb one; there is nothing in it worth studying. But this is the first time I have seen one IFEO-hijack so many security products. The author certainly went to a lot of trouble, and cataloguing all those entries cost me a fair amount of time! I wrote a removal tool for it: Autorun virus kocmbcd.exe removal tool (VBS version), click to download. It is also on my file share: http://ycosxhack.ys168.com/. Please report any bugs. If you want to know how the removal tool is built, see: VBS virus-removal template (病毒专杀VBS模板).

Removal tool updates:

Updated on the morning of 31 May 2007; the tool package contains a short readme. Some people report that it removed the virus successfully, others that it failed. Why? It succeeded in my tests as well. I made another update this morning. If it failed for you, please write down what happened so I can analyze it.

Update, 31 May 2007 12:00: with this infection Safe Mode cannot be entered, and trying to enter it may produce a blue screen. I have added "修复XPSP2无法进入安全模式.rar" (a fix for XP SP2 being unable to enter Safe Mode; the file comes from 开心企鹅's lab) to the tool package; it is a .reg file. Also, this virus does appear to be a downloader, and seems to have a latent period.

Update, 31 May 2007 13:00: after the virus is removed, Safe Mode still cannot be entered; run the .reg file from "修复XPSP2无法进入安全模式.rar" in the tool package to repair it. If that fails, press F8 while the computer restarts and choose "Last Known Good Configuration"; that should work. The package contains a short readme.

Removal tool note: a reader (孤单) reports that the generated virus file names are random. If so, after running my tool delete the virus files by hand, following the paths given in the analysis above; do the same for the registry autostart entries. Don't be afraid of this virus; it is not a file infector (unlike the much-hyped 熊猫烧香, "Panda Burning Incense"). Remember to disconnect from the network while cleaning... That said, across many test runs I never saw random file names.
