警告!有人利用Windows Server 2003 R2安装盘传播木马、QQ盗号器!! 图片: 警告!有人利用Windows Server 2003 R2安装盘传播QQ盗号器!! 网上下载的Windows Server 2003 R2安装盘发现有人修改了光盘根目录下的AUTORUN.INF文件,只要插入光盘(包括虚拟光驱)就会运行光盘根目录下的AUTORUN.exe(与微软的SETUP.EXE同样的图标,一模一样的版权信息!)。运行AUTORUN.exe后除了会启动微软的SETUP.EXE之外,将拷贝2个隐藏系统属性的文件:SHELLAPI.DLL;REGINF.EXE到系统的SYSTEM32目录,并在注册表把REGINF.EXE添加为启动项目,还把病毒伪装成系统服务: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv] "Type"=dword:00000010 "Start"=dword:00000002 "ErrorControl"=dword:00000000 "ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\ 53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,65,\ 00,67,00,69,00,6e,00,66,00,2e,00,65,00,78,00,65,00,22,00,00,00 "DisplayName"="Wmi Hardware Management" "ObjectName"="LocalSystem" "Description"="Monitors all hardwares and event trace providers that are configured to publish Windows Management Instrumentation (WMI) or event trace information. If this service is disabled, any services that explicitly depend on it will fail to start." [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\ 00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ 00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\ 05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\ 20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\ 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\ 00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiHardwareSrv\Enum] "0"="Root\\LEGACY_WMIHARDWARESRV\\0000" "Count"=dword:00000001 "NextInstance"=dword:00000001 SHELLAPI.DLL负责把REGINF.EXE(伪装成win2003的语言包,版本为SP1)挂钩到系统进程LSASS.exe中,然后LSASS.exe不断尝试访问211.158.6.107(尼金时代)。REGINF.EXE启动后会在SYSTEM32目录随机生成一个*TMP*.EXE文件,这两个程序互相保护,任何一个被中止或者删除,另一个就拷贝自身并重新启动。 开始用毒霸查不出病毒,改用KV2006才发现原来是QQ盗号器!! 注意:此小人还在利用算号器、激活器等形式,大面积的通过BT和电骡传播病毒!!!希望大家提高警惕,不要让这种无耻小人得逞!!!
如果在刚开机的时候发现“reginf.exe”的进程,或者查看系统服务,其中有一个“Wmi Hardware Management”的服务,则你已经中招。 以下是本人的清除过程,请参考。如有纰漏,请指出。如果大虾有更快捷的方法,也请告诉小弟。 系统环境:Windows Server 2003 Enterprise Edition SP1 English 杀毒软件:VirusScan Enterprise 8.0i+Antispyware Module〔Patch11,06-02-11〕带附加病毒库。 防火墙:Mcafee Desktop Firewall 8.5 Fixpatch2 中毒原因:安装SQL Server 2005所致 必备工具:Autoruns、杀软(VirusScan Enterprise 8.0i+Antispyware Module)、防火墙(Mcafee Desktop Firewall) 1/ 打开Mcafee VirusScan控制台,添加自定义有害程序策略; 2/ 打开任务管理器,结束“reginf.exe”和"lsass.exe",lsass.exe为正常系统进程,结束后会出错,如果你用的是Mcafee Desktop Firewall,将弹出如图的对话框,别理它; 如果你使用的不是Mcafee Desktop Firewall,可能直接弹出关机倒计时窗口,别紧张,打开“运行”,输入:shutdown -a 有可能这样: 3/ 打开“我的电脑”,进入系统的System32目录,打开“显示隐藏文件”和“显示被保护的系统文件”。搜索,打开搜索系统文件和隐藏文件。Mcafee会自动清理。 4/ 打开autoruns,分别删除对应“登陆”和“服务”两类自动运行项目。 删除服务: 5/ 重新启动,有可能Mcafee还会提示有,再次打开autoruns,重复第四步。 Over。