Today I was looking up information on ldconfig online when ZA suddenly popped up saying that orz.exe wanted to access the network through Explorer.EXE. That felt wrong, so I denied it; then another prompt said Windows Explorer wanted to access the external network, which I denied as well.
By then I knew something was wrong; I just wondered how it had happened. I searched for the file first and found it under C:\Documents and Settings\<username>\Local Settings\Temp. Searching online, it was said to exploit a vulnerability in Flash 9.0, and Firefox was indeed running a fairly old 9.0 build:
You have version 9,0,47,0 installed
At this point I didn't know which site was responsible, but since the malware had already run, running it again hardly mattered, so I refreshed each of the two newly opened pages once. That showed where the problem came from:
http://www.91linux.com/html/article/program/cpp/20090101/15191.html
After the refresh ZA prompted again, and after denying it I found that orz.exe had been updated. At the same time two more files were created in the same directory; before the network access was denied, a zero-byte file with a random name appeared, and it was deleted after the denial. Since Firefox itself is configured to write its cache to the RAM disk at X:\FFCache\Cache, these two files with identical timestamps are very likely both related to the malware, though I didn't analyze them further.
After upgrading to Flash 10 I could no longer reproduce the problem.
ClamWin, which I hadn't used in a long time, did not recognize this file, but a quick scan of memory did turn up a problem:
Scan Started Fri May 15 21:50:26 2009
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 51 processes - 594 modules ***
*** Computer Memory Scan Completed ***
C:\WINDOWS\system32\qmid.dll: Trojan.Spy-13381 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 549445
Engine version: 0.94.1
Scanned directories: 0
Scanned files: 645
Infected files: 1
Data scanned: 393.35 MB
Time: 145.500 sec (2 m 25 s)
--------------------------------------
Completed
--------------------------------------
Looking at the file's creation time, it was created right after orz.exe; trying to delete it was refused, so I knew the malware was still active.
Inspecting processes with tasklist /m, I found that this DLL had already been injected into many programs, for example:
firefox.exe 2484 ntdll.dll, kernel32.dll, js3250.dll,
nspr4.dll, ADVAPI32.dll, RPCRT4.dll,
Secur32.dll, WSOCK32.dll, WS2_32.dll,
msvcrt.dll, WS2HELP.dll, WINMM.dll,
GDI32.dll, USER32.dll, xpcom_core.dll,
plc4.dll, plds4.dll, SHELL32.dll,
SHLWAPI.dll, ole32.dll, VERSION.dll,
smime3.dll, nss3.dll, softokn3.dll,
ssl3.dll, xpcom_compat.dll, comdlg32.dll,
COMCTL32.dll, OLEAUT32.dll, WINSPOOL.DRV,
IMM32.DLL, LPK.DLL, USP10.dll, uxtheme.dll,
sm19help.dll, WININET.DLL, Normaliz.dll,
iertutil.dll, sm28help.dll, sm49help.dll,
fgmgr.dll, nview.dll, PSAPI.DLL,
NTMARTA.DLL, SAMLIB.dll, WLDAP32.dll,
NVWRSZHC.DLL, MSCTF.dll, msctfime.ime,
SETUPAPI.dll, CLBCATQ.DLL, COMRes.dll,
myspell.dll, qmid.dll, mswsock.dll,
hnetcfg.dll, wshtcpip.dll, iphlpapi.dll,
jar50.dll, DNSAPI.dll, winrnr.dll,
qfaservices.dll, FULLSOFT.DLL, msimtf.dll,
xpsp2res.dll, spellchk.dll, msimg32.dll,
rasadhlp.dll, freebl3.dll, nssckbi.dll,
hkvolkey.dll, CRYPT32.dll, MSASN1.dll,
urlmon.dll, mlang.dll, WINTRUST.dll,
IMAGEHLP.dll, wdmaud.drv, msacm32.drv,
MSACM32.dll, midimap.dll, schannel.dll,
NETAPI32.dll, USERENV.dll, RASAPI32.dll,
rasman.dll, TAPI32.dll, rtutils.dll,
msv1_0.dll, sensapi.dll, nvwddi.dll,
NPSWF32.dll, mscms.dll
At first I thought it might be using AppInit_DLLs, but I couldn't find qmid.dll anywhere in the registry. Searching online, there were mentions of it, but the file size and other details didn't match, so this is probably a new variant. The WinSock2 reference in those writeups gave a hint, and after some fiddling I finally discovered that the path is stored in binary form (inside a REG_BINARY value), which is why a string search never found it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000027]
"PackedCatalogItem"=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,\
32,5c,71,6d,69,64,2e,64,6c,6c,00,2e,64,6c,6c,00,6b,73,74,61,74,69,6f,6e,5c,\
76,73,6f,63,6b,6c,69,62,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,\
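As an added example (not the author's code), here is a small Python parser for the exported entry above: it reassembles the REG_BINARY PackedCatalogItem value from regedit's .reg hex syntax, reads the provider path stored at its start, and pulls out any printable residue left behind it. The sample is the page's own dump, which is truncated; the layout assumption is that the value begins with the provider DLL path as a NUL-terminated ANSI string.

```python
import re
# Constructed sample: the Catalog_Entries key quoted in the post; the .reg export
# on the page is cut off after its third continuation line, so the blob is partial.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000027]
"PackedCatalogItem"=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,\
  32,5c,71,6d,69,64,2e,64,6c,6c,00,2e,64,6c,6c,00,6b,73,74,61,74,69,6f,6e,5c,\
  76,73,6f,63,6b,6c,69,62,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,\
'''
PRINTABLE_RUN = re.compile(rb'[\x20-\x7e]{4,}')

def parse_reg_hex(reg_text, value_name):
    """Reassemble a REG_BINARY value from .reg syntax: a 'hex:' byte list that
    regedit wraps across lines, each continued line ending in a backslash."""
    parts, collecting = [], False
    prefix = '"%s"=hex:' % value_name
    for line in reg_text.splitlines():
        line = line.strip()
        if not collecting:
            if not line.startswith(prefix):
                continue
            line, collecting = line[len(prefix):], True
        parts.append(line.rstrip('\\'))
        if not line.endswith('\\'):
            break  # final line of the value carries no continuation
    return bytes(int(b, 16) for b in ''.join(parts).split(',') if b)

def provider_path(item):
    """PackedCatalogItem opens with the provider DLL path as a NUL-terminated
    ANSI string (assumed layout), so a registry string search never matches it."""
    return item.split(b'\x00', 1)[0].decode('latin-1')

def residue_strings(item):
    """Printable runs after the path terminator: unzeroed bytes that can show what the slot held before."""
    tail = item.split(b'\x00', 1)[1] if b'\x00' in item else b''
    return [m.decode('latin-1') for m in PRINTABLE_RUN.findall(tail)]

def inspect_catalog_entry(reg_text):
    """Triage one Catalog_Entries key: its id, the provider DLL every Winsock
    process will load, and leftover fragments in the binary value."""
    key = re.search(r'\\Catalog_Entries\\(\d{12})\]', reg_text)
    item = parse_reg_hex(reg_text, 'PackedCatalogItem')
    path = provider_path(item)
    return {'entry': key.group(1) if key else None, 'path': path,
            'module': path.rpartition('\\')[2].lower(),
            'residue': residue_strings(item)}

if __name__ == '__main__':
    for field, value in inspect_catalog_entry(SAMPLE_REG).items():
        print('%-8s %s' % (field, value))
```

On the quoted blob the residue fragments show that the slot previously held a different, longer provider path whose tail was never overwritten.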
Then I deleted 000000000027. To guard against the malware writing the entry back into the registry, I checked again a while after deleting it and found it had not; nevertheless I killed every process that had loaded this DLL. After rebooting the computer, the file could be deleted.