About iexplore.exe

#1, posted 2003-03-07 16:26
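The other day bingbing mentioned iexplore.exe, and at the time I really thought iexplore.exe had been misread as iexplorer.exe. Today a colleague's Norton found a virus in iexplore.exe, and only on a closer look did I realize that IE actually is iexplore.exe. How stupid of me.

The infected file that was found is \winnt\system32\iexplore.exe, not \program files\internet explorer\iexplore.exe, and the antivirus software could neither clean nor quarantine it, so the way to handle it is:
1. Search the registry for entries containing the string system32\iexplore.exe and delete them.
2. Delete the file \winnt\system32\iexplore.exe in Safe Mode.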

#2, posted 2003-03-07 17:52

Link: http://www.der-keiler.de/Mailing-Lists/securityfocus/incidents/2001-10/0151.html

Trojan Program Thread
From: Mike Peterson (slidefx@yahoo.com)
Date: 10/19/01

Message-ID: <20011019190326.63559.qmail@web13108.mail.yahoo.com>
Date: Fri, 19 Oct 2001 12:03:26 -0700 (PDT)
From: Mike Peterson <slidefx@yahoo.com>
Subject: Trojan Program Thread
To: incidents@securityfocus.com

It looks like the mystery Trojan is Mini Oblivion by
the Rat Pack. I have passed the iexplore.exe to
Symantec.


General Description was that
iexplore.exe was placed in c:\winnt\system32
Five registry keys were found
HKEY_LOCAL_MACHINE....Windows\CurrentVersion\Run\Default
Web browser "C:\winnt\system32\iexplore.exe"
HKEY_LOCAL_MACHINE....Windows\CurrentVersion\RunServices\Default
web browser "C:\winnt\system32\iexplore.exe"
HKEY_LOCAL_MACHINE....WindowsNT\CurrentVersion\Winlogon\Shell
"explorer.exe iexplore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\Run "iexpIore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\Load "iexpIore.exe"


Thanks for everyone who responded.


Web Page for Mini Oblivion
http://www.sinred.com/trojans/minioblivion.shtml
(Not written by me)


> Does anyone have information on a IRC Trojan with the
> following characteristics.
>
> Opens IRC channels on 6667 and connects to some IRC
> channel on 6668.
>
> It sets a registry key
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default
> web browser = "c:\winnt\system32\iexplore.exe"
>
> And changes the shell
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
> changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"
>
> I found a 9 KB file named iexplore.exe in
> c:\winnt\system32 and also found the iexplore.exe
> process running.
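
Added example (not part of the thread or of the quoted mail): a Python check that audits autostart entries for the three patterns the mail reports, namely an iexplore.exe launched from outside the Internet Explorer directory, a program appended to the Winlogon Shell value, and the look-alike name iexpIore.exe written with a capital I. The helper names, the drive letter of the legitimate directory and the sample entries are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: the genuine browser lives here (directory from the first post; drive letter assumed).
LEGIT_DIR = r"c:\program files\internet explorer"
# Characters that are easy to mistake for one another in a file name.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

def skeleton(name):
    """Fold confusable characters so 'iexpIore.exe' and 'iexplore.exe' compare equal."""
    return name.lower().translate(CONFUSABLE)

def commands(data):
    """Split a registry value into its quoted or whitespace-separated command tokens."""
    return [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', data)]

def audit(entries):
    """Return (key, value name, token, reason) for each suspicious autostart token."""
    findings = []
    for key, name, data in entries:
        is_shell = key.lower().endswith("winlogon") and name.lower() == "shell"
        for i, tok in enumerate(commands(data)):
            base = ntpath.basename(tok)
            folder = ntpath.dirname(tok).lower()
            if is_shell and i > 0:
                findings.append((key, name, tok, "extra program appended to Winlogon Shell"))
            elif base.lower() == "iexplore.exe" and folder != LEGIT_DIR:
                findings.append((key, name, tok, "iexplore.exe outside the Internet Explorer directory"))
            elif base.lower() != "iexplore.exe" and skeleton(base) == skeleton("iexplore.exe"):
                findings.append((key, name, tok, "look-alike of iexplore.exe"))
    return findings

# Constructed sample modelled on the values reported in the mail, plus one benign entry.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Default Web browser", r'"C:\winnt\system32\iexplore.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe iexplore.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Load", "iexpIore.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Browser", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

A bare `iexplore.exe` with no directory is flagged as well, since it is resolved through the search path rather than from the Internet Explorer directory.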




#3, posted 2003-03-07 19:59

Thanks~~
But I still haven't found anything~~

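#4, posted 2003-03-09 00:02

I tried all afternoon and still don't know how to remove it. I delete it in Safe Mode, and in normal mode it reappears by itself, as if it were being copied over from somewhere else, but I really can't find where it is, and I can't find it in the registry either. Frustrating...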