电脑中了kocmbcd.exe(Virus.Win32.AutoRun.f)病毒怎么办?

电脑中了kocmbcd.exe(Virus.Win32.AutoRun.f)病毒怎么办?

 

Virus.Win32.AutoRun.f病毒分析

病毒文件:kocmbcd.exe
病毒MD5:825622ba4d3f910bdf6f97f585290b35
病毒大小:38780 字节
病毒类型:Autorun型病毒,通过移动盘传播,似乎具备下载者性质

一、病毒运行后生成如下文件:
%systemroot%system32dmecvcm.exe
%systemroot%system32iywdqdf.exe
X:kocmbcd.exe
X:autorun.inf

注:如果你的操作系统在C盘,那么%systemroot%表示C:windows,X表示每一个盘符。dmecvcm.exe、iywdqdf.exe与kocmbcd.exe是同一病毒,其中autorun.inf内容如下:

[AutoRun]
open=kocmbcd.exe
shellopen=打开(&O)
shellopenCommand=kocmbcd.exe
shellopenDefault=1
shellexplore=资源管理器(&X)
shellexploreCommand=kocmbcd.exe

二、修改注册表键值:

1、添加如下注册表项以达到IFEO劫持目的,N多安全软件都被劫持了(共110项),每项下都有类型为REG_SZ的键值Debugger,值为:C:windowssystem32iywdqdf.exe,刚好指向病毒文件iywdqdf.exe。

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRas.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavp.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsruniep.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsPFW.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFYFireWall.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsrfwmain.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsrfwsrv.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVPF.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFW32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsnod32kui.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsnod32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsNavapsvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsNavapw32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavconsol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionswebscanx.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsNPFMntor.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvsstat.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPfwSvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavTask.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRav.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavMon.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmmsk.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsWoptiClean.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsQQKav.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsQQDoctor.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsEGHOST.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360Safe.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsiparmo.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsadam.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsIceSword.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360rpt.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360tray.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAgentSvr.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAppSvc32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsautoruns.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavgrssvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAvMonitor.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsCCenter.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsccSvcHst.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFileDsty.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFTCleanerShell.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsHijackThis.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsIparmor.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsisPwdSvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskabaload.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKASMain.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKASTask.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAV32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVDX.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVPFW.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVSetup.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVStart.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKISLnchr.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKMailMon.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKMFilter.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFW32X.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKRegEx.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKsLoader.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvDetect.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvfwMcl.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvolself.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVSrvXP.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvupload.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvwsc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKWatch.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKWatch9x.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKWatchX.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsloaddll.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsMagicSet.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmcconsol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmmqczj.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsnod32krn.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsPFWLiveUpdate.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsQHSET.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavMonD.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRavStub.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRegClean.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsrfwcfg.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRsAgent.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRsaupd.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssafelive.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsscan32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsshcfg32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSmartUp.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSREng.EXE
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssymlcsvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSysSafe.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrojanDetector.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrojanwall.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUIHost.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxAgent.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxAttachment.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxCfg.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxFwHlp.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUmxPol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUpLive.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsupiea.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavp.com
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKaScrScn.SCR
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKRepair.com
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVCenter.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVMonXP.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVMonXP_1.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvReport.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVScan.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVStub.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvXP.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvXP_1.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrojDie.kxp

2、添加如下注册表键值以达到随机启动的目的:

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunhhsonxn 值:C:windowssystem32dmecvcm.exe 类型:REG_SZ
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunkocmbcd 值:C:windowssystem32iywdqdf.exe 类型:REG_SZ

3、修改如下注册表键值:

HKLMSYSTEMCurrentControlSetServicesAVPStart 值:4 类型:REG_DWORD
HKLMSYSTEMCurrentControlSetServicesSharedAccessStart 值:4 类型:REG_DWORD
HKLMSYSTEMCurrentControlSetServiceshelpsvcStart 值:4 类型:REG_DWORD
HKLMSYSTEMCurrentControlSetServiceswuauservStart 值:4 类型:REG_DWORD
HKLMSYSTEMCurrentControlSetServiceswscsvcStart 值:4 类型:REG_DWORD

三、病毒的其他症状:

病毒进程dmecvcm.exe与iywdqdf.exe互相保护着,结束其中一个进程又会被激活。并且似乎具备下载者性质。为什么说似乎,因为我第一次测试时有发现其他病毒(又是我前几天见到的那几个!),后面测试了3次都没发现,并进行病毒进程的网络行为跟踪也没发现什么异常……

这只Autorun型病毒kocmbcd.exe是弱智型的病毒,没什么值得研究的。不过其IFEO劫持了那么多安全软件我还是第一次遇见……作者真是用心良苦啊,害得我整理这些浪费了不少时间!针对此毒写了一个专杀:Autorun病毒kocmbcd.exe专杀工具(VBS版),下载地址:down.45it.com。有BUG还望指出。

电脑软硬件应用网编辑注解:因病毒可能更新,如专杀失效,建议按照上文进入注册表进行手动删除解决。

 
推荐阅读