How to analyze and remove the Trojan.DL.Mnless.ajp virus?

File: eploeree.exe
Size: 11776 bytes
MD5: A1181A46E690DEE626EB9FAF12264DF0
SHA1: 3EF9797B0523E9BD79A349BAE80BEDC667DF41EA
CRC32: D67BEC7E
Packer: PECompact 2.x

Behaviour after execution:

Creates iede2.exe in the root of drive C:.

Adds the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{926A036A-158B-047A-E269-D148B0369C14}, pointing at C:\iede2.exe.

Drives IE to connect to the network and download further trojans from the following URLs:


The downloads are saved in the root of drive C:, named win12.exe through win162.exe.

Once all of the trojans have been dropped, the following files are created:

C:\WINDOWS\system32\drivers\usbine.sys
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\dh2103.dll
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\netsrvcs.dll
C:\WINDOWS\system32\nwizAsktao.dll
C:\WINDOWS\system32\nwizAsktao.exe
C:\WINDOWS\system32\nwizdh.exe
C:\WINDOWS\system32\nwizhx2.dll
C:\WINDOWS\system32\nwizhx2.exe
C:\WINDOWS\system32\RemoteDbg.dll
C:\WINDOWS\system32\windds32.dll
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\WMIApiSrv.dll
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\MsIMMs32.exe
C:\WINDOWS\WinForm.exe

The sreng log is as follows:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

<MsIMMs32><C:\WINDOWS\MsIMMs32.exe> []
<WinForm><C:\WINDOWS\WinForm.exe> []
<AVPSrv><C:\WINDOWS\AVPSrv.exe> []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]

Services
[Windows DHCP Service / WinDHCPsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe windhcp.ocx,input><Microsoft Corporation>
[WMI Performance API / WMIApiSrv][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe WMIApiSrv.dll,input><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[Win32 Display Driver / Win32DDS][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe windds32.dll,input><Microsoft Corporation>
[Wireless Service / WZCSRVC][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe netsrvcs.dll,input><Microsoft Corporation>

Removal steps

Boot into Safe Mode (keep pressing F8 after powering on; when the advanced boot menu appears, choose the first item, Safe Mode, and let the system start).

Open sreng (the tool you used to produce the log above).
Under Startup Items > Registry, delete the following entries (if you recognize any of them or are certain one is not malware, do not delete it):
<MsIMMs32><C:\WINDOWS\MsIMMs32.exe> []
<WinForm><C:\WINDOWS\WinForm.exe> []
<AVPSrv><C:\WINDOWS\AVPSrv.exe> []
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
Under "Startup Items" > "Services" > "Win32 Services", click "Hide verified Microsoft items",
select the following items, click "Delete Service", then click "Set" and choose "No" in the dialog that appears:
Windows DHCP Service / WinDHCPsvc
WMI Performance API / WMIApiSrv
Win32 Debug Service / MSDebugsvc
Win32 Display Driver / Win32DDS
Wireless Service / WZCSRVC
Double-click My Computer, open Tools > Folder Options > View, select "Show hidden files and folders" and clear the check box for "Hide protected operating system files (Recommended)". When asked to confirm the change, click "Yes", then OK.
Then delete the following files:
C:\WINDOWS\system32\drivers\usbine.sys
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\dh2103.dll
C:\WINDOWS\system32\msdebug.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\netsrvcs.dll
C:\WINDOWS\system32\nwizAsktao.dll
C:\WINDOWS\system32\nwizAsktao.exe
C:\WINDOWS\system32\nwizdh.exe
C:\WINDOWS\system32\nwizhx2.dll
C:\WINDOWS\system32\nwizhx2.exe
C:\WINDOWS\system32\RemoteDbg.dll
C:\WINDOWS\system32\windds32.dll
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\WMIApiSrv.dll
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\MsIMMs32.exe
C:\WINDOWS\WinForm.exe
If QQ is installed, delete Timplatform.exe from the QQ installation folder and rename Timplatfrom.exe back to Timplatform.exe.

All of the software mentioned above can be downloaded from down.45it.com.
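As an added example that is not part of the original post: a read-only PowerShell audit that checks the persistence points and dropped files listed above and reports what is present, so an administrator can confirm the infection before clean-up and verify afterwards that nothing survived. It assumes Windows PowerShell 4 or later (for Get-FileHash); every registry location, service name and file name is taken from the post, and the script deletes nothing.

```powershell
# Added read-only audit (not from the original post) for the persistence points
# the post lists. Assumes Windows PowerShell 4+ so Get-FileHash is available.
$runKeys = @{
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                  = 'MsIMMs32','WinForm','AVPSrv'
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = 'twin'
}
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\' +
               '{926A036A-158B-047A-E269-D148B0369C14}'
$services = 'WinDHCPsvc','WMIApiSrv','MSDebugsvc','Win32DDS','WZCSRVC'
$sys32 = "$env:SystemRoot\system32"
$files = @("C:\iede2.exe", "$sys32\drivers\usbine.sys") +
  ('AVPSrv.dll','ctfnom.exe','dh2103.dll','msdebug.dll','MsIMMs32.dll','netsrvcs.dll',
   'nwizAsktao.dll','nwizAsktao.exe','nwizdh.exe','nwizhx2.dll','nwizhx2.exe','RemoteDbg.dll',
   'windds32.dll','windhcp.ocx','WinForm.dll','WMIApiSrv.dll','ztinetzt.exe' |
   ForEach-Object { "$sys32\$_" }) +
  ('AVPSrv.exe','MsIMMs32.exe','WinForm.exe' | ForEach-Object { "$env:SystemRoot\$_" })

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $where, $data) {
  $findings.Add([pscustomobject]@{ Type = $type; Location = $where; Data = $data })
}

# Run and Policies\Explorer\Run values named in the sreng log
foreach ($key in $runKeys.Keys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $runKeys[$key]) {
    if ($null -ne $props.$name) { Add-Finding 'RunValue' "$key\$name" $props.$name }
  }
}
# Active Setup component that relaunches C:\iede2.exe (StubPath holds the command run at logon)
if (Test-Path $activeSetup) {
  Add-Finding 'ActiveSetup' $activeSetup (Get-ItemProperty -Path $activeSetup).StubPath
}
# Services that load the dropped DLLs through "rundll32.exe <dll>,input".
# Note WZCSRVC is a look-alike of the legitimate Wireless Zero Configuration service WZCSVC.
foreach ($svc in $services) {
  $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
  if (Test-Path $svcKey) { Add-Finding 'Service' $svc (Get-ItemProperty -Path $svcKey).ImagePath }
}
# Dropped files, hashed so they can be recorded or submitted before deletion
foreach ($f in $files) {
  if (Test-Path -LiteralPath $f) {
    Add-Finding 'File' $f (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
  }
}
if ($findings.Count -eq 0) { 'No indicators from this post were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt once before the Safe Mode clean-up and once after a normal reboot; a second run that reports nothing confirms the Run values, Active Setup entry, services and files are all gone.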