Email-Worm.Win32.Zhelatin.bb

Wangchao Baike (王朝百科) · author unknown · 2010-02-19

Name: Email-Worm.Win32.Zhelatin.bb

Type: worm

File MD5: 89ABF35C87A2E20E63CA484364E055C8

Disclosure: fully public

Threat level: 4

File size: 9,310 bytes

Affected systems: Windows 98 and later

Compiler: Microsoft Visual C++ 6.0 - 7.0

Packer: unknown packer

Other names: 驱逐舰 [Trojan.Packed.46]; AntiVir [TR/Small.DBY.BE]

Description:

This sample is a worm (Zhelatin is the Kaspersky family name for what is more widely known as the Storm Worm). When run it drops a large number of files, modifies the registry and adds autostart entries so that it is launched at every boot, connects to the network to download further malicious files, uses ring 0 (kernel-mode) techniques, harvests the e-mail addresses found on the computer and mails itself out with the worm body as the attachment.

Behavior analysis:

1. After running, the worm drops a large number of files:

%WINDIR%\pp.exe
%WINDIR%\via.exe
%WINDIR%\xpupdate.exe
%WINDIR%\comdlg64.dll
%system32%\adirka.dll
%system32%\adirka.exe
%system32%\adirss.exe
%system32%\dd.exe
%system32%\dlh9jkd1q1.exe
%system32%\dlh9jkd1q2.exe
%system32%\dlh9jkd1q5.exe
%system32%\dlh9jkd1q6.exe
%system32%\dlh9jkd1q7.exe
%system32%\dlh9jkd1q8.exe
%system32%\drivers\etc\hosts
%system32%\kernels32.exe
%system32%\lnwin.exe
%system32%\ma.exe.exe
%system32%\max1d641.exe
%system32%\naduhm.dll
%system32%\pfxzmtaim.dll
%system32%\pfxzmtforum.dll
%system32%\pfxzmtgtal.dll
%system32%\pfxzmticq.dll
%system32%\pfxzmtsmt.dll
%system32%\pfxzmtsmtspm.dll
%system32%\pfxzmtwbmail.dll
%system32%\pfxzmtymsg.dll
%system32%\pkfy.dll
%system32%\pp.exe.exe
%system32%\qvx5gamet2.exe
%system32%\qvxga6met3.exe
%system32%\qvxga7met4.exe
%system32%\nsvp32_2.dll
%system32%\sfxzmtforum.dll
%system32%\sfxzmtsmt.dll
%system32%\sfxzmtsmtspm.dll
%system32%\sfxzmtwbmail.dll
%system32%\sm.exe
%system32%\spoolsvv.exe
%system32%\sporder.dll
%system32%\vexg4am1et2.exe
%system32%\vexg6ame4.exe
%system32%\vexga1me4t1.exe
%system32%\vexga3me2.exe
%system32%\vexga4m1et4.exe
%system32%\vexga4me1.exe
%system32%\vexga5me3.exe
%system32%\wincom32.ini
%system32%\zlbw.dll
%system32%\zu.exe.exe
%Documents and Settings%\commander\Local Settings\Temp\31.tmp
%Documents and Settings%\commander\Local Settings\Temp\33.tmp
%Documents and Settings%\commander\Local Settings\Temp\mkeylfa.exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\ma[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\sm[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\60787[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\dd[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\pp[2].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\20509[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\via[1].exe
%Documents and Settings%\commander\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\zu[1].exe

("commander" is the user name on the analysis machine; the Temp and Temporary Internet Files entries are the downloads from section 2 as cached by the browser and the temporary copies the worm makes before running them.)

2. Connects to the network, downloads further files and runs them (addresses masked as in the original report):

http://8*.9*.1*8.1*8/20509.exe
http://8*.9*.1*8.1*8/60787.exe
http://8*.9*.1*8.1*8/soft/1.exe
http://2*8.6*.2*.1*0/test1.exe
http://2*8.6*.2*.1*0/soft/2.exe
http://2*8.6*.2*.1*0/soft/3.exe
http://www.g*yst*g*y.com/task/taskmgr32.exe

3. Registry changes:

Modified registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson
Value: "NumberOfCrashes"
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)

Added registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "System"="C:\WINDOWS\system32\kernels32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "Windows update loader"="C:\Windows\xpupdate.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq
Value: "DllName"="C:\WINDOWS\system32\a3dxq.dll"
Value: "Startup"="Startup"
Value: "Impersonate"=1 (0x1)

(A Winlogon notification package is loaded into winlogon.exe on Windows 2000/XP/2003; the Startup value names the export called at the startup event, and Impersonate=1 makes it run in the logging-on user's context. This is a third autostart path independent of the two Run values above.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
Value: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: "RTimestamp"=1791431567 (0x6ac7138f)

HKEY_CURRENT_USER
Value: "WindowsSubVersion"=21656171 (0x14a726b)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D
Value: "c"=0 (0)

4. Uses ring 0 techniques: registers a kernel driver service named Runtime and loads its driver module:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
Value: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"

5. Searches the computer for e-mail addresses and mails itself to them automatically, with the worm body as the attachment.

Note: %System% is a variable path. The worm asks the operating system for the location of the current System folder. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me and C:\Windows\System32 on Windows XP.


--------------------------------------------------------------------------------

Removal:

1. Antiy Ghostbusters (安天木马防线) removes this worm completely (recommended).

2. For manual removal, delete the files and undo the system changes listed in the behavior analysis:

(1) Use the Antiy Ghostbusters process manager to terminate the worm's processes.

(2) Delete the worm's files, that is, every file listed in section 1 of the behavior analysis. Treat %system32%\drivers\etc\hosts differently: it is a legitimate system file that the worm overwrites, so restore it to its original content (by default only the localhost entry) rather than deleting it.

(3) Restore the registry values the worm modified and delete the ones it added, as listed in sections 3 and 4 of the behavior analysis:

Modified registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson
Value: "NumberOfCrashes"
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)

Added registry values (delete):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "System"="C:\WINDOWS\system32\kernels32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "Windows update loader"="C:\Windows\xpupdate.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq
Value: "DllName"="C:\WINDOWS\system32\a3dxq.dll"
Value: "Startup"="Startup"
Value: "Impersonate"=1 (0x1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
Value: "ImagePath"="\??\C:\WINDOWS\System32\drivers\runtime.sys"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: "RTimestamp"=1791431567 (0x6ac7138f)

HKEY_CURRENT_USER
Value: "WindowsSubVersion"=21656171 (0x14a726b)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D
Value: "c"=0 (0)
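The following script is an added example and is not part of the Antiy report or of any Antiy tool. It turns sections 1, 3 and 4 of the behavior analysis into a host check: it looks for the dropped files, the two Run values, the Winlogon\Notify\A3dxq key, the Runtime driver service and the marker values, shows the hosts file for review, and with -Remove carries out step 2 of the manual removal (stop the driver service and processes, delete files and registry entries). It assumes %WINDIR% and the current user's %TEMP% in place of the report's sandbox paths (the report's "commander" is the sandbox user name) and that HKCU means the user running it; the file names a3dxq.dll and drivers\runtime.sys are taken from the registry entries, since the dropped-file list does not mention them.

```powershell
<#
Added example; not code from the Antiy report above. Audits the local host for the files and
persistence entries the report attributes to Email-Worm.Win32.Zhelatin.bb (sections 1, 3 and 4)
and, with -Remove, deletes what it found. Run from an elevated PowerShell prompt.
Assumptions: %WINDIR% and the current user's %TEMP% stand in for the report's sandbox paths
(its "commander" is the sandbox user name), and HKCU means the user running the script.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$win       = $env:WINDIR
$sys32     = Join-Path $win 'system32'
$sampleMd5 = '89ABF35C87A2E20E63CA484364E055C8'   # MD5 of the analysed sample, from the report header

# Dropped files (section 1) plus a3dxq.dll and drivers\runtime.sys, which only the registry entries name.
# drivers\etc\hosts is deliberately absent: it is a legitimate file the worm overwrites, reviewed below.
$sys32Names = 'adirka.dll','adirka.exe','adirss.exe','dd.exe','dlh9jkd1q1.exe','dlh9jkd1q2.exe',
    'dlh9jkd1q5.exe','dlh9jkd1q6.exe','dlh9jkd1q7.exe','dlh9jkd1q8.exe','kernels32.exe','lnwin.exe',
    'ma.exe.exe','max1d641.exe','naduhm.dll','pfxzmtaim.dll','pfxzmtforum.dll','pfxzmtgtal.dll',
    'pfxzmticq.dll','pfxzmtsmt.dll','pfxzmtsmtspm.dll','pfxzmtwbmail.dll','pfxzmtymsg.dll','pkfy.dll',
    'pp.exe.exe','qvx5gamet2.exe','qvxga6met3.exe','qvxga7met4.exe','nsvp32_2.dll','sfxzmtforum.dll',
    'sfxzmtsmt.dll','sfxzmtsmtspm.dll','sfxzmtwbmail.dll','sm.exe','spoolsvv.exe','sporder.dll',
    'vexg4am1et2.exe','vexg6ame4.exe','vexga1me4t1.exe','vexga3me2.exe','vexga4m1et4.exe',
    'vexga4me1.exe','vexga5me3.exe','wincom32.ini','zlbw.dll','zu.exe.exe','a3dxq.dll','drivers\runtime.sys'
$files = @($sys32Names | ForEach-Object { Join-Path $sys32 $_ }) +
         @('pp.exe','via.exe','xpupdate.exe','comdlg64.dll' | ForEach-Object { Join-Path $win $_ }) +
         @('31.tmp','33.tmp','mkeylfa.exe' | ForEach-Object { Join-Path $env:TEMP $_ })

# Persistence and marker values (sections 3 and 4). A Run value is only flagged when it launches the
# worm's file name, so an unrelated value that happens to be called "System" is left alone; the
# marker values are flagged on presence alone, as the report lists them as infection artefacts.
$values = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';      Name = 'System';                Expect = 'kernels32.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';      Name = 'Windows update loader'; Expect = 'xpupdate.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'RTimestamp';            Expect = '' },
    @{ Key = 'HKCU:\';                                                   Name = 'WindowsSubVersion';     Expect = '' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Direct3D';                        Name = 'c';                     Expect = '' }
)
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Runtime'

$findings = New-Object System.Collections.Generic.List[object]
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { continue }
    $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
    $note = if ($md5 -eq $sampleMd5) { 'MD5 matches the analysed sample' } else { "MD5 $md5" }
    $findings.Add([pscustomobject]@{ Type = 'File'; Path = $f; Name = ''; Detail = $note })
}
foreach ($v in $values) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = [string]$item.($v.Name)
    if ($v.Expect -and $data -notlike "*$($v.Expect)*") { continue }
    $findings.Add([pscustomobject]@{ Type = 'Value'; Path = $v.Key; Name = $v.Name; Detail = $data })
}
foreach ($k in $keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $p = Get-ItemProperty -LiteralPath $k
    $findings.Add([pscustomobject]@{ Type = 'Key'; Path = $k; Name = ''; Detail = (@($p.DllName, $p.ImagePath) -join ' ').Trim() })
}

# The hosts file is shown for manual review: anything beyond the localhost line deserves a look.
$hostsExtra = @(Get-Content -LiteralPath (Join-Path $sys32 'drivers\etc\hosts') -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' })
$procs = @(Get-Process | Where-Object { $_.Path -and ($files -contains $_.Path) })

if ($findings.Count -eq 0 -and -not $procs -and -not $hostsExtra) { 'No Zhelatin.bb indicators found.' }
$findings | Format-Table -AutoSize
if ($procs)      { 'Running worm processes: ' + (($procs | ForEach-Object { "$($_.Name) (PID $($_.Id))" }) -join ', ') }
if ($hostsExtra) { 'Non-default hosts entries to review:'; $hostsExtra }
if (-not $Remove) { return }

# Removal order: take the driver service down and stop the processes before deleting their images.
# A loaded rootkit driver may refuse to stop; if sc.exe reports failure, finish the cleanup offline.
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\Runtime') {
    if ($PSCmdlet.ShouldProcess('Runtime', 'Stop driver service')) { & sc.exe stop Runtime | Out-Null }
}
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop process')) { Stop-Process -Id $p.Id -Force }
}
foreach ($hit in $findings) {
    switch ($hit.Type) {
        'File'  { if ($PSCmdlet.ShouldProcess($hit.Path, 'Delete file')) { Remove-Item -LiteralPath $hit.Path -Force } }
        'Value' { if ($PSCmdlet.ShouldProcess("$($hit.Path) [$($hit.Name)]", 'Delete value')) { Remove-ItemProperty -LiteralPath $hit.Path -Name $hit.Name -Force } }
        'Key'   { if ($PSCmdlet.ShouldProcess($hit.Path, 'Delete key')) { Remove-Item -LiteralPath $hit.Path -Recurse -Force } }
    }
}
```

Run it without arguments to report only, with -Remove -WhatIf to preview the deletions, and with -Remove to clean. It does not touch DrWatson\NumberOfCrashes, which is a crash counter rather than a persistence point, and it only deletes what it positively matched, so a value named "System" that launches something other than kernels32.exe is left for the operator to judge. Winlogon notification packages are honoured only by Windows 2000/XP/2003; on later versions the Notify\A3dxq key is inert but still worth deleting. If the Runtime service cannot be stopped, the driver is still loaded and the files it protects may reappear; in that case finish the cleanup from offline media.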

 
 
 