Virus name: Email-Worm.Win32.Warezov.ev
Virus type: worm
File MD5: E8071DCA2CEA7FEF2316FA749BFD478C
Disclosure: fully public
Severity: 4
File length: 32,772 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 6.0 - 7.0
Packer: unknown packer
Other names: 驱逐舰 [Win32.HLLM.Limar]
             BitDefender [Trojan.Downloader]
Description:
This is an email worm. When run it drops its component files, adds Run and other autostart registry entries so that it is launched at every boot, connects to the network and mails itself out as an attachment, and tampers with the Automatic Updates service.
Behaviour analysis:
1. When run, the worm drops the following files:
%WINDOWS%\crsdata.tmp
%WINDOWS%\dskdata.tmp
%WINDOWS%\dssdata.tmp
%WINDOWS%\msserrv32.c
%WINDOWS%\msserrv32.dat
%WINDOWS%\msserrv32.exe
%WINDOWS%\msserrv32.s
%WINDOWS%\msserrv32.wax
%WINDOWS%\msserrv32.z
%WINDOWS%\msserv32.c
%WINDOWS%\msserv32.dat
%WINDOWS%\msserv32.exe
%WINDOWS%\msserv32.s
%WINDOWS%\msserv32.wax
%WINDOWS%\msserv32.z
%WINDOWS%\skmn32.exe
%system32%\conscdfv.exe
%system32%\dmocwebc.dll
%system32%\e1.dll
%system32%\elrsnfkyhp.exe
%system32%\iyuvkbdb.exe
%system32%\uxthwmer.dll
%system32%\uxthwmer.exe
%system32%\winmfaul.dll
2. Modifies the registry, adding autostart entries so that the worm is launched at every boot:
Created values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value (string): "msserrv32"="C:\WINDOWS\msserrv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value (string): "msserv32"="C:\WINDOWS\msserv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uxthwmer
Value (string): "DllName"="C:\WINDOWS\system32\uxthwmer.dll"
(This registers uxthwmer.dll as a Winlogon notification package: winlogon.exe loads it at logon, so the code runs in a privileged process before any user program starts.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\9482f4b4-e343-43b6-b170-9a65bc822c77
Value (string): "CurrentCacheFile"="C:\WINDOWS\SoftwareDistribution\EventCache.bin"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Value (string): "PendingFileRenameOperations"="\??\C:\WINDOWS\system32\elrsnfkyhp.exe..\??\c:\docume~1\comman~1"
(PendingFileRenameOperations is carried out by the Session Manager at the next boot, before most security software is running. The recorded value is truncated.)
Modified value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
New value (string): "AppInit_DLLs"="e1.dll winmfaul.dll"
Original value (string): "AppInit_DLLs"=""
(Every process that loads user32.dll will now also load these two DLLs.)
Deleted value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Value (string): "Description"="Enables download and installation of Windows updates. If this service is disabled, this computer will not be able to use the automatic update feature of the Windows Update website."
3. Disables automatic updates:
Deleted value (the same wuauserv entry listed under 2):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Value (string): "Description"="Enables download and installation of Windows updates. If this service is disabled, this computer will not be able to use the automatic update feature of the Windows Update website."
Note that deleting the Description string is the only change to the wuauserv service recorded in this analysis; on its own it does not stop the service, so when examining a machine also check the service's Start value and running state rather than relying on this indicator alone.
4. Connects to the network and sends itself as an email attachment. Observed traffic: the host contacted on port 8081, followed by the recipient addresses seen in that session:
Host: www2.endfunjdaswuinjdeshihus.com:8081
submit@virusview.net
hoto@ipbcn.org
gfplus@softhome.net
bik78@mail.ru
bmd2chen@tom.com
shag@apsvans.com
ayaoo@etang.com
ollydbg@t-online.de
hacnho@hotmail.com
mario555@pisem.net
oriontrooper@yahoo.com
smoke@freenet.am
bmd2chen@tom.com.thank
sibaway7@yahoo.com
… …
Host: www1.endfunjdaswuinjdeshihus.com:8081
3dzvirani@lineone.net
3djazz123@hotmail.com
3dmary_jetha@yahoo.ca
atchareeyas@yahoo.com
gogoa@loxinfo.co.th
apinya_chantavaro@yahoo.com
phprw@mahidol.ac.th
punnapar@hotmail.com
vin_5n@hotmail.com
surinthorn@projectorworld.co.th
off_santana@hotmail.com
eapa@hotmail.com
0iqc00m16uaiyy@champ.ims.csloxinfo.com
0iqd00lwyzaip8@champ.ims.csloxinfo.com
ko@minornet.com
0iqh0007or7ugd@champ.ims.csloxinfo.com
0iqh0006hsw5nj@champ.ims.csloxinfo.com
isook_ko@minornet.com
risook_ko@minornet.com
……
Host: www1.endfunjdaswuinjdeshihus.com:8081
t6dd7ed587ec42c48cab10@sgermrly01.ekurhuleninet.com
adrift@africaonline.co.zw
kaomac@intenda.co.za
ebark47@yahoo.com
ebay_packrat@yahoo.com
ebf1961@yahoo.com
ebmacn@yahoo.com
ebony492002usa@yahoo.com
ebonywiggins2003@yahoo.com
ebosidean@yahoo.com
ebrainard61@yahoo.com
ebrawdy103@yahoo.com
ebrew@alltel.net
ebreyne@cableone.net
ebwatson2003@yahoo.com
……
Note: %System% is a variable path. The worm determines the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
--------------------------------------------------------------------------------
Removal:
1. Use Antiy Trojan Defense (安天木马防线) to remove the worm completely (recommended).
2. For manual removal, delete the files and restore the settings listed in the behaviour analysis:
(1) Use the "Process Manager" in Antiy Trojan Defense to terminate the worm's processes (names as recorded in the original; also terminate msserv32.exe and msserrv32.exe if they are running, since those are the executables registered under Run)
Msserw32.exe
6.tmp
Uxthwmer.exe
Ijtconf.exe
Brwconf.exe
Deiconf.exe
(2) Delete the worm's files
%WINDOWS%\crsdata.tmp
%WINDOWS%\dskdata.tmp
%WINDOWS%\dssdata.tmp
%WINDOWS%\msserrv32.c
%WINDOWS%\msserrv32.dat
%WINDOWS%\msserrv32.exe
%WINDOWS%\msserrv32.s
%WINDOWS%\msserrv32.wax
%WINDOWS%\msserrv32.z
%WINDOWS%\msserv32.c
%WINDOWS%\msserv32.dat
%WINDOWS%\msserv32.exe
%WINDOWS%\msserv32.s
%WINDOWS%\msserv32.wax
%WINDOWS%\msserv32.z
%WINDOWS%\skmn32.exe
%system32%\conscdfv.exe
%system32%\dmocwebc.dll
%system32%\e1.dll
%system32%\elrsnfkyhp.exe
%system32%\iyuvkbdb.exe
%system32%\uxthwmer.dll
%system32%\uxthwmer.exe
%system32%\winmfaul.dll
(3) Restore the registry entries the worm modified and delete the entries it added
Created values (delete these):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value (string): "msserrv32"="C:\WINDOWS\msserrv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value (string): "msserv32"="C:\WINDOWS\msserv32.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uxthwmer
Value (string): "DllName"="C:\WINDOWS\system32\uxthwmer.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\9482f4b4-e343-43b6-b170-9a65bc822c77
Value (string): "CurrentCacheFile"="C:\WINDOWS\SoftwareDistribution\EventCache.bin"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Value (string): "PendingFileRenameOperations"="\??\C:\WINDOWS\system32\elrsnfkyhp.exe..\??\c:\docume~1\comman~1"
Modified value (restore the original):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
New value (string): "AppInit_DLLs"="e1.dll winmfaul.dll"
Original value (string): "AppInit_DLLs"=""
Deleted value (restore it):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Value (string): "Description"="Enables download and installation of Windows updates. If this service is disabled, this computer will not be able to use the automatic update feature of the Windows Update website."
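The following script is an added example, not part of the original report and not Antiy's tool. It turns the file and registry indicators from the behaviour analysis and the manual-removal steps above into a PowerShell audit that can optionally carry out the removal in the right order (processes, then persistence, then files). It assumes Windows PowerShell 5.1 or later running as Administrator, resolves %WINDOWS% and %system32% from the running system, and takes the indicator names exactly as this page lists them (the process names ijtconf, brwconf, deiconf and 6.tmp are included as given even though they do not appear in the dropped-file list).

```powershell
# Added example: audit and optionally remove the Warezov.ev artefacts listed in this report.
# Run as Administrator. Supports -WhatIf so the removal can be rehearsed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$win = $env:SystemRoot            # %WINDOWS%
$sys = Join-Path $win 'system32'  # %system32%

# Dropped files from section 1 of the behaviour analysis.
$files = @('crsdata.tmp','dskdata.tmp','dssdata.tmp','skmn32.exe',
    'msserrv32.c','msserrv32.dat','msserrv32.exe','msserrv32.s','msserrv32.wax','msserrv32.z',
    'msserv32.c','msserv32.dat','msserv32.exe','msserv32.s','msserv32.wax','msserv32.z') |
    ForEach-Object { Join-Path $win $_ }
$files += @('conscdfv.exe','dmocwebc.dll','e1.dll','elrsnfkyhp.exe','iyuvkbdb.exe',
    'uxthwmer.dll','uxthwmer.exe','winmfaul.dll') | ForEach-Object { Join-Path $sys $_ }

# Process image names (without extension) from the removal section plus the two Run-key executables.
$procs = 'msserw32','6','uxthwmer','ijtconf','brwconf','deiconf','msserv32','msserrv32'

$run      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$notify   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uxthwmer'
$windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$session  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$wuauserv = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'

$findings = @()
function Add-Finding([string]$what) { $script:findings += $what; Write-Warning $what }

# --- Audit -------------------------------------------------------------------
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Add-Finding "file present: $f" } }
foreach ($p in $procs) { if (Get-Process -Name $p -ErrorAction SilentlyContinue) { Add-Finding "process running: $p" } }

foreach ($v in 'msserrv32','msserv32') {
    $val = (Get-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { Add-Finding "Run value $v = $val" }
}
if (Test-Path $notify) { Add-Finding "Winlogon Notify package registered: $notify" }

$appinit = (Get-ItemProperty -Path $windows -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appinit -match 'e1\.dll|winmfaul\.dll') { Add-Finding "AppInit_DLLs = '$appinit'" }

$pfro = (Get-ItemProperty -Path $session -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pfro -match 'elrsnfkyhp') { Add-Finding 'PendingFileRenameOperations references elrsnfkyhp.exe' }

# The report records only the deletion of the wuauserv Description string. That does not stop
# the service by itself, so report the service's start type and state as well.
$desc = (Get-ItemProperty -Path $wuauserv -Name Description -ErrorAction SilentlyContinue).Description
if (-not $desc) { Add-Finding 'wuauserv Description value is missing' }
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($svc) { Write-Host "wuauserv status: $($svc.Status), start type: $($svc.StartType)" }

if (-not $findings) { Write-Host 'No Warezov.ev indicators found.'; return }

# --- Removal (only with -Remove; honours -WhatIf) ----------------------------
if ($Remove) {
    # Stop the processes first so the files and DLLs are not locked.
    foreach ($p in $procs) { Get-Process -Name $p -ErrorAction SilentlyContinue | Stop-Process -Force }
    # Persistence: Run values, Winlogon Notify key, AppInit_DLLs (restore the recorded original ""), PFRO.
    foreach ($v in 'msserrv32','msserv32') { Remove-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue }
    if (Test-Path $notify) { Remove-Item -Path $notify -Recurse -Force }
    if ($appinit -match 'e1\.dll|winmfaul\.dll') { Set-ItemProperty -Path $windows -Name AppInit_DLLs -Value '' }
    if ($pfro -match 'elrsnfkyhp') { Remove-ItemProperty -Path $session -Name PendingFileRenameOperations }
    # Dropped files last; DLLs loaded via AppInit/Winlogon may stay locked until reboot.
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force -ErrorAction Continue } }
    Write-Host 'Removal attempted. Reboot, re-run this audit, and restore the wuauserv Description value.'
}
```

Run it once without -Remove to see what is present, then with `-Remove -WhatIf` to preview, then with `-Remove`. On 64-bit Windows the Wow6432Node copy of the Windows NT\CurrentVersion\Windows key also carries an AppInit_DLLs value, which this script does not check.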