Worm.Win32.Fujack.b


   

Virus name: Worm.Win32.Fujack.b
Chinese name: 熊猫烧香变种 (Panda Burning Incense variant)
Virus type: worm
File MD5: 5635121EEFE47333D00FFF1FD4A5021F
Disclosure scope: fully public
Threat level: high
File length: 57,344 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0 [Overlay]
Packer: ARVID's TDR file
Names used by other vendors: 驱逐舰 [Win32.HLLP.Whboy]
                             Rising (瑞星) [Worm.Nimaya.av]

Description:
  After execution, the virus drops its files into the system directory and adds registry auto-run entries so that the virus body is launched whenever the system boots. It creates an autorun.inf file in the root of every logical drive to lure the user into double-clicking the drive and thereby running the virus body. It injects a virus thread into system processes, runs the virus process spcolsv.exe, intercepts API calls made by other processes, and closes applications such as Task Manager. The virus may spread across the local area network.

Behaviour analysis:
1. Drops the following copies and files

C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\drivers\ws2ifsl.sys
%System32%\drivers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.dll
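The drive-root autorun.inf lure is the part of this dropper set that a responder can check on any volume without touching the registry. The following is an added example, not code from the analysis or from Antiy: a small parser for autorun.inf that reports which [AutoRun] directives would start a program. The sample file is constructed for the example; the analysis lists C:\autorun.inf and C:\setup.exe among the dropped files, and that the lure points at setup.exe is an assumption made here, not something the analysis states.

```python
import re
from typing import Dict, List

# Constructed sample (not from the analysis). The analysis lists C:\autorun.inf and
# C:\setup.exe among the dropped files; that this autorun.inf points at setup.exe is
# an assumption for the example. Mixed case and the shell\<verb>\command form are
# included because the Explorer autorun handler honours all of them.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\\Auto\\command=setup.exe
shell=Auto
icon=setup.exe,0
"""

# [AutoRun] directives that cause a program to be started.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased (the handler is case-insensitive);
    comment lines (';' or '#'), blank lines and lines outside any section are
    ignored, and a leading UTF-8 BOM is stripped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_programs(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the raw value of every [AutoRun] directive that runs a program."""
    entries = sections.get("autorun", {})
    return [value for key, value in entries.items()
            if key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key)]


def _program_token(value: str) -> str:
    """Extract the program from a command value: a quoted path or the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ")[0]


def is_suspicious(sections: Dict[str, Dict[str, str]]) -> bool:
    """True when a root autorun.inf would launch an executable from the same
    volume, which is the double-click lure the analysis describes. A file that
    only sets icon= and label= is not flagged."""
    return any(_program_token(p).lower().endswith(EXECUTABLE_EXTS)
               for p in launched_programs(sections))


if __name__ == "__main__":
    parsed = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    print("launches:", launched_programs(parsed))
    print("suspicious:", is_suspicious(parsed))
```

Run over the root of each mounted volume, this reproduces the check a responder does by hand: a removable or fixed disk whose autorun.inf launches an executable that sits beside it is the pattern to investigate, while icon and label entries alone are harmless.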

2. Registry keys and values created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Value: String: "%WinDir%\system32\drivers\spcolsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: String: "%WinDir%\zaq10.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
Value: String: "%WinDir%\zaq4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
Value: String: "%WinDir%\zaq2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
Value: String: "%WinDir%\zaq5.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Description
Value: String: "为远程计算机注册并更新 IP 地址。" (Chinese: "Registers and updates IP addresses for remote computers.")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\DisplayName
Value: String: "Windows DHCP Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\ImagePath
Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
%WINDOWS%\system32\rundll32.exe windhcp.ocx,start

3. Registry values modified:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%WINDir%\system32\WSD_SOCK32.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\InProcServer32\@
Value: String: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\70311012.dll"

4. Visits the page http://wan**a.9966.org//down.txt to obtain the download addresses of further virus bodies:

wan**a.9966.org(60.19*.1*4.219)
http://wan**a.9966.org/zaq4.exe
http://wan**a.9966.org/zaq1.exe
http://wan**a.9966.org/zaq2.exe
http://wan**a.9966.org/zaq3.exe
http://wan**a.9966.org/zaq5.exe
http://wan**a.9966.org/zaq6.exe
http://wan**a.9966.org/zaq9.exe
http://wan**a.9966.org/zaq10.exe
http://wan**a.9966.org/zaq7.exe

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
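The registry changes in sections 2 and 3 are what a responder checks for on other hosts in the same network. The following is an added example, not tooling from the analysis or from Antiy: it parses a .reg export and flags four indicators from the analysis, Run entries pointing at the dropped executables, CheckedValue under SHOWALL forced to 0 so hidden files stay hidden, the fake WinDHCPsvc service launched through rundll32 with windhcp.ocx, and the Winsock catalog entry redirected to WSD_SOCK32.dll. The export is constructed inline; the key and value names come from the analysis, while the expanded paths, the benign ctfmon entry and the 64-byte catalog item are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

Value = Tuple[str, object]          # (registry type, decoded data)
Hive = Dict[str, Dict[str, Value]]  # key path -> value name -> Value


def _hex2(s: str) -> str:
    """Encode text as .reg 'hex(2):' data (REG_EXPAND_SZ: UTF-16LE, NUL-terminated)."""
    return ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


def _hexbin(s: str, size: int = 64) -> str:
    """Encode an ANSI path as .reg 'hex:' data (REG_BINARY), NUL-padded to size bytes."""
    return ",".join(f"{b:02x}" for b in s.encode("ascii").ljust(size, b"\0"))


# Constructed export, not page content: key and value names follow the analysis; the
# expanded paths and the benign ctfmon entry are assumed. A real PackedCatalogItem is
# 888 bytes according to the analysis; 64 NUL-padded bytes are enough for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spcolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msccrt"="C:\\WINDOWS\\zaq2.exe"
"RavMonHelp"="C:\\WINDOWS\\zaq5.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc]
"DisplayName"="Windows DHCP Service"
"ImagePath"=hex(2):{IMAGEPATH}

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem"=hex:{CATALOG}
""".replace("{IMAGEPATH}", _hex2(r"%SystemRoot%\system32\rundll32.exe windhcp.ocx,start")) \
   .replace("{CATALOG}", _hexbin(r"%SystemRoot%\system32\WSD_SOCK32.dll"))


def _unescape(s: str) -> str:
    """Undo the .reg escapes for quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_reg_data(data: str) -> Value:
    """Decode one .reg value payload: quoted string, dword:, hex(2): or hex:."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        if m.group(1) == "2":
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0"))
        return ("REG_BINARY", raw)
    return ("UNKNOWN", data)


def parse_reg_export(text: str) -> Hive:
    """Parse a .reg export with one value per line (no '\\' hex continuation lines)."""
    hive: Hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        hive[current][name] = decode_reg_data(m.group(2))
    return hive


RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.I)
DROPPED_EXE_RE = re.compile(r"(spcolsv|zaq\d+|upxdn)\.exe$", re.I)


def scan_for_fujack(hive: Hive) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the registry changes the analysis lists."""
    findings = []
    for key, values in hive.items():
        lkey = key.lower()
        if RUN_KEY_RE.search(key):
            for name, (_, data) in values.items():
                if isinstance(data, str) and DROPPED_EXE_RE.search(data.strip('"')):
                    findings.append(("autorun", f"{key}\\{name} -> {data}"))
        if lkey.endswith("\\explorer\\advanced\\folder\\hidden\\showall"):
            if values.get("CheckedValue", (None, None))[1] == 0:
                findings.append(("hide-hidden-files", f"{key}\\CheckedValue = 0 (expected 1)"))
        if lkey.endswith("\\services\\windhcpsvc"):
            data = values.get("ImagePath", (None, ""))[1]
            if isinstance(data, str) and re.search(r"rundll32\.exe\s+windhcp\.ocx", data, re.I):
                findings.append(("rogue-service", f"{key}\\ImagePath = {data}"))
        if "\\protocol_catalog9\\catalog_entries\\" in lkey:
            data = values.get("PackedCatalogItem", (None, b""))[1]
            if isinstance(data, bytes) and b"wsd_sock32.dll" in data.lower():
                findings.append(("winsock-lsp", f"{key}\\PackedCatalogItem -> WSD_SOCK32.dll"))
    return findings
```

Feed it the text of a `reg export` of the keys in sections 2 and 3 (for example `scan_for_fujack(parse_reg_export(open("export.reg", encoding="utf-16").read()))`) and an empty result after cleanup confirms that the Run entries, the SHOWALL value, the WinDHCPsvc service and the Winsock catalog entry have all been restored. Each finding maps to one item of the manual removal list in step (3).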
  

--------------------------------------------------------------------------------
Removal:
  1. Use Antiy Ghostbusters (安天木马防线) to remove this virus completely (recommended).

2. For manual removal, delete the corresponding files and restore the related system settings according to the behaviour analysis.

(1) Use the "Process Manager" of Antiy Ghostbusters to terminate the virus processes

spcolsv.exe
zaq5.exe

(2) Delete the files dropped by the virus

C:\autorun.inf
C:\setup.exe
C:\ALASTART.EXE
%Program Files%\Desktop_.ini
%Windir%\zaq2.exe
%Windir%\zaq4.exe
%Windir%\zaq5.exe
%Windir%\zaq6.exe
%Windir%\zaq10.exe
%System32%\XpIcfOpt.dll
%System32%\WSD_SOCK32.dll
%System32%\windhcp.ocx
%System32%\shse.dll
%System32%\kava.dll
%System32%\cmd1.dll
%System32%\drivers\ws2ifsl.sys
%System32%\drivers\spcolsv.exe
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dll
%Program Files%\Common Files\Microsoft\Shared\MSInfo\70311012.dat
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.exe
%Documents and Settings%\<current user>\Local Settings\Temp\upxdn.dll

(3) Restore the registry entries modified by the virus and delete the registry entries it added

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Value: String: "%WinDir%\system32\drivers\spcolsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: String: "%WinDir%\zaq10.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dat
Value: String: "%WinDir%\zaq4.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
Value: String: "%WinDir%\zaq2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavMonHelp
Value: String: "%WinDir%\zaq5.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdn
Value: String: "%\DOCUME~1%\COMMAN~1\LOCALS~1\Temp\upxdn.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%WINDir%\system32\WSD_SOCK32.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%
   

Category:
Internet, virus, computer

Contributor:
中国通信一员
Copyright © 1999-2024 C114 All Rights Reserved | 沪ICP备12002291号-4