SpamTool.Win32.Agent.u: removal method and behavior analysis

Behavior analysis

  Drops the following copies and files:

  %System32%\mfolpnzbz.dll

  Modifies the following driver files:

  %System32%\mfolpnzbz.dll

  %System32%\dirvers\ndis.sys

  Creates the following registry keys and values:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys\DisplayName
  Value: Type: REG_EXPAND_SZ Length: 10 (0xa) bytes  ntldr.sys

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 17 (0x11) bytes  C:\ntldr.sys

  (The service name mimics the Windows boot loader file ntldr; the real boot loader is C:\ntldr with no extension and is not a driver service.)

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
  Value: String: "Windows Socket 2.0 Non-IFS Service Provider Support Environment"

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes  \SystemRoot\System32\drivers\ws2ifsl.sys

  New Winsock protocol catalog entries, all under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\. Each subkey is created together with its PackedCatalogItem value (Type: REG_BINARY, Length: 888 (0x378) bytes); the provider DLL path recorded inside the value is shown. Entries 000000000012 to 000000000022 carry, in the same order, the stock provider paths that entries 000000000001 to 000000000011 held before the modification listed next; entry 000000000023 points at the dropped DLL:

  Entry           Provider path in PackedCatalogItem
  000000000012    %SystemRoot%\system32\mswsock.dll
  000000000013    %SystemRoot%\system32\mswsock.dll
  000000000014    %SystemRoot%\system32\mswsock.dll
  000000000015    %SystemRoot%\system32\rsvpsp.dll
  000000000016    %SystemRoot%\system32\rsvpsp.dll
  000000000017    %SystemRoot%\system32\mswsock.dll
  000000000018    %SystemRoot%\system32\mswsock.dll
  000000000019    %SystemRoot%\system32\mswsock.dll
  000000000020    %SystemRoot%\system32\mswsock.dll
  000000000021    %SystemRoot%\system32\mswsock.dll
  000000000022    %SystemRoot%\system32\mswsock.dll
  000000000023    C:\WINDOWS\System32\mfolpnzbz.dll

  Modifies the following registry values

  The following values are modified to subvert the Winsock LSP (Layered Service Provider) chain, so that the dropped DLL is loaded into processes that use Winsock; this is what lets the virus detect network activity to start itself and collect user information. All of them are PackedCatalogItem values (Type: REG_BINARY, Length: 888 (0x378) bytes) under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\; the provider path inside each value changes as shown:

  Entry           New                                  Old
  000000000001    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000002    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000003    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000004    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\rsvpsp.dll
  000000000005    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\rsvpsp.dll
  000000000006    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000007    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000008    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000009    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000010    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
  000000000011    C:\WINDOWS\System32\mfolpnzbz.dll    %SystemRoot%\system32\mswsock.dll
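  The registry changes above match a Winsock LSP installation: the stock provider entries are pushed to 12 to 22, entry 23 registers the dropped DLL as a layered provider, and entries 1 to 11 become protocol chains that pass through it. The script below is an added example, not code from the original report or from the Antiy product. It parses PackedCatalogItem blobs (260-byte ANSI path followed by WSAPROTOCOL_INFOW, the Windows 2000/XP layout), reports provider DLLs outside a small allow-list, LSP entries and the chains routed through them, and derives from each chain's base provider the value the entry has to be restored to. On Windows it reads the live catalog with winreg; elsewhere it runs on a constructed snapshot built from the 23 paths listed above, in which the chain layout, the protocol names and the allow-list of known providers are assumptions rather than data from the report.

```python
import struct
import sys
from typing import Dict, List, NamedTuple, Tuple

# PackedCatalogItem on Windows 2000/XP is 888 (0x378) bytes:
#   char szPath[260]                      provider DLL path, ANSI, NUL-terminated
#   WSAPROTOCOL_INFOW (628 bytes), little-endian, in this order:
#     dwServiceFlags1..4, dwProviderFlags 5 x DWORD;  ProviderId GUID 16 bytes
#     dwCatalogEntryId DWORD;  ProtocolChain: ChainLen int, ChainEntries 7 x DWORD
#     iVersion .. iSecurityScheme 9 x int;  dwMessageSize, dwProviderReserved 2 x DWORD
#     szProtocol[256] WCHAR (512 bytes)
PATH_LEN = 260
INFO_FMT = "<5I16sIi7I9i2I512s"
ITEM_LEN = PATH_LEN + struct.calcsize(INFO_FMT)        # 888

# Assumed allow-list: the stock XP providers named on this page. Anything else is suspect.
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}

class Entry(NamedTuple):
    entry_id: int              # Catalog_Entries subkey number
    path: str                  # szPath
    chain_len: int             # 0 = LSP, 1 = base provider, >1 = protocol chain
    chain: Tuple[int, ...]     # catalog entry IDs the chain passes through
    protocol: str              # szProtocol

    @property
    def dll(self) -> str:
        return self.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_item(entry_id: int, blob: bytes) -> Entry:
    if len(blob) != ITEM_LEN:
        raise ValueError(f"entry {entry_id}: {len(blob)} bytes, expected {ITEM_LEN}")
    path = blob[:PATH_LEN].split(b"\0", 1)[0].decode("latin-1")   # paths here are ASCII
    f = struct.unpack(INFO_FMT, blob[PATH_LEN:])
    chain_len = f[7]
    chain = tuple(f[8:8 + min(max(chain_len, 0), 7)])
    protocol = f[26].decode("utf-16-le").split("\0", 1)[0]
    return Entry(entry_id, path, chain_len, chain, protocol)

def find_hijack(entries: List[Entry]) -> dict:
    """Unknown provider DLLs, LSP entries, and chains that route through an unknown entry."""
    unknown = {e.entry_id for e in entries if e.dll not in KNOWN_PROVIDERS}
    lsps = [e.entry_id for e in entries if e.chain_len == 0]
    hijacked = {e.entry_id: [c for c in e.chain if c in unknown]
                for e in entries if e.chain_len > 1 and any(c in unknown for c in e.chain)}
    return {"unknown_provider": sorted(unknown), "lsp": lsps, "hijacked_chains": hijacked}

def restore_plan(entries: List[Entry]) -> Dict[int, str]:
    """Map each hijacked chain entry to the base-provider path it should point at again."""
    by_id = {e.entry_id: e for e in entries}
    plan = {}
    for cid in find_hijack(entries)["hijacked_chains"]:
        base = by_id.get(by_id[cid].chain[-1])
        if base is not None and base.chain_len == 1 and base.dll in KNOWN_PROVIDERS:
            plan[cid] = base.path
    return plan

def build_item(path: str, catalog_id: int, chain: Tuple[int, ...], protocol: str) -> bytes:
    """Pack one PackedCatalogItem for the constructed sample; unused fields stay zero."""
    padded = chain + (0,) * (7 - len(chain))
    info = struct.pack(INFO_FMT, 0, 0, 0, 0, 0, b"\0" * 16, catalog_id, len(chain), *padded,
                       *([0] * 9), 0, 0, protocol.encode("utf-16-le"))
    return path.encode("latin-1").ljust(PATH_LEN, b"\0") + info

def sample_catalog() -> Dict[int, bytes]:
    """Constructed snapshot of the 23 entries listed on this page. Only the paths come
    from the report; the chain layout is an assumption: 12-22 are the displaced base
    providers, 23 is the LSP, and 1-11 are chains through 23 to entry 11 + n."""
    base_dlls = ["mswsock.dll"] * 3 + ["rsvpsp.dll"] * 2 + ["mswsock.dll"] * 6
    lsp = "C:\\WINDOWS\\System32\\mfolpnzbz.dll"
    cat = {}
    for n, dll in enumerate(base_dlls, start=1):
        cat[11 + n] = build_item("%SystemRoot%\\system32\\" + dll, 11 + n, (11 + n,), f"Provider {n}")
        cat[n] = build_item(lsp, n, (23, 11 + n), f"Provider {n} over LSP")
    cat[23] = build_item(lsp, 23, (), "mfolpnzbz LSP")
    return cat

def load_catalog(key_path: str = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
                 r"\Protocol_Catalog9\Catalog_Entries") -> Dict[int, bytes]:
    """Read the live catalog (Windows only; 64-bit hosts also have Catalog_Entries64)."""
    import winreg
    cat = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                cat[int(name)] = winreg.QueryValueEx(sub, "PackedCatalogItem")[0]
    return cat

if __name__ == "__main__":
    catalog = load_catalog() if sys.platform == "win32" else sample_catalog()
    parsed = [parse_item(i, blob) for i, blob in sorted(catalog.items())]
    for e in parsed:
        print(f"{e.entry_id:3d}  chain_len={e.chain_len}  chain={e.chain}  {e.path}")
    print("findings:", find_hijack(parsed))
    print("restore:", restore_plan(parsed))
```

  On the constructed snapshot the findings name entries 1 to 11 and 23 as unknown providers, 23 as the only LSP, and 1 to 11 as chains routed through 23; the restore plan reproduces the Old column above, including rsvpsp.dll for entries 4 and 5. Rerunning the script after cleanup should report no unknown providers and an empty restore plan.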

  Email

  The message contains an image carrying a link that entices the user to click; the link points to the home page of a men's medication website:

  The virus may send mail with attachments.

  Forged mail

  It submits queries to the following search-engine addresses to harvest e-mail address information, which it then uses to forge mail:

  Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP. The %System32% placeholder used in the file paths above denotes this same folder.

Removal method

  1. Use Antiy Trojan Defense (安天木马防线) to remove this virus completely (recommended).

  2. For manual removal, delete the corresponding files and restore the affected system settings as listed in the behavior analysis.

  (1) Use the "Process Manager" of Antiy Trojan Defense to terminate the virus process.

  Delete the following newly created keys:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\
  (WS2IFSL is also the name of a standard Windows Winsock support driver, and the ImagePath recorded above is its stock location under \SystemRoot\System32\drivers; confirm that the key was created by this infection before deleting it.)

  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\

  …………..

  …………..

  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\

  Restore the following modified values:

  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

  …………..

  …………..

  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

  Restore each value to the "Old" value recorded in the behavior analysis: %SystemRoot%\system32\mswsock.dll for entries 000000000001 to 000000000003 and 000000000006 to 000000000011, and %SystemRoot%\system32\rsvpsp.dll for entries 000000000004 and 000000000005. PackedCatalogItem is a binary structure, not only the path string, so hand-editing the blobs is error-prone; on Windows XP SP2 and later, once the malicious entries and the DLL have been removed, the whole catalog can be rebuilt with "netsh winsock reset" run from a command prompt with administrator rights.

  (2) Restart the computer.

  (3) Delete the files dropped by the virus:

  %System32%\mfolpnzbz.dll

  %System32%\dirvers\ndis.sys

Article URL: http://wwv.uv68.com/a/2021/04/47509.html
