The toughest virus yet: how to recover after infection by the 磁碟机 (Disk Drive) virus

Internet | Editor: 杨剑锋 2008-03-20 00:30:00 Repost

Symptoms of the Disk Drive virus

Recently I have seen many people report catching an extremely powerful, "invincible" virus that ordinary users basically cannot clean up after infection. After working through the analysis with several forum members, it turned out to be the 磁碟机 (Disk Drive) virus. The virus has several variants; if the method described in this article does not solve your problem, please post for help in the forum, preferably with "磁碟机" in the subject line, so that the forum moderators, administrators and Duba (毒霸) developers can follow up.

So that everyone fully understands the symptoms of the Disk Drive virus, I describe the whole process of my infection test below for reference.

Once a machine is infected with the Disk Drive virus, almost all mainstream anti-virus products are disabled by it. Preventing infection is easy; recovering afterwards brings endless trouble, and I believe that for many ordinary users the only way out is a reinstall. The test environment was a Windows XP SP3 virtual machine with no anti-virus software installed.

1. Preparation before the test:
In advance I downloaded the AV终结者 (AV Terminator) removal tool, the Duba 2008 installer, Duba 打狗棒 (the 机器狗 "Robot Dog" removal tool), Autoruns, Process Explorer, IceSword (冰刃), SREng, and a registry script for repairing Safe Mode. An ordinary user probably would not have any of these tools to hand before getting infected.

It is recommended to go online (and download these tools) from a clean computer.

[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_98f98c114be3623e259figrr8aJ88WlS.png]


2. After running the virus the machine showed no abnormality at first; out of habit I opened Task Manager and immediately noticed it had become much slower.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_110fbd07e37bc63fd992l3ll81Ql3IZw.png]

3. Before long, several phishing websites popped up.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_711589085379b5d6265fr4zRgwRR0DZg.png]

Attacking security software

4. I double-clicked the Duba 2008 installer on the desktop. The program froze almost at once; the installation made no progress at all, and the installer would not close by itself either.

5. I went to the official Duba site to download the 清理专家 (Cleaning Expert) installer, only to find that as soon as the download started, the IE progress bar stopped moving. The virus has presumably attacked access to the anti-virus vendors' websites.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_32ea68465c0ad066f119dtAtqt4iEHfO.png]

6. Downloading the installer from another download site succeeded.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_19b92545bb8d35b1c4e3QAF6W7zKnfPf.png]

7. Cleaning Expert installed successfully, but it died as soon as it was opened and could not run normally.

8. I tried running Cleaning Expert in Safe Mode, but rebooting into Safe Mode ended in a blue screen and another reboot.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_4ee5f168db3910f5328c5cp09VwgFFZ9.png]

The virus is hard to delete

9. Running Autoruns revealed an abnormal entry under AppInit_DLLs: the file c:\windows\system32\dnsq.dll. This is exactly the DLL the Disk Drive virus injects; it is injected into many system processes, and forcibly deleting it or terminating its thread immediately causes a blue screen and reboot.

I tried using Autoruns to delete the load entries the virus had modified, but after a refresh they quickly came back, proving that editing the registry keys is useless until the virus itself has been removed.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_1fcef0e52e6265d525f6rUsU4lXoPwZQ.png]

10. I was about to use Process Explorer, but the program quickly stopped responding.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_2413412f53124a9c1971ermAuVk8phJP.png]

11. Running the AV Terminator removal tool showed that Safe Mode had been damaged, that there was an autorun.inf in the root directory of the hard disk, and the infection details for the AV Terminator variant av_killer.j.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_5b26e99856e030ccd4d5PVLYhf4pS4RE.png]

12. Running IceSword and SREng both failed. Running Duba 打狗棒 found nothing abnormal, which rules out the 机器狗 (Robot Dog) virus.
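The observations above (a DLL loaded through AppInit_DLLs, Safe Mode blue-screening, autorun.inf in drive roots, anti-virus vendor downloads hanging) are all things that can be checked without the GUI tools the virus kills. The following PowerShell triage script is an added example and is not part of the original article or any Duba tool. It assumes a Windows version with PowerShell (the XP test box in the article would not have had it by default). The registry paths are the standard ones; the threshold of "fewer than 10 SafeBoot subkeys", the list of anti-virus vendor domains, and the idea that blocked downloads might come from a modified hosts file are illustrative assumptions, not a description of what this specific variant does.

```powershell
# Added triage script (not from the original article). Collects the indicators the
# infection test surfaced, so a responder can confirm a Disk Drive style infection
# without depending on Autoruns, Process Explorer or IceSword being allowed to run.
# Run from an elevated PowerShell. Thresholds and domain list are assumptions.

$findings = New-Object System.Collections.Generic.List[string]

# 1. AppInit_DLLs: every DLL listed here is mapped into each process that loads
#    user32.dll, which is how a single DLL ends up inside "many system processes".
$winNT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winNT -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"   # bare names resolve here
        }
        $status = if (Test-Path $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status    # e.g. NotSigned / Valid
        } else { 'missing on disk' }
        $findings.Add("AppInit_DLLs loads '$dll' (signature: $status)")
    }
}

# 2. Safe Mode: a blue screen when booting into Safe Mode is commonly caused by the
#    SafeBoot\Minimal and SafeBoot\Network key trees having been deleted or gutted.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $key)) {
        $findings.Add("SafeBoot\$mode key is missing: Safe Mode will not boot")
    } else {
        $count = (Get-ChildItem $key).Count      # an intact tree has dozens of subkeys
        if ($count -lt 10) { $findings.Add("SafeBoot\$mode has only $count subkeys: likely gutted") }
    }
}

# 3. autorun.inf in drive roots: the spread vector that fires on double-click/AutoPlay.
#    Report the file attributes (hidden/system is typical) and the command lines it points to.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $inf) {
        $attr = (Get-Item $inf -Force).Attributes
        $cmds = Get-Content $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $findings.Add("$($drive.Root)autorun.inf [$attr]: $($cmds -join '; ')")
    }
}

# 4. hosts file: one cheap way to make vendor downloads "hang" is to redirect their
#    domains. Assumed domain list for illustration; extend it for your environment.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$avDomains = 'duba.net', 'kingsoft.com', 'rising.com.cn', 'jiangmin.com', 'kaspersky.com', 'symantec.com'
Get-Content $hosts -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_.Trim()
    if ($line -and -not $line.StartsWith('#')) {
        foreach ($d in $avDomains) {
            if ($line -match [regex]::Escape($d)) { $findings.Add("hosts overrides $d -> '$line'") }
        }
    }
}

if ($findings.Count -eq 0) { 'No Disk Drive style indicators found.' } else { $findings }
```

Caveat: this script is itself a process that loads user32.dll, so on a live infected machine the AppInit DLL will be mapped into it too and, as the article shows, it may simply be frozen. For a result you can trust, boot from clean media, load the victim's SYSTEM and SOFTWARE hives with `reg load` under a temporary key, and point the two registry paths at that key; the file-system checks work unchanged against the mounted disk.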

Running the Disk Drive virus removal tool

13. Running the Disk Drive virus removal tool found 9 virus signatures. Naturally, I chose to remove them. At the end the program prompted for a reboot; you can try rebooting right away.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_fc737a5406e641d41ca30io5YwQqJ3LD.png]

Note: with the newest variants, infection symptoms may still be present after the reboot. In that case run the Disk Drive removal tool again, and when it prompts for a reboot, do not reboot yet: double-click the "one-click Safe Mode repair" registry file, or run the AV Terminator removal tool or Cleaning Expert again, so that the system's Safe Mode boot entries are repaired first.

In this case, the Disk Drive removal tool cleared all of the virus, and after the reboot no infection symptoms were found.

14. Run Kingsoft Cleaning Expert again to scan for malware and repair all the other damage the virus caused.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_ee42ebca2e2d3315d9c3Vn1h30DOnHzP.png]

15. I tried rebooting into Safe Mode, and this time it succeeded.
[Screenshot: http://bbs.duba.net/attachments/month_0802/20080228_5bfa0fbad78bf1096b4d4FBV3w7yQ1QQ.png]

Special reminder:
Judging from the symptoms of the Disk Drive virus, an ordinary user who cannot obtain the dedicated removal tool, or for whom it does not work, has practically no option other than reinstalling the system.
