What virus is bs3ol8kd2.exe? It is nasty!

Virus name (Chinese): AV终结者变种65536 (AV Terminator variant 65536)
Alias: (none listed)
Threat level: ★★☆☆☆
Type: trojan downloader
File length: 13824 bytes
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003

Behaviour:

This is a variant of AV终结者 (AV Terminator). It restores the system SSDT (removing the kernel hooks security products depend on), terminates antivirus processes or hijacks their executables through Image File Execution Options, injects itself into a system process so that it cannot simply be deleted, and drops autorun.inf files on every drive to spread automatically.

1) Looks through the process list for a process with PID 4 and exits if there is none. This is its check for an NT-based system (PID 4 is the System process on Windows XP/2003).

2) Checks whether AUTORUN.INF exists in its current directory. If it does, it takes the first three bytes of its own path (the drive root, e.g. D:\) and opens that drive, to determine whether it was launched through an autorun.inf.

3) Creates a mutex named SHALONG; if the mutex already exists (another instance is running) it exits.

4) Sets the hidden and system attributes on its own file.

5) Deletes the following files:

c:\windows\system32\mfc71.dll

C:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll

d:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll

f:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll

c:\windows\system32\drivers\etc\hosts

c:\winnt\system32\drivers\etc\hosts

6) Looks for safeboxTray.exe (360 保险箱, the 360 Safe Box tray program) among running processes and terminates it.

7) Sets the system date to 2004 (a common AV Terminator trick for making time-limited security software or signatures appear invalid).

8) Runs the following commands:

cacls.exe c:\windows\system32\packet.dll /e /p everyone:f

cacls.exe c:\windows\system32\pthreadVC.dll /e /p everyone:f

cacls.exe c:\windows\system32\wpcap.dll /e /p everyone:f

cacls.exe c:\windows\system32\drivers\npf.sys /e /p everyone:f

cacls.exe c:\windows\system32\npptools.dll /e /p everyone:f

cacls.exe c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f

cacls.exe c:\windows\system32\wanpacket.dll /e /p everyone:f

cacls.exe "c:\Documents and Settings\All Users\「开始」菜单\程序\启动" /e /p everyone:f

cacls.exe c:\windows\system32\drivers\etc\hosts /e /p everyone:f

cacls.exe c:\windows\system32\ftp.exe /e /p everyone:f

Each command edits the existing ACL (/e) and grants the Everyone group Full Control (/p everyone:f). The targets are the WinPcap packet-capture components (packet.dll, wpcap.dll, wanpacket.dll, npf.sys) and pthreadVC.dll, npptools.dll, acpidisk.sys, the All Users Start Menu Startup folder (「开始」菜单\程序\启动 is the Chinese-locale path), the hosts file and ftp.exe.

9) Calls the fifth export of sfc_os.dll (the undocumented SfcFileException) to switch off Windows File Protection for %sys32dir%\drivers\beep.sys, %sys32dir%\spoolsv.exe and %sys32dir%\dllcache\spoolsv.exe.

10) Sends SERVICE_CONTROL_STOP to the beep service and resets the attributes of beep.sys to Normal.

11) Decrypts a blob from its data section, writes it over beep.sys and starts the beep service. The replacement driver's job is to restore the SSDT, i.e. to remove the kernel hooks that security products use to protect their processes, so the process and service killing in the following steps is not blocked.

12) Terminates any of the following processes found running:

wuauclt.exe, EsuSafeguard.exe, VsTskMgr.exe, Avp.EXE, Iparmor.exe, KVWSC.ExE, kvsrvxp.exe, kvsrvxp.kxp, KvXP.kxp, KRegEx.exe, AntiArp.exe, VPTRAY.exe, VPC32.exe, scan32.exe, FrameworkService.exe, KASARP.exe, nod32krn.exe, nod32kui.exe, TBMon.exe, rfwmain.exe, RavStub.exe, rfwstub.exe, rfwProxy.exe, rfwsrv.exe, UpdaterUI.exe, kissvc.exe, kav32.exe, kwatch.exe, KAVPFW.EXE, kavstart.exe, kmailmon.exe, GFUpd.exe, Ravxp.exe, GuardField.exe, RAVMOND.EXE, RAVMON.EXE, Center.EXE, RSTray.exe, RAv.exe, Runiep.exe, 360rpt.EXE, 360tray.exe, 360Safe.exe

13) Stops the following services:

Norton AntiVirus Server, McAfee Framework Service, Symantec AntiVirus Definition Watcher, Symantec AntiVirus Drivers Services, Symantec AntiVirus, Kingsoft Internet Security Common Service, KPfwSvc, KWhatchsvc, McShield, sharedaccess (Windows Firewall / Internet Connection Sharing)

14) Compares its own path with %sys32dir%\spoolsv.exe. If they differ, it moves the genuine %sys32dir%\spoolsv.exe (the Print Spooler) to c:\ttmm.tep and copies itself to both %sys32dir%\spoolsv.exe and %sys32dir%\dllcache\spoolsv.exe, so that Windows File Protection would only ever "restore" the infected copy.

15) Runs cmd.exe /c net1 start server to start the Server service.

16) Starts Internet Explorer hidden and injects its download routine into the IE process, so the downloads look like browser traffic:

(1) Copies %sys32dir%\urlmon.dll to %sys32dir%\aktwkss.dll (a private copy of the download library).

(2) Resolves URLDownloadToFileA from it, then downloads and runs the files below. The page records only the URL paths, not the host. The server-side names end in .gif so they look like images, but each is saved and executed as a .pif:

/dd/x.gif saved as C:\Program Files\ccd.pif

/dd/1.gif saved as C:\Program Files\11.pif

/dd/2.gif saved as C:\Program Files\22.pif

/dd/3.gif saved as C:\Program Files\33.pif

/dd/4.gif saved as C:\Program Files\44.pif

/dd/5.gif saved as C:\Program Files\55pif [sic]

/dd/6.gif saved as C:\Program Files\66.pif

/dd/7.gif saved as C:\Program Files\77.pif

/dd/8.gif saved as C:\Program Files\88.pif

/dd/9.gif saved as C:\Program Files\99.pif

/dd/10.gif saved as C:\Program Files\1010.pif
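Steps 9 to 11, 14 and 16 all leave file-system traces that can be checked without trusting the infected system's antivirus: executables hiding behind .pif/.gif/.tep names, and protected binaries (spoolsv.exe, beep.sys) whose live copy and dllcache copy no longer agree. The script below is an added triage example written for this page, not code from the original analysis; the paths it scans are arguments, the sample files in the usage are constructed, and the 13824-byte length comes from the header above but is reported only as a hint, never as a verdict.

```python
import hashlib
import os
from pathlib import Path

# Extensions this dropper hides PE payloads behind (steps 14, 16 and 21):
# .pif files under Program Files and at drive roots, fetched as .gif, plus the
# .tep name it gives the displaced Print Spooler binary.
DISGUISE_EXTS = {".pif", ".gif", ".tep"}

# File length the analysis reports for this variant. A size match alone is
# weak evidence, so it is reported next to the hash comparison, not as a verdict.
VARIANT_LENGTH = 13824

# (live path relative to system32, name inside dllcache) for the two files
# whose Windows File Protection is switched off in step 9.
PROTECTED = (("spoolsv.exe", "spoolsv.exe"),
             (str(Path("drivers", "beep.sys")), "beep.sys"))


def is_pe(path: Path) -> bool:
    """True if the file begins with the 'MZ' DOS header of a Windows executable."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_disguised_pe(root: Path) -> list:
    """Walk `root` and return files whose extension claims 'not an executable'
    but whose content is a PE image (e.g. 11.pif, HGZP.PIF, ttmm.tep)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in DISGUISE_EXTS and is_pe(p):
                hits.append(p)
    return sorted(hits)


def compare_with_dllcache(sys32: Path, dllcache: Path, protected=PROTECTED) -> dict:
    """Compare each protected file's live copy with its dllcache copy. The virus
    overwrites both (step 14), so a match proves nothing, but a mismatch, a
    missing copy, or either copy being VARIANT_LENGTH bytes deserves a look."""
    report = {}
    for live_rel, cache_name in protected:
        live, cached = sys32 / live_rel, dllcache / cache_name
        entry = {"live_exists": live.exists(), "cache_exists": cached.exists()}
        if live.exists():
            entry["live_size"] = live.stat().st_size
        if cached.exists():
            entry["cache_size"] = cached.stat().st_size
        if live.exists() and cached.exists():
            entry["same_hash"] = sha256(live) == sha256(cached)
        entry["variant_length"] = VARIANT_LENGTH in (
            entry.get("live_size"), entry.get("cache_size"))
        report[cache_name] = entry
    return report


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in find_disguised_pe(root):
        print("disguised PE:", hit)
    windir = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))
    sys32 = windir / "system32"
    for name, entry in compare_with_dllcache(sys32, sys32 / "dllcache").items():
        print(name, entry)
```

Run it from a clean boot medium against the mounted system drive; on a live infected host the IFEO hijacks and process killing above may prevent the interpreter from starting.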

17) Adds an autostart entry, executed at every logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\internetnet = "C:\WINDOWS\system32\spoolsv.exe"

18) Adds Image File Execution Options hijacks. For each executable listed below it creates

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>

with Debugger = "C:\WINDOWS\system32\dllcache\spoolsv.exe", so that starting the tool runs the virus copy in its place:

360rpt.EXE
360safe.EXE
360safebox.EXE
360tray.EXE
ANTIARP.EXE
ArSwp.EXE
Ast.EXE
AutoRun.EXE
AutoRunKiller.EXE
AvMonitor.EXE
AVP.COM
AVP.EXE
CCenter.EXE
Frameworkservice.EXE
GFUpd.EXE
GuardField.EXE
HijackThis.EXE
IceSword.EXE
Iparmor.EXE
KASARP.EXE
kav32.EXE
KAVPFW.EXE
kavstart.EXE
kissvc.EXE
kmailmon.EXE
KPfwSvc.EXE
KRegEx.EXE
KVMonxp.KXP
KVSrvXP.EXE
KVWSC.EXE
kwatch.EXE
Mmsk.EXE
msconfig.EXE
Navapsvc.EXE
nod32krn.EXE
Nod32kui.EXE
PFW.EXE
QQDoctor.EXE
RAV.EXE
RavStub.EXE
Regedit.EXE
rfwmain.EXE
rfwProxy.EXE
rfwsrv.EXE
rfwstub.EXE
RSTray.EXE
Runiep.EXE
safeboxTray.EXE
SREngLdr.EXE
TrojanDetector.EXE
Trojanwall.EXE
TrojDie.KXP
VPC32.EXE
VPTRAY.EXE
WOPTILITIES.EXE

19) Breaks the "Show hidden files and folders" option:

Changes CheckedValue under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL (the page records the value it writes as 0x1 and states that 0x2 means show; on a clean system CheckedValue is REG_DWORD 0x1, and any other value or type means the setting has been tampered with), so that its hidden copies stay invisible in Explorer.

20) Deletes the following keys to break Safe Mode. The GUID is the DiskDrive device class; without these keys Safe Mode cannot load disk drivers and the boot fails, so the user cannot clean the machine from Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} (default value "DiskDrive")

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} (default value "DiskDrive")
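Steps 17 to 20 are all registry changes, and the cleanest way to review them on a machine whose tools are being hijacked is to export the hives offline (or from a boot CD) and inspect the .reg text. The script below is an added example written for this page, not code from the original analysis. It parses a regedit export, lists IFEO Debugger values that are not a real debugger, lists policies\explorer\run autostarts, checks the SHOWALL value against its clean-system value (REG_DWORD 1), checks that both SafeBoot DiskDrive keys still exist, and writes a .reg that deletes the hijacked IFEO keys. The embedded export is constructed for the demonstration, and the list of debuggers treated as legitimate is an assumption of this example.

```python
# Constructed .reg export (not taken from an infected machine) with one entry
# of each kind from steps 17-20: an IFEO hijack, a benign IFEO entry for
# contrast, the policies\explorer\run autostart, a tampered SHOWALL value and
# only one of the two SafeBoot DiskDrive keys (Network's is already deleted).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"Debugger"="C:\\WINDOWS\\system32\\dllcache\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"internetnet"="C:\\WINDOWS\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""

DISKDRIVE_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
IFEO_MARK = "\\image file execution options\\"
# Debuggers that legitimately appear in IFEO (assumption of this example);
# anything else sitting in a Debugger value is treated as a hijack.
LEGIT_DEBUGGERS = ("ntsd", "cdb", "windbg", "drwtsn32", "vsjitdebugger")


def decode_value(raw):
    """Turn the right-hand side of a .reg line into (type, value)."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    return ("REG_OTHER", raw)  # hex(...) blobs are left undecoded


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: (type, value)}}.
    Value names are kept as exported; '@' becomes '(Default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip().strip('"')
            keys[current][name] = decode_value(value)
    return keys


def _values_ci(values):
    return {name.lower(): v for name, v in values.items()}


def _basename(command):
    parts = command.strip().split()
    first = parts[0].strip('"') if parts else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ifeo_hijacks(reg):
    """(key, debugger) for every IFEO Debugger value that is not a real debugger."""
    hits = []
    for key, values in reg.items():
        if IFEO_MARK not in key.lower():
            continue
        debugger = _values_ci(values).get("debugger")
        if debugger and not _basename(debugger[1]).startswith(LEGIT_DEBUGGERS):
            hits.append((key, debugger[1]))
    return hits


def explorer_run_policy(reg):
    """Every value under policies\\explorer\\run; each one starts at logon."""
    out = []
    for key, values in reg.items():
        if key.lower().endswith("\\policies\\explorer\\run"):
            out.extend((n, v[1]) for n, v in values.items() if n != "(Default)")
    return out


def showall_tampered(reg):
    """True if SHOWALL\\CheckedValue is not REG_DWORD 1 (its clean-system value);
    None if the key is not in the export at all."""
    for key, values in reg.items():
        if key.lower().endswith("\\folder\\hidden\\showall"):
            return _values_ci(values).get("checkedvalue") != ("REG_DWORD", 1)
    return None


def safeboot_diskdrive(reg):
    """Whether the DiskDrive class key survives under SafeBoot\\Minimal and
    SafeBoot\\Network; a missing one means Safe Mode will not boot."""
    present = {}
    for mode in ("Minimal", "Network"):
        suffix = f"\\safeboot\\{mode}\\{DISKDRIVE_CLASS}".lower()
        present[mode] = any(k.lower().endswith(suffix) for k in reg)
    return present


def removal_reg(hijacks):
    """A .reg file that deletes each hijacked IFEO key ([-key] syntax)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += [f"[-{key}]" for key, _ in hijacks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("IFEO hijacks:", ifeo_hijacks(reg))
    print("policy autostarts:", explorer_run_policy(reg))
    print("SHOWALL tampered:", showall_tampered(reg))
    print("SafeBoot DiskDrive keys present:", safeboot_diskdrive(reg))
    print(removal_reg(ifeo_hijacks(reg)))
```

Feed it `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg` and the SafeBoot and Explorer branches exported the same way; the removal file it writes only deletes keys, so review the list before importing it.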

21) Enumerates drive letters c through z. On every drive of type Fixed it copies itself to the root as HGZP.PIF, writes a matching autorun.inf, and marks both files system and hidden.
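Steps 2 and 21 are the propagation loop: the copy at the drive root only runs because the autorun.inf next to it tells AutoPlay and Explorer to run it. The script below is an added example written for this page, not code from the original analysis. It parses an autorun.inf, enumerates every key through which the file can launch a program (open=, shellexecute=, shell\<verb>\command= and a shell= default), and flags the pattern this family uses: a launch target named after the dropped file (HGZP.PIF here) or hiding behind a .pif/.com/.bat/.scr name, and overrides of the Explorer open/explore verbs. Both autorun.inf bodies are constructed for the demonstration; the page does not reproduce the sample's autorun.inf.

```python
import re

# autorun.inf keys through which AutoPlay/Explorer will run code.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")

# Constructed autorun.inf in the layout AUTO-viruses of this family drop next
# to their root-directory copy (the page names the copy HGZP.PIF; the file
# contents below are an assumption, not recovered from the sample).
SAMPLE_INF = r"""[AutoRun]
open=HGZP.PIF
shell\open=打开(&O)
shell\open\Command=HGZP.PIF
shell\explore=资源管理器(&X)
shell\explore\Command=HGZP.PIF
shellexecute=HGZP.PIF
"""

# A vendor CD's autorun.inf for contrast (also constructed).
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor CD
open=setup.exe
"""


def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}}; section and key names
    are lower-cased because AutoPlay treats them case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """(how, command) for every way the file can start a program: open=,
    shellexecute=, shell\\<verb>\\command=, and a shell= default that reroutes
    double-click to a custom verb."""
    auto = sections.get("autorun", {})
    targets = [(k, auto[k]) for k in LAUNCH_KEYS if k in auto]
    for key, value in auto.items():
        m = VERB_COMMAND.match(key)
        if m:
            targets.append(("shell\\" + m.group(1) + "\\command", value))
    if "shell" in auto:
        targets.append(("shell (default verb)", auto["shell"]))
    return targets


def assess(text, known_names=("hgzp.pif",)):
    """Verdict for one autorun.inf. Flags launch targets that name a known
    dropper file, executables hiding behind .pif/.com/.bat/.scr, and the
    open/explore verb overrides that make double-clicking the drive run the
    payload instead of opening the drive."""
    targets = launch_targets(parse_autorun(text))
    reasons = []
    for how, command in targets:
        parts = command.split()
        first = parts[0].strip('"') if parts else ""
        base = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in known_names:
            reasons.append(f"{how} runs known dropper file {base}")
        elif base.endswith((".pif", ".com", ".bat", ".scr")):
            reasons.append(f"{how} runs an executable disguised as {base}")
        if how.startswith("shell\\"):
            verb = how.split("\\")[1].lower()
            if verb in ("open", "explore"):
                reasons.append(f"{how} overrides the Explorer '{verb}' verb")
    return {"targets": targets, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, inf in (("dropper", SAMPLE_INF), ("vendor CD", BENIGN_INF)):
        print(label, assess(inf))
```

When cleaning a drive, open it through the address bar or a command prompt rather than by double-clicking, since a hijacked open verb would run the payload again; then remove both the autorun.inf and the file it points at.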

22) Enumerates windows and sends WM_CLOSE to any whose title contains one of the following strings (original Chinese kept, English gloss in parentheses):

杀毒 (antivirus), 清理 (clean-up), sreng, worm, 卡巴斯基 (Kaspersky), 超级巡警 (Super Patrol), 江民 (Jiangmin), 金山 (Kingsoft), Antivirus, firewall, 检测 (detect), mcafee, 病毒防火墙 (virus firewall), 主动防御 (active defence), 微点防御 (Micropoint defence), 绿鹰 (Green Eagle), 木马 (trojan), 瑞星 (Rising), 进程 (process), process, nod32, 专杀 (dedicated removal tool), 安全卫士 (Safeguard, as in 360安全卫士)