Got to work this morning and found my machine was infected.
An adware Trojan.
Source: http://securityresponse.symantec.com/avcenter/venc/data/trojan.ourxin.html
Virus name: Trojan.Ourxin
Technical details:
Once Trojan.Ourxin is executed, it performs the following actions:
- Creates the following folders:
  - %System%\bakcfs
  - %System%\msibm
  Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following files:
  - %System%\bakcfs\CFS7ZD.DLL
  - %System%\bakcfs\CFSBHO.DLL
  - %System%\bakcfs\cfsupd.dll
  - %System%\bakcfs\CFSYS.DLL
  - %System%\bakcfs\LINBAK.dll
  - %System%\bakcfs\lowlvl.dll
  - %System%\msibm\cfs7zd.DLL
  - %System%\msibm\cfsbho.dll
  - %System%\msibm\cfsupd.dll
  - %System%\msibm\cfsys.dll
  - %System%\msibm\intro.htm
  - %System%\msibm\intro.tpl
  - %System%\msibm\linbak.dll
  - %System%\msibm\lowlvl.dll
  - %System%\msibm\post.htm
  - %System%\msibm\post.tpl
  - %System%\msibm\Uninstall.exe
  The Trojan also creates the following files, which are not executable files despite the file names:
  - %System%\ibmuuid_.dll
  - %System%\ibmvdr_.dll
  - %System%\msuuid_.dll
  - %System%\msvendr_.dll
- Adds the value:
"mscfs" = "RUNDLL32 %System%\msibm\cfsys.dll,cfs"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
- Adds the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfs
in an attempt to ensure that the threat can be easily removed. However, the uninstaller does not remove the Trojan completely.
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cfsbho.BHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16A770A0-0E87-4278-B748-2460D64A8386}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfs
HKEY_USERS\S-1-5-21-1587740722-702901464-1649019846-500\Software\mscfs
- Loads one of its components by executing the following command:
rundll32 %system%\msibm\cfsys.dll,cfs
- Monitors its process rundll32.exe. If this process is ended, the Trojan will attempt to inject the components cfsys.dll and cfsupd.dll into one of the following processes:
  - iexplore.exe
  - Maxthon.exe
  - tm.exe
  - TMShell.exe
  - TTraveler.exe
  - myie.exe
  - myie2.exe
  - firefox.exe
  - netscape.exe
  - opera.exe
  - qq.exe
  - msnmsgr.exe
  - Popo.exe
  - UC.exe
  - YPager.exe
  - ICQLite.exe
  - gaim.exe
  - rtxc.exe
  - IMU.exe
  - MyIM.exe
  - KAV32.exe
  - RavCopy.exe
  - kvolself.exe
  - KVSrvXP.exe
  - LuComServer_2_5.exe
  - Poco2004.exe
  - Thunder.exe
  - eph.exe
  - p2psrv.exe
  - vpp.exe
  - BitComet.exe
  - BitTorrent.exe
  - BitSpirit.exe
  - btogether.exe
  - kuro.exe
  - kugoo.exe
  - emule.exe
  - Skype.exe
  - Dudu.exe
  - baiduX.exe
  - abc.exe
  - rundll32.exe
  - mdm.exe
  - svchost.exe
  - ctfmon.exe
  - explorer.exe
  - alg.exe
  - foxmail.exe
  - msimn.exe
  - conf.exe
  - OUTLOOK.exe
  - FlashFXP.exe
  - CuteFTP.exe
  - LeapFTP.exe
  - NetTransport.exe
  - netants.exe
  - flashget.exe
  - ServUTray.exe
  - Apache.exe
  - ApacheMonitor.exe
  - realplay.exe
  - wmplayer.exe
  - winamp.exe
  - foobar2000.exe
  - irc.exe
  - mirc.exe
  - Aol.exe
  - AnyQ.exe
  - QQMail.exe
  - QQexternal.exe
  - QQMusic.exe
  - TTplayer.exe
  - nettv.exe
  - stv.exe
  - starTV.exe
  - Sentinel.exe
  - MeteorNetTV-hj.exe
  - realsched.exe
- May create backup files in the following folder:
%System%\bakcfs
The Trojan may subsequently restore files from this folder.
- Displays advertisements. It may also log browser activities and send any data it gathers to the following domain:
www.ourxin.com
- The Trojan has the capability to download updates of itself. However, it may contain some bugs and can cause Internet Explorer to crash.
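As an added defender-side example (not part of the Symantec write-up or this post), the following Python script parses a regedit .reg export and flags the registry artifacts listed above: the "mscfs" Run value that loads msibm\cfsys.dll through rundll32, the two Browser Helper Object CLSIDs, and the Uninstall\cfs, cfsbho.BHelper, IEHelper.MyIEHelper and Software\mscfs keys. The .reg sample embedded in it is constructed, and the second BHO CLSID in it is a placeholder standing in for a benign entry.

```python
import re

# Indicators quoted from the Symantec write-up above; everything else here is constructed.
OURXIN_RUN_RE = re.compile(r"rundll32\s+.*\\msibm\\cfsys\.dll,cfs", re.I)
OURXIN_BHO_CLSIDS = {"{16A770A0-0E87-4278-B748-2460D64A8386}",
                     "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"}
# Coarse lower-case substring markers for the other keys the write-up lists.
OURXIN_KEY_MARKERS = (r"\currentversion\uninstall\cfs", r"\classes\cfsbho.bhelper",
                      r"\classes\iehelper.myiehelper", r"\software\mscfs")

def parse_reg_export(text):
    """Parse a regedit .reg export into {key_path: {value_name: data}}. Only the quoted
    REG_SZ form ("name"="data" and @="data") is handled; that is enough for Run and BHO keys."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg files escape backslashes inside string data as \\
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_ourxin_indicators(keys):
    """Return (key_path, reason) for every key that matches an Ourxin artifact."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(r"\currentversion\run") and OURXIN_RUN_RE.search(values.get("mscfs", "")):
            hits.append((key, "Run value 'mscfs' loads msibm\\cfsys.dll via rundll32"))
        elif "\\browser helper objects\\" in low and low.rsplit("\\", 1)[-1].upper() in OURXIN_BHO_CLSIDS:
            hits.append((key, "Browser Helper Object CLSID listed for Trojan.Ourxin"))
        elif any(m in low for m in OURXIN_KEY_MARKERS):
            hits.append((key, "registry key listed for Trojan.Ourxin"))
    return hits

# Constructed .reg export: the Ourxin Run value beside a normal ctfmon entry, and the
# Ourxin BHO CLSID beside a placeholder benign BHO (the all-zero/1/2/3/4 CLSID is made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mscfs"="RUNDLL32 C:\\WINDOWS\\system32\\msibm\\cfsys.dll,cfs"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16A770A0-0E87-4278-B748-2460D64A8386}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
@="placeholder benign BHO (constructed CLSID)"
'''

for key, reason in find_ourxin_indicators(parse_reg_export(SAMPLE_REG)):
    print(f"{reason}: {key}")
```

Run it against a real export (regedit, File > Export of HKLM\SOFTWARE and HKEY_USERS) to check a machine for the same artifacts; the benign ctfmon and placeholder BHO entries in the sample are there to show the matcher leaves unrelated entries alone.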
Removal method:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan and delete all the files detected.
- Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.
To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any cha
Comments
#1 亞, posted 2006-7-31 From IP: 218.77.44.138
How do I kill MYIEHELPER?
Even Kaspersky can't detect it~
#2 昂宿, posted 2006-7-5 From IP: 218.80.149.184
Finally found someone who got infected with this the same way I did.
#3 烈酒柔情, posted 2006-6-9 From IP: 222.92.128.5
You should delete the folder bakcfs, forbid the application from autorunning in "msconfig", reboot, then delete the folder msibm. ALL IS OK!
#4 QQ:568895269, posted 2006-6-1 From IP: 61.134.9.143
Frustrating, this virus really is nasty.
I've used lots of antivirus and anti-Trojan tools, and none of them can remove it.
Uninstalled it many times with 超级兔子 (Super Rabbit) too, and that didn't work either. Frustrating.
Now I'm going to try again.