Email-Worm.Win32.Zhelatin.bl

王朝百科·作者佚名  2010-02-19  
宽屏版  字体: |||超大  

Email-Worm.Win32.Zhelatin.bl

病毒名称: Email-Worm.Win32.Zhelatin.bl

中文名称: 泽拉丁变种

病毒类型: 蠕虫类

文件 MD5: 116C0F5BDC126CE5FE8DE20526DAD02F

公开范围: 完全公开

危害等级: 5

文件长度: 加壳后 6,789 字节,脱壳后 21,504 字节

感染系统: Win95以上系统

开发工具: Microsoft Visual C++ 6.0

加壳类型 : UPX变种壳,伪造为下列两层壳信息

FSG v1.10 (Eng) -> dulek/xt

LCC Win32 1.x -> Jacob Navia

病毒描述:

该病毒运行后,从某互联网地址下载病毒病毒体到本机运行,并添加注册表自动运行项与系统服务项、修改 LSP ,以达到随系统启动的目的。通过内建的 SMTP 蠕虫程序连接到互联网 SMTP 服务器,获得需要伪造的邮件信息,进而大量发送垃圾邮件,严重占用网络资源。

行为分析:

1 、衍生下列副本与文件:

%WinDir%pp.exe infected: Email-Worm.Win32.Zhelatin.d

%WinDir%via.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%adirka.dll infected: Email-Worm.Win32.Banwarum.f feedom.net关注网管是我们的使命

%System32%adirka.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%adirss.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%dd.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%lnwin.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%ma.exe.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%pfxzmtaim.dll

%System32%pfxzmtforum.dll

%System32%pfxzmtgtal.dll

%System32%pfxzmticq.dll

%System32%pfxzmtsmt.dll

%System32%pfxzmtsmtspm.dll

%System32%pfxzmtwbmail.dll

%System32%pfxzmtymsg.dll

%System32%pp.exe.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%

svp32_2.dll infected: Email-Worm.Win32.Zhelatin.al

%System32%sfxzmtforum.dll

%System32%sfxzmtsmt.dll

%System32%sfxzmtsmtspm.dll

%System32%sfxzmtwbmail.dll www.bitsCN.net中国网管博客

%System32%sm.exe infected: Email-Worm.Win32.Zhelatin.d

%System32%sporder.dll

%System32%svcp.csv

%System32%wincom32.ini

%System32%winsub.xml

%System32%zlbw.dll

%System32%zu.exe.exeinfected: Email-Worm.Win32.Zhelatin.d

2 、新建注册表键值: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion

Runlnwin.exe Value: String: "%System32%lnwin.exe"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion

Runsysinter Value: String: "%System32% adirss.exe"

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion

Runadirka Value: String: "%System32%adirka.exe"

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWS2IFSL

DisplayName

Value: String: "Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境"

so.bitsCN.com网管资料库任你搜

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWS2IFSLImagePath

Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes

%System32%driversws2ifsl.sys.

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000012

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000012PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000013

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000013PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

bbs.bitsCN.com国内最早的网管论坛

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000014

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000014PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000015

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000015PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000016

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters www.bitsCN.net中国网管博客

Protocol_Catalog9Catalog_Entries00000000016PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000017

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000017PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000018

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000018PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll blog.bitsCN.com网管博客等你来搏

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000019

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000019PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000020

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000020PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000021

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters feedom.net关注网管是我们的使命

Protocol_Catalog9Catalog_Entries00000000021PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000022

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000022PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000023

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000023PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll blog.bitsCN.com网管博客等你来搏

3 、修改下列注册表键值,破坏 LSP 。并可实现随机启动:

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000001PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000002PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000003PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes www.bitsCN.net中国网管博客

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000004

PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000005PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters play.bitsCN.com累了吗玩一下吧

Protocol_Catalog9Catalog_Entries00000000006PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000007PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000008PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

www.bitsCN.net中国网管博客

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000009PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000010PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000011PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

bitsCN全力打造网管学习平台

rsvp32_2.dll.system32mswsock.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

4、从下列 URL 下载病毒体到本机 %Temporary Internet Files% 目录,并运行病毒体:

[url=http://2*5.2*9.1*9.1*/aff/dir/zu.exe]http://2*5.2*9.1*9.1*/aff/dir/zu.exe

[url=http://2*6.2*5.1*4.1*2/aff/dir/via.exe]http://2*6.2*5.1*4.1*2/aff/dir/via.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/sm.exe]http://2*5.2*9.1*9.1*/aff/dir/sm.exe

[url=http://2*6.2*5.1*4.1*2/aff/dir/pp.exe]http://2*6.2*5.1*4.1*2/aff/dir/pp.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/pp.exe]http://2*5.2*9.1*9.1*/aff/dir/pp.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/ma.exe]http://2*5.2*9.1*9.1*/aff/dir/ma.exe

[url=http://2*5.2*9.1*9.1*/aff/dir/dd.exe]http://2*5.2*9.1*9.1*/aff/dir/dd.exe bitsCN.com中国网管联盟

5 、垃圾邮件可能为下列两种形式,并附有扩展名为 .gif 的附件。鉴于相关信息从互联网获得,极为繁杂,故不列出。

6 、利用下列搜索引擎获得邮件信息:

64.233.1**.1* 美国 加利福尼亚州 Google 公司

注:% System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:WinntSystem32 , windows95/98/me 中默认的安装路径是 C:WindowsSystem , windowsXP 中默认的安装路径是 C:WindowsSystem32 。

清除方案:

1 、 使用安天木马防线可彻底清除此病毒 ( 推荐 ) www.bitsCN.net中国网管博客

2 、 手工清除请按照行为分析删除对应文件,恢复相关系统设置。

(1) 使用 安天木马防线 “进程管理”关闭病毒进程

adirka.exe

sm.exe

dd.exe

(2) 恢复病毒修改的注册表项目,删除病毒添加的注册表项

删除下列新建项:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows

CurrentVersionRunlnwin.exe

Value: String: "%System32%lnwin.exe"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows

CurrentVersionRunsysinter

Value: String: "%System32% adirss.exe"

HKEY_CURRENT_USERSoftwareMicrosoftWindows

CurrentVersionRunadirka

Value: String: "%System32%adirka.exe"

HKEY_LOCAL_MACHINESYSTEMCurrentControlSet

ServicesWS2IFSL

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2 so.bitsCN.com网管资料库任你搜

ParametersProtocol_Catalog9Catalog_Entries00000000012

…………..

…………..

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000023

恢复下列修改项:

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000001

PackedCatalogItem

…………..

…………..

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries000000000011

PackedCatalogItem

恢复键值为:

%SystemRoot%system32mswsock.dll

(3) 删除病毒衍生文件:

%WinDir%pp.exe

%WinDir%via.exe

%System32%adirka.dll

%System32%adirka.exe

play.bitsCN.com累了吗玩一下吧

%System32%adirss.exe

%System32%dd.exe

%System32%lnwin.exe

%System32%ma.exe.exe

%System32%pfxzmtaim.dll

%System32%pfxzmtforum.dll

%System32%pfxzmtgtal.dll

%System32%pfxzmticq.dll

%System32%pfxzmtsmt.dll

%System32%pfxzmtsmtspm.dll

%System32%pfxzmtwbmail.dll

%System32%pfxzmtymsg.dll

%System32%pp.exe.exe

%System32%

svp32_2.dll

%System32%sfxzmtforum.dll

%System32%sfxzmtsmt.dll

%System32%sfxzmtsmtspm.dll

%System32%sfxzmtwbmail.dll

%System32%sm.exe

%System32%sporder.dll

%System32%svcp.csv

%System32%wincom32.ini

%System32%winsub.xml

%System32%zlbw.dll

dl.bitsCN.com网管软件下载

%System32%zu.exe.exe

%Temporary Internet Files%/zu.exe

%Temporary Internet Files%/via.exe

%Temporary Internet Files%/sm.exe

%Temporary Internet Files%/pp.exe

%Temporary Internet Files%/pp.exe

%Temporary Internet Files%/ma.exe

%Temporary Internet Files%/dd.exe

病毒名称: Email-Worm.Win32.Zhelatin.bl

中文名称: 泽拉丁变种

病毒类型: 蠕虫类

文件 MD5: 116C0F5BDC126CE5FE8DE20526DAD02F

公开范围: 完全公开

危害等级: 5

文件长度: 加壳后 6,789 字节,脱壳后 21,504 字节

感染系统: Win95以上系统

开发工具: Microsoft Visual C++ 6.0

加壳类型 : UPX变种壳,伪造为下列两层壳信息

FSG v1.10 (Eng) -> dulek/xt

LCC Win32 1.x -> Jacob Navia

手工清除请按照行为分析删除对应文件,恢复相关系统设置。

(1) 使用进程管理关闭病毒进程

adirka.exe

sm.exe

dd.exe

(2) 恢复病毒修改的注册表项目,删除病毒添加的注册表项

删除下列新建项:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows

CurrentVersionRunlnwin.exe

Value: String: "%System32%lnwin.exe"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows

CurrentVersionRunsysinter

Value: String: "%System32% adirss.exe"

HKEY_CURRENT_USERSoftwareMicrosoftWindows

CurrentVersionRunadirka

Value: String: "%System32%adirka.exe"

HKEY_LOCAL_MACHINESYSTEMCurrentControlSet

ServicesWS2IFSL

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000012

…………..

…………..

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000023

恢复下列修改项:

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000001

PackedCatalogItem

…………..

…………..

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries000000000011

PackedCatalogItem

恢复键值为:

%SystemRoot%system32mswsock.dll

(3) 删除病毒衍生文件:

%WinDir%pp.exe

%WinDir%via.exe

%System32%adirka.dll

%System32%adirka.exe

%System32%adirss.exe

%System32%dd.exe

%System32%lnwin.exe

%System32%ma.exe.exe

%System32%pfxzmtaim.dll

%System32%pfxzmtforum.dll

%System32%pfxzmtgtal.dll

%System32%pfxzmticq.dll

%System32%pfxzmtsmt.dll

%System32%pfxzmtsmtspm.dll

%System32%pfxzmtwbmail.dll

%System32%pfxzmtymsg.dll

%System32%pp.exe.exe

%System32%

svp32_2.dll

%System32%sfxzmtforum.dll

%System32%sfxzmtsmt.dll

%System32%sfxzmtsmtspm.dll

%System32%sfxzmtwbmail.dll

%System32%sm.exe

%System32%sporder.dll

%System32%svcp.csv

%System32%wincom32.ini

%System32%winsub.xml

%System32%zlbw.dll

%System32%zu.exe.exe

%Temporary Internet Files%/zu.exe

%Temporary Internet Files%/via.exe

%Temporary Internet Files%/sm.exe

%Temporary Internet Files%/pp.exe

%Temporary Internet Files%/pp.exe

%Temporary Internet Files%/ma.exe

%Temporary Internet Files%/dd.exe

 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
© 2005- 王朝百科 版权所有