Manual cleanup for friends who caught lisa's virus | libcinet.exe libwinets.dll

lisa's computer got infected today and passed it on to quite a few other people. When I looked into it, it turned out to be a freshly minted variant: as of August 2, the dedicated removal tools from Jiangmin, 木马杀手 (Trojan Killer) and Trend Micro still could not detect this variant...
I have cleaned it up by hand following the CISRT write-up. If anything is unclear, phone me; ask lisa for the number.
 
【CISRT2007110】IRCBot spreading via MSN (libcinet.exe, libwinets.dll): solution

File number: CISRT2007110
Virus name: Backdoor.Win32.IRCBot.acd (Kaspersky)
Alias: Win32.Hack.IRCBot.360448 [exe] (毒霸 / Kingsoft Duba)
Size: 115,712 bytes
Packer: PE_Patch NTKrnl
Sample MD5: 9d46cda7f47ad85bf970ffb45940e7ad
Sample SHA1: 6ad1ec62206f16579d8a801c71f93fdedc66ed6a
Discovered: 2007.7
Updated: 2007.8.1
Related viruses:
Propagation: via MSN

 

The virus sends messages to the infected user's MSN contacts together with a virus-laden archive disguised as photos; a contact's system is infected when they accept the archive and open the file inside it. The file name of the archive sent to contacts is not fixed. If the infected system's language is Chinese, the message sent to contacts is written in Hanyu Pinyin.

Once run, the virus creates a copy of itself in the system directory:
%System%\libcinet.exe

It drops a DLL that is injected into (loaded by) a running process:
%System%\libwinets.dll

It creates a ShellServiceObjectDelayLoad (SSODL) startup entry. explorer.exe instantiates every CLSID listed under this key when the shell starts, so the DLL is loaded into explorer.exe at each logon without any separate process of its own:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"printers"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@="libwinets.dll"

Note: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} stands for a CLSID. The CLSID the virus generates is not fixed; one observed value is {666432A5-B18F-4D60-8B96-D9CD9064A23B}.

In the %Windows% directory it generates ZIP archives containing a copy of itself. The file names are not fixed; each is one of the following strings followed by random digits:

photos-webcam
images0
photos0
album
photo
pictures0

For example:

photo76.zip (containing photo76.scr)

Depending on the language of the infected system, the virus sends MSN contacts a text message in the matching language together with the virus archive:

Look how wasted Paris Hilton is, after she got jailed :(
You and Me !!! .... look :p
Look at my photos hihi :p
Hey please accept my photos :o !!
A photo with me and my best friend :$ !!
This is me totaly naked :o please dont send to anyone else

bak sana Paris Hilton ne hale gelmis hapiste :(
Sen ve Ben !!! .... BAK :p
Baksana benim fotograflara hihi :p
Hey benim fotolarimi kabul et :o !!
Iyi arkadasimla fotorafdayim :$ !!
benim bu ciplak fotoda :o ama baskasina yollama

Regarde comment Paris Hilton parait effondrée après qu'elle ait été jeter en prison :(
Toi et moi !!! .... regarde :p
Regarde mes photos :p
Hey s'il te plait accepte mes photos :o !!
Une photo de moi et mon meilleur ami :$ !!
C'est moi totalement nu :o s'il te plait ne l'envoie a personne d'autre

Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
Kijk eens naar mijn fotos hihi :p
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.

guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
du und ich !!! ....guck :p
siehe meine fotos hihi :p
hey bitte nimm meine fotos an :o !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt :o bitte sende es niemand anderem

Guarda come Paris Hilton sprecato è dopo che era imprijonata :(
Tu ed io !!! .... guarda :p
Guardi le mie foto hihi :p
Mairee photos accept karo :o !!
Una foto con me ed il mio amico migliore :$ !!
Questa e me totaly nudo :o prego non trasmette a chiunque

Veja como Paris Hilton está acabada depois de ter sido presa :(
Você e eu !!!! .... Veja :p
Veja as minhas fotos hehehe :p
Por favor aceite as minhas fotos :o !!
Uma foto com o meu melhor amigo e eu :$ !!
Esta sou eu totalmente nua :o por favor não mande isso pra ninguém

kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
NI HE WO !!! .... QING KAN :p
KAN WO DE ZHAOPIAN :p
JIESHOU WO DE ZHAO PIAN :o !!
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!

Kolla hur förstörd Paris Hilton är, efter att hon fängslades :(
Du och jag !! .... Kolla ;)
Kolla på mina bilder, hihi :p
Hey, acceptera mina bilder, snälla :o
En bild på mig och min bästa vän :$ !!!
Detta är jag HELT naken.. :o Skicka inte till någon annan, snälla...

Mira cómo Paris Hilton es perdida después de ser encarcelada :(
Usted e yo !!! .... Mira :p
Mira mis fotos jejeje :p
Ha aceptado mis fotos por favor :o !!
Una foto con mi mejor amigo e yo :$ !!
Esta soy yo totalmente desnuda :o por favor no envíe para nadie

Lede hvor spild Paris Hilton er efter hun fik fængsel :(
Jer og Mig !!! ... se :p
Se på min fotos :p
Hej behage optage min foto :o !!
EN foto hos mig og min bedst ven :$ !!
denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o

Remote IRC server it attempts to connect to: games.onlinesciencexxx.com

Removal steps
==========

1. Delete the virus's startup entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"printers"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

and the corresponding key it points at:

[HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
@="libwinets.dll"

(The CLSID differs from machine to machine: read the value of "printers" on the infected system and delete the CLSID key with that name.)

2. Restart the computer. The DLL is loaded inside explorer.exe and cannot be deleted while it is in use; with the startup entry gone it will not be loaded again after the reboot.

3. Delete the files:
%System%\libcinet.exe
%System%\libwinets.dll
%userprofile%\egos.txt

and, in the %Windows% directory, the virus archives (about 114 KB each) whose names consist of one of the following strings plus random digits:

photos-webcam
images0
photos0
album
photo
pictures0

For example:
photo76.zip (containing photo76.scr)
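As an added example, not part of the CISRT advisory or of this post, the following PowerShell script does what the infection description above (copy in %System%, SSODL entry with a random CLSID, lure ZIPs in %Windows%) and the three removal steps spell out: run without switches it only audits, with -Remove it performs the cleanup. The file names, the "printers" value, the lure-name prefixes and the sample MD5 are taken from the advisory; the function names (Get-SsodlEntry, Find-LureArchive, Invoke-IrcBotCleanup) are mine; %userprofile%\egos.txt is the advisory's path with its stripped backslash restored; and because it uses Get-FileHash and the .NET ZipFile class it needs Windows PowerShell 4 or later rather than the XP-era tools the advisory assumed.

```powershell
<#
  Added example, not the advisory's or the post author's code.
  Audits ShellServiceObjectDelayLoad (SSODL) persistence and the dropped files
  described above, then performs the three cleanup steps when -Remove is given.
  Assumptions: file names, the "printers" value, lure prefixes and sample MD5
  come from the advisory; function names are ours; %userprofile%\egos.txt is
  the advisory's path with its backslash restored.
#>
param([switch]$Remove)

$SsodlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$BadDll    = 'libwinets.dll'
$BadExe    = 'libcinet.exe'
$SampleMd5 = '9d46cda7f47ad85bf970ffb45940e7ad'
$LureRegex = '^(photos-webcam|images0|photos0|album|photo|pictures0)\d+\.zip$'
$PsMeta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SsodlEntry {
    # Each SSODL value maps a name to a CLSID that explorer.exe instantiates at shell
    # start; resolve the CLSID to the DLL named by its InProcServer32 default value.
    $props = Get-ItemProperty -Path $SsodlKey -ErrorAction Stop
    foreach ($p in $props.PSObject.Properties) {
        if ($PsMeta -contains $p.Name) { continue }       # provider metadata, not a value
        $clsid  = [string]$p.Value
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $server = if (Test-Path -LiteralPath $inproc) { (Get-ItemProperty -LiteralPath $inproc).'(default)' } else { $null }
        # The bot registers the bare file name, so compare on the leaf only.
        $bad = [bool]$server -and ([IO.Path]::GetFileName([string]$server) -ieq $BadDll)
        [pscustomobject]@{ Name = $p.Name; Clsid = $clsid; Server = $server; Suspicious = $bad }
    }
}

function Find-LureArchive {
    # Lure ZIPs sit directly under %Windows%, are named <prefix><digits>.zip, are about
    # 114 KB and wrap a .scr of the same base name; report what each one actually holds.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zips = Get-ChildItem -LiteralPath $env:windir -Filter '*.zip' -File | Where-Object { $_.Name -match $LureRegex }
    foreach ($file in $zips) {
        $scr = $null
        try {
            $zip = [IO.Compression.ZipFile]::OpenRead($file.FullName)
            $scr = ($zip.Entries | Where-Object { $_.Name -like '*.scr' } | Select-Object -First 1).Name
            $zip.Dispose()
        } catch { $scr = "unreadable: $($_.Exception.Message)" }
        [pscustomobject]@{ Path = $file.FullName; SizeKB = [int]($file.Length / 1KB); ScrInside = $scr }
    }
}

function Invoke-IrcBotCleanup {
    param([switch]$Remove)
    $sys32   = Join-Path $env:windir 'System32'
    $dropped = @((Join-Path $sys32 $BadExe), (Join-Path $sys32 $BadDll), (Join-Path $env:USERPROFILE 'egos.txt'))

    $entries = @(Get-SsodlEntry)
    $entries | Format-Table Name, Clsid, Server, Suspicious -AutoSize | Out-String | Write-Host
    $lures = @(Find-LureArchive)
    $lures | Format-Table Path, SizeKB, ScrInside -AutoSize | Out-String | Write-Host

    # The advisory's MD5 is for one sample; a newer variant keeps the file names but not
    # the hash (the post above hit exactly that), so report rather than gate on it.
    if (Test-Path -LiteralPath $dropped[0]) {
        $md5 = (Get-FileHash -LiteralPath $dropped[0] -Algorithm MD5).Hash.ToLower()
        $verdict = if ($md5 -eq $SampleMd5) { 'matches the advisory sample' } else { 'differs from the advisory sample: likely another variant' }
        Write-Host "$($dropped[0]) MD5=$md5 ($verdict)"
    }
    if (-not $Remove) { Write-Host 'Audit only; re-run with -Remove to clean.'; return }

    # Step 1: drop the SSODL value and the CLSID key it names, so the DLL is not
    # loaded again at the next logon.
    foreach ($e in ($entries | Where-Object { $_.Suspicious })) {
        Remove-ItemProperty -Path $SsodlKey -Name $e.Name -ErrorAction Stop
        Remove-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$($e.Clsid)" -Recurse -Force -ErrorAction SilentlyContinue
        Write-Host "removed SSODL '$($e.Name)' -> $($e.Clsid)"
    }
    # Steps 2-3: the DLL is mapped into explorer.exe, so deleting it fails until the
    # machine has rebooted without the persistence entry; report what is still locked.
    $locked = @()
    foreach ($f in ($dropped + @($lures | ForEach-Object { $_.Path }))) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        try { Remove-Item -LiteralPath $f -Force -ErrorAction Stop; Write-Host "deleted $f" }
        catch { $locked += $f }
    }
    if ($locked.Count) {
        Write-Host 'Still in use; reboot, then run again with -Remove to delete:'
        $locked | ForEach-Object { Write-Host "  $_" }
    }
}

if ($Remove) {
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell: cleanup writes HKLM and %Windows%.'
    }
}
Invoke-IrcBotCleanup -Remove:$Remove
```

Run it once without -Remove and read the SSODL table first: the bot's value is usually named printers, but the CLSID changes per infection, and a variant that renamed its DLL would still show up as an entry whose InProcServer32 is a bare file name rather than one of the shell's own objects. Then run with -Remove, reboot when it reports the DLL as still in use, and run with -Remove once more to delete the files.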
