How to Identify and Resolve a Worm Backdoor

[ Author: papa | Updated: 2008-2-24 18:48:57 | Views: ]

This article takes a typical worm backdoor that broke out this week as an example and outlines how a user should deal with this kind of virus.

The virus drops several virus files, chosen at random, into the system32 directory:

firewall.exe, winIogon.exe, lssas.exe, logon.exe, spooIsv.exe, winamp.exe and others.
(Note: in the file names winIogon.exe and spooIsv.exe, the letter that looks like an L is actually an I, i.e. the letter i; this is easy to confuse.)

It writes Run registry values that impersonate security software so that it is loaded automatically at startup.
Examples are the value names Windows Network Firewall, Windows Logon Application and Local Security Authority Service, as shown below.



After the virus runs, the firewall shows a prompt similar to the following (choosing "Block" is recommended):



If the user mistakenly chose "Allow" at that moment, the process can be ended with the End Process function in the network activity view of Kingsoft NetGuard (金山网镖), as shown in the figure:


If no firewall such as NetGuard is protecting the machine, the network state can be inspected from the command line, as shown in the figure:

The PIDs marked in yellow belong to the processes created by the virus; the red marks show the connections between this machine and remote hosts. Advanced users can end the virus process from the command line by its PID. Beginners are advised to use the process manager of Kingsoft Cleanup Expert (清理专家), choose "Find risky processes" and end the related processes in one batch.
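As an added example (not code from the article or from Kingsoft), the Python helper below performs the PID matching described above offline: it joins constructed `netstat -ano` and `tasklist` output on the PID column and flags established connections owned by processes whose names are look-alikes of winlogon.exe, spoolsv.exe or lsass.exe (capital I for l, transposed letters as in lssas). The set of legitimate names and the homoglyph table are assumptions of the example.

```python
import re
# Legitimate Windows binaries the worm's file names imitate (from the article).
LEGIT = {"winlogon.exe", "spoolsv.exe", "lsass.exe"}
# Characters commonly swapped for look-alikes: capital I and digit 1 for l, 0 for o.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})
# Established TCP rows of `netstat -ano`: capture remote endpoint and owning PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$", re.M)

def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "lssas" -> "lsass"
    return d[len(a)][len(b)]

def lookalike_of(name):
    """Return the legitimate binary `name` imitates, or None if genuine or unrelated."""
    if name.lower() in LEGIT:
        return None
    norm = name.translate(HOMOGLYPHS).lower()  # winIogon.exe -> winlogon.exe
    for legit in sorted(LEGIT):
        if norm == legit or osa_distance(norm, legit) <= 1:
            return legit
    return None

def triage(netstat_out, tasklist_out):
    """Join netstat and tasklist text on PID; return established connections owned by look-alikes."""
    rows = (line.split() for line in tasklist_out.splitlines())
    names = {int(r[1]): r[0] for r in rows if len(r) > 1 and r[1].isdigit()}
    hits = []
    for remote, pid in NETSTAT_RE.findall(netstat_out):
        name = names.get(int(pid), "?")
        imitates = lookalike_of(name)
        if imitates:
            hits.append({"pid": int(pid), "name": name, "remote": remote, "imitates": imitates})
    return hits

# Constructed sample output (not captured from a real infection).
NETSTAT_SAMPLE = (
    "  TCP    192.168.1.5:1043    203.0.113.7:7000    ESTABLISHED     1708\n"
    "  TCP    192.168.1.5:1044    203.0.113.9:80      ESTABLISHED     2212\n")
TASKLIST_SAMPLE = (
    "winIogon.exe                  1708 Console                    0     2,340 K\n"
    "iexplore.exe                  2212 Console                    0    18,900 K\n")
```

Running `triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE)` reports only PID 1708, the winIogon.exe connection; the genuine browser connection is left alone.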



After ending the processes, remove the virus's startup entries in the startup-item manager of Cleanup Expert's online full diagnosis, and finally delete the corresponding files.


Finally, the virus uses the hosts file to hijack the domain names of security software, mapping them to 127.0.0.1 so that those sites can no longer be reached (use the script in the attachment to reset the hosts file).

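As an added example (not the article's Fix_Hosts attachment), the Python functions below audit a hosts file for this kind of hijack: every name mapped to a loopback address other than localhost is reported and removed, while comments and genuine non-loopback entries are kept verbatim. The sample hosts text is constructed; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
LOOPBACK = {"127.0.0.1", "::1"}
# Only these names may legitimately resolve to loopback; any other name pointed
# at loopback silently blocks a site, which is exactly what the worm does.
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def audit_hosts(text):
    """Return (clean_text, hijacked): the hosts file with loopback hijacks removed,
    and the list of (ip, hostname) pairs that were dropped."""
    clean, hijacked = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore trailing comments
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            clean.append(line)  # comments, blanks, non-loopback mappings: keep verbatim
            continue
        ip, names = fields[0], fields[1:]
        kept = [n for n in names if n.lower() in ALLOWED_LOOPBACK_NAMES]
        hijacked.extend((ip, n) for n in names if n.lower() not in ALLOWED_LOOPBACK_NAMES)
        if kept:
            clean.append(f"{ip}\t{' '.join(kept)}")
    return "\n".join(clean) + "\n", hijacked

def fix_hosts_file(path):
    """Rewrite the hosts file at `path` in place; return the hijacked entries removed."""
    with open(path) as f:
        clean, hijacked = audit_hosts(f.read())
    if hijacked:
        with open(path, "w") as f:
            f.write(clean)
    return hijacked

# Constructed sample mixing legitimate entries with worm-style hijacks.
HOSTS_SAMPLE = """# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 update.rising.com.cn
::1             localhost
10.0.0.5        intranet.example   # legitimate local entry
"""
```

`fix_hosts_file` needs write access to the hosts file, which on Windows means running from an administrator prompt.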

Summary:
At present, a firewall provides protection against network worms, backdoor programs and similar threats that a pure antivirus program cannot replace.
The Duba 2008 Internet Security Suite (毒霸2008互联网安全套装) offers individual home users a security protection solution that is as comprehensive as possible.

Attachment

Fix_Hosts.rar (177 Bytes)

Tags: worm backdoor
Source: 爱毒霸