Java Script下载木马,反映是偶的Web讯雷被打开了。。。。。。。(卸载Web讯雷,换讯雷5后问题解决)
估计是网页内的Java造成的(google广告,友站链接都有可能。。。。)
至于LZ是自己感染了蠕虫导致,解决方法如下:
comrecfg.exe,fat32.sys
wxptdi.sys,sysEventw.cfg
病毒名称: Worm.Win32.Downloader.cg
病毒类型:下载者
命名对照:
瑞星 Trojan.Win32.Mnless.zyt
AVAST Win32:Downloader-RR [Wrm]
行为分析:
增加启动项目:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer\Run "comrepl32"
Type: REG_SZ
Data: C:\windows\system32\com\comrecfg.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PciHardDisk "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\system32\fat32.sys
修改注册表破坏防火墙等。
连接http://www.68yu.cn/listo.txt读取下载列表,释放和下载以下文件:
c:\Program Files\lsass0.exe
Date: 12-13-2007 1:09 PM
Size: 15,872 bytes
c:\Program Files\lsass1.exe
Date: 12-13-2007 1:09 PM
Size: 19,076 bytes
c:\Program Files\lsass2.exe
Date: 12-13-2007 1:09 PM
Size: 16,176 bytes
c:\Program Files\lsass3.exe
Date: 12-13-2007 1:09 PM
Size: 13,943 bytes
c:\Program Files\lsass4.exe
Date: 12-13-2007 1:09 PM
Size: 16,752 bytes
c:\Program Files\lsass5.exe
Date: 12-13-2007 1:09 PM
Size: 17,212 bytes
c:\Program Files\lsass6.exe
Date: 12-13-2007 1:09 PM
Size: 17,312 bytes
c:\Program Files\lsass7.exe
Date: 12-13-2007 1:09 PM
Size: 16,188 bytes
c:\Program Files\lsass8.exe
Date: 12-13-2007 1:09 PM
Size: 15,920 bytes
c:\Program Files\lsass9.exe
Date: 12-13-2007 1:09 PM
Size: 42,289 bytes
c:\Program Files\lsassa.exe
Date: 12-13-2007 1:09 PM
Size: 30,329 bytes
c:\Program Files\lsassb.exe
Date: 12-13-2007 1:09 PM
Size: 18,900 bytes
c:\Program Files\lsassc.exe
Date: 12-13-2007 1:09 PM
Size: 18,612 bytes
c:\Program Files\lsassd.exe
Date: 12-13-2007 1:09 PM
Size: 16,521 bytes
c:\Program Files\lsasse.exe
Date: 12-13-2007 1:09 PM
Size: 17,003 bytes
c:\Program Files\lsassf.exe
Date: 12-13-2007 1:09 PM
Size: 17,092 bytes
c:\Program Files\lsassh.exe
Date: 12-13-2007 1:09 PM
Size: 52,529 bytes
c:\Program Files\lsassi.exe
Date: 12-13-2007 1:09 PM
Size: 176,813 bytes
c:\Program Files\lsassj.exe
Date: 12-13-2007 1:09 PM
Size: 15,932 bytes
c:\WINDOWS\system32\wxptdi.sys
Date: 12-13-2007 1:09 PM
Size: 77,824 bytes
c:\WINDOWS\system32\Com\comrecfg.exe
Date: 12-13-2007 1:09 PM
Size: 9,216 bytes
c:\WINDOWS\system32\config\sysEventw.cfg
Date: 12-13-2007 1:09 PM
Size: 200 bytes
解决方案:
删除注册表启动项目:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "comrepl32"
Type: REG_SZ
Data: C:\windows\system32\com\comrecfg.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PciHardDisk "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\system32\fat32.sys
用SRENG修复系统设置。
并删除以下文件:
c:\Program Files\lsass0.exe
c:\Program Files\lsass1.exe
c:\Program Files\lsass2.exe
c:\Program Files\lsass3.exe
c:\Program Files\lsass4.exe
c:\Program Files\lsass5.exe
c:\Program Files\lsass6.exe
c:\Program Files\lsass7.exe
c:\Program Files\lsass8.exe
c:\Program Files\lsass9.exe
c:\Program Files\lsassa.exe
c:\Program Files\lsassb.exe
c:\Program Files\lsassc.exe
c:\Program Files\lsassd.exe
c:\Program Files\lsasse.exe
c:\Program Files\lsassf.exe
c:\Program Files\lsassh.exe
c:\Program Files\lsassi.exe
c:\Program Files\lsassj.exe
c:\WINDOWS\system32\wxptdi.sys
c:\WINDOWS\system32\Com\comrecfg.exe
c:\WINDOWS\system32\config\sysEventw.cfg
[ 本帖最后由 司徒苍月 于 2007-12-16 13:01 编辑 ]
