遭遇beep.sys/Backdoor.Win32.Agent,DOVA/Backdoor.Win32.Hupigon,myRAT.rmvb/Trojan.Win32.Delf等2

原创

PurpleEndurer 2022-12-12 15:14:24 博主文章分类：系统维护 ©著作权

文章标签 microsoft structure c imagelist vba 文章分类 运维

©著作权归作者所有：来自51CTO博客作者PurpleEndurer的原创作品，请联系作者获取转载授权，否则将追究法律责任

遭遇beep.sys/Backdoor.Win32.Agent,DOVA/Backdoor.Win32.Hupigon,myRAT.rmvb/Trojan.Win32.Delf等2

endurer 原创 2008-06-22 第1版

(继1)

到 http://purpleendurer.ys168.com 下载 FileInfo 和 bat_do。

用FileInfo 提取 pe_xscan 的 log 中红色标记的文件的信息；用 bat_do 打包备份，延时删除，改所选文件名，再延时删除。

下载并安装瑞星卡卡安全助手，切换到[高级功能]->[系统启动项管理]，

在左边点击[登录项]，在右边找到 F2、O4 项对应的项目，右击，从弹出的菜单里选择删除。

在左边分别点击[服务项]和[驱动]，找到 O23组的对应项，右击，从弹出的菜单中选择删除。

另外检查发现

文件说明符 : c:/windows/system32/drivers/beep.sys 属性 : A--- 数字签名:否 PE文件:是获取文件版本信息大小失败! 创建时间 : 2008-6-16 16:30:47 修改时间 : 2008-6-16 16:30:48 大小 : 2278 字节 2.230 KB MD5 : 57feb7a53fc0fc0d72460c79f6fe4a70 SHA1: 426C70291E57437C7F922055D6E9F780582CB6AD CRC32: b4f9768e

（卡巴斯基报为：Backdoor.Win32.Agent.krx[KLAB-5393973]）

也用 bat_do处理了。

用WinRAR删除Windows临时文件夹，IE临时文件夹，c:/windows/prefetch 中可以删除的文件。

重启电脑~

这下电脑工作正常了。

附部分病毒文件信息：

文件 beep.sys 接收于 2008.06.17 11:48:14 (CET)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.6.17.0	2008.06.17	-
AntiVir	7.8.0.55	2008.06.17	-
Authentium	5.1.0.4	2008.06.17	-
Avast	4.8.1195.0	2008.06.16	-
AVG	7.5.0.516	2008.06.16	Worm/Agent.N
BitDefender	7.2	2008.06.17	-
CAT-QuickHeal	9.50	2008.06.16	-
ClamAV	0.93.1	2008.06.17	-
DrWeb	4.44.0.09170	2008.06.17	-
eSafe	7.0.15.0	2008.06.16	-
eTrust-Vet	31.6.5881	2008.06.17	-
Ewido	4.0	2008.06.16	-
F-Prot	4.4.4.56	2008.06.12	-
F-Secure	7.60.13501.0	2008.06.17	-
Fortinet	3.14.0.0	2008.06.17	-
GData	2.0.7306.1023	2008.06.17	-
Ikarus	T3.1.1.26.0	2008.06.17	-
Kaspersky	7.0.0.125	2008.06.17	-
McAfee	5318	2008.06.16	-
Microsoft	1.3604	2008.06.17	-
NOD32v2	3192	2008.06.17	-
Norman	5.80.02	2008.06.16	-
Panda	9.0.0.4	2008.06.16	-
Prevx1	V2	2008.06.17	-
Rising	20.49.11.00	2008.06.17	-
Sophos	4.30.0	2008.06.17	-
Sunbelt	3.0.1153.1	2008.06.15	-
Symantec	10	2008.06.17	-
TheHacker	6.2.92.352	2008.06.17	-
TrendMicro	8.700.0.1004	2008.06.17	-
VBA32	3.12.6.7	2008.06.17	-
VirusBuster	4.3.26:9	2008.06.12	-
Webwasher-Gateway	6.6.2	2008.06.17	-

附加信息
File size: 2278 bytes
MD5...: 57feb7a53fc0fc0d72460c79f6fe4a70
SHA1..: 426c70291e57437c7f922055d6e9f780582cb6ad
SHA256: 8f374788e5331a514bb7af41349fe2e41d1bf747c3cf6f8c0450f70d7700f62a
SHA512: 25496d47a6a7385e517575d4c82b3eaa6f477f5344c0db91d87ee55f0ccec035<BR>834f7cfd854405cdbe784847ffcd5c2c66e1fea2bb34d50bc8bbfef99ffa14da
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x102e6 timedatestamp.....: 0x4853ae23 (Sat Jun 14 11:40:19 2008) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x2a0 0x23c 0x240 5.84 738686680103bf7136d1d58d91449851 .rdata 0x4e0 0x94 0xa0 2.56 b3ae866fa0e297874aa7207a07840525 .data 0x580 0x18 0x20 0.00 70bc8f4b72a86921468bf8e8441dce51 INIT 0x5a0 0x144 0x160 4.44 5d072eceb6de4a7376bf9d6312676161 .reloc 0x700 0x58 0x60 3.47 d9b273eae760f0b360a5cdc940e91f18 ( 1 imports ) > ntoskrnl.exe: IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IofCompleteRequest, DbgPrint, IoDeleteDevice, IoDeleteSymbolicLink, KeServiceDescriptorTable, ProbeForWrite, ProbeForRead, _except_handler3 ( 0 exports )

文件说明符 : D:/test/myRAT.rmvb 属性 : -SH- 数字签名:否 PE文件:是语言 : 中文(中国) 文件版本 : 1.0.0.500 说明 : 版权 : 备注 : 产品版本 : 1.0.0.0 产品名称 : 公司名称 : 合法商标 : 内部名称 : 源文件名 : 创建时间 : 2008-6-16 2:44:19 修改时间 : 2008-6-16 10:44:20 大小 : 135680 字节 132.512 KB MD5 : 2d12b069fe76521573f6c7335b5b4b3a SHA1: 4CCF4F2AE88DF6B28544AC5628EE5F87157EBB13 CRC32: 6a109c0d

卡巴斯基报为：Trojan-Downloader.Win32.Delf.jdo，瑞星报为：Trojan.Win32.Delf.fck

文件 myRAT.rmvb 接收于 2008.06.17 12:03:37 (CET)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.6.17.0	2008.06.17	-
AntiVir	7.8.0.55	2008.06.17	BDS/Backdoor.Gen
Authentium	5.1.0.4	2008.06.17	W32/OnlineGames.A.gen!Eldorado
Avast	4.8.1195.0	2008.06.16	-
AVG	7.5.0.516	2008.06.16	-
BitDefender	7.2	2008.06.17	-
CAT-QuickHeal	9.50	2008.06.16	-
ClamAV	0.93.1	2008.06.17	-
DrWeb	4.44.0.09170	2008.06.17	BackDoor.Siggen.18
eSafe	7.0.15.0	2008.06.16	-
eTrust-Vet	31.6.5881	2008.06.17	-
Ewido	4.0	2008.06.16	-
F-Prot	4.4.4.56	2008.06.12	W32/OnlineGames.A.gen!Eldorado
F-Secure	7.60.13501.0	2008.06.17	-
Fortinet	3.14.0.0	2008.06.17	-
GData	2.0.7306.1023	2008.06.17	Trojan-Downloader.Win32.Delf.jdo
Ikarus	T3.1.1.26.0	2008.06.17	Backdoor.Win32.Delf.RAN
Kaspersky	7.0.0.125	2008.06.17	Trojan-Downloader.Win32.Delf.jdo
McAfee	5318	2008.06.16	-
Microsoft	1.3604	2008.06.17	Backdoor:Win32/Delf.RAN
NOD32v2	3193	2008.06.17	-
Norman	5.80.02	2008.06.16	-
Panda	9.0.0.4	2008.06.16	Suspicious file
Prevx1	V2	2008.06.17	-
Rising	20.49.11.00	2008.06.17	Trojan.Win32.Delf.fck
Sophos	4.30.0	2008.06.17	Troj/Delf-FAH
Sunbelt	3.0.1153.1	2008.06.15	-
Symantec	10	2008.06.17	-
TheHacker	6.2.92.352	2008.06.17	-
TrendMicro	8.700.0.1004	2008.06.17	-
VBA32	3.12.6.7	2008.06.17	-
VirusBuster	4.3.26:9	2008.06.12	-
Webwasher-Gateway	6.6.2	2008.06.17	Trojan.Backdoor.Backdoor.Gen

附加信息
File size: 135680 bytes
MD5...: 2d12b069fe76521573f6c7335b5b4b3a
SHA1..: 4ccf4f2ae88df6b28544ac5628ee5f87157ebb13
SHA256: 48305730acf26f319facfa169e6eb8b07e1cdcb90e0cd34421e0f4d56422ff7b
SHA512: 44ef829d1fc28f1412ca9d4b675e31bb255f35c45bd7d1bddb91955988e57ef3<BR>9be30e2d2db3488f5fb7f306ea95dda97d67078c39a85edd1f22d6f1af9ee24c
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x41c1b4 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386) ( 7 sections ) name viradd virsiz rawdsiz ntrpy md5<BR>CODE 0x1000 0x1b208 0x1b400 6.50 1300615699205731585424971640e87b<BR>DATA 0x1d000 0x20f0 0x2200 4.12 711df5be86fe3c18b34b3d17bd67f542<BR>BSS 0x20000 0x1ab5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<BR>.idata 0x22000 0x1a20 0x1c00 4.74 b0c33623819f6d387b0ad873910e4b82 .edata 0x24000 0x87 0x200 1.54 e547a716c28ead40f0a419a6f25e807f<BR>.reloc 0x25000 0x15c8 0x1600 6.70 a65c4f4337ad0f54873701703a63ff27 .rsrc 0x27000 0x2d8 0x400 2.39 7495ebf8c9de446dfdcdbb598f5522af<BR><BR>( 22 imports ) <BR>> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, CreateDirectoryA, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle user32.dll: GetKeyboardType, MessageBoxA advapi32.dll: RegQueryvalueExA, RegOpenKeyExA, RegCloseKey oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen<BR>> kernel32.dll: TlsSetvalue, TlsGetvalue, TlsFree, TlsAlloc, LocalFree, LocalAlloc advapi32.dll: SetSecurityDescriptorDacl, RevertToSelf, RegSetvalueExA, RegQueryvalueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumvalueA, RegEnumKeyExA, RegDeletevalueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegevalueA, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, GetUserNameA, DuplicateTokenEx, CreateProcessAsUserA, AdjustTokenPrivileges kernel32.dll: lstrlenA, lstrcpyW, lstrcpyA, lstrcmpiA, lstrcmpW, WriteFile, WinExec, WaitForSingleObject, UnmapViewOfFile, TerminateProcess, Sleep, SetThreadPriority, SetFileTime, SetFilePointer, SetFileAttributesW, SetFileAttributesA, SetEvent, SetErrorMode, ResumeThread, ReleaseMutex, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MoveFileExA, MoveFileA, MapViewOfFile, LocalFileTimeToFileTime, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalAlloc, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTimeFormatW, GetTickCount, GetThreadPriority, GetTempPathA, GetSystemDirectoryA, GetSystemDefaultLangID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceExA, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetComputerNameA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnterCriticalSection, DosDateTimeToFileTime, DeleteFileW, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingW, CreateFileA, CreateEventA, CloseHandle gdi32.dll: SelectObject, GetSystemPaletteEntries, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBColorTable, DeleteObject, DeleteDC, CreatePalette, CreateHalftonePalette, CreateDIBSection, CreateCompatibleDC, BitBlt<BR>> user32.dll: mouse_event, keybd_event, UnhookWindowsHookEx, TranslateMessage, ShowWindow, SetWindowsHookExA, SetCursorPos, SetClipboardData, SendMessageA, ReleaseDC, PostMessageA, PeekMessageA, OpenClipboard, OemToCharA, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, IsWindowVisible, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowLongA, GetSystemMetrics, GetProcessWindowStation, GetParent, GetMessageA, GetDesktopWindow, GetDC, GetCursorPos, GetClipboardData, GetClassNameA, ExitWindowsEx, EnumWindows, EmptyClipboard, DispatchMessageA, DestroyWindow, CloseWindow, CloseClipboard, CallNextHookEx kernel32.dll: Sleep shell32.dll: SHFileOperationA advapi32.dll: UnlockServiceDatabase, StartServiceA, SetServiceStatus, RegisterServiceCtrlHandlerA, QueryServiceStatus, QueryServiceConfigA, OpenServiceA, OpenSCManagerA, LockServiceDatabase, EnumServicesStatusA, DeleteService, CreateServiceA, ControlService, CloseServiceHandle, ChangeServiceConfigA<BR>> wininet.dll: InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle URLMON.DLL: URLDownloadToFileA shell32.dll: SHGetSpecialFolderPathA imm32.dll: ImmReleaseContext, ImmGetCompositionStringW, ImmGetContext<BR>> ws2_32.dll: WSAIoctl, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, shutdown, setsockopt, send, select, recv, ntohs, ntohl, ioctlsocket, inet_ntoa, inet_addr, htons, htonl, connect, closesocket MSVFW32.DLL: ICSeqCompressFrame, ICSeqCompressFrameEnd, ICSeqCompressFrameStart, ICSendMessage, ICClose, ICOpen, ICInstall AVICAP32.dll: capCreateCaptureWindowA, capGetDriverDescriptionA<BR>> Setupapi.dll: SetupDiClassNameFromGuidA, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA shell32.dll: ShellExecuteA wininet.dll: InternetGetConnectedStateEx ( 4 exports ) Install, InstallEx, ServerMain, ServiceMain

文件说明符 : D:/test/DOVA 属性 : -SHR 数字签名:否 PE文件:是获取文件版本信息大小失败! 创建时间 : 2008-6-16 2:44:38 修改时间 : 2008-6-16 16:30:50 大小 : 231729 字节 226.305 KB MD5 : 76d5a93a77a4b266ce590864fe2cdae4 SHA1: E9E2694515A8D0BEF74E5D4094E49DB4DC46E297 CRC32: 3c8f8c39

卡巴斯基报为：Backdoor.Win32.Hupigon.clpz

文件 DOVA 接收于 2008.06.17 11:49:53 (CET)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.6.17.0	2008.06.17	Win32/NSAnti.suspicious
AntiVir	7.8.0.55	2008.06.17	BDS/Backdoor.Gen
Authentium	5.1.0.4	2008.06.17	W32/Hupigon.A.gen!Eldorado
Avast	4.8.1195.0	2008.06.16	Win32:Hupigon-ZA
AVG	7.5.0.516	2008.06.16	Generic10.ANTC
BitDefender	7.2	2008.06.17	MemScan:Backdoor.Hupigon.ZUW
CAT-QuickHeal	9.50	2008.06.16	Win32.Packed.NSAnti.r
ClamAV	0.93.1	2008.06.17	-
DrWeb	4.44.0.09170	2008.06.17	BackDoor.Pigeon.2254
eSafe	7.0.15.0	2008.06.16	suspicious Trojan/Worm
eTrust-Vet	31.6.5881	2008.06.17	-
Ewido	4.0	2008.06.16	Backdoor.GrayBird.kx
F-Prot	4.4.4.56	2008.06.12	W32/Hupigon.A.gen!Eldorado
Fortinet	3.14.0.0	2008.06.17	-
GData	2.0.7306.1023	2008.06.17	Backdoor.Win32.Hupigon.clpz
Ikarus	T3.1.1.26.0	2008.06.17	Packed.Win32.Klone.af
Kaspersky	7.0.0.125	2008.06.17	Backdoor.Win32.Hupigon.clpz
McAfee	5318	2008.06.16	-
Microsoft	1.3604	2008.06.17	VirTool:Win32/Obfuscator.A
NOD32v2	3193	2008.06.17	-
Norman	5.80.02	2008.06.16	W32/Suspicious_N.gen
Panda	9.0.0.4	2008.06.16	Suspicious file
Prevx1	V2	2008.06.17	Suspicious
Rising	20.49.11.00	2008.06.17	-
Sophos	4.30.0	2008.06.17	Sus/UnkPacker
Sunbelt	3.0.1153.1	2008.06.15	VIPRE.Suspicious
Symantec	10	2008.06.17	-
TheHacker	6.2.92.352	2008.06.17	-
TrendMicro	8.700.0.1004	2008.06.17	-
VBA32	3.12.6.7	2008.06.17	suspected of Backdoor.XiaoBird.1
VirusBuster	4.3.26:9	2008.06.12	Packed/NSPack
Webwasher-Gateway	6.6.2	2008.06.17	Trojan.Backdoor.Backdoor.Gen

附加信息
File size: 231729 bytes
MD5...: 76d5a93a77a4b266ce590864fe2cdae4
SHA1..: e9e2694515a8d0bef74e5d4094e49db4dc46e297
SHA256: 56002d8d72834e91189ac226b809be2968ddcd199edf74486b8baa527ae64c81
SHA512: 8f414f7d1f035e621db966d760dbba76ff18aeb895c62398e1368522094f45f5<BR>7161dfe25018fca5aff40e881adb66169511403d931220017f334e0e1b8ca80f
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x4df028 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 0x1000 0xde000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0xdf000 0x39000 0x38531 8.00 15910b31c9cfb5449b6989cf64121b8e 0x118000 0x88a 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 25 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess > USER32.DLL: GetKeyboardType > ADVAPI32.DLL: RegQueryvalueExA > OLEAUT32.DLL: SysFreeString > KERNEL32.DLL: TlsSetvalue > ADVAPI32.DLL: RegSetvalueExA > KERNEL32.DLL: lstrcpyA > MPR.DLL: WNetOpenEnumA > VERSION.DLL: VerQueryvalueA > GDI32.DLL: UnrealizeObject > USER32.DLL: CreateWindowExA > KERNEL32.DLL: Sleep > OLEAUT32.DLL: SafeArrayPtrOfIndex > COMCTL32.DLL: ImageList_SetIconSize > SHELL32.DLL: Shell_NotifyIconA > WININET.DLL: InternetReadFile > ADVAPI32.DLL: StartServiceA > WSOCK32.DLL: WSACleanup > IMAGEHLP.DLL: CheckSumMappedFile > WINMM.DLL: waveOutWrite > AVICAP32.DLL: capCreateCaptureWindowA > MSACM32.DLL: acmFormatChooseA > WS2_32.DLL: WSAIoctl > ADVAPI32.DLL: SetSecurityInfo > AVICAP32.DLL: capGetDriverDescriptionA ( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E5A5604431A0EFF889FD0378A1F6E80097A6ED84
packers (Avast): NsPack, NsPack
packers (F-Prot): NSPack
packers (Authentium): NSPack