autorun病毒(PegeFile.pif/Trojan.PSW.Win32.Agent.mk)

autorun病毒(PegeFile.pif/)

2007-06-19 18:06

病毒名字：（Rising） 样本名：PegeFile.pif 加壳：UPX (原帖地址)请保留，因为此页内容可能会修改 文件大小：16,945 字节 MD5:A3AEB72FCDEEB46C04936564419C7275 SHA1:0F1719C33EA1E8E0B492A00BD3049BC20FB49A26 简单写了，这个病毒其实是一个 Download 病毒，运行后会继续下载其他的病毒！（Rising命名错误） 病毒运行后首先释放自己和库文件到： C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll 向所有分区释放： X:\PegeFile.pif X:\autorun.inf 病毒将库文件注入到 explorer.exe 进程，伺机作案。 若是可以链接网络，它会下载以下病毒到用户的机器上，（很多。。。） C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe C:\WINDOWS\system32\ztinetzt.exe C:\WINDOWS\system32\ztinetzt.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll C:\WINDOWS\system32\Ravasktao.exe C:\WINDOWS\system32\Ravasktao.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp C:\Program Files\Internet Explorer\PLUGINS\System64.Sys C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe C:\WINDOWS\system32\Drivers\usbinte.sys C:\WINDOWS\system32\visin.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe C:\WINDOWS\system32\mydata.exe C:\WINDOWS\system32\moyu103.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe C:\WINDOWS\system32\wuclmi.exe C:\WINDOWS\system32\wincfg.exe C:\WINDOWS\system32\mvdbc.exe C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\wanpacket.dll C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\npf_mgm.exe C:\WINDOWS\system32\daemon_mgm.exe C:\WINDOWS\system32\NetMonInstaller.exe C:\WINDOWS\system32\rpcapd.exe C:\WINDOWS\system32\capinstall.exe 修改注册表：    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run "wosa" = %TEMP%WOSO.EXE "mhsa" = %TEMP%MHSO.EXE "Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE "rxsa" = %TEMP%RXSO.EXE "qjsa" = %TEMP%QJSO.EXE "Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE "tlsa" = %TEMP%TLSO.EXE "dasa" = %TEMP%DASO.EXE "wlsa" = %TEMP%WLSO.EXE "wgsa" = %TEMP%WGSO.EXE      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "visin" = %SYSTEM%\VISIN.EXE    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{0EA66AD2-CF26-2E23-532B-B292E22F3266}" = "{754FB7D8-B8FE-4810-B363-A788CD060F1F}" =      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm (Display Name)Network Monitor Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NMNT.SYS      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF (Display Name)NetGroup Packet Filter Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NPF.SYS      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd (Display Name)Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH)"%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0EA66AD2-CF26-2E23-532B-B292E22F3266}      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{754FB7D8-B8FE-4810-B363-A788CD060F1F}      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}

2007-06-24 22:56

安装信得过的杀毒软件，
首先断开网络
然后全盘杀毒或者 逐一删除上文中 橙色 标记的文件和注册表键值

 

 

 

 

 

 

 

 

 

 

病毒名字：（瑞星报毒名称）
　　样本名：PegeFile.pif
　　以下解决步骤参考网友ixigua的分析：

　　一：1.到下载费尔木马强制删除器工具.zip,解压缩打开PowerRmv.exe,在文件名处依次输入

C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll 以及所有分区下的PegeFile.pif和autorun.inf文件

,并勾选"抑制文件再次生成"最后点击清除来删除该文件。

　　二：ctrl＋alt＋del打开任务管理器，结束explorer.exe 进程然后删除以下文件（参考步骤一）

C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe C:\WINDOWS\system32\ztinetzt.exe C:\WINDOWS\system32\ztinetzt.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll C:\WINDOWS\system32\Ravasktao.exe C:\WINDOWS\system32\Ravasktao.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp C:\Program Files\Internet Explorer\PLUGINS\System64.Sys C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe C:\WINDOWS\system32\Drivers\usbinte.sys C:\WINDOWS\system32\visin.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe C:\WINDOWS\system32\mydata.exe C:\WINDOWS\system32\moyu103.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe C:\WINDOWS\system32\wuclmi.exe C:\WINDOWS\system32\wincfg.exe C:\WINDOWS\system32\mvdbc.exe C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\wanpacket.dll C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\npf_mgm.exe C:\WINDOWS\system32\daemon_mgm.exe C:\WINDOWS\system32\NetMonInstaller.exe C:\WINDOWS\system32\rpcapd.exe C:\WINDOWS\system32\capinstall.exe

　　三：开始菜单－运行－输入“regedit”打开注册表删除以下标橙色的项

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run "wosa" = %TEMP%WOSO.EXE "mhsa" = %TEMP%MHSO.EXE "Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE "rxsa" = %TEMP%RXSO.EXE "qjsa" = %TEMP%QJSO.EXE "Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE "tlsa" = %TEMP%TLSO.EXE "dasa" = %TEMP%DASO.EXE "wlsa" = %TEMP%WLSO.EXE "wgsa" = %TEMP%WGSO.EXE        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "visin" = %SYSTEM%\VISIN.EXE    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{0EA66AD2-CF26-2E23-532B-B292E22F3266}" = "{754FB7D8-B8FE-4810-B363-A788CD060F1F}" =        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm (Display Name)Network Monitor Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NMNT.SYS        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF (Display Name)NetGroup Packet Filter Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NPF.SYS        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd (Display Name)Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH)"%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys        HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0EA66AD2-CF26-2E23-532B-B292E22F3266}        HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}        HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{754FB7D8-B8FE-4810-B363-A788CD060F1F}        HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}        HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}

 

007-07-30 17:43

显然是病毒，这个你就不用怀疑了！ 我机器不能中了这个毒，不过现在已经解决了。 大概的过程是这样的： 查看的时候我发现每一个盘都有这样的文件，我想都没有想，就用瑞星杀了下，OO？？情况和你的完全一样，它都没有什么反应！ 没有办法了，就只好用手来来了。 用了个bat，先用记事本编辑，在保存为以.bat结尾的文件即可。 再双击运行它。 ==============开始，不要复制=================================== @echo off title kill autorun.inf rem Made By numax %date% ::    个人主页：[url]http://hi.baidu.com/numax[/url] ::    欢迎光临！！！！ FOR %%a IN ( C: D: E: F: G: H: I: J: K: L:    ) DO ( cls if exist %%a ( del /f/q/a %%a\autorun.inf del /f/q/a %%a\pegefile.pif md %%a\autorun.inf md %%a\autorun.inf md %%a\autorun.inf\JAYVEN..\ md %%a\autorun.inf\SOPHIA..\ echo [.ShellClassInfo]>%%a\autorun.inf\desktop.ini echo CLSID={20D04FE0-3AEA-1069-A2D8-08002B30309D}>>%% a\autorun.inf\desktop.ini echo InfoTip=用于防治一些病毒，请不要删除它>>%% a\autorun.inf\desktop.ini attrib +s +h +r %%a\autorun.inf\desktop.ini attrib +s +h +r %%a\autorun.inf ) ) cls ========================结束，不要复制================== 同时，也可以用autorun,processexplorer,syscheck,xdelbox等工具辅助查杀。 最后清理注册表，工作就算完成了。 对于类似的病毒，可应在： 运行中：“gpedit.msc” 关闭硬件自动运行。 ##################### ##################### 病毒名字：（Rising） 样本名：PegeFile.pif 加壳：UPX (原帖地址)请保留，因为此页内容可能会修改 文件大小：16,945 字节 MD5:A3AEB72FCDEEB46C04936564419C7275 SHA1:0F1719C33EA1E8E0B492A00BD3049BC20FB49A26 简单写了，这个病毒其实是一个 Download 病毒，运行后会继续下载其他的病毒！（Rising命名错误） 病毒运行后首先释放自己和库文件到： C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll 向所有分区释放： X:\PegeFile.pif X:\autorun.inf 病毒将库文件注入到 explorer.exe 进程，伺机作案。 若是可以链接网络，它会下载以下病毒到用户的机器上，（很多。。。） C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe C:\WINDOWS\system32\ztinetzt.exe C:\WINDOWS\system32\ztinetzt.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll C:\WINDOWS\system32\Ravasktao.exe C:\WINDOWS\system32\Ravasktao.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp C:\Program Files\Internet Explorer\PLUGINS\System64.Sys C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe C:\WINDOWS\system32\Drivers\usbinte.sys C:\WINDOWS\system32\visin.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe C:\WINDOWS\system32\mydata.exe C:\WINDOWS\system32\moyu103.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe C:\WINDOWS\system32\wuclmi.exe C:\WINDOWS\system32\wincfg.exe C:\WINDOWS\system32\mvdbc.exe C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\wanpacket.dll C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\npf_mgm.exe C:\WINDOWS\system32\daemon_mgm.exe C:\WINDOWS\system32\NetMonInstaller.exe C:\WINDOWS\system32\rpcapd.exe C:\WINDOWS\system32\capinstall.exe 修改注册表：    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run "wosa" = %TEMP%WOSO.EXE "mhsa" = %TEMP%MHSO.EXE "Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE "rxsa" = %TEMP%RXSO.EXE "qjsa" = %TEMP%QJSO.EXE "Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE "tlsa" = %TEMP%TLSO.EXE "dasa" = %TEMP%DASO.EXE "wlsa" = %TEMP%WLSO.EXE "wgsa" = %TEMP%WGSO.EXE       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "visin" = %SYSTEM%\VISIN.EXE    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{0EA66AD2-CF26-2E23-532B-B292E22F3266}" = "{754FB7D8-B8FE-4810-B363-A788CD060F1F}" =       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm (Display Name)Network Monitor Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NMNT.SYS       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF (Display Name)NetGroup Packet Filter Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NPF.SYS       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd (Display Name)Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH)"%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0EA66AD2-CF26-2E23-532B-B292E22F3266}       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{754FB7D8-B8FE-4810-B363-A788CD060F1F}       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}