最近還挺流行這種資料夾病毒

http://www.twbbs.net.tw/3245929.html最近還挺流行這種資料夾病毒話說這病毒是台灣製造的它具有盜帳的功能 所以 應該算是個後門現在就為大家說明 這病毒的行為吧...病毒執行後 產生 MICRO.exe並執行產生 C:\WINDOWS\system32\microsoftshell.exe執行後下載 C:\Documents and Settings\"使用者名稱"\Local Settings\Temp\F.exeC:\Documents and Settings\"使用者名稱"\Local Settings\Temp\FLS-1.exeC:\Documents and Settings\"使用者名稱"\Local Settings\Temp\FLS-2.exeC:\Documents and Settings\"使用者名稱"\Local Settings\Temp\FLS-3.exeC:\Documents and Settings\"使用者名稱"\Local Settings\Temp\FLS-4.exeC:\Documents and Settings\"使用者名稱"\Local Settings\Temp\FLS-5.exe依序執行F.exe 產生C:\ProgramFiles\Common Files\Adobe\Updater5\Adobe_update.exeC:\WINDOWS\system32\dllcache\MediaPlayer.dll\Desktop.iniC:\WINDOWS\system32\dllcache\MediaPlayer.dll\flash8.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\k-lite.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\Media.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Desktop.iniC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Media.batC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Media.vbsC:\WINDOWS\system32\dllcache\MediaPlayer.dll\mscon.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\services.exeC:\WINDOWS\system32\dllcache\MediaPlayer.dll\winlogon.exeC:\WINDOWS\system32\dllcache\microsoftshell.exeC:\WINDOWS\system32\MediaPlayer_update.exeC:\WINDOWS\system32\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof(可能是隨機)C:\WINDOWS\system32\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof(可能是隨機)建立程序cmd.exemicrosoftshell.exeAdobe_update.exeGG.exe執行 FLS-1.exe產生檔案C:\WINDOWS\system32\dllcache\MediaPlayer.dll\Desktop.iniC:\WINDOWS\system32\dllcache\MediaPlayer.dll\flash8.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\k-lite.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\Media.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Desktop.iniC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Media.batC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Media.vbsC:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\wmp.vbsC:\WINDOWS\system32\dllcache\MediaPlayer.dll\mscon.wavC:\WINDOWS\system32\dllcache\MediaPlayer.dll\services.exeC:\WINDOWS\system32\dllcache\MediaPlayer.dll\winlogon.exeC:\WINDOWS\system32\MediaPlayer_update.exe建立程序GG.exeMediaPlayer.exe建立登陸檔值[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]MediaPlayer = "C:\WINDOWS\system32\MediaPlayer_update.exe執行 FLS-2.exe產生檔案C:\program files\common files\microsoft shared\msinfo\(隨機).aviC:\program files\common files\microsoft shared\msinfo\QrGbCQq7NF.delC:\program files\common files\microsoft shared\msinfo\QrGbCQq7NF.doc(隨機).avi 會 Hook 以下程序explorer.exemsmsgs.exedllhost.exesdnsmain.exesvchost.exe建立服務"Media_Service" "Running" "C:\WINDOWS\system32\svchost.exe -k netsvcs" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIA_SERVICE\0000\Control]*NewlyCreated* = 0x00000000 ActiveService = "Media_Service" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIA_SERVICE\0000]Service = "Media_Service" Legacy = 0x00000001 ConfigFlags = 0x00000000 Class = "LegacyDriver" ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" DeviceDesc = "Media_Service" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIA_SERVICE]NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Media_Service\Enum]0 = "Root\LEGACY_MEDIA_SERVICE\0000" Count = 0x00000001 NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Media_Service\Parameters]ServiceDLL = [pathname with a string SHARE]\bvMApVbh.avi" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIA_SERVICE\0000\Control]*NewlyCreated* = 0x00000000 ActiveService = "Media_Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIA_SERVICE\0000]Service = "Media_Service" Legacy = 0x00000001 ConfigFlags = 0x00000000 Class = "LegacyDriver" ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" DeviceDesc = "Media_Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIA_SERVICE]NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Media_Service\Enum]0 = "Root\LEGACY_MEDIA_SERVICE\0000" Count = 0x00000001 NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Media_Service\Parameters]ServiceDLL = [pathname with a string SHARE]\bvMApVbh.avi" 執行 FLS-3.exe產生檔案C:\ProgramFiles\Common Files\Adobe\Updater5\Adobe_Update.exeC:\WINDOWS\system\Adobe.dll\data\Desktop.iniC:\WINDOWS\system\Adobe.dll\data\dir.mp4C:\WINDOWS\system\Adobe.dll\data\doc.mp4C:\WINDOWS\system\Adobe.dll\data\pdf.mp4C:\WINDOWS\system\Adobe.dll\data\ppt.mp4C:\WINDOWS\system\Adobe.dll\data\rar.mp4C:\WINDOWS\system\Adobe.dll\data\txt.mp4C:\WINDOWS\system\Adobe.dll\data\xls.mp4C:\WINDOWS\system\Adobe.dll\data\zip.mp4C:\WINDOWS\system\Adobe.dll\Desktop.ini C:\WINDOWS\system\Adobe.dll\OSPUM.exe\Adobe.batC:\WINDOWS\system\Adobe.dll\OSPUM.exe\Adobe.vbsC:\WINDOWS\system\Adobe.dll\OSPUM.exe\Desktop.iniC:\WINDOWS\system\Adobe.dll\svchost.exe建立進程svchost.exe建立登陸檔值[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]Adobe_update = "%ProgramFiles%\Common Files\Adobe\Updater5\Adobe_Update.exe" 修改登陸檔[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]HKeyRoot = 0x80000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]HKeyRoot = 0x80000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]HKeyRoot = 0x80000002 執行 FLS-4.exe建立進程FLS-4.exe執行 FLS-5.exeC:\ProgramFiles\Common Files\Internet Explorer 8\IExplorer8.exe建立登陸檔值[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]Iexplorer8 = C:\ProgramFiles\Common Files\Internet Explorer 8\IExplorer8.exe===============================================================================行為整理:執行後下載東西 複製完畢後接下來會利用 C:\WINDOWS\system\Adobe.dll\svchost.exe(複製的 CMD.EXE)開啟C:\WINDOWS\system\Adobe.dll\OSPUM.exe\Adobe.bat尋找有"移除" 字樣的磁碟做隱藏隨身碟裡檔案和資料夾並複製C:\WINDOWS\system\Adobe.dll\data\尋找附檔名 為 txt rar zip pdf doc xls ppt 的檔案下手進行隱藏正常檔案複製 dir.mp4doc.mp4 等等檔案取代正常檔案引誘別人點擊所以並且每一個 .mp4 的檔案都是 某一附檔名檔案圖示 的.EXE 執行檔...並且用 loop 的方式不斷修改 登陸檔[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]Hidden = 2HideFileExt = 1實現 保持隱藏 及保持不顯示附檔名的狀態...C:\WINDOWS\system32\dllcache\MediaPlayer.dll\services.exe負責鍵盤測錄 程序監控等任務並紀錄於C:\WINDOWS\system32\dllcache\MediaPlayer.dll\Media\"電腦開啟日期"\mid00.mid (鍵盤紀錄資料)C:\WINDOWS\system32\dllcache\MediaPlayer.dll\Media\"電腦開啟日期"\mid01.mid (程序紀錄資料)並且利用 C:\WINDOWS\system32\dllcache\MediaPlayer.dll\winlogon.exe (複製的 CMD.EXE)呼叫 C:\WINDOWS\system32\dllcache\MediaPlayer.dll\MSCOB.exe\Media.bat利用 FTP.EXE 從事上傳 紀錄檔到 ftp://ftp.g.ho.st用來盜帳...並且隨開機自動啟動...===============================================================================那要如何預防呢如果在正常情況下開啟別以為這是正常的喔事實上 這個已經被取代了有兩種方法可以辨別如果在別的電腦使用後1.使用 WinRAR這是就可以把 正常檔案和病毒檔案分辨出來了...2.開啟檔案前 在每個檔案或資料夾按右鍵 > 內容看他的格式...如果是 應用程式如果是 那就 100 % 是毒了...從這裡看到 它不只取代資料夾唷要注意喔你可以把檔案給刪了但是 之後你應該會說 那檔案要怎麼辦了...開啟 Notepad 記事本輸入以下指令 存成 fix.bat================================================@echo offattrib -s -h -r "你要救的檔案 or 資料夾 1"attrib -s -h -r "你要救的檔案 or 資料夾 2"......================================================