今天打开电脑,然后跑去刷牙洗脸,回来发现系统自动打开了一堆网页。嘿!中毒了!莫名的兴奋啊!好久没中毒了。今天哥就陪你这丫的玩玩。
关闭傲游浏览器,升级瑞星到最新,用icesword、hijackthis扫描了一下,发现可疑项E:\WINDOWS\System32\wuauclr.exe。
在分析电脑问题过程中,关闭浏览器后,每过一段时间又会自动打开网页。找到system32目录下的wuauclr.exe,发现在该目录下还有一个文件wuauclt.exe(这个是微软自动升级用的程序)。咳,病毒制作者惯用的伎俩,把程序名命名的跟微软系统文件的文件名相似到以假乱真的地步。通过查看文件属性可以发现wuauclr.exe没有文件版本信息,而wuauclt.exe有文件版本信息,显示为微软的文件,Windows update autoupdate client。
强行结束进程wuauclr.exe,系统不再自动打开网页。用瑞星扫描wuauclr.exe没有发现病毒。上传文件到irustotal进行扫描,扫描结果如下:
| File wuauclr.exe received on 2010.03.07 06:12:17 (UTC) | |||
| Antivirus | Version | Last Update | Result</TD< tr> |
| a-squared | 4.5.0.50 | 2010.03.06 | -</TD< tr> |
| AhnLab-V3 | 5.0.0.2 | 2010.03.06 | -</TD< tr> |
| AntiVir | 8.2.1.180 | 2010.03.05 | -</TD< tr> |
| Antiy-AVL | 2.0.3.7 | 2010.03.05 | -</TD< tr> |
| Authentium | 5.2.0.5 | 2010.03.06 | -</TD< tr> |
| Avast | 4.8.1351.0 | 2010.03.06 | -</TD< tr> |
| Avast5 | 5.0.332.0 | 2010.03.06 | -</TD< tr> |
| AVG | 9.0.0.787 | 2010.03.06 | -</TD< tr> |
| BitDefender | 7.2 | 2010.03.07 | -</TD< tr> |
| CAT-QuickHeal | 10.00 | 2010.03.06 | -</TD< tr> |
| ClamAV | 0.96.0.0-git | 2010.03.06 | -</TD< tr> |
| Comodo | 4091 | 2010.02.28 | -</TD< tr> |
| DrWeb | 5.0.1.12222 | 2010.03.07 | -</TD< tr> |
| eSafe | 7.0.17.0 | 2010.03.04 | -</TD< tr> |
| eTrust-Vet | 35.2.7342 | 2010.03.05 | -</TD< tr> |
| F-Prot | 4.5.1.85 | 2010.03.06 | -</TD< tr> |
| F-Secure | 9.0.15370.0 | 2010.03.07 | -</TD< tr> |
| Fortinet | 4.0.14.0 | 2010.03.06 | -</TD< tr> |
| GData | 19 | 2010.03.07 | -</TD< tr> |
| Ikarus | T3.1.1.80.0 | 2010.03.06 | -</TD< tr> |
| Jiangmin | 13.0.900 | 2010.03.07 | -</TD< tr> |
| K7AntiVirus | 7.10.990 | 2010.03.04 | -</TD< tr> |
| Kaspersky | 7.0.0.125 | 2010.03.07 | -</TD< tr> |
| McAfee | 5912 | 2010.03.06 | -</TD< tr> |
| McAfee+Artemis | 5912 | 2010.03.06 | -</TD< tr> |
| McAfee-GW-Edition | 6.8.5 | 2010.03.07 | Heuristic.BehavesLike.Win32.Suspicious.L</TD< tr> |
| Microsoft | 1.5502 | 2010.03.06 | -</TD< tr> |
| NOD32 | 4921 | 2010.03.06 | -</TD< tr> |
| Norman | 6.04.08 | 2010.03.06 | -</TD< tr> |
| nProtect | 2009.1.8.0 | 2010.03.06 | -</TD< tr> |
| Panda | 10.0.2.2 | 2010.03.06 | Suspicious file</TD< tr> |
| PCTools | 7.0.3.5 | 2010.03.04 | Downloader.Generic</TD< tr> |
| Prevx | 3.0 | 2010.03.07 | High Risk Cloaked Malware</TD< tr> |
| Rising | 22.37.06.03 | 2010.03.07 | -</TD< tr> |
| Sophos | 4.51.0 | 2010.03.07 | -</TD< tr> |
| Sunbelt | 5776 | 2010.03.07 | -</TD< tr> |
| Symantec | 20091.2.0.41 | 2010.03.07 | Downloader</TD< tr> |
| TheHacker | 6.5.1.9.223 | 2010.03.07 | -</TD< tr> |
| TrendMicro | 9.120.0.1004 | 2010.03.07 | -</TD< tr> |
| VBA32 | 3.12.12.2 | 2010.03.05 | -</TD< tr> |
| ViRobot | 2010.3.5.2214 | 2010.03.05 | -</TD< tr> |
| VirusBuster | 5.0.27.0 | 2010.03.06 | -</TD< tr> |
| Additional information | |||
| File size: 57344 bytes | |||
| MD5...: 719a9d661af7f037894aebe3ffc94d20 | |||
| SHA1..: 1a7d0b15495ad52119f30a9c73ba09461762d464 | |||
| SHA256: c47c2c00c14ff190f7fc22d96b6899173d58c86ed4db76998fd24150e00c70ac | |||
| ssdeep: 768:NPIVqGcWC0Lu7KJ6v0GEuSUDgTn11fbh3F3j5bz7lIfs:eNeKJ6vzzSIgb11 f113Vlu | |||
| PEiD..: - | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x338f timedatestamp.....: 0x4b927222 (Sat Mar 06 15:17:54 2010) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x8187 0x9000 6.27 8993c5fd96af248c7dc0adaa81f139a8 .rdata 0xa000 0xb8a 0x1000 4.37 f4f9a316e7053b2515b4cdecdcda4d57 .data 0xb000 0x47c0 0x3000 1.27 84384a50ee421201ae8d55c04ad2973f ( 3 imports ) > KERNEL32.dll: CloseHandle, ReadFile, WriteFile, CreateFileA, WaitNamedPipeA, FreeLibrary, GetProcAddress, LoadLibraryA, GetPrivateProfileStringA, GetModuleFileNameA, GetTempPathA, GetSystemDirectoryA, CreateEventA, OpenEventA, DeleteFileA, MoveFileExA, Sleep, WritePrivateProfileStringA, GetVolumeInformationA, GetFileSize, CompareStringW, CompareStringA, FlushFileBuffers, GetStringTypeW, HeapFree, HeapAlloc, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, WideCharToMultiByte, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, RtlUnwind, GetLastError, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, SetStdHandle, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, SetEnvironmentVariableA > USER32.dll: wsprintfA > NETAPI32.dll: Netbios ( 0 exports ) | |||
| RDS...: NSRL Reference Data Set - | |||
| pdfid.: - | |||
| trid..: Win32 Executable MS Visual C++ (generic) (65.2%) Win32 Executable Generic (14.7%) Win32 Dynamic Link Library (generic) (13.1%) Generic Win/DOS Executable (3.4%) DOS Executable Generic (3.4%) | |||
| sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned | |||
| <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=D8F86ACF0039E38BE0FB00C9591BA700E4B3A926' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=D8F86ACF0039E38BE0FB00C9591BA700E4B3A926</a> | |||
