病毒名称:Trojan.Win32.Delf.ads(Kaspersky)
病毒大小:141,824 字节
样本MD5:ef2e009208e0efef05d149ee06388dd3
样本SHA1:45e43fb7bd4eb62d524927f5be71240a74c9bb6b
发现时间:2007.7
更新时间:2007.7
传播方式:通过MSN传播
技术分析
==========
变种: MSN传播病毒Backdoor.Win32.IRCBot.acd解决方法
通过MSN传播的IRCBot photo album.zip rdshost.dll 解决方案
MSN传播病毒Backdoor.Win32.IRCBot.acd解决方法
MSN病毒firewallav.dll printers.exe 解决方案
MSN病毒images.zip winlog32.exe 解决方案
通过MSN传播的IRCBot msn.exe libcintles3.dll 解决方案
通过MSN传播的IRCBot intlprinters.exe libcintles3.dll 解决方案
通过MSN传播的IRCBot msn.exe notice.dll 解决方案
通过MSN传播的IRCBot msnmsg.exe pic.zip 解决方案
病毒向MSN联系人发送消息和伪装成照片的带毒压缩包,当对方联系人接收并打开压缩包中的文件时系统受到感染。 病毒被运行后在系统目录生成包含自身副本的ZIP压缩文件: %Windows%\pic.zip
压缩包内文件名是IMG34814.pif。
创建一个副本:
%Windows%\msnmsg.exe
创建启动项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Genuine Logon"="msnmsg.exe"
试图使用c:\a.bat批处理停止“安全中心”和“WinVNC”服务:
@echo off
net stop "Security Center"
net stop winvnc4
del c:\a.bat
向MSN联系人发送消息和伪装成照片的带毒压缩包%Windows%\images.zip:
Hey :-), I just took this picture, sexy isnt it :-P?
What do you think of my photo editing skills?
Which one do you like in this pic, the black one or the blue one?
This is what happens when you eat to many chips :-P
Look what i made out of cans!! haah :-P!
:-p this was halarious at that party a while back
Hey I have a new pic, what do ya think?
Check this out this pic is so freaking cool
Hahahaha, do you remember this picture? :-O Check this out! Nearly laughed my ass off!!
hey wats up.. have you seen this pic of harry potter?
尝试连接的远程IRC:down.basecore.info
Mutex:LANSSS
清除步骤
========== �
1. 删除病毒的启动项(开始菜单-运行-输入“regedit”进入注册表依次找到说明选项并按提示操作):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Genuine Logon"="msnmsg.exe" 2. 重新启动计算机
3. 删除病毒文件(如遇提示无法删除文件,到down.45it.com下载费尔木马强制删除器工具进行强制删除):
%Windows%\pic.zip �
%Windows%\msnmsg.exe
