Encountering Windows Update.exe/Trojan.Win32.Autoit.fc and 情se發布器.exe/AdWare.Win32.Undef.eko


Original by endurer
2009-05-19, 1st edition

 

A friend's computer recently developed a strange problem, and he asked me to help fix it.

After booting to the Windows desktop the machine was very sluggish: apart from the 超級巡警 window, every other window I opened looked as if it were constantly being switched between foreground and background, flickering and very hard to operate.

I opened Task Manager and checked the processes' CPU usage: total CPU usage was 100%, with the process Windows Update.exe taking about 70% of it.

I rebooted into "Safe Mode with Command Prompt", ran pe_xscan, and analysed the scan log, finding the following suspicious items:

 

 

pe_xscan 09-04-28 by Purple Endurer
2009-05-19 14:12:4
Windows XP Service Pack 3(5.1.2600)
MSIE:6.0.2900.5512
管理使用者組
帶命令列提示的安全模式

F2 - REG: system.ini: UserInit = <C:/WINDOWS/system32/userinit.exe,C:/WINDOWS/system32/Windows Update.exe>

O30 - IeOpenHomePage = "C:/Program Files/Internet Explorer/iexplore.exe" hxxp://www.52**4*16.com

 

In addition, 情se發布器.exe was found in C:/, using a WMP icon, which is suspicious.

I extracted the file information with FileInfo, packed both files into a backup with bat_do, and then deleted them.

 

Repaired the F2 item with HijackThis.

 

The O30 item shows that the value of the registry key

[HKEY_CLASSES_ROOT/CLSID/{871C5380-42A0-1069-A2EA-08002B30309D}/shell/OpenHomePage/Command]

has been modified; manually removing the URL appended at the end is enough.
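The two findings above can be checked mechanically. The following Python script is an added example, not part of endurer's post and not code from pe_xscan or HijackThis. It parses log lines in the F2/O30 format quoted above, splits the Userinit value on commas (Winlogon launches every comma-separated entry at logon, so only system32\userinit.exe belongs there; pe_xscan reports this Winlogon registry value under the legacy "system.ini" label) and separates the iexplore.exe path from whatever argument was appended to the OpenHomePage command. The sample log and the hxxp://www.example.invalid address are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the pe_xscan/HijackThis lines quoted in the post.
# The hxxp:// address is a placeholder, not the one from the infected machine.
SAMPLE_LOG = """\
pe_xscan 09-04-28 by Purple Endurer
F2 - REG: system.ini: UserInit = <C:/WINDOWS/system32/userinit.exe,C:/WINDOWS/system32/Windows Update.exe>
O30 - IeOpenHomePage = "C:/Program Files/Internet Explorer/iexplore.exe" hxxp://www.example.invalid
"""

USERINIT_RE = re.compile(r"^F2 - REG: system\.ini: UserInit = <(?P<value>.*)>\s*$")
HOMEPAGE_RE = re.compile(r'^O30 - IeOpenHomePage = "(?P<exe>[^"]+)"\s*(?P<args>.*)$')


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators so '/' and '\\' spellings compare equal."""
    return path.strip().lower().replace("\\", "/")


def check_userinit(value: str) -> Tuple[str, List[str]]:
    """Split a Userinit value on commas and separate the real userinit.exe from add-on entries.

    Returns (value_to_restore, extra_entries). Winlogon runs every comma-separated
    program at logon, so anything other than system32/userinit.exe is a persistence entry.
    The restored value keeps the trailing comma of the stock Windows XP setting.
    """
    entries = [e for e in (p.strip() for p in value.split(",")) if e]
    legit = [e for e in entries if _norm(e).endswith("/system32/userinit.exe")]
    extras = [e for e in entries if e not in legit]
    restored = legit[0] + "," if legit else ""
    return restored, extras


def check_open_homepage(exe: str, args: str) -> Tuple[str, str]:
    """Return (value_to_restore, injected_argument) for the IE OpenHomePage command.

    The stock command is just the quoted iexplore.exe path; a URL appended after it makes
    the desktop IE icon's "Open Home Page" action visit that site, which is what O30 reports.
    """
    return f'"{exe}"', args.strip()


def analyze_log(text: str) -> List[Dict[str, str]]:
    """Walk the log and report each F2/O30 line that carries something beyond the default."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = USERINIT_RE.match(line)
        if m:
            restored, extras = check_userinit(m.group("value"))
            if extras:
                findings.append({"item": "F2", "extra": ";".join(extras), "restore": restored})
            continue
        m = HOMEPAGE_RE.match(line)
        if m:
            restored, injected = check_open_homepage(m.group("exe"), m.group("args"))
            if injected:
                findings.append({"item": "O30", "extra": injected, "restore": restored})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['item']}: unexpected {f['extra']!r}; restore to {f['restore']}")
```

Running the script on the constructed sample reports the second Userinit entry and the appended address, together with the value each key should be set back to; on a real log the restore values are what HijackThis writes for F2 and what the manual registry edit for O30 should leave behind.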

 

 

Appendix: malicious program file information

 

 

File descriptor : C:/WINDOWS/system32/Windows Update.exe
Attributes : A---
Digital signature: No
PE file: Yes
Language : 中文(中國)
File version : 1.0
Description : Windows Update
Copyright : http://www.microsoft.com/
Comments : Windows Update
Created : 2009-2-22 2:41:3
Modified : 2009-2-22 2:41:14
Size : 325939 bytes (318.307 KB)
MD5 : 422221553bcd2e13612719068973b69a
SHA1: F56611D1BE5E7AB17B3F3A9D7997D153AABE34FC
CRC32: 457d6ebf

 

File Windows_Update.exe.del received on 2009.05.19 08:16:07 (CET)

 

Antivirus Version Last update Result
a-squared 4.0.0.101 2009.05.19 MalwareScope.Backdoor.Hupigon.3!IK
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 TR/Crypt.CFI.Gen
Antiy-AVL 2.0.3.1 2009.05.18 Trojan/Win32.StartPage
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.18 -
AVG 8.5.0.336 2009.05.18 -
BitDefender 7.2 2009.05.19 -
CAT-QuickHeal 10.00 2009.05.15 Trojan.Agent.ATV
ClamAV 0.94.1 2009.05.19 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.19 -
eSafe 7.0.17.0 2009.05.18 Suspicious File
eTrust-Vet 31.6.6509 2009.05.18 -
F-Prot 4.4.4.56 2009.05.18 -
F-Secure 8.0.14470.0 2009.05.19 -
Fortinet 3.117.0.0 2009.05.18 -
GData 19 2009.05.19 -
Ikarus T3.1.1.49.0 2009.05.19 MalwareScope.Backdoor.Hupigon.3
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.19 -
McAfee 5619 2009.05.18 -
McAfee+Artemis 5619 2009.05.18 -
McAfee-GW-Edition 6.7.6 2009.05.19 Trojan.Crypt.CFI.Gen
Microsoft 1.4602 2009.05.19 -
NOD32 4085 2009.05.19 -
Norman 6.01.05 2009.05.18 Smalltroj.LZEA
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.18 Bck/Agent.LQR
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.19 -
Rising 21.30.10.00 2009.05.19 Trojan.Win32.Autoit.fc
Sophos 4.41.0 2009.05.19 -
Sunbelt 3.2.1858.2 2009.05.18 -
Symantec 1.4.4.12 2009.05.19 -
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
ViRobot 2009.5.19.1740 2009.05.19 -
VirusBuster 4.6.5.0 2009.05.18 -

 

Additional information
File size: 325939 bytes
MD5...: 422221553bcd2e13612719068973b69a
SHA1..: f56611d1be5e7ab17b3f3a9d7997d153aabe34fc
SHA256: 1b44aa550df933bad777a956201d7d1d6a52b4d369fef4024fe2795ace8b8b93
SHA512: 7c50b7bf3b05055a414ea1a652f7fe583f434f66e053d6d87a6eec1e50e9a61bf1bb1f08951f38dd6dd922c78d3990f2196aa7e6a80b7cceb9ab26b41358e5d5
ssdeep: 6144:PlZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76wf6Lss34yRwV:PHLUMuiv9RgfSjAzRt7fCpjU
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (43.8%)
Win32 EXE Yoda's Crypter (38.1%)
Win32 Executable Generic (12.2%)
Generic Win/DOS Executable (2.8%)
DOS Executable Generic (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xab0e0
timedatestamp.....: 0x4951fa17 (Wed Dec 24 09:00:07 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6c000 0x40000 0x3f400 7.93 e946dee236b5ce856d3776cb75eea917
.rsrc 0xac000 0x5000 0x4e00 5.26 cb3d8421caed79623919b9748aef2c18

( 16 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: AddAce
> COMCTL32.dll: ImageList_Remove
> COMDLG32.dll: GetSaveFileNameW
> GDI32.dll: BitBlt
> MPR.dll: WNetGetConnectionW
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> PSAPI.DLL: EnumProcesses
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> USERENV.dll: LoadUserProfileW
> VERSION.dll: VerQueryValueW
> WININET.dll: FtpOpenFileW
> WINMM.dll: timeGetTime
> WSOCK32.dll: -

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX

packers (F-Prot): UPX

 

 

 

Subject: RE: 422221553bcd2e13612719068973b69a---Windows Update.exe [KLAN-30650641]
From: newvirus@kaspersky.com
Date: 2009-5-19 16:33:44
Hello,

WindowsUpdate.exe_.unp - Trojan-Downloader.Win32.Agent.bydr

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Pavel Firsov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

 

 

 

File descriptor : C:/情se發布器.exe
Attributes : A---
Digital signature: No
PE file: Yes
Language : 中文(中國)
File version : 1.0.0.0
Description : 電影播放器
Copyright : 電影播放器
Comments : 電影播放器
Created : 2009-2-16 19:56:51
Modified : 2009-2-22 3:5:32
Size : 327051 bytes (319.395 KB)
MD5 : 110230c200611c32ed487b9fec1e6076
SHA1: 5481AFA2BEDD051D70F39DE1FA0060F507A0345F
CRC32: 7ac87b88

 

File _______________.exe.del received on 2009.05.19 08:27:22 (CET)

 

Antivirus Version Last update Result
a-squared 4.0.0.101 2009.05.19 Trojan.AgentMB!IK
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 TR/Crypt.CFI.Gen
Antiy-AVL 2.0.3.1 2009.05.18 -
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.18 Win32:Crypt-DOC
AVG 8.5.0.336 2009.05.18 -
BitDefender 7.2 2009.05.19 Gen:Trojan.Heur.3106677233
CAT-QuickHeal 10.00 2009.05.15 Trojan.Agent.ATV
ClamAV 0.94.1 2009.05.19 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.19 -
eSafe 7.0.17.0 2009.05.18 Suspicious File
eTrust-Vet 31.6.6509 2009.05.18 -
F-Prot 4.4.4.56 2009.05.18 -
F-Secure 8.0.14470.0 2009.05.19 -
Fortinet 3.117.0.0 2009.05.18 -
GData 19 2009.05.19 Gen:Trojan.Heur.3106677233
Ikarus T3.1.1.49.0 2009.05.19 Trojan.AgentMB
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.19 -
McAfee 5619 2009.05.18 -
McAfee+Artemis 5619 2009.05.18 -
McAfee-GW-Edition 6.7.6 2009.05.19 Trojan.Crypt.CFI.Gen
Microsoft 1.4602 2009.05.19 -
NOD32 4085 2009.05.19 -
Norman 6.01.05 2009.05.18 Smalltroj.LQVY
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.18 -
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.19 Medium Risk Malware
Rising 21.30.10.00 2009.05.19 AdWare.Win32.Undef.eko
Sophos 4.41.0 2009.05.19 -
Sunbelt 3.2.1858.2 2009.05.18 -
Symantec 1.4.4.12 2009.05.19 Downloader
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
VBA32 3.12.10.5 2009.05.19 -
ViRobot 2009.5.19.1740 2009.05.19 -
VirusBuster 4.6.5.0 2009.05.18 -

 

Additional information
File size: 327051 bytes
MD5...: 110230c200611c32ed487b9fec1e6076
SHA1..: 5481afa2bedd051d70f39de1fa0060f507a0345f
SHA256: f6bfe2e9e5c2a3dd29c9aa622b0c8723922a0df012b4772b7aab8721ab76a370
SHA512: 2e10bfcd2e10bf7b9e108f19205ee32b382babafcfc62c881c63e1b5b7eac0bb7fa584f7228677d2c6029d7abd3161743a1cef31556b697d857a73c63420a269
ssdeep: 6144:plZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76wQ0qapLibDi:pHLUMuiv9RgfSjAzRt74bW
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (43.8%)
Win32 EXE Yoda's Crypter (38.1%)
Win32 Executable Generic (12.2%)
Generic Win/DOS Executable (2.8%)
DOS Executable Generic (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xae0e0
timedatestamp.....: 0x4951fa17 (Wed Dec 24 09:00:07 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6e000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6f000 0x40000 0x3f400 7.93 1de6866c729aedc69f7e1b0f019b0210
.rsrc 0xaf000 0x8000 0x7600 5.78 e127ca9f0d06f723c60cb7833d91f99a

( 16 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: AddAce
> COMCTL32.dll: ImageList_Remove
> COMDLG32.dll: GetSaveFileNameW
> GDI32.dll: BitBlt
> MPR.dll: WNetGetConnectionW
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> PSAPI.DLL: EnumProcesses
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> USERENV.dll: LoadUserProfileW
> VERSION.dll: VerQueryValueW
> WININET.dll: FtpOpenFileW
> WINMM.dll: timeGetTime
> WSOCK32.dll: -

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX
http://info.prevx.com/aboutprogramtext.asp?PX5=BD2396B38BD33D88FDA604CBF58D55006644A0D9
packers (F-Prot): UPX