
假冒记事本U盘病毒-Notepad.exe (Fake Notepad USB-drive virus: Notepad.exe)

Virus Analysis | admin

Notepad.exe is a virus that spreads via USB drives. It is 1.44 MB, packed with who knows how many layers of packers, and its program icon is disguised as a folder. When launched it automatically opens the folder it resides in, without checking whether it is in the root directory of the partition. After it runs it waits at least 3 minutes before connecting to the network, so a little patience is needed, haha.
Characteristics:
1. After Notepad.exe runs, it creates a randomly named folder 935F0D under %SYSTEMROOT%\system32 and drops C:\WINDOWS\system32\935F0D\96B69A.EXE.
2. In %USERPROFILE%\「开始」菜单\程序\启动 (the Chinese-Windows Start Menu\Programs\Startup folder) it creates a shortcut whose icon is a folder and whose file name is a single space, pointing to c:\windows\system32\935f0d\96b69a.exe.
3. Adds an autostart entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to c:\windows\system32\935f0d\96b69a.exe.
4. Downloads http://twocannon250.com.cn/o.gif, saves it under the random name NT-EEA96FB9.EXE, and drops c:\windows\system32\935f0d\winocreg.exe and c:\windows\system32\935f0d\F0D363.EXE.
5. Visits two web pages:
http://hidatabase.cn/ul.htm

dfg4tgurl{79,38,44,193,0,102,174,46,250,134,104,116,161,192,40,11,51,233,229,224,121,219,205,183,163,35,204,225,220,222,174,125,238,187,143,193,26,194,177,227,55,191,10,174,79,28,172,239,36,220,70,223,215,86,58,23,74,35,20,232,138,210,134,173,17,27,15,16,189,21,156,102,252,9,207,87,164,143,209,186,55,14,51,106,208,84,13,236,77,171,193,46,229,125,119,94,215,107,239,195,221,237,40,244,246,57,147,63,58,19,200,120,21,148,21,214,170,229,2,251,37,54,199,140,35,172,25,69,236,48,19,170,42,80,226,236,143,254,44,129,11,242,101,31}

http://hidatabase.cn/ol.htm

5rtgfforder{177,224,116,197,104,196,222,40,140,201,129,57,168,216,162,249,154,30,11,158,63,92,206,13,158,57,188,43,158,85,148,241,175,135,213,100,155,32,56,138,48,234,95,0,7,228,74,23,151,108,110,120,61,31,85,92,185,60,224,197,6,55,58,202,250,134,104,116,161,192,40,11,182,253,207,106,61,166,112,31,77,202,130,87,52,173,95,139,231,111,218,104,57,244,147,66,114,77,39,114,228,65,93,176,80,47,8,2,143,150,51,49,71,85,49,12,62,90,102,129,51,178,97,164,100,75,196,99,134,44,139,54,204,69,7,244,246,107,133,174,101,253,189,232,57,127,204,15,135,36,50,180,227,227,8,99,152,119,55,130,180,9,65,49,159,151,49,71,102,235,187,198,97,160,94,188,42,192,171,27,161,142,191,186,238,187,77,203,201,61,143,99,221,134,191,215,193,231,200,252,100,36,200,130,86,240,77,99,6,242,0,211,33,44,186,95,36,134,120,91,89,127,216,47,194,242,85,62,228,161,250,51,15,131,105,70,63,60,105,204,173,59,114,89,163,158,147,230,244,125,8,54,13,26,56,87,242,101,189,204,8,138,39,65,27,50,207,75,19,48,172,199,42,16,207,42,152,134,180,17,247,199,108,5,178,238,216,71,7,133,50,7,19,173,175,133,137,182,109,222,93,242,158,52,160,185,249,65,248,193,0,220,198,33,108,31,224,233,86,244,215,128,110,170,227,149,63,232,145,21,199,181,200,205,202,73,111,135,42,181,101,110,140,123,99,67,48,42,162,229,70,209,20,81,63,23,22,128,132,226,48,51,131,169,204,50,207,245,220,156,188,108,39,100,195,192,199,24,160,95,126,97,29,247,201,42,13,26,230,255,51,134,148,113,244,184,82,118,11,203,136,162,242,63,62,67,82,242,0,180,175,155,23,230,64,134,45,36,184,196,5,79,90,17,95,235,184,110,90,124,232,250,252,240,158,81,255,6,192,222,222,12,1,118,49,149,137,42,49,232,229,133,3,12,110,195,79,208,41,215,250,86,7,85,207,113,71,44,14,33,15,174,165,129,41,64,132,22,111,96,250,17,249,86,47,60,212,148,79,219,123,156,9,171,241,3,146,106,244,44,92,114,74,141,77,141,35,196,15,67,67,107,11,133,82,183,45,97,217,221,153,191,60,94,227,9,39,217,156,220,41,45,107,85,18,145,63,48,121,227,24,225,49,140,167,187,232,6,28,228,43,167,137,42,72,37,134,4,217,228,211,113,63,
107,71,178,52,30,0,152,224,254,183,123,83,67,190,72,92,165,13,140,241,112,201,50,229,106,0,194,169,126,43,41,231,87,188,103,24,88,149,206,248,87,216,193,216,220,202,120,242,98,52,41,54,133,183,111,219,191,116,236,156,72,84,124,204,178,162,107,149,73,84,227,233,212,22,21,248,250,127,151,32,46,213,226,226,182,50,213,92,20,144,137,209,19,26,18,241,12,220,125,174,104,228,81,225,207,247,52,87,222,100,36,200,130,86,240,77,99,35,69,192,201,111,154,148,247,5,178,132,16,112,203,235,250,14,91,57,77,28,205,191,15,65,239,70,101,110,151,218,43,90,72,12,130,205,108,3,220,154,240,13,68,150,17,62,115,233,118,221,192,35,70,151,199,141,234,171,75,87,52,54,116,109,132,77,185,145,181,132,98,84,57,125,171,194,2,241,173,46,168,229,158,125,171,24,99,3,108,79,111,215,63,49,239,128,224,54,106,37,101,86,154,116,249,219,115,25,101,180,220,238,246,164,226,176,93,235,71,146,118,235,131,66,4,4,74,183,241,159,237,189,98,93,124,135,122,75,84,57,131,34,115,143,198,70,45,149,19,100,144,206,234,238,158,147,254,76,127,191,56,80,43,245,55,225,223,39,109,59,71,244,175,142,59,234,220,172,149,27,166,244,4,117,29,70,226,192,240,12,33,248,144,110,85,130,84,111,147,213,47,139,218,17,159,159,15,13,84,175,121,130,16,205,150,150,38,63,50,222,56,114,160,232,220,22,33,195,13,105,84,39,138,173,92,164,141,64,61,250,175,145,154,109,19,60,132,50,107,134,4,174,168,54,100}
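Both pages above serve a short label followed by a brace-delimited list of decimal byte values, and the post reproduces them raw without decoding them. The Python below is an added example, not code from the post or from the malware, for pulling such blobs apart offline: it parses the label{...} form (tolerating the line wrap in the ol.htm copy), reports length and entropy, and searches for byte runs the two payloads have in common. Run over the full blobs on this page it finds the eight values 250,134,104,116,161,192,40,11 present in both, which is worth keeping in mind when guessing at the encoding; the decoding scheme itself is not known from the post. The 24-byte excerpts embedded in the script are constructed from the page so it runs without contacting either host.

```python
import math
import re
from collections import Counter

# Constructed excerpts of the two blobs the post reproduces: the first 24 bytes of ul.htm and
# a 24-byte window of ol.htm. They let the demo run offline; feed it the full page text to
# analyse the real blobs.
UL_HTM = ("dfg4tgurl{79,38,44,193,0,102,174,46,250,134,104,116,161,192,40,11,"
          "51,233,229,224,121,219,205,183}")
OL_HTM = ("5rtgfforder{224,197,6,55,58,202,250,134,104,116,161,192,40,11,182,253,"
          "207,106,61,166,112,31,77,202}")

BLOB_RE = re.compile(r"^\s*(\w+)\s*\{([\d,\s]*)\}\s*$")


def parse_blob(text):
    """Parse a 'label{n,n,...}' page body into (label, bytes); tolerates line breaks
    inside the braces (ol.htm is wrapped on the post) and rejects values outside 0..255."""
    m = BLOB_RE.match(text)
    if not m:
        raise ValueError("not a label{...} blob")
    values = [int(tok) for tok in m.group(2).split(",") if tok.strip()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("value outside 0..255")
    return m.group(1), bytes(values)


def shannon_entropy(data):
    """Bits per byte: close to 8 for encrypted or compressed data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def shared_ngrams(a, b, n=8):
    """Byte n-grams present in both blobs. Identical runs across two separately served
    payloads hint at the encoding (fixed key, repeated plaintext, or both)."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    return sorted(g for g in {b[i:i + n] for i in range(len(b) - n + 1)} if g in grams_a)


def longest_common_run(a, b):
    """Longest identical contiguous run: (length, offset in a, offset in b)."""
    best, prev = (0, 0, 0), [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best[0]:
                    best = (cur[j], i - cur[j], j - cur[j])
        prev = cur
    return best


def summarize(ul_text, ol_text):
    """Everything an analyst wants at a glance before trying decoders on the blobs."""
    ul_label, ul = parse_blob(ul_text)
    ol_label, ol = parse_blob(ol_text)
    return {
        "labels": (ul_label, ol_label),
        "lengths": (len(ul), len(ol)),
        "entropy": (round(shannon_entropy(ul), 3), round(shannon_entropy(ol), 3)),
        "shared_8grams": [g.hex() for g in shared_ngrams(ul, ol, 8)],
        "longest_common_run": longest_common_run(ul, ol),
    }


if __name__ == "__main__":
    for key, value in summarize(UL_HTM, OL_HTM).items():
        print(key, value)
```

On the excerpts the longest common run is exactly the eight shared bytes, starting at offset 8 of ul.htm and offset 6 of ol.htm; on the full blobs the same search also turns up runs that repeat within ol.htm itself, which is the kind of structure to look for before assuming the data is a stream cipher output.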

Delete it with IceSword and you're done.
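The post's remedy is IceSword; a responder who wants to confirm an infection before deleting anything can check the indicators listed above directly. This Python sweep is an added example rather than anything from the post. It assumes the six-hex-digit folder and file names (935F0D, 96B69A, F0D363) are random per infection and therefore matches their shape rather than the literal values, assumes the downloaded NT-xxxxxxxx.EXE may also be left in that folder, and uses a constructed Run value name ("updater") and constructed directory listings as sample data. The live collector needs only winreg and os, so it runs on Windows without extra packages; the matching functions run anywhere.

```python
import os
import re

# Patterns generalized from the post's sample artifacts (assumption: the six hex digits in
# 935F0D, 96B69A and F0D363 are random per infection, so match the shape, not the value).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROP_DIR_RE = re.compile(r"^[0-9a-f]{6}$", re.IGNORECASE)
DROP_EXE_RE = re.compile(
    r"\\system32\\[0-9a-f]{6}\\([0-9a-f]{6}|winocreg|nt-[0-9a-f]{8})\.exe$", re.IGNORECASE)


def flag_run_values(values):
    """values: {value name: command line}. Returns names whose command points into a
    six-hex-digit folder under system32 (indicator 3 in the post)."""
    return sorted(name for name, cmd in values.items()
                  if DROP_EXE_RE.search(cmd.strip().strip('"')))


def flag_startup_entries(names):
    """names: file names found in the Startup folder. A .lnk whose name is only
    whitespace is the disguised shortcut from indicator 2."""
    return sorted(n for n in names if n.lower().endswith(".lnk") and not n[:-4].strip())


def flag_system32_dirs(listing):
    """listing: {subfolder name under system32: [file names]}. Flags six-hex-digit
    subfolders that hold executables (indicators 1 and 4)."""
    return sorted(d for d, files in listing.items()
                  if DROP_DIR_RE.match(d) and any(f.lower().endswith(".exe") for f in files))


def sweep_live_host():
    """Collect the three artifact sets from the running Windows host and apply the checks.
    Windows only. The Startup path below is the Vista-and-later location; on XP it is the
    Start Menu\\Programs\\Startup folder directly under %USERPROFILE%, as in the post."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    startup = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    startup_names = os.listdir(startup) if os.path.isdir(startup) else []
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    listing = {}
    for entry in os.scandir(system32):
        if entry.is_dir() and DROP_DIR_RE.match(entry.name):
            try:
                listing[entry.name] = os.listdir(entry.path)
            except OSError:
                listing[entry.name] = []
    return {"run": flag_run_values(values),
            "startup": flag_startup_entries(startup_names),
            "system32": flag_system32_dirs(listing)}


# Constructed sample artifacts mirroring the post's indicators plus benign neighbours.
SAMPLE_RUN = {"updater": r'"c:\windows\system32\935f0d\96b69a.exe"',  # value name assumed
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_STARTUP = [" .lnk", "desktop.ini", "OneNote.lnk"]
SAMPLE_SYSTEM32 = {"935F0D": ["96B69A.EXE", "winocreg.exe", "F0D363.EXE"],
                   "0409": ["vsjitdebuggerui.dll"], "drivers": ["etc"]}

if __name__ == "__main__":
    print("run:", flag_run_values(SAMPLE_RUN))
    print("startup:", flag_startup_entries(SAMPLE_STARTUP))
    print("system32:", flag_system32_dirs(SAMPLE_SYSTEM32))
    if os.name == "nt":
        print("live host:", sweep_live_host())
```

Anything the sweep flags should be confirmed by hand (the shortcut's target, the file hashes) before removal; a six-hex-digit folder under system32 is unusual but not impossible for legitimate software.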


金刀客博客, all rights reserved. Unless otherwise noted, all posts are original and licensed under CC BY-NC-SA; when reposting, please credit 假冒记事本U盘病毒-Notepad.exe.