A virus like this came in on a USB drive belonging to an expert from the United States. My God, it forced me to reinstall the system, and it seems nobody in China has yet found a way to deal with this virus.
The following is information about the latest variant of the trojan/malware labeled RookIE by Snort IDS. What we have learned so far is that RookIE and the associated malware will copy itself to any media mounted on the infected system. On my test system it created the following files:
- autorun.inf
- d9c.bat which is executed by autorun.inf
- l6w2eaih.exe
This enables it to reinfect a cleaned computer as well as automatically infect any system which has autorun enabled upon mounting of the drive, if the user mounting the drive is logged in with a privileged account. It apparently has no effect when a drive is mounted via an unprivileged account.
I've determined there are at least two ways to detect if this version of the RookIE trojan is infecting a system; once rooted, antivirus is useless.
- What really gives it away is the fact that the RookIE rootkit will keep reselecting the "Hide protected operating system files" radio button in Tools > Folder Options > View after you have deselected it and closed the window
- Also, immediately on install of this variant of the RookIE rootkit via autorun, the trojan will attempt to contact 60.217.58.86 on port 80, though this appears unique per install as it contacts other hosts on other infected systems
The RookIE rootkit made the following changes on my test system:
Added to system
- C:\autorun.inf
- C:\d9c.bat
- C:\WINDOWS\System32\mdfgds0.dll
- C:\WINDOWS\System32\olhrwef.exe
It modified
- C:\WINDOWS\System32\drivers\cdaudio.sys (The write time for this file)
It added
- C:\WINDOWS\System32\dllcache\cdaudio.sys
Registry Modifications include
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|cdoosoft
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security|Security
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|Type
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|DisplayName
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|ErrorControl
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|Start
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|Count
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|NextInstance
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|INITSTARTFAILED
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|ImagePath
- Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum|Count
- Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum|NextInstance
Here is a ThreatExpert analysis as well; obviously, the file and .exe names created may be unique per system:
http://www.threatexpert.com/report.aspx?md5=9d14254087c34dfbce98e259683f0ea5
As always, using a nonprivileged account will prevent infection by the RookIE malware suite. !Admin!
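To make the propagation and detection points above concrete, here is an added triage helper (example code written for this page, not part of the original post or any tool the post mentions). It parses an autorun.inf the way Explorer would read it, works out what would be launched on mount, follows a dropped .bat one level to the .exe it starts, and checks a set of host observations against the indicators listed in the post (the `cdoosoft` Run value, the `AVPsys` service, `dllcache\cdaudio.sys`, the 60.217.58.86:80 beacon, and the Folder Options setting reverting). The sample drive listing, autorun.inf, batch file and host observations are constructed for the example; the key names `hkcu_run_values`, `services`, `files`, `connections` and `super_hidden_reverted` are this example's own assumptions about how an analyst would record what they saw.

```python
"""Triage helper for autorun-spread USB malware such as the RookIE variant above.

Added example; not code from the original post. All sample inputs are constructed.
"""
import re
from typing import Dict, List

# Indicators as listed in the post. The beacon address is per-install according
# to the author, so treat a hit on it as supporting evidence, not proof.
RUN_VALUE = "cdoosoft"
SERVICE_NAME = "AVPsys"
BEACON = ("60.217.58.86", 80)
DLLCACHE_DRIVER = r"\system32\dllcache\cdaudio.sys"


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key->value for the [autorun] section, keys lowercased.
    Tolerant of blank lines, ';' comments and odd casing."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            # [autorun] and variants such as [autorun.amd64] all count
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Executables autorun.inf would hand to the shell: open=, shellexecute=
    and any shell\\<verb>\\command= entry. Quotes, arguments and directories
    are stripped so the result is a plain lowercase file name, deduplicated."""
    targets: List[str] = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"'):
                first = value[1:].split('"', 1)[0]
            else:
                first = value.split()[0] if value.split() else ""
            name = first.replace("/", "\\").split("\\")[-1].lower()
            if name and name not in targets:
                targets.append(name)
    return targets


def exes_started_by_batch(bat_text: str) -> List[str]:
    """Names of .exe files a dropper batch file invokes (one level deep)."""
    return sorted({m.lower() for m in re.findall(r"[\w.-]+\.exe", bat_text, re.I)})


def triage_drive(listing: List[str], autorun_text: str, bat_texts: Dict[str, str]) -> dict:
    """Decide whether mounting this drive in an autorun-enabled, privileged
    session would execute something, and what the execution chain is."""
    names = {n.lower() for n in listing}
    findings = {"autorun_present": "autorun.inf" in names, "targets": [],
                "missing_targets": [], "chained_exes": [], "would_execute": False}
    if not findings["autorun_present"]:
        return findings
    for target in launch_targets(parse_autorun(autorun_text)):
        findings["targets"].append(target)
        if target not in names:
            findings["missing_targets"].append(target)
        if target.endswith(".bat") and target in bat_texts:
            findings["chained_exes"] += exes_started_by_batch(bat_texts[target])
    findings["would_execute"] = bool(findings["targets"]) and not findings["missing_targets"]
    return findings


def match_host_indicators(obs: dict) -> List[str]:
    """Compare analyst-recorded host observations (assumed key names, see lead-in)
    against the persistence and network indicators from the post."""
    hits: List[str] = []
    if RUN_VALUE.lower() in {v.lower() for v in obs.get("hkcu_run_values", [])}:
        hits.append(f"HKCU Run value '{RUN_VALUE}'")
    if SERVICE_NAME.lower() in {s.lower() for s in obs.get("services", [])}:
        hits.append(f"service '{SERVICE_NAME}'")
    if any(p.lower().endswith(DLLCACHE_DRIVER) for p in obs.get("files", [])):
        hits.append("cdaudio.sys added to dllcache")
    if BEACON in {(ip, port) for ip, port in obs.get("connections", [])}:
        hits.append("beacon to %s:%d" % BEACON)
    if obs.get("super_hidden_reverted", False):
        hits.append("'Hide protected operating system files' keeps re-enabling itself")
    return hits


# Constructed sample: a drive laid out as the post describes (names from the post).
SAMPLE_LISTING = ["autorun.inf", "d9c.bat", "l6w2eaih.exe", "report.doc"]
SAMPLE_AUTORUN = r"""[AutoRun]
;constructed autorun.inf modelled on the post's description
OPEN=d9c.bat
shell\open\Command=d9c.bat
shell\explore\command=d9c.bat
shellexecute=d9c.bat
"""
SAMPLE_BAT = {"d9c.bat": "@echo off\nstart l6w2eaih.exe\n"}
# Constructed host observations; 'SomeVendorUpdater' is a placeholder benign entry.
SAMPLE_HOST = {"hkcu_run_values": ["SomeVendorUpdater", "cdoosoft"],
               "services": ["Dhcp", "AVPsys"],
               "files": [r"C:\WINDOWS\System32\dllcache\cdaudio.sys"],
               "connections": [("60.217.58.86", 80)],
               "super_hidden_reverted": True}

if __name__ == "__main__":
    print(triage_drive(SAMPLE_LISTING, SAMPLE_AUTORUN, SAMPLE_BAT))
    print(match_host_indicators(SAMPLE_HOST))
```

On the constructed sample, `triage_drive` reports that autorun.inf would run `d9c.bat`, which in turn starts `l6w2eaih.exe`, matching the chain the post describes; `match_host_indicators` lists all five indicators. The parser deliberately ignores anything outside the `[autorun]` section and folds key case, because the shell does the same, so a file that looks harmless in a text editor but still carries an `open=` line is flagged. Since the post notes that the beacon host differs per install, the script treats the network hit as one indicator among several rather than a sole trigger.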