nx.exe systom.exe病毒清除办法及nx.exe systom.exe专…

<BR><DIV><FONT size=3><STRONG>nx.exe systom.exe病毒简介</STRONG></FONT></DIV>
<DIV><FONT size=2>File: <STRONG>nx.exe<BR></STRONG>Size: 28160 bytes<BR>Modified: 2007年10月15日, 23:05:30<BR>MD5: 3C35C8AEC2D8DAA9ECDC026C2600141A<BR>SHA1: C230D86618F3D6758E30F4933225A93C3E705DF2<BR>CRC32: C6E542DB</FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2><FONT size=3><STRONG>nx.exe systom.exe病毒分析</STRONG></FONT><BR>1.病毒运行后，释放如下副本：<BR>%systemroot%\system32\Systom.exe<BR>在每个分区下面生成autorun.inf 和nx.exe</FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>2.调用reg.exe进行如下操作：</FONT></DIV>
<DIV><FONT size=2>添加自身启动项目<BR>ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D</FONT></DIV>
<DIV><FONT size=2>禁用windows自动更新<BR>add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f&nbsp;&nbsp;&nbsp;<BR>禁用任务管理器<BR>add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_dword /d 00000001 /f<BR>破坏显示隐藏文件 <BR>将HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL 的值设置为0<BR>add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v Text /t REG_SZ /d 显示所有文件和文件夹 /f&nbsp;&nbsp;&nbsp;&nbsp;<BR>add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_dword /d 00000002 /</FONT></DIV>
<DIV><FONT size=2>破坏安全模式<BR>delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f<BR>delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f<BR>delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f<BR>delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f</FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>3.向HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\下面添加如下映像劫持项目指向%systemroot%\system32\Systom.exe（篇幅所限，仅贴图示意）</FONT></DIV>
<DIV forimg="1"><FONT size=2></FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT>&nbsp;</DIV>
<DIV class=tmpDiv><IMG onmousewheel="return bbimg(this)" height=551 src="http://www.hotbus.cn/it/UploadFiles_7984/200710/20071031182810575.jpg" width=742 onload=javascript:resizepic(this) border=0></DIV>
<DIV class=tmpDiv><FONT size=2>4.遍历各个分区删除.GHO文件</FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT>&nbsp;</DIV>
<DIV class=tmpDiv><FONT size=2>5.感染各个分区的INDEX.ASP，.HTM，INDEX.PHP，DEFAULT.ASP，DEFAULT.PHP，CONN.ASP文件</FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT>&nbsp;</DIV>
<DIV class=tmpDiv><FONT size=2>6.连接<U><FONT color=#000000>http://www.88baobaomm.bj.cn/tj.asp</FONT></U></A>做感染统计</FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT>&nbsp;</DIV>
<DIV class=tmpDiv><FONT size=2>7.读取<U><FONT color=#000000>http://www.88baobaomm.bj.cn1.txt~http://www.88baobaomm.bj.cn3.txt</FONT></U></A>中的内容 进行下载木马，锁定主页或者根据文本文档中的内容关闭指定窗口等破坏操作。<BR>但所有链接已失效。</FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT></DIV>
<DIV class=tmpDiv><FONT size=2></FONT>&nbsp;</DIV>
<DIV class=tmpDiv><FONT size=2>8.病毒体内有字样“niux”</p><p align='center'><b><font color='red'>[1]</font>&nbsp;<a href='http://www.hotbus.cn/it/200710/3933_2.html'>[2]</a>&nbsp;<a href='http://www.hotbus.cn/it/200710/3933_2.html'>下一页</a> </b></p> <BR>