Virus name (Chinese): AV终结者变种65536 (AV Terminator variant 65536)
Virus alias:
Threat level: ★★☆☆☆
Virus type: Trojan downloader
Virus length: 13824
Affected systems: Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Behaviour:
This is a variant of AV终结者 (AV Terminator). It restores the system SSDT (removing the hooks that security software relies on), terminates anti-virus processes or hijacks their images through Image File Execution Options. The malware injects itself into system processes to avoid being deleted, and creates large numbers of AUTORUN files to spread automatically.
1) Searches the running processes for a process with PID 4; if none is found, exits. Determines whether the system is NT-based.
2) Checks whether AUTORUN.INF exists in the current directory; if it does, takes the first 3 bytes of the current file path (the drive root) and opens it. Determines whether it was launched from autorun.inf.
3) Creates a mutex named SHALONG and checks whether it already existed; if so, exits.
4) Sets the attributes of its own file to hidden and system.
5) Deletes the following files:
c:\windows\system32\mfc71.dll
C:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll
d:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll
f:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll
c:\windows\system32\drivers\etc\hosts
c:\winnt\system32\drivers\etc\hosts
6) Searches the running processes for safeboxTray.exe (360 Safebox) and terminates it if found.
7) Sets the system date to the year 2004.
8) Runs the following commands:
cacls.exe c:\windows\system32\packet.dll /e /p everyone:f
cacls.exe c:\windows\system32\pthreadVC.dll /e /p everyone:f
cacls.exe c:\windows\system32\wpcap.dll /e /p everyone:f
cacls.exe c:\windows\system32\drivers\npf.sys /e /p everyone:f
cacls.exe c:\windows\system32\npptools.dll /e /p everyone:f
cacls.exe c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
cacls.exe c:\windows\system32\wanpacket.dll /e /p everyone:f
cacls.exe c:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f
cacls.exe c:\windows\system32\drivers\etc\hosts /e /p everyone:f
cacls.exe c:\windows\system32\ftp.exe /e /p everyone:f
This grants Everyone full control of these files. (「开始」菜单\程序\启动 is the Start Menu\Programs\Startup folder on Chinese Windows.)
9) Calls the fifth export of sfc_os.dll (ordinal 5, SfcFileException) to disable Windows File Protection for %sys32dir%\drivers\beep.sys, %sys32dir%\spoolsv.exe and %sys32dir%\dllcache\spoolsv.exe.
10) Sends SERVICE_CONTROL_STOP to the beep service and sets the attributes of beep.sys to Normal.
11) Decrypts data from its data section, writes it to beep.sys and starts the beep service; the replaced driver's job is to restore the SSDT.
12) Searches the running processes for the following and terminates any that are found:
wuauclt.exe, EsuSafeguard.exe, VsTskMgr.exe, Avp.EXE, Iparmor.exe, KVWSC.ExE, kvsrvxp.exe, kvsrvxp.kxp, KvXP.kxp, KRegEx.exe, AntiArp.exe, VPTRAY.exe, VPC32.exe, scan32.exe, FrameworkService.exe, KASARP.exe, nod32krn.exe, nod32kui.exe, TBMon.exe, rfwmain.exe, RavStub.exe, rfwstub.exe, rfwProxy.exe, rfwsrv.exe, UpdaterUI.exe, kissvc.exe, kav32.exe, kwatch.exe, KAVPFW.EXE, kavstart.exe, kmailmon.exe, GFUpd.exe, Ravxp.exe, GuardField.exe, RAVMOND.EXE, RAVMON.EXE, Center.EXE, RSTray.exe, RAv.exe, Runiep.exe, 360rpt.EXE, 360tray.exe, 360Safe.exe
13) Stops the following anti-virus services:
Norton AntiVirus Server, McAfee Framework service, Symantec AntiVirus Definition Watcher, Symantec AntiVirus Drivers Services, Symantec AntiVirus, Kingsoft Internet Security Common Service, KPfwSvc, KWhatchsvc, McShield, sharedaccess
14) Compares its current path with %sys32dir%\spoolsv.exe; if they differ, moves %sys32dir%\spoolsv.exe to c:\ttmm.tep and copies itself to %sys32dir%\spoolsv.exe and %sys32dir%\dllcache\spoolsv.exe.
15) Runs cmd.exe /c net1 start server to start the Server service.
16) Opens IE hidden and injects its download routine into that process:
(1) Copies %sys32dir%\urlmon.dll to %sys32dir%\aktwkss.dll.
(2) Resolves UrlDownloadToFileA, downloads the following files and runs them:
http://w.cdd6.com/dd/x.gif to C:\Program Files\ccd.pif
http://w.cdd6.com/dd/1.gif to C:\Program Files\11.pif
http://w.cdd6.com/dd/2.gif to C:\Program Files\22.pif
http://w.cdd6.com/dd/3.gif to C:\Program Files\33.pif
http://w.cdd6.com/dd/4.gif to C:\Program Files\44.pif
http://w.cdd6.com/dd/5.gif to C:\Program Files\55pif
http://w.cdd6.com/dd/6.gif to C:\Program Files\66.pif
http://w.cdd6.com/dd/7.gif to C:\Program Files\77.pif
http://w.cdd6.com/dd/8.gif to C:\Program Files\88.pif
http://w.cdd6.com/dd/9.gif to C:\Program Files\99.pif
http://w.cdd6.com/dd/10.gif to C:\Program Files\1010.pif
17) Adds a registry run entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\internetnet: "C:\WINDOWS\system32\spoolsv.exe"
18) Adds Image File Execution Options hijacks. For each of the image names below it creates
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>\debugger: "C:\WINDOWS\system32\dllcache\spoolsv.exe"
so that launching the tool starts the malware instead:
360rpt.EXE, 360safe.EXE, 360safebox.EXE, 360tray.EXE, ANTIARP.EXE, ArSwp.EXE, Ast.EXE, AutoRun.EXE, AutoRunKiller.EXE, AvMonitor.EXE, AVP.COM, AVP.EXE, CCenter.EXE, Frameworkservice.EXE, GFUpd.EXE, GuardField.EXE, HijackThis.EXE, IceSword.EXE, Iparmor.EXE, KASARP.EXE, kav32.EXE, KAVPFW.EXE, kavstart.EXE, kissvc.EXE, kmailmon.EXE, KPfwSvc.EXE, KRegEx.EXE, KVMonxp.KXP, KVSrvXP.EXE, KVWSC.EXE, kwatch.EXE, Mmsk.EXE, msconfig.EXE, Navapsvc.EXE, nod32krn.EXE, Nod32kui.EXE, PFW.EXE, QQDoctor.EXE, RAV.EXE, RavStub.EXE, Regedit.EXE, rfwmain.EXE, rfwProxy.EXE, rfwsrv.EXE, rfwstub.EXE, RSTray.EXE, Runiep.EXE, safeboxTray.EXE, SREngLdr.EXE, TrojanDetector.EXE, Trojanwall.EXE, TrojDie.KXP, VPC32.EXE, VPTRAY.EXE, WOPTILITIES.EXE
19) Changes the hidden-file display setting: sets CheckedValue under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL to 0x1 (0x2 means show hidden files).
20) Deletes the following keys to break Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\: "DiskDrive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\: "DiskDrive"
21) Enumerates drive letters C to Z; for every drive reported as Fixed, copies itself to the drive root as HGZP.PIF, creates a matching autorun.inf and sets both files to system and hidden.
22) Enumerates windows and sends WM_CLOSE to any whose title contains one of the following strings:
杀毒 (anti-virus), 清理 (clean-up), sreng, worm, 卡巴斯基 (Kaspersky), 超级巡警 (Super Patrol), 江民 (Jiangmin), 金山 (Kingsoft),
Antivirus, firewall,
检测 (detect), mcafee, 病毒 (virus), 防火墙 (firewall), 主动防御 (active defence),
微点 (Micropoint), 防御 (defence), 绿鹰 (Green Eagle), 木马 (Trojan), 瑞星 (Rising), 进程 (process), process, nod32,
专杀 (removal tool), 安全卫士 (Safe Guard)
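An offline triage routine over an exported .reg file, added here as an example and not part of the original report: it flags the Image File Execution Options debugger entries from step 18, the policies\explorer\run value from step 17 and the SafeBoot DiskDrive keys that step 20 deletes. The .reg fragment, the myapp.exe entry and its vsjitdebugger.exe value are constructed to show that a Debugger value is not malicious by itself.

```python
# Constructed .reg export fragment (not taken from the report): one
# legitimate-looking debugger entry, two hijacks of the kind listed in step 18,
# the step 17 Run policy value, and only the Minimal SafeBoot key from step 20.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="vsjitdebugger.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"debugger"="C:\\WINDOWS\\system32\\dllcache\\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
"debugger"="C:\\WINDOWS\\system32\\dllcache\\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"internetnet"="C:\\WINDOWS\\system32\\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
'''

IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
POLICY_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot\%s\{4d36e967-e325-11ce-bfc1-08002be10318}"
HIJACK_TARGET = r"\dllcache\spoolsv.exe"  # debugger path the report attributes to this variant

def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: data}}; REG_SZ only."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, data = line[1:-1].split('"="', 1)
            tree[current][name.lower()] = data.replace("\\\\", "\\")  # .reg doubles backslashes
    return tree

def triage(text):
    """Return (severity, finding) tuples. Every IFEO Debugger is reported because the
    feature has legitimate uses; the report's path, the Run value and a missing SafeBoot key are HIGH."""
    tree, findings = parse_reg(text), []
    for key, values in tree.items():
        if key.startswith(IFEO + "\\") and "debugger" in values:
            dbg = values["debugger"]
            sev = "HIGH" if dbg.lower().endswith(HIJACK_TARGET) else "REVIEW"
            findings.append((sev, "IFEO %s -> %s" % (key.rsplit("\\", 1)[1], dbg)))
    for name, data in tree.get(POLICY_RUN, {}).items():
        findings.append(("HIGH", "policies\\explorer\\run %s -> %s" % (name, data)))
    for mode in ("minimal", "network"):  # step 20 deletes the DiskDrive class key under both
        if SAFEBOOT % mode not in tree:
            findings.append(("HIGH", "SafeBoot\\%s DiskDrive class key missing" % mode))
    return findings
```

Run it against a full `reg export HKLM` of the suspect machine; a missing SafeBoot key is only meaningful when the export covers HKLM\SYSTEM.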
Boot into Safe Mode and run the anti-virus scan there. It will definitely leave you smiling sweetly.
Reinstalling the system and then doing a full scan in Safe Mode is faster.
Manual removal never gets everything.
Anti-virus software usually cannot deal with a really capable virus. It seems you like fumbling around on your own like I do. If you cannot find any information about this virus online, back up your data and reinstall. The program's name can be changed at will; only anti-virus software can find its real name from its signature.