Original poster:
Repost: Harm and Removal of the New Happy Time Virus "VBS.KJ"
Harm and Removal of the New Happy Time Virus "VBS.KJ"
Author: Kingsoft Anti-Virus Information Network
How the Virus Infects
VBS.KJ is a script virus that infects html/htm, jsp, vbs, php and asp files. Like Happy Time ("VBS.HappyTime"), it is written in VBScript and spreads over the Internet by e-mail, and it can also spread through file infection. An infected machine has much of its system resources consumed and slows down; the virus uses Windows Explorer to lodge itself and to infect.
Compared with Happy Time, however, VBS.KJ has clearly been improved. First, it mutates on every infection, so it can evade ordinary signature-matching scans. Second, it does not send e-mail itself: instead it changes the settings of Microsoft Outlook Express and Microsoft Outlook 2000/XP so that mail is composed with HTML stationery, and it infects all of the stationery, so the virus rides along in every message the user sends, which makes it much harder to notice. Third, it infects html/htm, jsp, vbs, php and asp files but does not delete system files.
Files Created and Modified by the Virus
1. Creates desktop.ini and folder.htt in every folder it examines (these two files control how the folder is displayed in Explorer).
2. Creates kjwall.gif in %Windows%\web and %Windows%\System32.
3. On Windows 9x creates %Windows%\System\Kernel.dll; on Windows 2000/XP creates %Windows%\System\Kernel32.dll.
4. Infects htt files by appending the virus to them; infects html/htm, jsp, vbs, php and asp files by replacing their contents with the virus.
Registry Changes
1. Adds a Kernel32 value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ so that the virus starts with the system;
2. Modifies HKEY_CLASSES_ROOT\dllFile\ to change how dll files are opened;
3. Sets HKEY_CURRENT_USER\Identities\"&UserID&"\Software\Microsoft\Outlook Express\"&OEVersion&"\Mail\Compose Use Stationery to 1, i.e. use stationery, and sets HKEY_CURRENT_USER\Identities\"&UserID&"\Software\Microsoft\Outlook Express\"&OEVersion&"\Mail\Stationery Name to the stationery file (the "&UserID&" and "&OEVersion&" fragments are VBScript concatenation placeholders for the identity ID and the Outlook Express version);
4. Modifies the relevant entries under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail so that Outlook 2000 composes mail with stationery;
5. Modifies the relevant entries under HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail so that Outlook XP composes mail with stationery.
Signs of Infection
1. A Kernel32 value exists under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ and points to Kernel.dll or Kernel32.dll;
2. Large numbers of desktop.ini and folder.htt files exist across the system;
3. kjwall.gif exists in the system directory.
Manual Removal (fairly difficult; using antivirus software is recommended)
1. Open the registry and delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 value;
using another machine as a reference, restore the values under HKEY_CLASSES_ROOT\dllFile\;
using another machine as a reference, restore the relevant values under HKEY_CURRENT_USER\Identities\"&UserID&"\Software\Microsoft\Outlook Express\"&OEVersion&"\Mail\;
using another machine as a reference, restore the relevant values under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\;
using another machine as a reference, restore the relevant values under HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\.
2. Delete files (preferably from DOS or with a third-party file manager such as WinCommander):
using another machine as a reference, restore the folder.htt file in the %Windows%\web directory;
delete Kernel32.dll or Kernel.dll; delete kjwall.gif;
find every file containing the string KJ_start and delete the virus code at the end of the file.
----------------------The following is my own text---------------------
The New Happy Time virus is fairly hard to deal with; it spreads through web pages, floppy disks, local networks, e-mail and so on.
In my experience the best tool for preventing it is Rising. Kingsoft AntiVirus 2002 still cannot detect it after updating, though its dedicated removal tool cleans it faster than Rising does.
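The following is an added example, not part of the original post and not Kingsoft's removal tool. It is a small Python triage script for the signs of infection and the KJ_start marker named in the removal steps above, written to run offline: the registry sign is evaluated over lines from a `reg export` of the Run key (the export format is assumed) rather than against the live registry, the file-system signs are found by walking a directory tree, and a helper returns the content in front of the injected `<script>` block for a file that carries the marker. Assumptions: the marker is matched as a case-sensitive byte string; the injected block starts with a `<script>` tag immediately before the marker, which the advisory only supports for the .htt files the virus appends to, so for html/jsp/vbs/php/asp files (whose contents are replaced) the helper returns None when the marker sits at the start and those files have to be restored from a backup; the sample tree, the sample folder.htt and the sample registry lines are constructed. All function names are mine.

```python
"""Offline triage for the VBS.KJ indicators in the advisory (added example)."""
import os
import re
import shutil
import tempfile

MARKER = b"KJ_start"
PAYLOAD_NAMES = {"kernel.dll", "kernel32.dll"}
# A value line as written by `reg export`: "Kernel32"="C:\\WINDOWS\\System\\Kernel32.dll"
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample of a Run key export; the second value is benign filler.
SAMPLE_REG_LINES = [
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Kernel32"="C:\\WINDOWS\\System\\Kernel32.dll"',
    r'"Updater"="C:\\Program Files\\Example\\updater.exe"',
]
# Constructed folder.htt: original view template with a marker block appended.
SAMPLE_HTT = (b"<html><body>folder view</body></html>\n"
              b"<script>KJ_start 'stand-in for the appended code'</script>")

def suspicious_run_values(reg_lines):
    """Sign 1 of the advisory: a Run value named Kernel32 pointing at Kernel.dll
    or Kernel32.dll. Returns the matching (name, data) pairs."""
    hits = []
    for line in reg_lines:
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        data = m.group("data").replace("\\\\", "\\")  # undo .reg escaping
        basename = data.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if m.group("name").lower() == "kernel32" and basename in PAYLOAD_NAMES:
            hits.append((m.group("name"), data))
    return hits

def strip_appended_payload(data):
    """Content before the injected block, or None when the marker is absent or
    at offset 0 (content replaced rather than appended: restore from backup)."""
    off = data.find(MARKER)
    if off <= 0:
        return None
    # Assumption: the injected block opens with a <script> tag right before KJ_start.
    script_open = data.lower().rfind(b"<script", 0, off)
    return data[:script_open] if script_open >= 0 else data[:off]

def scan_tree(root):
    """Walk root and collect the file-system signs listed in the advisory."""
    found = {"hijacked_folders": [], "dropped_files": [], "marked_files": []}
    for dirpath, _dirs, files in os.walk(root):
        # desktop.ini + folder.htt together is how the folder view gets hijacked
        if {"desktop.ini", "folder.htt"} <= {f.lower() for f in files}:
            found["hijacked_folders"].append(dirpath)
        for f in files:
            path = os.path.join(dirpath, f)
            # Only kjwall.gif is flagged by name; Kernel32.dll is also a real
            # system DLL, so its location must be checked against the advisory.
            if f.lower() == "kjwall.gif":
                found["dropped_files"].append(path)
            with open(path, "rb") as fh:
                off = fh.read().find(MARKER)
            if off >= 0:
                found["marked_files"].append((path, off))
    return found

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample_tree():
    """Constructed sample (no real virus code): a hijacked folder, a dropped
    kjwall.gif, and one clean file, under a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="kj_triage_")
    _write(os.path.join(root, "Docs", "desktop.ini"), b"[.ShellClassInfo]\n")
    _write(os.path.join(root, "Docs", "folder.htt"), SAMPLE_HTT)
    _write(os.path.join(root, "Web", "kjwall.gif"), b"GIF89a")
    _write(os.path.join(root, "readme.txt"), b"clean file\n")
    return root

def triage_sample():
    """Scan the sample tree; paths are returned relative to the temp root."""
    root = build_sample_tree()
    try:
        found = scan_tree(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return {
            "hijacked_folders": [rel(p) for p in found["hijacked_folders"]],
            "dropped_files": [rel(p) for p in found["dropped_files"]],
            "marked_files": [(rel(p), off) for p, off in found["marked_files"]],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_REG_LINES))
    print(triage_sample())
    print(strip_appended_payload(SAMPLE_HTT))
```

On a real machine you would feed `suspicious_run_values` the lines of a `reg export` of the Run key taken from the suspect host and point `scan_tree` at each drive; a hit list from `scan_tree` is a work list for the advisory's steps, not a cleaner. Kernel32.dll is deliberately not flagged by file name, because the genuine system DLL has the same name and only the location named in the advisory (%Windows%\System on 2000/XP) distinguishes the dropped copy.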