Caught the img1756.zip virus on MSN

2007-08-09 9:07 pm
Compressed (zipped) folder

Is there any way to remove the virus?!
Update 1:

Restarting the computer doesn't work =w="

Answers (5)

2007-08-13 7:02 pm
Virus name: MSN Photo (Worm.IRC.MyPhoto.a)
Virus type: worm
Threat level: ★★★☆
Symptoms and damage: the virus sends messages over MSN such as "HEY lol i've done a new photo album !:)
Second ill find file and send you it." and "Hey wanna see my new photo album?", together with an attached archive named photo album.zip.

Running the program inside that archive infects the user's machine. The virus also drops a backdoor program on the user's computer; an attacker can then use IRC software to remotely control the infected machine and steal personal data, which puts the user at serious risk.
Manual removal:
I. Delete the virus's registry startup entry
1. Run regedit to open the Registry Editor. Open
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad, find the entry "rdshost", note down its value, and delete the entry.

Note: the value of the "rdshost" entry is a CLSID. The CLSID generated by the virus is not fixed; in this example it is {C7B4EE78-A8FB-4C16-AE1F-C1A568949825}.
2. Open HKEY_CLASSES_ROOT\CLSID, find the CLSID key you just noted down (in this example {C7B4EE78-A8FB-4C16-AE1F-C1A568949825}) and delete it.

II. Restart the computer
Because the virus is resident in memory, after removing the startup entry you must restart the computer before the virus files can be deleted.
III. Delete the virus files
1. Go to the Windows directory (by default C:\windows), find the file named "photo album.zip" and delete it.

2. Go to the system directory (by default C:\windows\system32), find the file named "rdshost.dll" and delete it (note that it is a DLL file, not an EXE).
3. Restart the computer and check whether these files still exist. If they do not, the virus has been removed completely.
Tip: manual removal of this virus is fairly tedious, so using antivirus software is recommended. Against the "MSN Photo" virus, users should take the following measures: do not casually accept and run unfamiliar files over MSN; because the virus spreads via MSN and consumes large amounts of system resources and network bandwidth, users on corporate LANs in particular should strengthen their defences; update your antivirus software as soon as possible. Rising (瑞星) Antivirus version 19.16.12 can completely remove this virus.

***** Because this virus keeps mutating, I just found another file called SYSHOST.DLL. The removal method is the same as above; just replace rdshost.dll with syshost.dll. *****

***** This virus has a new variant too: it now speaks Chinese. Everyone be careful! *****

By the way, do visit my forum at http://fd07.org/
2007-08-10 2:54 am
With the permission of a fellow blogger, his post is reproduced below:

The worm attached to this file is named W32.Scrimge.A
Discovered: August 6, 2007
Updated: August 6, 2007 2:48:14 PM
Type: Worm
Infection Length: 27,136 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP



W32.Scrimge.A is a worm that spreads through Microsoft instant messaging clients and opens a back door on the compromised computer.

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low
* Payload: Opens a back door on the compromised computer.

Distribution

* Distribution Level: Low

----------------------------------------------------------------------------------------

Technical Details:

Once executed, the worm creates a mutex named 'JFAngaY' so that only one instance of the threat runs on the compromised computer.

It then drops and executes the following file, in order to stop the Security Center and winvnc4 service:
%SystemRoot%\a.bat

The worm then copies itself as the following file:
%Windows%\svchost.exe

It goes on to create the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"

The worm then drops a zipped copy of itself as the following file:
%Windows%\img1756.zip

After dropping itself to the compromised computer, it connects to vpn.basecore.info on port 1863 to receive further commands. The worm can then be directed to perform the following actions:

* Update itself
* Download additional files
* Spread using MSN Messenger
* Delete itself

In order to spread over MSN, the worm sends the dropped zip file with one of the following messages to mislead users into downloading a zipped attachment of itself.

* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the *****, did you see this?
* hey man, did you take this picture?

Attachment name: img1756.zip

---------------------------------------------------

Manual removal (for Windows XP and Vista):

1) To disable System Restore (Windows Me/XP)

2) To run a full system scan

3) If any files are detected, follow the instructions displayed by your antivirus program.

4) To delete the value from the registry
Important: it is strongly recommended that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Navigate to and delete the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"
4. Exit the Registry Editor.

P.S. Because of a Yahoo+ system problem, some punctuation has turned into strings of meaningless symbols; please use your own judgement when reading.
Source: provided by a fellow netizen
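A defender-side check covering the persistence indicators from both answers above (the Run value from the W32.Scrimge.A write-up and the ShellServiceObjectDelayLoad entry plus CLSID from the Worm.IRC.MyPhoto.a write-up): an added Python example, not code from the original page, that scans an exported .reg file offline. The sample export is constructed; the benign entries and file paths in it are assumptions.

```python
import re

# Constructed sample .reg export. The worm entries follow the two answers above;
# the other entries are assumed benign filler, not real indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Genuine Logon"="svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{00000000-0000-0000-0000-000000000001}"
"rdshost"="{C7B4EE78-A8FB-4C16-AE1F-C1A568949825}"

[HKEY_CLASSES_ROOT\CLSID\{C7B4EE78-A8FB-4C16-AE1F-C1A568949825}\InProcServer32]
@="C:\\WINDOWS\\system32\\rdshost.dll"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SSODL_KEY = RUN_KEY.rsplit("\\", 1)[0] + r"\ShellServiceObjectDelayLoad"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(keys):
    """Return (kind, name, data) tuples for the persistence entries the page describes."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Scrimge: value "Microsoft Genuine Logon" = "svchost.exe". A path-less
        # svchost.exe is suspicious by itself; the real one lives in system32.
        if name == "Microsoft Genuine Logon" or data.lower() == "svchost.exe":
            findings.append(("run-value", name, data))
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        # MyPhoto: SSODL value rdshost/syshost holding a CLSID; its InProcServer32
        # default value names the DLL the answer says to delete from system32.
        if name.lower() in ("rdshost", "syshost") and CLSID_RE.match(clsid):
            findings.append(("ssodl-value", name, clsid))
            inproc = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32", {})
            if inproc.get("(Default)"):
                findings.append(("clsid-dll", clsid, inproc["(Default)"]))
    return findings
```

Run `find_indicators(parse_reg(SAMPLE_REG))` to see the three hits; on a live machine, feed it the output of `reg export` for the Run, ShellServiceObjectDelayLoad and CLSID keys instead.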
2007-08-09 9:20 pm
This one is really nasty. I've also received zip files sent by other people; luckily I didn't open them, because once someone opens it the virus sends itself out to everyone on that person's contact list.

So the recipients, seeing that it's from someone they know, open it too...

My friend tried shutting the machine down and it didn't help; it kept sending itself out. I received it at least 3 times within 2 days.

For those 2 days he simply had to stay off MSN.
2007-08-09 9:18 pm
Just restart the computer!!!
2007-08-09 9:11 pm
Restart the computer!!!!!!!
Source: me


Archived: 2021-04-29 15:56:30
Original link [permanently dead]:
https://hk.answers.yahoo.com/question/index?qid=20070809000051KK02011

View the Wayback Machine backup