Shunze Academy (http://www.shunze.info/forum/index.php)
|- Virus Chase (http://www.shunze.info/forum/board.php?boardid=6)
|-- [Share] The deadly USB-stick virus kavo.exe (http://www.shunze.info/forum/threadid.php?boardid=6&threadid=1482)


Author: shunze   Posted: 2007-09-08, 20:43:

[Share] The deadly USB-stick virus kavo.exe

Lately a new virus that spreads via USB flash drives seems to be going around again: kavo.exe.

Once infected, there is one obvious symptom: hidden files can no longer be shown!
Even turning on the "Show all files and folders" option in Folder Options has no effect; the virus changes it right back...
Even stranger, the problem persists even after reinstalling the operating system?
Hidden files still cannot be shown?


Wow!!!
Is it really that powerful?
Even a reinstall does not help???



Actually, reinstalling the operating system definitely does help.
The catch is that once you are infected, this virus leaves its remnants and an autorun.inf launcher file on every disk partition.

And the way most people open a partition is to open "My Computer" and double-click the partition they want.
Exactly this opening action makes the computer first check whether that partition contains an autorun.inf.
If it does, the commands in autorun.inf are executed first.

Reinstalling the system drive (C:) guarantees that drive is clean.
But the other partitions were never reformatted, so the virus remnants are still there.
As soon as autorun.inf is invoked in this way, the virus loads itself into the system again...
That is the main reason a reinstall seems to do nothing and hidden files still cannot be shown.


Cleaning up this kavo.exe virus is honestly a bit of a hassle.
Although we know very well that the root of the problem is this hidden autorun.inf file,
the trouble is that it is protected by the hidden attribute, and ordinary users have no way to delete something they cannot see.


Well, enough talk; here is how the cleanup works.
1. Reset the file attributes of autorun.inf on every disk, remove the hidden attribute, then delete the autorun.inf file.
2. Delete the hidden virus copy Ntdelect.com; likewise remove its hidden attribute and then delete it.
3. Remove the registry keys the virus added, then restore the "Show hidden files" function the virus disabled.
4. Delete the virus body, kavo.exe and kavo0.dll, from the C:\WINDOWS\system32\ directory.
5. After a reboot you should be free of kavo.exe.



The batch file below implements steps 1 to 4 above.

@echo off
cls

echo Removing the virus files and autorun.inf from every drive and from the Recycle Bin folders
echo Press Ctrl+C to abort
echo .
pause
for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
echo Cleaning drive %%a...
rem RECYCLER/RECYCLED are the Recycle Bin folders where the virus drops hidden copies
for %%b in (EXE COM PIF) do (
attrib -r -s -h -a %%a:\RECYCLER\*.%%b /s >nul 2>nul
attrib -r -s -h -a %%a:\RECYCLED\*.%%b /s >nul 2>nul
del %%a:\recycler\*.%%b /s /q /f >nul 2>nul
del %%a:\recycled\*.%%b /s /q /f >nul 2>nul
)
rem clear the hidden, system and read-only attributes first, otherwise del cannot remove the files
attrib -r -s -h -a /D /S %%a:\autorun.inf >nul 2>nul
attrib -r -s -h -a /D /S %%a:\ntdelect.com >nul 2>nul
del %%a:\autorun.inf /s /q /f >nul 2>nul
del %%a:\ntdelect.com /s /q /f >nul 2>nul
)

echo Removing the registry entries added by the virus
rem Image File Execution Options keys redirect these anti-virus and system tools to the virus;
rem a [-KEY] line in a .reg file deletes the key and restores the tool
echo Windows Registry Editor Version 5.00 >c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp] >>c:\fix.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe] >>c:\fix.reg
rem "name"=- deletes a single value: the virus's autostart entry under Run and the value it adds under Windows NT\CurrentVersion\Windows
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] >>c:\fix.reg
echo "kava"=- >>c:\fix.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] >>c:\fix.reg
echo "{27E1C1B0-7117-4582-8565-682E569810D2}"=- >>c:\fix.reg
rem restore the "Show hidden files and folders" option the virus disables
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] >>c:\fix.reg
echo "CheckedValue"=dword:00000001 >>c:\fix.reg
regedit.exe /s c:\fix.reg
del c:\fix.reg >nul 2>nul

echo Removing the kavo virus files
rem a running kavo.exe keeps its own files locked, so del would fail; end the process first (taskkill is not included in XP Home)
taskkill /f /im kavo.exe >nul 2>nul
attrib -s -h -r %windir%\system32\kavo.exe >nul 2>nul
attrib -s -h -r %windir%\system32\kavo0.dll >nul 2>nul
rem note: this wildcard removes every file in system32 whose name starts with kav, not just kavo.exe and kavo0.dll
del %windir%\system32\kav*.* >nul 2>nul

echo Cleanup finished, please reboot.
pause

Copy this code, paste it into a plain-text editor such as Notepad, save it as a batch file with the extension .bat,
then double-click it to run it, and it will do the cleanup.

If that sounds like too much trouble, just use the batch file Shunze has already written~
Download the attachment delkavo.zip at the end of this post; unzip it and run it for the same effect!
Shunze recommends plugging in your USB sticks as well while cleaning, so they get cleaned together and the problem is solved for good!



Other notes
  1. If opening D: directly from "My Computer" gets you infected, how are you supposed to browse the data on D:?
    Shunze recommends using "Windows Explorer" to view and manage files.
    Opening a partition or folder from the tree on the left side of "Explorer" does not automatically run files like autorun.inf.



  2. What if you are not sure whether someone else's USB stick is infected, but you have to look at the data on it?
    Normally, after you plug in a USB stick, Windows scans it automatically and then automatically runs autorun.inf.
    The result is infection...
    This is also why USB sticks spread viruses so easily.

    In that situation, hold down the "Shift" key on the keyboard and then plug in the stick.
    This simple action makes Windows skip the autorun function.
    (Of course, this also works for CDs~)

  3. Since autorun.inf is such a nuisance, is there a way to set the computer so it never runs it again?
    There is, but after that setting nothing will autorun any more, CDs included...

    A better approach: in the root directory of every disk partition (USB sticks included), create a folder named autorun.inf.
    Once that folder exists, the virus can no longer add a file with the same name, and the autorun programs on CDs are not affected.
    This approach seems much simpler and more practical~

Attached files
delkavo.zip (1 KB, downloaded 2076 times)


Author: shunze   Posted: 2007-09-11, 09:30:

[Notice] What exactly is Ntdelect.com

In fact Ntdelect.com is the virus body itself.
Its name imitates Ntdetect.com, a system file of the Windows NT-based operating systems.
A look-alike file name is one of the hallmarks of a virus!
The purpose is to confuse people into thinking it is a system file and overlooking its presence.


In addition, a look-alike name carries a considerable risk that, during manual cleanup, someone deletes the real system file by mistake and the machine no longer boots.

So be very careful when cleaning up by hand...


Author: shunze   Posted: 2007-09-11, 16:00:

Below is the content of the kavo virus's autorun.inf.

[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com

We can see that the original Open and Explore (Manager) actions have both been changed by the virus to run ntdelect.com.
This means that whether you double-click D: in "My Computer",
or right-click D: in "My Computer" and open it with Explore, you get infected just the same!


↑ Opening it this way infects you just the same...

So the safest way to open a disk is still from the tree view of "Windows Explorer".


↑ Opening it this way is safe!


The attached file is an archive of the kavo body ntdelect.com and its launcher autorun.inf, for testing only.
(The archive password is virus)

Run ntdelect.com after extracting it and you will be infected!
Be careful, don't play a joke on yourself!



Also, if after the cleanup you find that you still cannot turn on showing hidden files,
just run the cleanup procedure once more and it should be OK~

Attached files
virus-kavo.rar (74 KB, downloaded 1809 times)
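Added example, not code from the thread (Shunze's own code is the batch file in the first post): the script below does in Python what steps 1 and 2 of that cleanup and the "autorun.inf folder" trick from its notes describe, but driven by parsing the autorun.inf shown in this post instead of a fixed list of file names, and it applies the look-alike-name point from the Ntdelect.com post as a check. Everything in it is an assumption rather than something the thread states: the SYSTEM_NAMES list, the 0.85 similarity threshold, the `kind` argument (fixed/removable/cdrom), the function names, and the sample tree that `build_demo()` constructs for the demo. The registry side (step 3) is not covered.

```python
"""Triage and cleanup of autorun.inf droppers on a set of volume roots (added example, not from the thread)."""
import ctypes
import difflib
import os
import tempfile
from pathlib import Path

# System files whose names droppers imitate (assumed list); ntdelect.com vs. ntdetect.com is the case on this page.
SYSTEM_NAMES = ("ntdetect.com", "ntldr", "explorer.exe", "svchost.exe")
LAUNCH_KEYS = ("open", "shellexecute")  # entries that start a program directly

# The kavo autorun.inf quoted in the thread, reproduced here as the sample input for the demo tree.
KAVO_INF = r"""[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
"""

def parse_autorun(text):
    """Parse the [autorun] section into {key: value}; keys lower-cased, ';' comment lines dropped."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """[(key, program)] for open=, shellexecute= and shell\\<verb>\\command= entries (first token = program)."""
    found = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            tokens = value.split()
            if tokens:
                found.append((key, tokens[0].strip('"')))
    return found

def lookalike(name):
    """System file that `name` imitates (SequenceMatcher ratio >= 0.85, an assumed threshold), else None."""
    name = name.lower()
    for sysname in SYSTEM_NAMES:
        if name != sysname and difflib.SequenceMatcher(None, name, sysname).ratio() >= 0.85:
            return sysname
    return None

def triage(root, kind="fixed"):
    """Verdict for <root>/autorun.inf: absent, vaccinated (it is a folder), benign or malicious."""
    inf = Path(root) / "autorun.inf"
    if not inf.exists():
        return {"verdict": "absent", "reasons": [], "targets": []}
    if inf.is_dir():
        return {"verdict": "vaccinated", "reasons": [], "targets": []}
    reasons, targets = [], []
    for key, program in launch_targets(parse_autorun(inf.read_text(errors="replace"))):
        targets.append(program)
        base = program.replace("\\", "/").rsplit("/", 1)[-1]
        # A hard-disk partition or USB stick ('fixed'/'removable') has no business launching anything;
        # on a 'cdrom' only look-alike names and programs stashed in a recycle-bin folder are flagged.
        if kind != "cdrom":
            reasons.append(f"{key} launches {program} from a {kind} volume")
        if lookalike(base):
            reasons.append(f"{base} imitates the system file {lookalike(base)}")
        if "recycle" in program.lower():
            reasons.append(f"{program} is stashed in a recycle-bin folder")
    return {"verdict": "malicious" if reasons else "benign", "reasons": reasons, "targets": targets}

def clean(root, kind="fixed"):
    """Delete a malicious autorun.inf and its programs, then vaccinate the root with an autorun.inf folder."""
    root = Path(root).resolve()
    report = triage(root, kind)
    removed, failed = [], []
    if report["verdict"] == "malicious":
        for rel in report["targets"] + ["autorun.inf"]:
            victim = (root / rel.replace("\\", "/")).resolve()
            # never follow a target that points outside this volume (e.g. ..\..\Windows\explorer.exe)
            if root not in victim.parents or not victim.is_file():
                continue
            try:
                if os.name == "nt":  # clear hidden/system/read-only (FILE_ATTRIBUTE_NORMAL), like attrib -s -h -r
                    ctypes.windll.kernel32.SetFileAttributesW(str(victim), 0x80)
                victim.unlink()
                removed.append(victim.name)
            except OSError as exc:  # a running dropper keeps its own file open; report instead of crashing
                failed.append(f"{victim.name}: {exc}")
    inf = root / "autorun.inf"
    if not inf.exists():
        inf.mkdir()  # a folder of that name keeps a dropper from writing its file here
    return {"verdict": report["verdict"], "removed": removed, "failed": failed}

def build_demo():
    """Constructed sample tree: infected partition D, a CD with a benign autorun, a vaccinated USB stick."""
    base = Path(tempfile.mkdtemp())
    (base / "D" / "RECYCLER").mkdir(parents=True)
    (base / "D" / "autorun.inf").write_text(KAVO_INF)
    (base / "D" / "ntdelect.com").write_bytes(b"MZ fake dropper")
    (base / "CD").mkdir()
    (base / "CD" / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")
    (base / "USB" / "autorun.inf").mkdir(parents=True)
    return base
```

Run it per volume root, for instance `clean(r"D:\\")` on each partition and stick. On a live Windows machine the dropper process holds its own executable open, so `unlink` raises a permission error and the name lands in `failed` rather than `removed`; that is the same reason any file-based cleanup has to be followed by ending the process or a reboot, and a second run after that finishes the job. The `kind` argument encodes the thread's core observation: a CD legitimately carries an `open=` entry, a hard-disk partition or USB stick never does, so the same autorun.inf is benign on one and malicious on the other.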
