该病毒通过U盘传播,在硬盘与U盘的根目录下生成autorun.inf 和stesm.exe,且置为隐藏与系统属性,360杀毒被关闭,无法访问病毒安全相关的网站或论坛相应的版块(一访问浏览器就被关闭),可能屏蔽了有关的关键字。autorun.inf文件内容如下:
[AutoRun]
Open=stesm.exe
Shell\Open=打开(&O)
Shell\Open\Command=stesm.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=stesm.exe
由病毒生成的其它文件有:
%UserProfile%\kjkxi.drv
%ProgramFiles%\Common Files\stesm.exe
以上%UserProfile%指C:\Documents and Settings\<用户名>\;%ProgramFiles%指C:\Program Files\
增加注册表项(生成服务或驱动):
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller]
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%UserProfile%\dqlds"
DisplayName = "DrvKiller"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller]
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%UserProfile%\dqlds"
DisplayName = "DrvKiller"
其中%UserProfile%的说明见上。
以上内容来源于ThreatExpert对样本文件stesm.exe的分析,不排除生成随机文件名的可能。清除建议:除了autorun.inf和根目录下的stesm.exe,应查找C:\Documents and Settings\<用户名>\kjkxi.drv和C:\Program Files\Common Files\stesm.exe,并根据上述内容删除注册表项HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller和HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller及C:\Documents and Settings\<用户名>\dqlds。如文件名有变动,可按以上路径对照检查。