2006-10-14 11:10
祥子
[源码]查杀QQ Messenger病毒
昨天,同事的机子中招了。
QQ总是提示密码不正确,查看进程,里面有一个名为Messenger.exe的危险进程。
该进程的路径在QQ的安装目录下。
但是该程序设置的文件属性为隐藏。
这个时候怎么修改查看属性都没有,一直没还原为不可查看隐藏文件。
显然他修改了注册表。但这个病毒也比如狡猾,他实际刷新注册表,把被修改的部分再改回来。
结束进程也没有用,因为他还有其他的动态库挂在系统进程上。本人没有查出他挂在什么系统进程上。
不管那么多了,直接写了一个服务程序,在进程和动态还没有活动的时候就把他们一下掉就可以了。现在我粘上源码,供大家交流。
昨天,同事的机子中招了。
QQ总是提示密码不正确,查看进程,里面有一个名为Messenger.exe的危险进程。
该进程的路径在QQ的安装目录下。
但是该程序设置的文件属性为隐藏。
这个时候怎么修改查看属性都没有,一直没还原为不可查看隐藏文件。
显然他修改了注册表。但这个病毒也比如狡猾,他实际刷新注册表,把被修改的部分再改回来。
结束进程也没有用,因为他还有其他的动态库挂在系统进程上。本人没有查出他挂在什么系统进程上。
不管那么多了,直接写了一个服务程序,在进程和动态还没有活动的时候就把他们一下掉就可以了。现在我粘上源码,供大家交流。
2006-10-14 11:11
祥子
晕。。。没地方贴附件......
2006-10-14 11:34
祥子
权限不够,我直接贴出来好了....代码是DELPHI的服务程序:
unit uMain;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, SvcMgr, Dialogs, Registry;
type
TService1 = class(TService)
procedure ServiceContinue(Sender: TService; var Continued: Boolean);
procedure ServiceExecute(Sender: TService);
procedure ServicePause(Sender: TService; var Paused: Boolean);
procedure ServiceShutdown(Sender: TService);
procedure ServiceStop(Sender: TService; var Stopped: Boolean);
private
{ Private declarations }
procedure MyDeleteFile(const APath: string);
//procedure MyDeleteReg;
public
function GetServiceController: TServiceController; override;
{ Public declarations }
end;
var
Service1: TService1;
AText: TextFile;
implementation
{$R *.DFM}
procedure ServiceController(CtrlCode: DWord); stdcall;
begin
Service1.Controller(CtrlCode);
end;
function TService1.GetServiceController: TServiceController;
begin
Result := ServiceController;
end;
procedure TService1.MyDeleteFile(const APath: string);
begin
if FileExists(APath) then
begin
DeleteFile(APath);
Writeln(AText, '删除' + APath + '成功');
end;
end;
{procedure TService1.MyDeleteReg;
var
tmpReg: TRegistry;
begin
tmpReg := TRegistry.Create;
try
finally
tmpReg.Free;
end;
end;}
procedure TService1.ServiceContinue(Sender: TService;
var Continued: Boolean);
begin
Continued := True;
end;
procedure TService1.ServiceExecute(Sender: TService);
var
Handle: THandle;
FilePath: string;
begin
FilePath := 'C:\Result.txt';
Handle := CreateFile(PChar(FilePath), 3,5,nil,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,0);
while not Terminated do
begin
Sleep(600);
AssignFile(AText,'D:\Result.txt');
Reset(AText);
Append(AText);
Writeln(AText, '//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=');
MyDeleteFile('C:\Program Files\Tencent\QQ\Messenger.exe');
MyDeleteFile('C:\WINDOWS\system32\Maxthonz.dll');
MyDeleteFile('C:\Program Files\Tencent\QQ\RTraveler.dll');
MyDeleteFile('C:\WINDOWS\gafsdaz.bat');
Writeln(AText, '');
Writeln(AText, '//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=');
CloseFile(AText);
Break;
end;
CloseHandle(Handle);
Self.DoStop;
end;
procedure TService1.ServicePause(Sender: TService; var Paused: Boolean);
begin
Paused := True;
end;
procedure TService1.ServiceShutdown(Sender: TService);
begin
Status := csStopped;
end;
procedure TService1.ServiceStop(Sender: TService; var Stopped: Boolean);
begin
Stopped := True;
end;
end.
unit uMain;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, SvcMgr, Dialogs, Registry;
type
TService1 = class(TService)
procedure ServiceContinue(Sender: TService; var Continued: Boolean);
procedure ServiceExecute(Sender: TService);
procedure ServicePause(Sender: TService; var Paused: Boolean);
procedure ServiceShutdown(Sender: TService);
procedure ServiceStop(Sender: TService; var Stopped: Boolean);
private
{ Private declarations }
procedure MyDeleteFile(const APath: string);
//procedure MyDeleteReg;
public
function GetServiceController: TServiceController; override;
{ Public declarations }
end;
var
Service1: TService1;
AText: TextFile;
implementation
{$R *.DFM}
procedure ServiceController(CtrlCode: DWord); stdcall;
begin
Service1.Controller(CtrlCode);
end;
function TService1.GetServiceController: TServiceController;
begin
Result := ServiceController;
end;
procedure TService1.MyDeleteFile(const APath: string);
begin
if FileExists(APath) then
begin
DeleteFile(APath);
Writeln(AText, '删除' + APath + '成功');
end;
end;
{procedure TService1.MyDeleteReg;
var
tmpReg: TRegistry;
begin
tmpReg := TRegistry.Create;
try
finally
tmpReg.Free;
end;
end;}
procedure TService1.ServiceContinue(Sender: TService;
var Continued: Boolean);
begin
Continued := True;
end;
procedure TService1.ServiceExecute(Sender: TService);
var
Handle: THandle;
FilePath: string;
begin
FilePath := 'C:\Result.txt';
Handle := CreateFile(PChar(FilePath), 3,5,nil,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,0);
while not Terminated do
begin
Sleep(600);
AssignFile(AText,'D:\Result.txt');
Reset(AText);
Append(AText);
Writeln(AText, '//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=');
MyDeleteFile('C:\Program Files\Tencent\QQ\Messenger.exe');
MyDeleteFile('C:\WINDOWS\system32\Maxthonz.dll');
MyDeleteFile('C:\Program Files\Tencent\QQ\RTraveler.dll');
MyDeleteFile('C:\WINDOWS\gafsdaz.bat');
Writeln(AText, '');
Writeln(AText, '//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=');
CloseFile(AText);
Break;
end;
CloseHandle(Handle);
Self.DoStop;
end;
procedure TService1.ServicePause(Sender: TService; var Paused: Boolean);
begin
Paused := True;
end;
procedure TService1.ServiceShutdown(Sender: TService);
begin
Status := csStopped;
end;
procedure TService1.ServiceStop(Sender: TService; var Stopped: Boolean);
begin
Stopped := True;
end;
end.
2006-10-14 17:08
木舟
to 祥子: 论坛的权限设置问题, 现在可以上传附件了!
页: [1]
查看完整版本: [源码]查杀QQ Messenger病毒
Powered by Discuz! Archiver 5.5.0 © 2001-2006 Comsenz Inc.