【軟體】疾風病毒自動掃瞄移除工具---不止疾風病毒含其他蠕蟲病毒



贊助商連結


baba_yu
2003-08-15, 09:07 PM
此程式FOR 所有的版本 NT/2000/XP/2003

程式
ftp://ftp.kaspersky.com/utils/clrav.com

用法說明及參數


****************************************************************************
Utility for cleaning infection by:
I-Worm.BleBla.b
I-Worm.Navidad
I-Worm.Sircam
I-Worm.Goner
I-Worm.Klez.a,e,f,g,h
Win32.Elkern.c
I-Worm.Lentin.a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p
I-Worm.Tanatos.a,b
Worm.Win32.Opasoft.a,b,c,d,e,f,g,h
I-Worm.Avron.a,b,c,d,e
I-Worm.LovGate.a,b,c,d,e,f,g,h,i,j,k,l
I-Worm.Fizzer
I-Worm.Magold.a,b,c,d,e
Worm.Win32.Lovesan
Version 10.0.5.2 Copyright (C) Kaspersky Lab 2000-2003. All rights reserved.
****************************************************************************
Command line:
/s[n] - to force scaning of hard drives. Program will scan hard
drive for I-Worm.Klez.a(e,f,g,h) infection in any case.
n - include scaning of mapped network drives.
/y - end program without pressing any key.
/i - show command line info.
/nr - do not reboot system automatically in any cases.
/Rpt[ao][=<Report file path>] - create report file
a - add report file
o - report only (do not cure/delete infected files)
Return codes:
0 - nothing to clean
1 - virus was deleted and system restored
2 - to finilize removal of virus you shold reboot system
3 - to finilize removal of virus you shold reboot system and start
program the second time
4 - programm error.
****************************************************************************

I-Worm.BleBla.b
---------------
If program find HKEY_CLASSES_ROOT\rnjfile key in registry it:
delete registry keys
HKEY_CLASSES_ROOT\rnjfile
HKEY_CLASSES_ROOT\.lha
repair registry key to default value
HKEY_CLASSES_ROOT\.jpg to jpegfile
HKEY_CLASSES_ROOT\.jpeg to jpegfile
HKEY_CLASSES_ROOT\.jpe to jpegfile
HKEY_CLASSES_ROOT\.bmp to Paint.Picture
HKEY_CLASSES_ROOT\.gif to giffile
HKEY_CLASSES_ROOT\.avi to avifile
HKEY_CLASSES_ROOT\.mpg to mpegfile
HKEY_CLASSES_ROOT\.mpeg to mpegfile
HKEY_CLASSES_ROOT\.mp2 to mpegfile
HKEY_CLASSES_ROOT\.wmf to empty
HKEY_CLASSES_ROOT\.wma to wmafile
HKEY_CLASSES_ROOT\.wmv to wmvfile
HKEY_CLASSES_ROOT\.mp3 to mp3file
HKEY_CLASSES_ROOT\.vqf to empty
HKEY_CLASSES_ROOT\.doc to word.document.8 or wordpad.document.1
HKEY_CLASSES_ROOT\.xls to excel.sheet.8
HKEY_CLASSES_ROOT\.zip to winzip
HKEY_CLASSES_ROOT\.rar to winrar
HKEY_CLASSES_ROOT\.arj to archivefile or winzip
HKEY_CLASSES_ROOT\.reg to regfile
HKEY_CLASSES_ROOT\.exe to exefile
try to delete file
c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
If program find HKEY_CURRENT_USER\Software\Navidad,
HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key
in registry it:
delete registry keys
HKEY_CURRENT_USER\Software\Navidad
HKEY_CURRENT_USER\Software\xxxxmas
HKEY_CURRENT_USER\Software\Emanuel
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD
repair registry key to default value
HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
try to delete file
winsvrc.vxd
winfile.vxd
wintask.exe

I-Worm.Sircam
-------------
If program find HKEY_LOCAL_MACHINE\Software\SirCam key in registry,
"@win \recycled\sirc32.exe" in autoexec.bat or \windows\run32.exe and
\windows\rundll32.exe was created on Delphi it:
delete registry keys
HKEY_LOCAL_MACHINE\Software\SirCam
Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32
repair registry key to default value
HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
try to delete file
%Windows drive%:\RECYCLED\SirC32.exe
%Windows directory%\ScMx32.exe
%Windows system directory%\SCam32.exe
%Windows startup directory%\"Microsoft Internet Office.exe"
%Windows drive%:\windows\rundll32.exe
try to rename files
%Windows drive%:\windows\Run32.exe to
%Windows drive%:\windows\RunDll32.exe
try to repair files
autoexec.bat

In case program can not delete or rename any files (it may be used at
that moment) it set these files to queue to delete or rename during bootup
process and offer user to reboot system.

I-Worm.Goner
------------
If gone.scr process exist in memory, program will try to stop it.
if file %Windows system directory%\gone.scr exist on hard drive,
program will try to delete it.
If program find %Windows system directory%\gone.scr key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run of system
registry, it will delete this key.

I-Worm.Klez.a,e-h, Win32.Elkern.c, I-Worm.Lentin.a-p, I-Worm.Tanatos.a-b,
-------------------------------------------------------------------------
Worm.Win32.Opasoft.a-h, I-Worm.Avron.a-e, I-Worm.LovGate.a-l, I-Worm.Fizzer,
----------------------------------------------------------------------------
I-Worm.Magold.a-e, Worm.Win32.Lovesan
-------------------------------------
If program find next processes in memory:
Krn132.exe
WQK.exe
or any processes, infected by these viruses, it will try to
unhook virus hooks and patch needed processes to stop reinfection and then
stop them and delete/cure their files on hard drive and delete links to their
files from system registry and other startup places.
If program find that WQK.DLL library has been loaded by any processes
it will rename file of this library and will remove it after system reboot.
In case program find such library in memory of your PC you should reboot your
PC when program finish and start it the second time after reboot to clean your
system registry.
If program find any infected processes in memory it will start scan of
your hard drive (and all mapped network drives if you specify /netscan in
command line). It will check only infection by these viruses.
If you specify /s key in command line program will scan your hard drive
(and all mapped network drives if you specify /sn) in all cases.
If Win32.Elkern.c virus create memory mapping, program will disinfect
this memory area.
Program can restore next startup links used by viruses:
autoexec.bat
win %virus file path and name%
win.ini section [Windows]
run=<virus file>
registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
values
AppInit_DLLs
Run
HKEY_CLASSES_ROOT\txtfile\shell\open\command (txt association)
restoring to link to notepad.exe program
HKEY_CLASSES_ROOT\exefile\shell\open\command (exe association)
restoring to "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command (com association)
restoring to "%1" %*
HKEY_CLASSES_ROOT\batfile\shell\open\command (bat association)
restoring to "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command (pif association)
restoring to "%1" %*
HKEY_CLASSES_ROOT\scrfile\shell\open\command (scr association)
restoring to "%1" %*
installed NT services
mIRC start scripts
<Program Files folder>\Mirc\script.ini
<Program Files folder>\Mirc32\script.ini
Pirch start scripts
<Program Files folder>\Pirch98\events.ini



用法:
1. copy clrav.com 到你的windows\system32目錄下
2. 開始--->執行----->鍵入clrav.com /s----> 確定

贊助商連結


TAIWAN
2003-08-16, 11:46 PM
對『 馬 』兒和『 蟲蟲 』 危機有用嗎 :D

這年頭 H 字輩的都已經不在用這類修改機碼的『馬』兒了和『 蟲蟲 』 :D

當然寫防毒軟體的還是只能用那套舊技術來做防範

不過聽說寫防毒的還會寫毒出來逛大街

不知是否正確

還是看看這一篇吧 寫防毒的最恨 :D

http://forum.icst.org.tw/phpBB2/viewtopic.php?t=943 ;)

baba_yu
2003-08-17, 12:46 AM
Taiwan兄 謝謝指教
我想重視資訊安全 不會只重視 防毒而不防火
下列應列為原則 有需要在另外開PROT
RULE 1:

Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: 127.0.0.1
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 2:

Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 3:

Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY

= = = = = = = = = = = = = = = =
RULE 4:

Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: (Your ISP DNS) IP number
Port type: Single
Port number: 53
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 5:

Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action DENY

= = = = = = = = = = = = = = = =
RULE 6:

Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 7:

Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time
Exceeded
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 8:

Description: In Block Ping and TraceRoute ICMP
(Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 9:

Description: Out Block Ping and TraceRoute ICMP
(Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time
Exceeded
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 10:

Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source
Quench, Redirect,
Echo, Time Exceeded, Parameter Prob, Time Stamp, Time
StampReply, Info
Request, Info Reply, Address, Address Reply, Router
Advertisement, Router
Solicitation (ALL)
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 11:

Description: Block Common Ports (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports:
113,79,21,80,443,8080,143,110,25,23,22,42,53,98
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 12:

Description: Back Orifice Block (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 54320,54321,31337
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 13:

Description: Netbus Block (Logged)
Protocol: TCP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 12456,12345,12346,20034
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 14:

Description: Bootpc (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 68
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 15:

Description: RPCSS (Logged)
Protocol: UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 135
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 16:

Description: Block Low Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 1
Last port number: 79
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 17:

Description: Block High Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 5000
Last port number: 65535
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 18:

Description: Internet Explorer-Web browsing
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 19:

Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 20:

Description: ICQ Web Access Block
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 80
Action DENY

= = = = = = = = = = = = = = = =
RULE 21:

Description: ICQ Application
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 5190
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 22:

Description: Block Outbound Unauthorized Apps TCP UDP
(Notify)
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 23:

Description: Block Inbound Unknown Apps TCP UDP
(Notify)
Protocol: TCP and UDP
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

If you are on a LAN you might need to allow NetBIOS to and from computers on
your LAN. You should insert two rules before rule 2 and 3:

RULE 2a:

Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 3b:

Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT