{"id":10654,"date":"2014-12-11T09:00:25","date_gmt":"2014-12-11T01:00:25","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=10654"},"modified":"2014-12-11T10:20:07","modified_gmt":"2014-12-11T02:20:07","slug":"%e7%b4%a2%e5%b0%bc%ef%bc%88sony-pictures%ef%bc%89%e8%a2%ab%e9%a7%ad%e4%ba%8b%e4%bb%b6%e5%88%86%e6%9e%90-wipall-%e6%83%a1%e6%84%8f%e8%bb%9f%e9%ab%94%e5%88%86%e6%9e%90","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=10654","title":{"rendered":"< \u7d22\u5c3c\u5f71\u696d\u88ab\u99ed\u4e8b\u4ef6 > GOP \u99ed\u5ba2\u7d44\u7e54\u7d66Sony Pictures\u54e1\u5de5\u7684\u8b66\u544a\u8207 WIPALL \u60e1\u610f\u8edf\u9ad4\u8b8a\u7a2e\u5206\u6790"},"content":{"rendered":"

\u8da8\u52e2\u79d1\u6280<\/a> \u4e4b\u524d\u8a0e\u8ad6\u4e86\u300c\u7834\u58de\u6027\u300d\u7f8e\u570b\u806f\u90a6\u8abf\u67e5\u5c40\u5b89\u5168\u901a\u5831\u548c\u95dc\u65bcWIPALL\u60e1\u610f\u8edf\u9ad4\u5bb6\u65cf\u7684\u5206\u6790<\/a>\u53ca\u5176\u5c0d\u7d22\u5c3c\u5f71\u8996\uff08Sony Pictures\uff09\u5927\u898f\u6a21\u99ed\u5ba2\u653b\u64ca<\/a>\u7684\u76f4\u63a5\u95dc\u806f\u3002<\/p>\n

\"\u99ed\u5ba2hacker\"<\/p>\n

\u5728\u6b64\u7bc7\u6587\u7ae0\u4e2d\uff0c\u6211\u5011\u5c07\u9032\u4e00\u6b65\u8a0e\u8ad6\u5176\u4ed6 WIPALL\u60e1\u610f\u8edf\u9ad4\u8b8a\u7a2e\u548c\u5b83\u5011\u8207\u7d22\u5c3c\u5f71\u8996\uff08Sony Pictures\uff09\u54e1\u5de5\u53d7\u611f\u67d3\u96fb\u8166\u5167\u6240\u898b#GOP\u8b66\u544a\u76f8\u95dc\u7684\u4e3b\u8981\u884c\u70ba\u3002\u4e0b\u9762\u662f\u5c0d\u6b64\u6587\u7ae0\u6240\u8981\u8a0e\u8ad6\u611f\u67d3\u93c8\u7684\u6982\u8ff0\uff1a<\/p>\n

\"\"<\/p>\n

BKDR64_WIPALL.F<\/em><\/strong>\u505c\u7528McAfee\u670d\u52d9<\/em><\/strong><\/p>\n

WIPALL\u8b8a\u7a2eBKDR_WIPALL.C\u548c\u4e4b\u524d\u6240\u8a0e\u8ad6\u7684\u8b8a\u7a2eBKDR_WIPALL.B\u5171\u7528\u7a0b\u5f0f\u78bc\u3002\u5728BKDR_WIPALL.C\u6848\u4f8b\u4e2d\u3001\u690d\u5165\u7684\u8907\u672c\u547d\u540d\u70baigfxtrays{2\u96a8\u6a5f\u5b57\u5143}.exe<\/em>\u548c\u7528\u6307\u5b9a\u53c3\u6578\uff08-a\u3001-m\u3001-d\u3001-s\uff09\u57f7\u884c\u6578\u500b\u81ea\u8eab\u8907\u672c\uff0c\u5176\u4e2d\u5305\u542b\u5176\u4e3b\u8981\u884c\u70ba\u3002<\/p>\n

\"\"<\/p>\n

\u57161\u3001BKDR_WIPALL.C\u7684\u4e3b\u8981\u60e1\u610f\u8edf\u9ad4\u884c\u70ba<\/p>\n

<\/p>\n

\u503c\u5f97\u6ce8\u610f\u7684\u662fBKDR_WIPALL.C\u6703\u6aa2\u67e5\u53d7\u611f\u67d3\u7cfb\u7d71\u662f\u5426\u70ba64\u4f4d\u5143\u3002\u5982\u679c\u767c\u73fe\u662f\u572864\u4f4d\u5143\u7cfb\u7d71\u4e0a\u57f7\u884c\uff0c\u8a72\u60e1\u610f\u8edf\u9ad4\u6703\u690d\u5165kph.sys<\/em>\uff08KProcessHacker\u9a45\u52d5\u7a0b\u5f0f\uff09\u548c\u5176\u5143\u4ef6ams.exe<\/em>\uff08\u5075\u6e2c\u70baBKDR64_WIPALL.F<\/a>\uff09\u3002<\/p>\n

\u6211\u5011\u6ce8\u610f\u5230BKDR64_WIPALL.F\u7528\u53e6\u4e00\u500b\u4f4d\u5728\u5176\u76ee\u524d\u76ee\u9304\u7684\u6a94\u6848\u4f86\u7f6e\u63dbMcAfee\u7684\u5373\u6642\u6383\u63cf\u7a0b\u5f0fmcshield.exe\uff0c\u539f\u672c\u7684mcshield.exe\u88ab\u653e\u5230system32\u76ee\u9304\u3002\u63a5\u8457\uff0c\u7576McAfee\u670d\u52d9\u57f7\u884c\uff0c\u88ab\u7f6e\u63db\u7684\u57f7\u884c\u6a94\u5c07\u88ab\u57f7\u884c\uff0c\u800c\u975e\u6b63\u5e38\u7684\u5373\u6642\u6383\u63cf\u5143\u4ef6\uff0c\u6709\u6548\u5730\u505c\u7528\u9632\u6bd2\u8edf\u9ad4\u904b\u4f5c\u3002<\/p>\n

\"\"<\/p>\n

\u57162\u3001BKDR64_WIPALL.F\u5f9e\u8a3b\u518a\u8868\u670d\u52d9\u5217\u8868\u4e2d\u53d6\u5f97McShield.exe\u8def\u5f91\uff1aHKLM\\CurrentControlSet\\services\\McShield<\/em><\/p>\n

 <\/p>\n

\"\"<\/p>\n

\u57163\u3001BKDR64_WIPALL.F\u5c07\u6b63\u5e38mcshield.exe\u79fb\u52d5\u5230System32\u76ee\u9304\uff0c\u4e26\u7528\u4f4d\u5728\u60e1\u610f\u8edf\u9ad4\u76ee\u524d\u76ee\u9304\u5167\u7684\u53e6\u4e00\u500bmcshield.exe\u66ff\u63db<\/em><\/p>\n

BKDR64_WIPALL.F\u5c07KprocessHacker\u5b89\u88dd\u70ba\u9a45\u52d5\u7a0b\u5f0f\u670d\u52d9\uff0c\u4e26\u7528\u5b83\u4f86\u7d42\u6b62\u4e0b\u5217\u548cMcAfee\u9632\u6bd2\u61c9\u7528\u7a0b\u5f0f\u76f8\u95dc\u7684\u7a0b\u5e8f\uff08\u4e5f\u5217\u5728\u4e0a\u9762\u7684\u611f\u67d3\u93c8\u4e2d\uff09\u3002\u9019\u662f\u984d\u5916\u63aa\u65bd\u4f86\u78ba\u4fdd\u60e1\u610f\u8edf\u9ad4\u9806\u5229\u57f7\u884c\u3002<\/p>\n