Network Analysis Expert Forum netexpert's Archiver

liwei294 posted on 2006-12-27 14:42

Problem with the mssym.exe process

Since Christmas a large number of the company's computers have been unable to get on the Internet, although QQ and MSN still work. After checking, I found that every one of these computers has an mssys.exe process; once that process is ended they can get online normally. It is said to be a virus. How can I remove this virus completely?
Thanks, waiting online!!

chenbingran posted on 2006-12-27 16:01

Find the file that the process corresponds to and deal with that. I had the same problem, only with a different process, CMD.EXE; it should be the same class of problem.

liwei294 posted on 2006-12-27 16:17

But not long after every reboot it pops up again by itself, which is very annoying. I don't know how to get rid of it completely.

jingshne posted on 2006-12-27 17:26

Submit the virus sample to the antivirus vendor; they update the virus definitions within two or three days, and that usually solves it!

MaZzzz posted on 2006-12-30 11:38

This is a virus that targets Symantec antivirus software.
The virus exploits a vulnerability Symantec disclosed in May (Symantec Remote Management Stack Buffer Overflow). In fact, as long as your Symantec virus definitions are updated to December 14 or later, this virus cannot activate.
The patch for the vulnerability can be downloaded from this URL:
[url]http://www.symantec.com/avcenter/security/Content/2006.05.25.html[/url]

The virus can be cleaned manually by ending the MSSYM.EXE process (sometimes there are two of them), then deleting MSSYM.EXE from your Symantec antivirus directory and %systemroot%\system32\mssym.exe (system, hidden attributes), and deleting the corresponding registry entries (usually under the HKUM, HKLM...Run keys). However.. while running, this virus opens a large number of local ports to scan the network for TCP port 2967 (the Symantec Remote Management port) to find machines it can infect, opens local port 2121 for TFTP, and also connects to an IRC server on the Internet, IP:5599; I recommend blocking that port at the gateway.. so the virus cannot spread variants inside the intranet.

Because Symantec's remote management function no longer works once the virus is running, the server cannot push virus definitions down. If it is a domain network, you can set a policy that forbids MSSYM.EXE from running, update the virus definitions on the antivirus server and apply the patch; that should resolve the problem. Of course.. if the clients still cannot update definitions from the server after the policy blocking MSSYM.EXE is in place~` then there is nothing for it but to update the definitions manually on each machine (cleaning the virus), and, while you are at it, patch the clients....

MaZzzz posted on 2006-12-30 11:41

This is eEye Digital Security's description of the vulnerability, from SecuriTeam
Symantec Remote Management Stack Buffer Overflow 13 Jun. 2006

Summary
Improper handling of user input allows attackers to execute arbitrary code in Symantec Remote Management.

Credit:
The information has been provided by eEye.

Details
Vulnerable Systems:
* Symantec AntiVirus 10.0.x for Windows (all versions)
* Symantec AntiVirus 10.1.x for Windows (all versions)
* Symantec Client Security 3.0.x for Windows (all versions)
* Symantec Client Security 3.1.x for Windows (all versions)

Immune Systems:
* Symantec AntiVirus 10.x.x for Macintosh
* Symantec AntiVirus 10.x.x for Linux
* Symantec AntiVirus 10.x.x for Wireless

A vulnerability in the remote management interface for Symantec AntiVirus 10.x and Symantec Client Security 3.x, which could be exploited by an anonymous attacker in order to execute arbitrary code with SYSTEM privileges on an affected system.
The management interface is typically enabled in enterprise settings and listens on TCP port 2967 by default, for both server and client systems.

Although remote management traffic is typically SSL-encrypted, managed systems will accept and process clear-text requests of the vulnerable type.

The remote management protocol communicated by the affected products is a proprietary message-based protocol with two levels of encapsulation.
The outer layer comprises a message header indicating one of three message types: 10, which designates a request to Rtvscan.exe, or 20 or 30, which mediate SSL negotiation. If SSL is established for a TCP connection, subsequent traffic is encrypted although the plaintext is still in the proprietary format.

The data of type-10 messages contains its own header and body which are processed by Rtvscan.exe. This header features a command field which specifies the operation to perform and dictates the format of the body data.

The COM_FORWARD_LOG (0x24) command handler contains an improper use of strncat that allows a 0x180-byte stack buffer to be overflowed with arbitrary data. If the first string in the COM_FORWARD_LOG request body contains a backslash, then one of the following two strncat calls will be performed:

* If the string contains a comma but no double-quote:

    strncat(dest, src, 0x17A - strlen(src));

* Otherwise:

    strncat(dest, src, 0x17C - strlen(src));

If the length of the source string exceeds 0x17A or 0x17C characters respectively, the arithmetic will underflow and result in a very large copy size (since the copy size argument is of type size_t, which is unsigned). This causes the entire source string to be appended to the buffer, allowing the stack to be overwritten with up to 64KB of data in which only null characters are prohibited.

Rtvscan.exe was compiled with the Visual Studio /GS security option which institutes stack canary checks, but this security measure can be bypassed by causing a very large overwrite and taking control of an exception handler registration.

As a basic workaround against automated exploitation, the management interface TCP port may be changed via the "HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort" registry value in order to accomplish a very slight amount of obfuscation. Remote management should continue to function even if the new port numbers are not homogeneous across an enterprise.

CVE Information:
CVE-2006-2630

Vendor Status:
Symantec has released patches for the affected products. For more information, please consult Symantec security advisory SYM06-010:
[url]http://www.symantec.com/avcenter/security/Content/2006.05.25.html[/url]

Disclosure Timeline:
Date Reported: May 24, 2006
Release Date: June 12, 2006
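
The size_t underflow the advisory describes, shown as an added example (my code, not Symantec's or eEye's): `advisory_count` is the count expression from the advisory, `safe_append` is a hardened replacement that derives the remaining room from the destination's real capacity and refuses oversize input, and the 'A'-filled source string is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 0x180   /* size of the stack buffer named in the advisory */
#define LIMIT     0x17A   /* constant used in the comma-but-no-quote case */

/* The count expression as the advisory describes it. Both operands are
   size_t, so when strlen(src) > limit the subtraction wraps to a huge
   value instead of going negative, and strncat is allowed to copy far
   more than the buffer can hold. */
size_t advisory_count(size_t limit, const char *src) {
    return limit - strlen(src);
}

/* Hardened variant (added here; not Symantec's actual fix). The room left
   in dest comes from its real capacity, is checked before any copy, and an
   oversize source is rejected instead of being truncated silently. */
bool safe_append(char *dest, size_t dest_size, const char *src) {
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL) return false;              /* dest not NUL-terminated */
    size_t used = (size_t)(end - dest);
    size_t room = dest_size - used - 1;         /* keep space for the NUL */
    size_t need = strlen(src);
    if (need > room) return false;              /* would overflow: refuse */
    memcpy(dest + used, src, need + 1);
    return true;
}

/* Constructs a src of src_len 'A's and reports whether the advisory's
   count wraps past the buffer size and whether safe_append refuses it. */
bool demo_oversize(size_t src_len, bool *wrapped, bool *rejected) {
    static char src[0x400];
    char dest[DEST_SIZE] = "";
    if (src_len >= sizeof src) return false;
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    *wrapped  = advisory_count(LIMIT, src) > DEST_SIZE;
    *rejected = !safe_append(dest, sizeof dest, src);
    return true;
}

int main(void) {
    bool wrapped = false, rejected = false;
    demo_oversize(0x200, &wrapped, &rejected);
    printf("0x200-byte source: count wrapped=%d, safe_append rejected=%d\n",
           wrapped, rejected);
    return 0;
}
```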

liwei294 posted on 2007-1-4 09:43

Thank you very much, I'll give it a try first!!!
