透過Skype傳播的病毒  

今天下午我的同事突然在Skype對話框丟一個連結如下圖,那個連結看起來是一個...jpg的圖檔,其實是 .scr 螢幕保護程式偽裝的.
[15:28:02] Clevo-劉X倉 說 : how are u ? :)
[15:28:25] Clevo-劉X倉 說 : look what crazy photo Tiffany sent to me,looks cool
[15:28:30] Clevo-劉X倉 說 : haha lol
[15:28:37] Clevo-X文倉 說 : http://www.fakme.org/erotic-gallerys/usr5d8c/  dsc027.jpg
[15:28:50] Clevo-劉X倉 說 : :D
[16:29:16] Clevo-劉文X 說 : 剛剛傳的那個網址不是我傳的。是有毒的，不要開唷！
[15:57:13] Clevo-洪Jenping 說 : hey
[15:57:14] Clevo-洪Jenping 說 : look what crazy photo Tiffany sent to me,looks cool
[15:57:18] Clevo-洪Jenping 說 : http://www.fakme.org/erotic-gallerys/usr5d8c/ dsc027.jpg
[15:57:27] Clevo-洪Jenping 說 : I used photoshop and edited it
[15:57:28] Clevo-洪Jenping 說 : u happy ?
[15:57:31] Clevo-洪Jenping 說 : http://www.myimagespace.net/erotic-gallerys/usr5d8c/ dsc027.jpg
[15:57:39] Clevo-洪Jenping 說 : oops sorry please don't look there :S
[16:31:30] 戰地記者 說 : Skype 中毒了你, Skype 病毒 virus

點了它除了會透過 Skype 散播,還有以下的中毒症狀.

• Skype官方討論區有提到下面的網址跟病毒有關
  www.what.net ....
  www.what.org ...
• 會執行 wndriv32.exe, 殺了以後仍會再起.
• skype會不能正常使用(視窗打不開也無法設狀態, 要用工作管理員強制殺掉)
• 工作管理員及regedit會無法開啟(開啟後被關掉)
• 會寫入一堆防毒公司網址及對應ip到 host 檔案內,企圖讓病毒碼更新失敗.

如何排除此病毒-解毒/掃毒

• 用工作管理員強制關掉/刪除執行中的 Skype 程序 
• 用工作管理員強制關掉/刪除DSC027
• 將你的螢幕保護程式換掉,因為病毒隱藏在 DSC027 這個 Screen Saver 中
• 清除/Delete 你剛剛點的連結所下載的檔案
• 重新開啟 Skype 程式, 看是誰傳送該連結給你, 把他殺了...告知對方已中毒,以免災情擴大.

參考連結:

• Skype 官方討論區
• PCZONE 討論區
• 新變種蠕蟲綁架Skype、關閉防毒軟體 - Taiwan.Cnet.com
• Virus Link Also http://what.com/files/54512628/clean.bat.htmｌ
• On the worm that affects Skype for Windows users
  Skype has learned that a computer virus called “w32/Ramex.A” is affecting users of Skype for Windows.
  

  Expert users — and only expert users — who know what they’re doing can also remove the worm manually.

  1. Restart the PC in safe mode
  2. Run regedit
  3. Go to HKLM/software/microsoft/windows/currentversion/runonce find entry with mshtmldat32.exe. Delete this entry.
  4. Go to Windows\System32 directory and delete following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe
  5. Go to windows/system32/drivers/etc
  6. Find file hosts
  7. Open it with notepad, ctrl+a and delete all entries (this will resume your antivirus updates), save, close.
  8. Restart the PC.
• forum.skype.com
  here is how to get rid of this thing:

  1) shut down skype using the task manager if need be (to stop spreading this virus further)
  2) start your task manager and shut down the "DSC027" program
  3) change your screen saver (display properties etc.) to something other than "DSC027"
  4) delete the file you downloaded
  5) restart skype and check who you sent this to (see events and chat history) and let them know what's going on