Trojan-PSW.Win32.Nilage.bcw是属于木马类病毒,是基于Borland Delphi 设计的主要针对微软windows系统的病毒,通过存储介质、 恶意网站、其它病毒,木马下载方式进入用户的电脑后进行信息盗取、arp欺骗、远程控制等活动。 目前常见的防毒软体均有针对性升级病毒库和专杀工具。
基本介绍
- 中文名Trojan-PSW.Win32.Nilage.bcw
- 病毒类型木马类
- 危害等级3
- 公开範围完全公开
病毒简介
病毒名称 Trojan-PSW.Win32.Nilage.bcw
病毒类型 木马类
档案 MD5 48ABEEBC0D32069184C46A86A4C363D9
公开範围 完全公开
危害等级 3
档案长度
33,363 位元组,脱壳后120,832 位元组
感染系统
windows 98以上版本
开发工具
Borland Delphi 6.0 - 7.0
加壳类型
UPX 0.89.6 - 1.02 / 1.05 - 1.22
病毒描述
该病毒通过移动存储介质、 恶意网站、其它病毒 /木马下载大面积传播;由于 该病毒查杀和劫持防毒软体、防火墙、病毒查杀工具软体,且插入其它进程的“随机 8位数字与字母组合.dll”
对注册表和病毒档案有监视和保护功能,则对其查杀该病毒有一定难度,更增加了其生存的空间。该木马可以通过插入的“随机8位数字与字母组合.dll”来记录用户的操作,从而达到盗取用户的
敏感信息目的。该木马运行后连线网路,更新档案,下载其它病毒档案,进行信息盗取、 arp 欺
骗、远程控制等。
行为分析
1 、病毒被激活后,複製自身到系统目录和各个驱动器下,衍生病毒档案
自身副本档案
%Program Files%\Common Files\Microsoft Shared\
MSInfo\随机8位数字与字母组合.dat
%WINDIR%\Help\随机8位数字与字母组合.chm
衍生病毒档案
%Program Files%\Common Files\Microsoft Shared\
MSInfo\随机8位数字与字母组合.dll
%WINDIR%\随机8位数字与字母组合.hlp
%system%\verclsid.exe.bak(删除原verclsid.exe档案,
并建立副本verclsid.exe.bak)
各个驱动器下释放自身副本
[DRIVE LETTER]:\ AutoRun.inf
[DRIVE LETTER]:\ 随机8位数字与字母组合.exe
注随机 8位数字与字母组合, 本次感染为80C88D28
2 、启动项目
(1)、修改注册表,在ShellExecuteHooks添加键值,以钩子挂接档案的打开操作,以达
到启动的目的
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D2 0C88D28}
键值 : 字串: " 默认 " = ""
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-
0C8D20C88D28}\InProcServer32\
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-
0C8D20C88D28}\InProcServer32
键值 :字串:"默认"=" %ProgramFiles%\CommonFiles\MicrosoftShared\
MSInfo\ 随机 8位数字与字母组合.dll "
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-
0C8D20C88D28}\InProcServer32
键值 : 字串: " ThreadingModel " = "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\ShellExecuteHooks
键值 : 字串: " " = ""
(2)、修改注册表恢复硬碟或光碟机的 AutoRun功能
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
Explorer\NoDriveTypeAutoRun
键值 : DWORD: 145 (0x91)
在 各个驱动器下释放 AutoRun.inf档案,从而在打开驱动器时运行同目录下的
“随机8位数字与字母组合.exe”档案, AutoRun代码如下
[AutoRun]
open=80C88D28.exe
shell\open=打开(&O)
shell\open\Command= 随机 8位数字与字母组合.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command= 随机 8位数字与字母组合.exe
3 、“随机 8位数字与字母组合.dll”插入到Explorer.exe进程中,以Explorer.exe进程监视其
写入的注册表键值,如删除则恢复; 尝试通过钩子挂接使“随机8位数字与字母组合.dll”插入
到IEXPLORER.EXE进程和应用程式进程中。
4 、监视并关闭众多防毒软体、防火墙、病毒查杀工具软体的进程与视窗及和防毒相关网站,甚
至带有病毒等关键字的视窗
AntiVirus TrojanFirewall
Kaspersky
JiangMin
KV200
Kxp
Rising
RAV
RFW
KAV200
KAV6
McAfe
Network Associates
TrustPort
NortonSymantec SYMANT~1
Norton SystemWorks
ESET
Grisoft
F-Pro
Alwil Software
ALWILS~1
F-Secure
ArcaBit
Softwin
ClamWin
DrWe
Fortineanda Software
Vba3
Trend Micro
QUICKH~1
TRENDM~1
Quick Heal
eSafewido
Prevx1
Ers
Avg
Ikarus
SophoSunbeltPC-cilli
ZoneAlar
Agnitum
WinAntiVirus
AhnLab
Normasurfsecret
Bullguard\Blac
360safe
SkyNet
Micropoint
Iparmor
Ftc
mmjk2007
Antiy Labs
LinDirMicro Lab
Filseclab
Ast
System Safety Monitor
ProcessGuard
FengYun
Lavasoft
Spy Cleaner Gold
CounterSpy
EagleEyeOS
Webroot
BufferZ
Avp
AgentSvr
CCenter
Rav
RavMonD
RavStub
RavTask
Rfwcfg
Rfwsrv
RsAgent
Rsaupd
Runiep
SmartUp
FileDsty
RegClean
360tray
360Safe
360rpt
Kabaload
Safelive
Ras
KASMain
KASTask
KAV32
KAVDX
KAVStart
KISLnchr
KMailMon
KMFilter
KPFW32
KPFW32X
KPFWSvc
KWatch9x
KWatch
KWatchX
TrojanDetector
UpLive.EXE
KVSrvXP
KvDetect
KRegEx
Kvol
Kvolself
Kvupload
Kvwsc
UIHost
IceSword
iparmo
mmsk
adam
MagicSet
PFWLiveUpdate
SREng
WoptiClean
scan32
QHSET
zxsweep.
AvMonitor
UmxCfg
UmxFwHlp
UmxPol
UmxAgent
UmxAttachment
KPFW32
KPFW32X
KvXP_1
KVMonXP_1
KvReport
KVScan
KVStub
KvXP
KVMonXP
KVCenter
TrojDie
avp.com.
krepair.COM
KaScrScn.SCR
Trojan
Virus
kaspersky
jiangmin
rising
ikaka
duba
kingsoft
360safe
木马
木马
病毒
防毒
防毒
查毒
防毒
反病毒
专杀
专杀
卡巴斯基
江民
瑞星
卡卡社区
金山毒霸
毒霸
金山社区
360安全
恶意软体
流氓软体
举报
报警
杀软
杀软
防骇
微点
MSInfo
winRAR
IceSword
HijackThis
Killbox
Procexp
Magicset
EQSysSecureProSecurity
Yahoo!
Google
Baidu
P4P
Sogou PXP
Ardsys
超级兔子木马
KSysFiltsys
KSysCallsys
KsLoader
KvfwMcl
autoruns
AppSvc32
ccSvcHst
isPwdSvc
symlcsvcnod32kui
avgrssvc
RfwMain
KAVPFW
Iparmor
nod32krn
AVK
K7
Zondex
Blcorp
Tiny Firewall Pro
Jetico
HAURI
CA
Kmx
PCClear_Plus
Novatix
Ashampoo
WinPatrol
PFW
Mmsk
The Cleaner
Defendio
kis6Beheadsreng
Trojanwall
FTCleanerShell
loaddll
rfwProxy
mcconsol
HijackThis
Mmqczj
RavMon
KAVSetup
NAVSetup
SysSafe
hcfg32
NOD3
5 、破坏注册表安全模式,删除下列注册表项
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
6、改变注册表值使隐藏档案不可见,达到病毒体隐藏目的
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL
键值 : dword:"CheckedValue"=dword:00000001
改为键值 : dword:"CheckedValue"=dword:00000000
7、在注册表的映像劫持中添加多个劫持项,劫持多个防毒软体、防火墙、病毒查杀工具等相关
软体
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FTCleanerShell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\iparmo.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\isPwdSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kabaload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KaScrScn.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KPFWSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\krepair.COM
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KsLoader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVCenter.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvDetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvfwMcl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvolself.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvReport.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVStub.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvupload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvwsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KvXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatch9x.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWatchX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\loaddll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mcconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmqczj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\NAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFWLiveUpdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\QHSET.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Ras.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RegClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwcfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RfwMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwProxy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\safelive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\scan32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\shcfg32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SmartUp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SREng.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\symlcsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SysSafe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojDie.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\WoptiClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\zxsweep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UIHost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxAttachment.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxCfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxFwHlp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UmxPol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UpLive.EXE.exe
被劫持到 C:\Program Files\Common Files\Microsoft Shared\MSInfo\
下面的那个dat档案
8、在注册表中改变键值,以禁用特定防毒软体服务项,禁用自动更新功能
HKLM\SYSTEM\ControlSet001\Services\防毒软体服务名\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\start
9、该木马运行后连线网路,更新档案,下载其它病毒档案,进行信息盗取、arp欺骗、远程
控制等。
注随机 8位数字与字母组合, 本次感染为80C88D28 .
%System%是一个可变路径。病毒通过查询作业系统来决定当前System资料夹的位置。Windows2000/NT中默认的安装路径是C:\Winnt\System32,windows95/98/me中默认的安装路径是C:\Windows\System,windowsXP中默认的安装路径是C:\Windows\System32。
清除方案
1 、 使用安天木马防线可彻底清除此病毒 ( 推荐 )
2 、 手工清除请按照行为分析删除对应档案,恢复相关係统设定。
(1)使用 安天木马防线 “进程管理”关闭病毒进程
mstsc.exe
(2)强行删除病毒档案
%Program Files%\Common Files\Microsoft Shared\
MSInfo\XXXXXXXX.dat
%Program Files%\Common Files\Microsoft Shared\
MSInfo\XXXXXXXX.dll
%WINDIR%\Help\ XXXXXXXX.chm
%WINDIR%\XXXXXXXX.hlp
[DRIVE LETTER]:\ AutoRun.inf
[DRIVE LETTER]:\ XXXXXXXX.exe
(3)恢复病毒修改的注册表项目,删除病毒添加的注册表项
HKLM\SOFTWARE\Classes\CLSID\
键值 : 字串: " 默认 " = ""
HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32\
HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
键值 :字串:"默认"="%ProgramFiles%\CommonFiles\
MicrosoftShared\MSInfo\XXXXXXXX.dll"
HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
键值 : 字串: " ThreadingModel " = "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\ShellExecuteHooks
键值 : 字串: " " = ""
(4)将%system%\verclsid.exe.bak中的.bak后缀去掉,改为
%system%\verclsid.exe
(5)显示隐藏档案
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL
键值 : dword:"CheckedValue"=dword:00000000
改为键值 : dword:"CheckedValue"=dword:00000001
(6)将映像劫项中添加多个劫持项删除,路径为
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options
(7)恢复注册表安全模式,开启特定防毒软体服务项,自动更新功能,删除
其下载病毒档案。
(8)进行免疫设定,在各个驱动器根目录下新建autorun.ini与autorun.inf
档案,档案属性设为不可删,不可写。