Sample name: 1.exe
Virus size: 284,190 bytes
Packer: none
Written in: Borland Delphi
Virus alert level: 2
Virus fingerprint:
SHA-160 : CB929DBB1929477A851DB06A54D1EA96FA1DFB10
MD5 : 59419C7C3B504A07FF92A7F40826A28F
RIPEMD-160 : 4E7BEA5F1D676C8C03974EE0FC6685D240F14AE7
CRC-32 : 731FC41F
Author: [G-AVR]孤单每一天
Article URL: http://hi.baidu.com/renlangliu/blog/item/fbc2c258bf0eaa80800a1897.html
Detection names by vendor:
http://scanner.virus.org

| Engine | Version | Result | Scan time |
|---|---|---|---|
| ArcaVir | 1.0.4 | Clean | 3.67603 secs |
| avast! | 3.0.0 | Clean | 0.0464969 secs |
| AVG Anti Virus | 7.5.47 | Clean | 3.26215 secs |
| BitDefender | 7.1 | GenPack:Generic.PWStealer.874D09AB | 5.07662 secs |
| CAT QuickHeal | 9.00 | Clean | 5.16741 secs |
| ClamAV | 0.90/3311 | Clean | 0.407175 secs |
| Dr. Web | 4.33.0 | Trojan.PWS.Maran | 9.5218 secs |
| F-PROT | 4.6.7 | Unknown | 0.776782 secs |
| F-Secure | 1.02 | Trojan-PSW.Win32.Maran.dy [AVP] | 0.0956321 secs |
| H+BEDV AntiVir | 2.1.10-41 | NULL | 5.89765 secs |
| McAfee Virusscan | 5.10.0 | PWS-Maran.dll | 3.69338 secs |
| NOD32 | 2.51.1 | a variant of Win32/PSW.Maran trojan | 2.58767 secs |
| Norman Virus Control | 5.70.01 | Clean | 8.68103 secs |
| Panda | 9.00.00 | Clean | 0.968208 secs |
| Sophos Sweep | 4.17.0 | Mal/Maran-A | 5.94194 secs |
| Trend Micro | 8.310-1002 | Clean | 0.515448 secs |
| VBA32 | 3.12.0 | Clean | 3.77676 secs |
| VirusBuster | 1.3.3 | Clean | 2.12044 secs |
http://www.virustotal.com

| Engine | Version | Definitions | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.24.0 | 05.28.2007 | no virus found |
| AntiVir | 7.4.0.27 | 05.28.2007 | TR/PSW.Stealer.284190 |
| Authentium | 4.93.8 | 05.23.2007 | could be a corrupted executable file |
| Avast | 4.7.997.0 | 05.27.2007 | Win32:Qhost-AI |
| AVG | 7.5.0.467 | 05.27.2007 | no virus found |
| BitDefender | 7.2 | 05.28.2007 | GenPack:Generic.PWStealer.874D09AB |
| CAT-QuickHeal | 9.00 | 05.26.2007 | no virus found |
| ClamAV | devel-20070416 | 05.28.2007 | no virus found |
| DrWeb | 4.33 | 05.28.2007 | Trojan.PWS.Maran |
| eSafe | 7.0.15.0 | 05.27.2007 | no virus found |
| eTrust-Vet | 30.7.3670 | 05.28.2007 | no virus found |
| Ewido | 4.0 | 05.27.2007 | no virus found |
| FileAdvisor | 1 | 05.28.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.28.2007 | suspicious |
| F-Prot | 4.3.2.48 | 05.25.2007 | W32/Rootkit-Backdoor-based!Maximus |
| F-Secure | 6.70.13030.0 | 05.28.2007 | Trojan-PSW.Win32.Maran.dy |
| Ikarus | T3.1.1.8 | 05.28.2007 | Generic.PWS.Maran |
| Kaspersky | 4.0.2.24 | 05.28.2007 | Trojan-PSW.Win32.Maran.dy |
| McAfee | 5039 | 05.25.2007 | PWS-Maran.dll |
| Microsoft | 1.2503 | 05.28.2007 | no virus found |
| NOD32v2 | 2293 | 05.27.2007 | a variant of Win32/PSW.Maran |
| Norman | 5.80.02 | 05.25.2007 | no virus found |
| Panda | 9.0.0.4 | 05.28.2007 | no virus found |
| Prevx1 | V2 | 05.28.2007 | no virus found |
| Sophos | 4.18.0 | 05.25.2007 | Mal/Maran-A |
| Sunbelt | 2.2.907.0 | 05.26.2007 | VIPRE.Suspicious |
| Symantec | 10 | 05.28.2007 | no virus found |
| TheHacker | 6.1.6.123 | 05.25.2007 | no virus found |
| VBA32 | 3.12.0 | 05.26.2007 | no virus found |
| VirusBuster | 4.3.23:9 | 05.27.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 05.28.2007 | Trojan.PSW.Stealer.284190 |
Test environment: Windows XP Pro SP2, physical machine
The sample is most likely fetched by a downloader. When run, it drops ws2ifsl.sys into %systemroot%\system32\drivers\ and registers it as a driver, drops avp.exe into %systemroot%\ and registers it as a service, drops tf6sound.dll into %systemroot%\system32\ and hijacks the Winsock TCP/IP and RAW/IP protocol entries, then runs a dropped batch file to delete its own file.
Registry keys modified or created by the virus:
Winsock hijack:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
C:\WINNT\system32\tf6sound.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
C:\WINNT\system32\tf6sound.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
C:\WINNT\system32\tf6sound.dll
Other changes of the same kind as the above are not listed.
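The PackedCatalogItem values above are where a Winsock LSP hijack shows up, so a quick way to check a machine is to walk Protocol_Catalog9 and print the DLL each entry points at. The following PowerShell is an added example, not code from the original post; it assumes the standard catalog layout (the first 260 bytes of PackedCatalogItem hold the provider DLL path as a NUL-terminated ANSI string) and a current Windows PowerShell with Get-AuthenticodeSignature, and flags any provider that is missing on disk or not validly Microsoft-signed.

```powershell
# Added example (not from the original post): audit Winsock Protocol_Catalog9 entries.
# Run from an elevated PowerShell on the machine being checked.

$CatalogRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64'  # 64-bit Windows only
)

function Get-WinsockProvider {
    param([string[]]$Roots = $CatalogRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $packed = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
            if (-not $packed) { continue }

            # Assumption about the binary layout: the first 260 (MAX_PATH) bytes of
            # PackedCatalogItem carry the provider DLL path as a NUL-terminated ANSI string.
            $len  = [Math]::Min(260, $packed.Length)
            $dll  = [System.Text.Encoding]::Default.GetString($packed, 0, $len).Split([char]0)[0]
            $full = [Environment]::ExpandEnvironmentVariables($dll)

            $signer = 'missing'   # an entry whose DLL is gone is what SREng shows as N/A
            if (Test-Path -LiteralPath $full) {
                $sig = Get-AuthenticodeSignature -FilePath $full
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
            }

            [pscustomobject]@{
                Entry      = $entry.PSChildName
                Dll        = $dll
                Signer     = $signer
                # Anything that is not a validly signed Microsoft binary is reported;
                # a legitimate third-party LSP will appear here too and needs manual review.
                Suspicious = ($signer -eq 'missing') -or ($signer -notmatch 'Microsoft')
            }
        }
    }
}

Get-WinsockProvider | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

On a clean XP or later system every entry resolves to a Microsoft-signed provider such as mswsock.dll; an entry pointing at a DLL in system32 that is unsigned, or at a path that no longer exists, is what the removal steps later in this post are dealing with.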
Disassembly of tf6sound.dll:
My guess is that the virus hijacks Winsock to generate traffic in the background from multiple IP addresses. I am not very familiar with games, but the sites being hit are related to game point cards; the targeted names and IPs are listed below.
Page contacted: https://tw.gash.gamania.com/GASHLogin.aspx
CODE:00421AD4 s_Changegashpas db 'ChangeGashPass:gash**:',0 ; DATA XREF: sub_41FD20+F14 o
CODE:00421BFC s_Changegamepas db 'ChangeGamePass:gamea**ount:',0
PS: Topping up your own point cards this way is unethical; the usernames are not listed for now. I hope the virus author behaves himself.
61.220.62.*
61.220.56.*-61.220.56.*
203.69.46.*-203.69.46.*
220.130.113.*
220.130.125.13*
220.130.125.14*-220.130.125.14*
220.130.125.18*-220.130.125.18*
220.130.125.24*-220.130.125.24*
220.130.125.21*-220.130.125.21*
220.130.125.17*-220.130.125.17*
Registered service:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VGADown\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VGADOWN\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VGADOWN\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\
Service name: VGADown
Display name: Audio Adapter
Image path: %systemdrive%\%systemroot%\avp.exe
Startup type: Automatic
Description: none
Runs as: LocalSystem
Registered driver:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\
Service name: WS2IFSL
Display name: Windows 套接字 2.0 Non-IFS 服务提供程序支持环境
Image path: %systemdrive%\%systemroot%\system32\drivers\ws2ifsl.sys
Startup type: Automatic
Description: none
Runs as: LocalSystem
A word about the virus's two main files, ws2ifsl.sys and avp.exe. avp.exe is the virus's process: it is a Win32 service and can be seen in Task Manager. ws2ifsl.sys is a system driver; although its start type is neither "system" nor "boot", it has no visible process either.
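Both persistence points above are ordinary service entries, so they can be audited the same way as any other service or driver: resolve the binary each entry runs, check where it lives and who signed it. The PowerShell below is an added example, not code from the original post; it assumes a current Windows PowerShell with Get-CimInstance and Get-AuthenticodeSignature (the XP test box in this post would need Get-WmiObject instead), and reports entries whose binary sits directly in %SystemRoot% (as avp.exe does here), whose binary is missing or not validly Microsoft-signed, or whose name matches one of the two the post documents.

```powershell
# Added example (not from the original post): audit service and driver image paths.
# Run from an elevated PowerShell on the machine being checked.

function Get-ImageFile {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # PathName may be quoted and carry arguments ("C:\x\y.exe" -k foo): keep the binary only.
    if ($PathName -match '^"?([^"]+?\.(exe|sys|dll))') { $p = $Matches[1] } else { $p = $PathName }
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\... prefix used by some drivers
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\system32\drivers\x.sys
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path -Path $env:SystemRoot -ChildPath $p }  # bare 'system32\drivers\x.sys'
    return $p
}

function Get-SuspiciousServiceBinary {
    # Names taken from this report; any other names of interest can be passed in.
    param([string[]]$NamesOfInterest = @('VGADown', 'WS2IFSL'))

    $items = @(Get-CimInstance -ClassName Win32_Service |
                 Select-Object Name, DisplayName, PathName, StartMode, StartName) +
             @(Get-CimInstance -ClassName Win32_SystemDriver |
                 Select-Object Name, DisplayName, PathName, StartMode, @{ n = 'StartName'; e = { 'kernel' } })

    $rootDir = $env:SystemRoot.TrimEnd('\')

    foreach ($i in $items) {
        $file = Get-ImageFile -PathName $i.PathName
        if (-not $file) { continue }

        $signer = 'missing'
        if (Test-Path -LiteralPath $file) {
            $sig = Get-AuthenticodeSignature -FilePath $file
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
        }

        $named     = $NamesOfInterest -contains $i.Name
        $inRootDir = (Split-Path -Path $file -Parent).TrimEnd('\') -ieq $rootDir   # e.g. C:\WINDOWS\avp.exe
        $notMsft   = ($signer -eq 'missing') -or ($signer -notmatch 'Microsoft')

        if ($named -or $inRootDir -or $notMsft) {
            [pscustomobject]@{
                Name        = $i.Name
                DisplayName = $i.DisplayName
                Binary      = $file
                StartMode   = $i.StartMode
                RunsAs      = $i.StartName
                Signer      = $signer
                Reason      = @(
                    if ($named)     { 'name from report' }
                    if ($inRootDir) { 'binary in %SystemRoot% root' }
                    if ($notMsft)   { 'not Microsoft-signed' }
                ) -join '; '
            }
        }
    }
}

Get-SuspiciousServiceBinary | Format-Table -AutoSize
```

The display names are deliberately not trusted: "Audio Adapter" and the localized Winsock 2.0 Non-IFS name both read as legitimate, which is why the check keys on the binary's location and signature rather than on the label the service presents.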
Removal:
Open IceSword, locate ws2ifsl.sys and avp.exe and force-unload them; delete the driver and service registry keys the virus registered (the whole key); use SREng to repair Safe Mode first, then in Safe Mode delete the N/A Winsock entries; use SysCheck's Winsock repair function to rebuild the Winsock protocol catalog (SREng cannot repair it, but it can delete entries); delete tf6sound.dll; reboot. Disinfection complete.
PS: Do not try to force-delete or unregister tf6sound.dll in normal mode; it will trigger a service error and reboot the computer.