
[Share] Analysis of Virus.Win32.AutoRun.tn

Virus label:
Virus name: Virus.Win32.AutoRun.tn
Virus type: Virus
File MD5: db9dcd04e8fc96d7b83c0476d5902ec7
Disclosure scope: Fully public
Threat level: High
File length: 28,160 bytes
Affected systems: Win98 and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24

Virus description:
After running, the virus drops a copy of itself into the root directory of every drive together with an autorun.inf file, so the virus is executed automatically when the user opens the drive. It also drops a large number of game trojans into the system folder, hijacks the SPI (Winsock Service Provider Interface), downloads and runs further game trojans, and applies Image File Execution Options (IFEO) hijacking to security software.
&nbsp;<br />
Behavior analysis:
Local behavior:
1. After the file runs it drops the following files:
    %System32%\Systom.exe            28,160 bytes
    %DriveLetter%\auToRun.inf           156 bytes
    %DriveLetter%\nx.exe             28,160 bytes
    %System32%\5temp.exe             32,385 bytes
    %System32%\addrmshelp.dll        11,888 bytes
    %System32%\auToRun.inf              156 bytes
    %System32%\avzxdmn.dll           23,126 bytes
    %System32%\avzxdst.exe           15,146 bytes
    %System32%\daemon_mgm.exe        49,152 bytes
    %System32%\kafyeaz.exe           13,364 bytes
    %System32%\kafyezy.dll           19,044 bytes
    %System32%\kawdbaz.exe           14,035 bytes
    %System32%\kawdbzy.dll           20,058 bytes
    %System32%\kvdxcis.exe           14,269 bytes
    %System32%\kvdxcma.dll           20,072 bytes
    %System32%\kvmxeis.exe           14,437 bytes
    %System32%\kvmxema.dll           20,580 bytes
    %System32%\NetMonInstaller.exe    6,656 bytes
    %System32%\npf_mgm.exe           49,152 bytes
    %System32%\qdshm.dll              9,818 bytes
    %System32%\rpcapd.exe            86,016 bytes
    %System32%\rsmydpm.dll           22,094 bytes
    %System32%\rsmydsp.exe           15,005 bytes
    %System32%\rsztcpm.dll           23,110 bytes
    %System32%\rsztcsp.exe           15,354 bytes
    %System32%\Systom.exe            28,160 bytes
    %System32%\wpc2.exe             659,456 bytes
    %System32%\wuapi.dll.mui         25,944 bytes
    %System32%\wuaucpl.cpl.mui       25,944 bytes
    %System32%\wuaueng.dll.mui       16,216 bytes
    %System32%\wucltui.dll.mui       30,040 bytes
    %System32%\zxarps.exe            24,064 bytes

    <br />
2. IFEO (image) hijacking of security software; the hijacked programs are:
    360rpt.exe
    360Safe.exe
    360tray.exe
    adam.exe
    AgentSvr.exe
    AppSvc32.exe
    AST.exe
    AutoRuns.exe
    avgrssvc.exe
    AvMonitor.exe
    avp.com
    avp.exe
    CCenter.exe
    ccSvcHst.exe
    FileDsty.exe
    FTCleanerShell.exe
    HijackThis.exe
    IceSword.exe
    iparmo.exe
    Iparmor.exe
    isPwdSvc.exe
    kabaload.exe
    KaScrScn.SCR
    KASMain.exe
    KASTask.exe
    KAV32.exe
    KAVDX.exe
    KAVPFW.exe
    KAVSetup.exe
    KAVStart.exe
    KISLnchr.exe
    KMailMon.exe
    KMFilter.exe
    KPFW32.exe
    KPFW32X.exe
    KPFWSvc.exe
    KRegEx.exe
    krepair.COM
    KsLoader.exe
    KVCenter.kxp
    KvDetect.exe
    KvfwMcl.exe
    KVMonXP.kxp
    KVMonXP_1.kxp
    kvol.exe
    kvolself.exe
    KvReport.kxp
    KVScan.kxp
    KVSrvXP.exe
    KVStub.kxp
    kvupload.exe
    kvwsc.exe
    KvXP.kxp
    KvXP_1.kxp
    KWatch.exe
    KWatch9x.exe
    KWatchX.exe
    loaddll.exe
    MagicSet.exe
    mcconsol.exe
    mmc.exe
    mmqczj.exe
    mmsk.exe
    msconfig.exe
    NAVSetup.exe
    PFW.exe
    PFWLiveUpdate.exe
    QHSET.exe
    Ras.exe
    Rav.exe
    RavMon.exe
    RavMonD.exe
    RavStub.exe
    RavTask.exe
    RegClean.exe
    regedit.exe
    rfwcfg.exe
    RfwMain.exe
    rfwProxy.exe
    rfwsrv.exe
    RsAgent.exe
    Rsaupd.exe
    runiep.exe
    safelive.exe
    scan32.exe
    shcfg32.exe
    SmartUp.exe
    SREng.exe
    symlcsvc.exe
    SysSafe.exe
    taskmgr.exe
    TrojanDetector.exe
    Trojanwall.exe
    TrojDie.kxp
    UIHost.exe
    UmxAgent.exe
    UmxAttachment.exe
    UmxCfg.exe
    UmxFwHlp.exe
    UmxPol.exe
    UpLive.EXE.exe
    WoptiClean.exe
    zxsweep.exe

    <br />
3. Registry entries added:
    HKCR\CLSID\{2598FF45-DA60-F48A-BC43-10AC47853D52}\InprocServer32
    Value name: (Default)
    Type: REG_SZ
    Data: C:\WINNT\system32\rarjbpi.dll

    HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Toolbar\Explorer
    Value name: ITBarLayout
    Type: REG_BINARY
    Data: 110000005C0000000000000034000000...

    HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
    Value name: {2598FF45-DA60-F48A-BC43-10AC47853D52}
    Type: REG_SZ
    Data: rarjbpi.dll

    HKCR\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32
    Value name: (Default)
    Type: REG_SZ
    Data: C:\WINNT\system32\avzxdmn.dll

    HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
    Value name: {4859245F-345D-BC13-AC4F-145D47DA34F4}
    Type: REG_SZ
    Data: avzxdmn.dll

4. Registry entries modified:
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value name: ButtonText
    New value:
      Type: REG_SZ
      Data: @shdoclc.dll,-866@2052,相关站点
    Original value:
      Type: REG_SZ
      Data: @shdoclc.dll,-866

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value name: MenuText
    New value:
      Type: REG_SZ
      Data: @shdoclc.dll,-864@2052,显示相关站点(&R)
    Original value:
      Type: REG_SZ
      Data: @shdoclc.dll,-864

    HKLM\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value name: MenuStatusBar
    New value:
      Type: REG_SZ
      Data: @shdoclc.dll,-865@2052,显示与当前页相关的站点。
    Original value:
      Type: REG_SZ
      Data: @shdoclc.dll,-865

    HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Toolbar\ShellBrowser
    Value name: {0E5CBF21-D15F-11D0-8301-00AA005B4383}
    New value:
      Type: REG_BINARY
      Data: 21BF5C0E5FD1D011830100AA005B4383...
    Original value:
      Type: REG_BINARY
      Data: 21BF5C0E5FD1D011830100AA005B4383...

Network behavior:
1. Connects to the network and downloads virus files:
    Connects to:
    www.tes***com(222.208.183.***)
    Downloads the following virus files and runs them automatically:
    %Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\14[1].exe      265,781 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.eom
    %Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\2[1].exe        20,044 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.eon
    %Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\6[1].exe        32,385 bytes
    Detection name: Virus.Win32.AutoRun.sx

    %Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\4[1].exe        15,354 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.ejq
    %Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\8[1].exe        14,035 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.enh
    %Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\1[1].exe        14,437 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.ejx
    %Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\5[1].exe        15,005 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.eau

    %Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\9[1].exe        13,364 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.epf
    %Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\3[1].exe        15,146 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.enb

    %Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\7[1].exe        14,269 bytes
    Detection name: Trojan-PSW.Win32.OnLineGames.eei

    %Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\down[1].exe     28,160 bytes
    Detection name: Virus.Win32.AutoRun.tn

Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system.

    %Windir%                    Directory where Windows is installed
    %DriveLetter%               Root directory of a logical drive
    %ProgramFiles%              Default installation directory for programs
    %HomeDrive%                 Partition holding the currently booted system
    %Documents and Settings%    Root of the current user's profile
    %Temp%                      \Documents and Settings\<current user>\Local Settings\Temp
    %System32%                  The system's System32 folder

    On Windows 2000/NT the default path is C:\Winnt\System32
    On Windows 95/98/Me the default path is C:\Windows\System
    On Windows XP the default path is C:\Windows\System32

--------------------------------------------------------------------------------
Removal:
1. Use Antiy Ghostbusters (安天木马防线) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis above.
    (1) Use the "Process Manager" of Antiy Ghostbusters to terminate the virus process.
    (2) Delete the virus files:
      %System32%\Systom.exe 28,160 bytes
      %DriveLetter%\auToRun.inf 156 bytes
      %DriveLetter%\nx.exe 28,160 bytes
      %System32%\5temp.exe 32,385 bytes
      %System32%\addrmshelp.dll 11,888 bytes
      %System32%\auToRun.inf 156 bytes
      %System32%\avzxain.dll 55 bytes
      %System32%\avzxdmn.dll 23,126 bytes
      %System32%\avzxdst.exe 15,146 bytes
      %System32%\c.txt 510 bytes
      %System32%\daemon_mgm.exe 49,152 bytes
      %System32%\kafyacs.dll 62 bytes
      %System32%\kafyeaz.exe 13,364 bytes
      %System32%\kafyezy.dll 19,044 bytes
      %System32%\kawdacs.dll 57 bytes
      %System32%\kawdbaz.exe 14,035 bytes
      %System32%\kawdbzy.dll 20,058 bytes
      %System32%\kvdxacf.dll 64 bytes
      %System32%\kvdxcis.exe 14,269 bytes
      %System32%\kvdxcma.dll 20,072 bytes
      %System32%\kvmxecf.dll 62 bytes
      %System32%\kvmxeis.exe 14,437 bytes
      %System32%\kvmxema.dll 20,580 bytes
      %System32%\NetMonInstaller.exe 6,656 bytes
      %System32%\npf_mgm.exe 49,152 bytes
      %System32%\qdshm.dll 9,818 bytes
      %System32%\rpcapd.exe 86,016 bytes
      %System32%\rsmyafg.dll 51 bytes
      %System32%\rsmydpm.dll 22,094 bytes
      %System32%\rsmydsp.exe 15,005 bytes
      %System32%\rsztafg.dll 47 bytes
      %System32%\rsztcpm.dll 23,110 bytes
      %System32%\rsztcsp.exe 15,354 bytes
      %System32%\Systom.exe 28,160 bytes
      %System32%\test1.txt 98 bytes
      %System32%\wpc2.exe 659,456 bytes
      %System32%\wuapi.dll.mui 25,944 bytes
      %System32%\wuaucpl.cpl.mui 25,944 bytes
      %System32%\wuaueng.dll.mui 16,216 bytes
      %System32%\wucltui.dll.mui 30,040 bytes
      %System32%\zxarps.exe 24,064 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\14[1].exe 265,781 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\2[1].exe 20,044 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\6[1].exe 32,385 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\4[1].exe 15,354 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\8[1].exe 14,035 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\1[1].exe 14,437 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\5[1].exe 15,005 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\9[1].exe 13,364 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\3[1].exe 15,146 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\7[1].exe 14,269 bytes
      %Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\down[1].exe 28,160 bytes
    (3) Restore the registry entries modified by the virus and delete the entries it added:
      HKCR\CLSID\{2598FF45-DA60-F48A-BC43-10AC47853D52}\InprocServer32
      Value name: (Default)
      Type: REG_SZ
      Data: C:\WINNT\system32\rarjbpi.dll
      HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Toolbar\Explorer
      Value name: ITBarLayout
      Type: REG_BINARY
      Data: 110000005C0000000000000034000000...
      HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
      Value name: {2598FF45-DA60-F48A-BC43-10AC47853D52}
      Type: REG_SZ
      Data: rarjbpi.dll
      HKCR\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32
      Value name: (Default)
      Type: REG_SZ
      Data: C:\WINNT\system32\avzxdmn.dll
      HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
      Value name: {4859245F-345D-BC13-AC4F-145D47DA34F4}
      Type: REG_SZ
      Data: avzxdmn.dll
    (4) Repair the SPI (Winsock LSP) chain and remove the IFEO hijack entries for the programs listed in section 2.
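As an added triage aid for steps (3) and (4) (example code written for this page, not from the report or from Antiy), the following Python parses a `reg export` text dump offline and reports every IFEO `Debugger` value and every HKLM ShellExecuteHooks entry, tagging the ones that match the process names and CLSIDs given above. The sample dump and its `Debugger` target are constructed (the report does not say where the hijacks point); real `.reg` exports are UTF-16 and must be decoded before parsing.

```python
import re

# Added example, not the report's code: triage a `reg export` text dump for the two
# persistence mechanisms the report describes. The two sets below come from the report.
HIJACKED_TOOLS = {"360tray.exe", "avp.exe", "icesword.exe", "hijackthis.exe",  # subset of
                  "regedit.exe", "taskmgr.exe", "msconfig.exe"}               # section 2's list
HOOK_CLSIDS = {"{2598FF45-DA60-F48A-BC43-10AC47853D52}",
               "{4859245F-345D-BC13-AC4F-145D47DA34F4}"}
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
KEY_RE = re.compile(r"^\[(.+)\]$")
STR_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # "name"="data", REG_SZ only

def parse_reg_export(text):
    """Return {key path: {value name: data}} for the string values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := STR_VALUE_RE.match(line)):
            # .reg syntax escapes backslash and double quote inside string data
            current[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def find_indicators(keys):
    """Return (kind, name, data, tag) for every IFEO Debugger and every ShellExecuteHook.
    Entries tagged 'listed-*' match the report; the others still deserve review."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.startswith(IFEO_KEY + "\\") and "Debugger" in values:
            image = path.rsplit("\\", 1)[1]
            tag = "listed-target" if image.lower() in HIJACKED_TOOLS else "other-image"
            findings.append(("IFEO", image, values["Debugger"], tag))
        elif low == HOOKS_KEY:
            for clsid, dll in values.items():
                tag = "listed-clsid" if clsid.upper() in HOOK_CLSIDS else "unlisted"
                findings.append(("ShellExecuteHook", clsid, dll, tag))
    return findings

# Constructed sample dump; the Debugger target is illustrative, the report does not give it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINNT\\system32\\Systom.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{2598FF45-DA60-F48A-BC43-10AC47853D52}"="rarjbpi.dll"
'''
```

Extend HIJACKED_TOOLS with the full list from section 2 before running it against a real export; `find_indicators(parse_reg_export(text))` returns the findings.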
