pioneer (Super Moderator, registered 2007-7-16, from BJ)
#2
Virus Analysis
Once executed, the sample copies itself to the system directory %SystemRoot%\system\ under the name "jjxzwzjy090110.exe" and drops a file named "jjxzajcj32dl.dll".
It enumerates the following security-product process names and, whenever one is found, attempts to terminate it with the command "ntsd -c q -p pid" in order to protect itself:
Quote:
RUNIEP.exe
KRegEx.exe
KVXP.kxp
360tray.exe
RSTray.exe
QQDoctor.exe
DrRtp.exe
It adds the following registry entry so that it starts automatically with the system:
Quote:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Value name: dlmcjjcdfc
Data: %SystemRoot%\system\jjxzwzjy090110.exe
It modifies the following registry value to disable the display of hidden files, in an attempt to hide the trojan:
Quote:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Value name: CheckedValue
Data: 0
It continuously searches for windows whose titles contain the following specified keywords; when one is found, it attempts to close the window by sending a "WM_SYSCOMMAND" message with the parameter "F060":
Under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ it adds the following subkeys, hijacking the specified security software:
Subkey names:
Quote:
360rpt.exe
360safe.exe
360tray.exe
adam.exe
avp.com
avp.exe
ccenter.exe
ccsvchst.exe
cross.exe
enc98.exe
filedsty.exe
ftcleanershell.exe
guangd.exe
hijackthis.exe
icesword.exe
iparmo.exe
iparmor.exe
ispwdsvc.exe
kabaload.exe
kascrscn.scr
kasmain.exe
kastask.exe
kav32.exe
kavdx.exe
kavpfw.exe
kavsetup.exe
kavstart.exe
kislnchr.exe
kmailmon.exe
kmfilter.exe
kpfw32.exe
kpfw32x.exe
kpfwsvc.exe
kregex.exe
krepair.com
ksloader.exe
kvcenter.kxp
kvdetect.exe
kvfwmcl.exe
kvmonxp.kxp
kvmonxp_1.kxp
kvol.exe
kvolself.exe
kvreport.kxp
kvsrvxp.exe
kvstub.kxp
kvupload.exe
kvwsc.exe
kvxp.kxp
kwatch.exe
kwatch9x.exe
kwatchx.exe
loaddll.exe
magicset.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
navsetup.exe
nod32krn.exe
nod32kui.exe
pfw.exe
pfwliveupdate.exe
qhset.exe
ras.exe
rav.exe
ravmon.exe
ravmond.exe
ravstub.exe
ravtask.exe
regclean.exe
rfwcfg.exe
rfwmain.exe
rfwproxy.exe
rfwsrv.exe
rsagent.exe
rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
sdgames.exe
shcfg32.exe
shuiniu.exe
smartup.exe
sos.exe
sreng.exe
svch0st.exe
symlcsvc.exe
syssafe.exe
systom.exe
taskmgr.exe
tnt.exe
trojandetector.exe
trojanwall.exe
trojdie.kxp
txomou.exe
ua80.exe
ufo.exe
uihost.exe
umxagent.exe
umxattachment.exe
umxcfg.exe
umxfwhlp.exe
umxpol.exe
uplive.exe
wopticlean.exe
xp.exe
zxsweep.exe
qqdoctor.exe
rstray.exe
Value name in each subkey: debugger
Data in each subkey: %SystemRoot%\system32\svchost.exe

It creates a configuration file containing the trojan's settings in the %ALLUSERSPROFILE%\ directory, named "jjjydf16.ini", with the following content:
Quote:
[mydown]
old_exe=
old_dll32=
ver=090110
fnexe=C:\WINDOWS\system\jjxzwzjy090110.exe
reg_start=dlmcjjcdfc
fn_dll=C:\WINDOWS\system\jjxzajcj32dl.dll

It launches an "IEXPLORE.EXE" process in hidden mode and injects the "jjxzajcj32dl.dll" file into its process space; once a network connection is available, it accesses the following trojan-list URL to download trojans, which are run automatically after download:
Quote:
http://www.a3***.com/mydown.asp?ver=090110&tgid=shengji&address=00-0C-**-A5-**-87

The content returned by the URL is as follows:
Quote:
begin
1,090113,10241,http://www.wew***3.cn/new/shengji.exe,120,1,180,1,10000,09,0,1,0,1
7,
2,90113,34000,http://www.wew***3.cn/new/css.exe,10,0-24,,
2,0,47000,http://www.wew***3.cn/new/ccc.exe,70,0-24,,
2,90113,16000,http://www.wew***3.cn/new/30.exe,10,0-24,,
2,90113,148000,http://www.wew***3.cn/new/msn180.exe,10,0-24,,
2,90113,77000,http://www.wew***3.cn/new/cpa.exe,10,0-24,,
3,127.0.0.1,js.tongji.cn.yahoo.com
3,127.0.0.1,img.tongji.cn.yahoo.com
End

It also modifies the system "hosts" file to the following content:
Quote:
127.0.0.1 js.tongji.cn.yahoo.com
127.0.0.1 img.tongji.cn.yahoo.com

Hiding method:
It invokes the following command to delete itself:
Quote:
cmd /c del "c:\sample.exe"

※ This article is jointly owned by [pioneer] and [东方微点论坛]; please credit the source when reposting! ※
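As an added example, not taken from the post above, here is a defender-side PowerShell triage script that checks a Windows host for the artifacts the analysis lists (the file names, registry keys, value names and hosts entries come from the analysis; the script itself and its layout are assumed). Run it in an elevated session on a suspect machine.

```powershell
# Added example (not from the original post): report, but do not remove, the persistence
# and hijack artifacts described in the analysis. Indicator names are from the post;
# the check logic below is assumed.
$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO subkeys whose "Debugger" value redirects a security tool to svchost.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'svchost\.exe') {
        $findings.Add("IFEO hijack: $($sub.PSChildName) -> $dbg")
    }
}

# 2. Autostart value "dlmcjjcdfc" under the Explorer policy "run" key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'dlmcjjcdfc')) {
    $findings.Add("Policy run autostart: dlmcjjcdfc = $($run.dlmcjjcdfc)")
}

# 3. "Show hidden files" option forced off (CheckedValue = 0)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $checked -and $checked -eq 0) {
    $findings.Add('SHOWALL\CheckedValue is 0: hidden files are suppressed')
}

# 4. Dropped executable, DLL and configuration file (note: %SystemRoot%\system, not system32)
$dropped = @(
    "$env:SystemRoot\system\jjxzwzjy090110.exe",
    "$env:SystemRoot\system\jjxzajcj32dl.dll",
    "$env:ALLUSERSPROFILE\jjjydf16.ini"
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file present: $path") }
}

# 5. hosts entries that sinkhole the two tongji.cn.yahoo.com domains
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path -LiteralPath $hosts) {
    foreach ($line in (Get-Content -LiteralPath $hosts)) {
        if ($line -match '^\s*127\.0\.0\.1\s+\S*tongji\.cn\.yahoo\.com') {
            $findings.Add("hosts entry: $($line.Trim())")
        }
    }
}

if ($findings.Count -eq 0) { 'No artifacts of this sample found.' } else { $findings }
```

The script only reports matches; removing the IFEO and SHOWALL values and restoring the hosts file should follow once the findings are confirmed, since the same IFEO mechanism is legitimately used by some debuggers.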