"U盤病毒" 的惡意行為重點 2009-02-11
Known symptoms of infection:
1. Enabling "Show hidden files and folders" has no effect; hidden files and folders stay hidden
2. Opening a drive (C:, D:, E: ...) from My Computer brings up the "Open With" (choose a program) dialog instead
3. Yahoo! Messenger (即時通) closes itself right after login
4. Antivirus software gets disabled
5. New antivirus software cannot be installed
6. Safe Mode cannot be entered the normal way
7. Carries a Trojan downloader
8. Network drivers fail, so the machine cannot connect
9. Kaspersky drivers are damaged, so updates fail and some protection components stop working
Files created
1. %systemdrive%\autorun.inf
autorun.inf contents (two samples; the lines beginning with ";" are INI comments filled with random junk, which Windows ignores, so only the directives matter):
;ww9KrOoa8Li9diKi194p4oijej52K2A55fw4Hkd7i9d7wkC3wLK32k1qjSap4aZrf42
[AutoRun]
;ws6L2cijpA5lKksr0aKdAks1irm7k3skawd1ZawaLpDiok2k40jLk3a4sLwClwwr
open=8ot8y86.exe
;CoaA5Z4DloqLoAlDd15kDrKKs12a735wia4kDws2flda5il4aksrfA8Sq3kZ28rJo0e6Ld2Lkai2mS2sIwiqLs
shell\open\Command=8ot8y86.exe
;8lDqd48lkfo4arKqo92sk3DwsawJZir4wLdlSd3
shell\open\Default=1
;adLl62rK5LDLo44DKsqlq2L0Ka4kJkarliKsif3lLaa1fsO0f23K18aZ2jk73ksfkoAq54wdkfKIdjirdqqwd5koadaoAiojddDl5qkkeC3LSSiiaak8lUw
shell\explore\Command=8ot8y86.exe
;S5LdLZadf4Aw34LA0La0243UoawKck3keAk3a2kd4isKwk6fds2j7lDK3wK10LwjKKawi5os2ikSolrJCrp9i0aJq2AkIsraO2jpksa8301Dlijk
[AutoRun]
Open=weiai.exe
Shell\Open=湖羲(&O)
Shell\Open\Command=weiai.exe
Shell\Open\Default=1
Shell\Explore=訧埭奪燴(&X)
Shell\Explore\Command=weiai.exe
(The two menu labels are Simplified Chinese GB2312 strings rendered on a Big5 system; they are Explorer's own verbs 打开(&O) "Open" and 资源管理器(&X) "Explorer", so double-click, Open and Explore on the drive all run weiai.exe and the menu looks normal.)
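As an added example (not code from the original write-up), here is a small Python parser for autorun.inf that discards the ";" padding lines and reports which programs the file would launch, then scores the file against the pattern seen above. The two worm samples are the ones quoted above; the benign vendor-CD sample, the 40-character padding threshold and the function names are assumptions of this example.

```python
# Added example, not part of the original write-up: parse autorun.inf the way
# Windows does (INI, ';' comments ignored) and report launch directives.
import re

LAUNCH_KEYS = ("open", "shellexecute")                 # programs run on AutoPlay
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")   # programs run by a context-menu verb
SCRIPT_EXT = (".com", ".bat", ".cmd", ".pif")          # extensions from the dropper list
PADDING_LEN = 40                                       # assumption: longer comment lines are junk


def parse_autorun(text):
    """Return {key: value} of the [AutoRun] section; keys lower-cased, ';' comments dropped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # INI comment, i.e. the random padding
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(text):
    """Map each launch directive to the program it names (first token, quotes stripped)."""
    progs = {}
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or VERB_CMD.match(key):
            progs[key] = value.split()[0].strip('"') if value else ""
    return progs


def assess(text):
    """Reasons the file matches the worm's autorun.inf pattern; empty list = nothing suspicious."""
    progs = launched_programs(text)
    reasons = []
    if "shell\\explore\\command" in progs:
        reasons.append("hijacks the Explore verb: right-click > Explore runs " + progs["shell\\explore\\command"])
    names = [p.lower() for p in progs.values()]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            reasons.append("%s is wired to %d launch directives (open + shell verbs)" % (name, names.count(name)))
        if name.endswith(SCRIPT_EXT):
            reasons.append("%s is a .com/script dropper rather than an installer" % name)
    padding = [l for l in text.splitlines() if l.strip().startswith(";") and len(l.strip()) > PADDING_LEN]
    if padding:
        reasons.append("%d oversized comment lines of random padding" % len(padding))
    return reasons


# The two autorun.inf samples quoted in the write-up.
SAMPLE_1 = r""";ww9KrOoa8Li9diKi194p4oijej52K2A55fw4Hkd7i9d7wkC3wLK32k1qjSap4aZrf42
[AutoRun]
;ws6L2cijpA5lKksr0aKdAks1irm7k3skawd1ZawaLpDiok2k40jLk3a4sLwClwwr
open=8ot8y86.exe
;CoaA5Z4DloqLoAlDd15kDrKKs12a735wia4kDws2flda5il4aksrfA8Sq3kZ28rJo0e6Ld2Lkai2mS2sIwiqLs
shell\open\Command=8ot8y86.exe
shell\open\Default=1
shell\explore\Command=8ot8y86.exe
"""

SAMPLE_2 = r"""[AutoRun]
Open=weiai.exe
Shell\Open=湖羲(&O)
Shell\Open\Command=weiai.exe
Shell\Open\Default=1
Shell\Explore=訧埭奪燴(&X)
Shell\Explore\Command=weiai.exe
"""

# Constructed benign sample: a vendor CD that only sets open/icon/label.
BENIGN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor driver CD
"""

if __name__ == "__main__":
    for label, sample in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2), ("benign", BENIGN)):
        print(label, launched_programs(sample), assess(sample))
```

The Explore-verb hijack is the strongest single signal: a vendor CD has no reason to redefine what right-click > Explore does on the drive, whereas the worm needs it so that even cautious users who avoid double-clicking still run the dropper.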
Artifacts in the drive root
2. %systemdrive%\********.com / .exe / .bat / .cmd / .pif (random name, extension varies), for example:
ntde1ect.com
ntdelect.com
nldelect.com
nndelect.com
nsdelect.com
ntdeIect.com
erdeIect.com
XAdeIect.com
copetttt.com
ek.com
f.cmd
nncu6kk.com
g2p3s.exe
8e9gmih.bat
lg.cmd
um.cmd
q83iwmgf.bat
rn.exe
h.cmd
8h3hh3m.exe
bxuup9r.bat
w0owgn.bat
2ifetri.cmd
188qsm.bat
x.com
ep9otvan.com
3wcxx91.cmd
e.bat
8ot8y86.exe
t.exe
3g08.bat
3. %System% executables with their numbered companion DLLs:
%System%\kavo.exe
%System%\kavo0.dll~kavo9.dll
%System%\taso.exe
%System%\taso0~9.dll
%System%\tavo.exe
%System%\tavo0~9.dll
%System%\avpo.exe
%System%\avpo0~9.dll
%System%\amvo.exe
%System%\amvo0~9.dll
%System%\mmvo.exe
%System%\mmvo0~9.dll
%System%\mnso.exe
%System%\mnso0~9.dll
%System%\kxvo.exe
%System%\kxvo0.dll~kxvo9.dll
%System%\uret463.exe
%System%\lhgjyit0.dll~lhgjyit9.dll
%System%\kacsde.exe
%System%\godert0.dll~godert9.dll
%System%\jvvo.exe
%System%\jvvo0~9.dll
%System%\amwo.exe
%System%\amwo0~9.dll
%System%\j3ewro.exe
%System%\jwedsfdo0~9.dll
%System%\revo.exe
%System%\revo0~9.dll
4. %windir%\Debug\***********.dll (random name)
5. %windir%\help\**************.dll (random name)
6. %windir%\fly32.dll
7. %windir%\poor32.dll
8. %Temp%\moil.dll
9. Temp directories (user and system):
C:\Documents and Settings\Administrator\Local Settings\Temp\*.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\taso*
C:\Documents and Settings\Administrator\Local Settings\Temp\cc.exe
C:\WINDOWS\TEMP\taso*
C:\WINDOWS\TEMP\*.dll
Note: on Windows 95/98/ME, %System% defaults to C:\Windows\System;
on Windows NT/2000 it is C:\WinNT\System32, and on Windows XP/2003 it is C:\Windows\System32
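As an added example (not from the write-up), the artifact list above turned into a file-system IOC check in Python, run here over a constructed directory listing. The pattern rules are this example's generalisation of the names listed: two letters + "de" + a lookalike of "l" + "ect.com" for the ntdelect.com family, a three-letter-plus-"o" loader in %System% with name0.dll..name9.dll beside it (plus the three loader/DLL pairs above that do not follow that naming), and any .com/.bat/.cmd/.pif or short digit-bearing .exe in a drive root. The random names 8s7df9s.dll and fg8s7d.dll stand in for the asterisked placeholders, and %windir% is assumed to be C:\Windows.

```python
# Added example, not part of the original write-up: IOC scan of a path listing
# for the dropped-file patterns described in the analysis.
import re
from collections import defaultdict

LOOKALIKE_RE = re.compile(r"^[a-z]{2}de[l1i]ect\.com$", re.IGNORECASE)  # ntde1ect, erdeIect, nndelect ...
ROOT_SCRIPT_EXT = (".com", ".bat", ".cmd", ".pif")
LOADER_RE = re.compile(r"^([a-z]{3}o)\.exe$", re.IGNORECASE)               # kavo, taso, amvo, revo ...
KNOWN_PAIRS = {"kacsde.exe": "godert", "uret463.exe": "lhgjyit", "j3ewro.exe": "jwedsfdo"}
WINDIR_FILES = {"fly32.dll", "poor32.dll"}
TEMP_FILES = {"moil.dll", "cc.exe"}


def _split(path):
    parts = path.lower().split("\\")
    return parts[:-1], parts[-1]          # directory components, file name


def _has_dll_family(family, names):
    """True if family0.dll .. family9.dll (any one of them) sits in the same directory."""
    return any(n.startswith(family) and re.fullmatch(r"\d\.dll", n[len(family):]) for n in names)


def scan(paths):
    """Return [(path, reason)] for every path in the listing that matches an IOC pattern."""
    siblings = defaultdict(set)
    for p in paths:
        d, name = _split(p)
        siblings["\\".join(d)].add(name)
    findings = []
    for p in paths:
        d, name = _split(p)
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        else:
            ext = "." + ext
        if len(d) == 1:                                   # drive root, e.g. "c:"
            if name == "autorun.inf":
                findings.append((p, "autorun.inf in drive root"))
            elif LOOKALIKE_RE.match(name):
                findings.append((p, "ntdelect.com lookalike dropper"))
            elif ext in ROOT_SCRIPT_EXT or (ext == ".exe" and (len(stem) <= 2 or re.search(r"\d", stem))):
                findings.append((p, "script/executable dropped in drive root"))
        elif d[-1] == "system32":
            m = LOADER_RE.match(name)
            family = m.group(1) if m else KNOWN_PAIRS.get(name)
            if family and _has_dll_family(family, siblings["\\".join(d)]):
                findings.append((p, "loader with numbered DLL family %s0..9.dll" % family))
        elif len(d) >= 2 and d[-2] == "windows" and d[-1] in ("debug", "help") and ext == ".dll":
            findings.append((p, "DLL dropped in %%windir%%\\%s" % d[-1]))
        elif d[-1] == "windows" and name in WINDIR_FILES:
            findings.append((p, "known dropped file in %windir%"))
        elif d[-1] == "temp" and (name in TEMP_FILES or name.startswith("taso")):
            findings.append((p, "known dropped file in %Temp%"))
    return findings


# Constructed listing: infected artifacts mixed with benign files that must not be flagged.
SAMPLE_LISTING = [
    r"C:\autorun.inf", r"C:\ntde1ect.com", r"E:\XAdeIect.com", r"E:\8ot8y86.exe", r"E:\f.cmd",
    r"C:\Windows\System32\kavo.exe", r"C:\Windows\System32\kavo0.dll", r"C:\Windows\System32\kavo1.dll",
    r"C:\Windows\System32\uret463.exe", r"C:\Windows\System32\lhgjyit0.dll",
    r"C:\Windows\Debug\8s7df9s.dll", r"C:\Windows\Help\fg8s7d.dll", r"C:\Windows\fly32.dll",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\cc.exe",
    r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\wuauclt.exe",
    r"C:\Windows\Debug\netsetup.log", r"C:\Windows\Help\notepad.chm",
    r"C:\Program Files\Common\setup.exe", r"C:\pagefile.sys", r"D:\setup.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING):
        print("%-70s %s" % (path, reason))
```

The loader rule deliberately requires the numbered DLL family next to the .exe, which keeps a lone legitimately named four-letter program out of the results; on a live machine, feed scan() the output of a recursive directory walk of every drive root, %windir% and the Temp folders, since the names in the root and Temp are random and cannot be matched by a fixed list.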
Processes created or injected into
wuauclt.exe
explorer.exe
IEXPLORER.EXE
gigaget.exe
utorrent.exe
msnmsgr.exe
Loaded into a system process:
explorer.exe (hosts and runs kavo1.dll)
Damages network drivers
c:\windows\system32\drivers\tdi.sys
c:\windows\system32\drivers\psched.sys
c:\windows\system32\drivers\tcpip.sys
j3ewro.exe damages the Kaspersky driver, so updates fail and some protection components stop working
c:\windows\system32\j3ewro.exe
c:\windows\system32\drivers\vga.sys
c:\windows\system32\drivers\klif.sys
c:\windows\system32\cdplay.sys
Registry entries added
Startup (Run) locations:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\kavo =
"%System%\kavo.exe" (starts at boot)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<anhtaaa><C:\WINDOWS\system32\kacsde.exe>
<dorfgwe><C:\WINDOWS\system32\uret463.exe>
Other programs seen as Run values across variants:
kavo.exe
kxvo.exe
tavo.exe
mnsa.exe
avpa.exe
amva.exe
tava.exe
tasa.exe
kava.exe
amwa.exe
jvsoft.exe
tasoft.exe
kmmsoft.exe
kacsde.exe
uret463.exe
Registry keys (CLSIDs) created
{7A908760-8000-4000-A000-9000322145A7}
{59109876-7619-9101-7012-901938475195}
{EC69134A-F15F-D14D-A31A-C31C4D124FCE}
{35FD6584-698F-BCD2-602C-698745210353}
{B1954FAC-1023-154F-895A-1458258AD81B}
{AA041F13-A111-12A3-B0CF-F99818AA68AA}
{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}
{27E1C1B0-7117-4582-8565-682E569810D2}
{FBF3B337-FEB6-403B-BBE2-2B67CB6563E3}
{5D7ED61B-DB3E-44EC-BED5-40307384FF81}
{47994C89-1857-4D33-B196-263ED6FA4CFF}
{E996F10E-FCAF-41CC-94C8-B8BF7D6F80AC}
{B058B02A-AC93-4FBA-900B-FA44D9B92805}
{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}
{749E4FEF-6AFF-41A6-AED8-364222D455A7}
{894C0068-46AC-4F59-A140-EDE0DABA776C}
{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}
Registry modification
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue = 0x00000000 (normally REG_DWORD 1; with 0, ticking "Show hidden files and folders" in Folder Options no longer reveals hidden files, which keeps the worm's files out of sight and is the cause of symptom 1)
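As an added example (not from the write-up), a Python audit of the Run-key persistence and the SHOWALL tampering listed above, run over a constructed registry snapshot, which also builds the .reg file that reverts them. The snapshot dict, the benign SoundMan and ctfmon.exe entries and the "xxxo.exe / xxxa.exe" name pattern are assumptions of the example; the NoDriveTypeAutoRun check is this example's hardening recommendation (0xFF disables AutoRun for every drive type; 0x91 in the snapshot is the stock Windows XP value), not something the write-up asks for.

```python
# Added example, not part of the original write-up: audit a registry snapshot
# ({key_path: {value_name: (reg_type, data)}}, here constructed; on a live
# machine fill it from "reg export" output or the winreg module) and emit a
# .reg file that removes the persistence and restores the hidden-files option.
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Run-key programs from the list above that do not follow the xxxo/xxxa pattern.
FAMILY = {"kacsde.exe", "uret463.exe", "jvsoft.exe", "tasoft.exe", "kmmsoft.exe", "j3ewro.exe"}
FAMILY_RE = re.compile(r"^[a-z]{3}[oa]\.exe$")            # kavo, tavo, mnsa, avpa, amva ...
SYSTEM_DIR_RE = re.compile(r"(%system%|\\system32)\\", re.IGNORECASE)


def audit(snapshot):
    """Return (key, value_name, reason) tuples for every tampered or weak setting."""
    findings = []
    for key in RUN_KEYS:
        for name, (_, data) in snapshot.get(key, {}).items():
            exe = data.strip('"').split()[0].rsplit("\\", 1)[-1].lower()
            if exe in FAMILY or (FAMILY_RE.match(exe) and SYSTEM_DIR_RE.search(data)):
                findings.append((key, name, "autostart of %s" % data))
    typ, val = snapshot.get(SHOWALL, {}).get("CheckedValue", (None, None))
    if (typ, val) != ("REG_DWORD", 1):
        findings.append((SHOWALL, "CheckedValue",
                         "is %s %r; must be REG_DWORD 1 for Show hidden files to work" % (typ, val)))
    typ, val = snapshot.get(POLICY, {}).get("NoDriveTypeAutoRun", (None, None))
    if (typ, val) != ("REG_DWORD", 0xFF):
        findings.append((POLICY, "NoDriveTypeAutoRun", "is %r; 0xFF disables AutoRun on every drive type" % val))
    return findings


def remediation_reg(findings):
    """Build a .reg file: delete the Run values, restore CheckedValue, disable AutoRun."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in findings:
        lines.append("[%s]" % key)
        if key in RUN_KEYS:
            lines.append('"%s"=-' % name)                    # "=-" deletes the value on import
        elif key == SHOWALL:
            lines.append('"CheckedValue"=dword:00000001')
        elif key == POLICY:
            lines.append('"NoDriveTypeAutoRun"=dword:000000ff')
        lines.append("")
    return "\n".join(lines)


# Constructed snapshot reflecting the registry state described in the write-up.
SNAPSHOT = {
    RUN_KEYS[0]: {
        "kavo": ("REG_SZ", r"%System%\kavo.exe"),
        "SoundMan": ("REG_SZ", r"C:\WINDOWS\SOUNDMAN.EXE"),           # benign, must be left alone
    },
    RUN_KEYS[1]: {
        "anhtaaa": ("REG_SZ", r"C:\WINDOWS\system32\kacsde.exe"),
        "dorfgwe": ("REG_SZ", r"C:\WINDOWS\system32\uret463.exe"),
        "ctfmon.exe": ("REG_SZ", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign
    },
    SHOWALL: {"CheckedValue": ("REG_DWORD", 0), "Type": ("REG_SZ", "radio")},
    POLICY: {"NoDriveTypeAutoRun": ("REG_DWORD", 0x91)},
}

if __name__ == "__main__":
    found = audit(SNAPSHOT)
    for key, name, reason in found:
        print(key, name, reason)
    print(remediation_reg(found))
```

Disinfect first (kill the injected explorer.exe, remove the loader and its DLLs from %System%): while the worm is running it keeps symptom 1 alive, so importing the .reg file on a live infection only helps briefly. After a clean reboot, reselect "Show hidden files and folders" in Folder Options once so Explorer re-reads the restored value.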
Downloaded from the network: Trojan variants (URL, then the local path it is saved to)
http://det67.com...c1.rar %Temp%\cc1.rar
hxxp://www.1a123.com/jj/cc.rar (%Temp%\cc.rar)
http://13opd.com/...u1.rar %Temp%\uu1.rar
http://vfqa4.com...l.rar %Temp%\ll.rar
http://dfvg2.com/...lp.rar %Temp%\help.rar
http://mgaazz.com...dr.rar %System%\ddr.exe
1a123.com... - 61.162.230.89
1a123.com
456kill.com
om7890.com... - 60.169.1.92
Microsofthg.com
Microsoftmg.com
Microsoftrb.com
Om7890.com
Tw7890.com
Strings read directly from the memory of the infected explorer.exe (left column: address). Worth noting: the NoDriveTypeAutoRun policy and the SHOWALL / ShowSuperHidden / Hidden registry names it tampers with, the Yahoo! JAPAN login URLs alongside YPagerj.exe, YahooWidgetEngine.exe and "passwd" (credential theft), the list of game servers, a further download URL (vfqa4.com/rbv/uu.rar), and another autorun.inf template pointing at q6h6j.com. Garbled runs such as 菴珨 are GB2312 text rendered under Big5 (菴珨 = 第一, "first").
015B2480 CLSID\MADOWN coc.exe aaa.dat XZQURSASABXAWLASOLSFSIKDQ_MN
015B24C0 NoDriveTypeAutoRun Software\Microsoft\Windows\CurrentVersion\Po
015B2500 licies\Explorer CheckedValue Software\Microsoft\Windows\Curre
015B2540 ntVersion\explorer\Advanced\Folder\Hidden\SHOWALL ShowSuperHid
015B2580 den Hidden Software\Microsoft\Windows\CurrentVersion\Explorer\A
015B25C0 dvanced \explorer.exe nhkletd SoftWare\Microsoft\Windows\Curre
015B2600 ntVersion\Run autorun.inf %s%s C:\ IEFrame explorer.exe
015B2640 iexplore.exe Forthgoer 菴侐 211.13.235.228 菴゙ 211.
015B2680 13.235.227 菴媼 211.13.235.226 菴珨 211.13.235.229 Rage
015B26C0 xe.exe 40000 Altair(Non-PvP)
015B2700 40001 Arcturus 40002
015B2740 Vega(Non-PvP) 40003 Rigel
015B2780 40004 Sirius
015B27C0 40005 Canopus
015B2800 %s(%d)/ lin.bin %d=%s http
015B2840 s://login.yahoo.co.jp/config/login_verify2?.src=ym https://logi
015B2880 n.yahoo.co.jp/config/login? YahooWidgetEngine.exe YPagerj.exe
015B28C0 ? ? S-1-5-21-1409082233-839522115-1060284298-1003\So
015B2900 ftware\YahooJapan SHDeleteKeyA shlwapi.dll passwd 絞ゴ怀フ
015B2940 腔%s:%s login h t t p i?
015BFAC0 0u http://vfqa4.com/rbv/uu.rar
015C3000 鬍0 蛞竽栓妨怯闡闡闡闡闡闡闡闡闡闡闡[AutoRun] ;44olSdjsmrpd3w
015C3040 iDHqoLa000lkjri0akiAa7Jk69kk9sd8kawsroep93wSLDr3rsa3SZkq8wsJilai
015C3080 jDefiwaaic30n5oK3os3DjaXFdsw2K1fiLa2aoKwrsj open=q6h6j.com ;jr
015C30C0 l7edjkwnjslke204riraZFl2iiLj1wdK7Ko5sok3l04w4D3ik3kkDrCLwk0o2eqq
015C3100 od9d2qsK54fw02Dd2ipoiwKwlJdKk4w8Dfsew41ifJ9sDKAarIa3rk shell\op
015C3140 en\Command=q6h6j.com