载入中…

 | 网站首页 | 文章中心 | 下载中心 | 图片中心 | 反木马论坛 |日志分析|样本上传|求助| | 

您现在的位置: 反木马在线 >> 文章中心 >> 木马查杀 >> 文章正文
一个类似AV终结者的新病毒的分析
作者:佚名    文章来源:不详    点击数:    更新时间:2008-2-4

昨天拿到一个病毒 据说类似AV终结者,测试了一下
结果如下:
File: debug.exe
Size: 46592 bytes
MD5: 153D51C2BB487B1DFE9F40355C34BE23
SHA1: 13B4466D8CEFC5A71B787E5B8AB21CDB8FEB8049
CRC32: 6EB3D331
加壳方式:ASPack 2.12
瑞星 卡巴等还不能检测出该病毒


文件变化:
释放文件
C:\WINDOWS\Debug\debug.exe
C:\WINDOWS\Web\css.css
C:\MSDOS.log
C:\WINDOWS\Temp\~tmp83.tmp
在D盘 E盘下 生成gbk.com和autorun.inf

C:\WINDOWS\Web\css.css插入其他进程

结束如下进程
kvmonxp.kxp
kvsrvxp.exe
trojdie.kxp
kregex.exe
uihost.exe
avp.exe
avp.exe
360safe.exe
runiep.exe
ras.exe
ccenter.exe
ravtask.exe
ravmon.exe
ravmond.exe
ravstub.exe
kwatch.exe
kavstart.exe
kpfwsvc.exe
kmailmon.exe
kpfw32.exe
kavsvc.exe
kav.exe

关闭如下服务 并把相应服务的启动类型改为 禁用
sharedaccess
ccenter
kvsrvxp
kvwsc
kavsvc
kingsoft antivirus kwatch service
kingsoft personal firewall service
rsravmon service
rising proxy service
rising process communication center
rising personal firewall service
卡巴斯基反病毒6.0个人版

创建如下影像劫持项
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe
指向 C:\WINDOWS\Debug\debug.exe
C:\WINDOWS\Web\css.css监视 IFEO键值的修改 如果一旦被删除则马上恢复

删除HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden 键
破坏显示隐藏文件

连接网络 下载http://xxxxxxxx.mircosofts.com/history.txt到C盘下
读取里面的内容下载木马
http://xxxxxxxx.2288.org/ms_info32.exe
http://xxxxxxxx.2288.org/ms_info33.exe
http://xxxxxxxx.2288.org/bots.exe
到C:\Windows下面 分别命名为1.exe~3.exe

木马运行完毕后
生成的文件如下
C:\WINDOWS\1.exe
C:\WINDOWS\2.bat
C:\WINDOWS\2.exe
C:\WINDOWS\2.vbs
C:\WINDOWS\3.exe
C:\WINDOWS\IEXPLORE.EXE
C:\WINDOWS\tmp$$$.vbs
C:\WINDOWS\W1NL0GON.EXE
C:\WINDOWS\system32\comspn.dll
C:\WINDOWS\system32\inetcfg.h
C:\WINDOWS\system32\mst.tlb
C:\WINDOWS\system32\SCardSer.exe
C:\WINDOWS\system32\spnup.dll
其中1.exe会把系统时间改为2099年12月30日
sreng日志情况
启动项目    

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MS Reporter(dont disable)><C:\WINDOWS\W1NL0GON.EXE>    []
服务
[Net Login Helper / netlog][Stopped/Auto Start]    <C:\WINDOWS\system32\SCardSer.exe ><N/A>

测试中未发现 主程序 有创建启动项的行为 很奇怪

解决方法:
安全模式下(开机后不断 按F8键    然后出来一个高级菜单 选择第一项 安全模式 进入系统)
首先把系统时间改回来
把sreng改名为其他名称 运行
启动项目    注册表 删除如下项目
<MS Reporter(dont disable)><C:\WINDOWS\W1NL0GON.EXE>    []

“启动项目”-“服务”-“Win32服务应用程序”中点“隐藏经认证的微软项目”,
选中以下项目,点“删除服务”,再点“设置”,在弹出的框中点“否”:

Net Login Helper / netlog
把下面的 代码拷入记事本中然后另存为1.reg文件
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

双击1.reg把这个注册表项导入


双击我的电脑,工具,文件夹选项,查看,单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件(推荐)"前面的钩。在提示确定更改时,单击“是” 然后确定
然后删除C:\WINDOWS\1.exe
C:\WINDOWS\2.bat
C:\WINDOWS\2.exe
C:\WINDOWS\2.vbs
C:\WINDOWS\3.exe
C:\WINDOWS\IEXPLORE.EXE
C:\WINDOWS\tmp$$$.vbs
C:\WINDOWS\W1NL0GON.EXE
C:\WINDOWS\system32\comspn.dll
C:\WINDOWS\system32\inetcfg.h
C:\WINDOWS\system32\mst.tlb
C:\WINDOWS\system32\SCardSer.exe
C:\WINDOWS\system32\spnup.dll
C:\WINDOWS\Debug\debug.exe
C:\WINDOWS\Web\css.css
C:\MSDOS.log
C:\WINDOWS\Temp\~tmp83.tmp
右键点击 菜单中的打开 打开D E删除gbk.com和autorun.inf

重启计算机 进入正常模式
下载 autoruns
http://www.skycn.com/soft/17567.html
由于这个软件也被映像劫持了 所以我们把他改个名字
打开这个软件后 找到Image hijack (映像劫持)
删除除了Your Image File Name Here without a pathSymbolic Debugger for Windows 2000 Microsoft
Corporation c:\windows\system32\ntsd.exe
以外的所有项目

然后修复你的杀毒软件 和其他安全软件 全盘杀毒即可
发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口
 
  • 上一篇文章:

  • 下一篇文章:
    • 相关新闻
    分析日志[AV终结者和Delf.epw]
    AV终结者查杀
    论坛新帖
    新 闻 TOP 10
  • 没有热点文章
    		•
    点击申请点击申请点击申请点击申请点击申请点击申请点击申请
    点击申请点击申请点击申请点击申请点击申请点击申请点击申请点击申请
    文字链接: 热门下说网
    Copyright © 2008 FanMuMa.com All Rights Reserved
    客服邮箱:fanmuma#126.com(将#换为@) 站长:Fisco 联系电话:15802671439 联系QQ:337803 
    捍卫属于个人的一切--