ghost.pif[新变种]

载入中…

ghost.pif[新变种]

作者：佚名文章来源：不详点击数：更新时间：2008-2-4

前几天分析过这个病毒

他就是导致最近杀毒软件出现应用程序正常初始化（0xc00000ba)失败的病毒
不过今天又出了新变种
分析了一下
File: Ghost.pif
Size: 22066 bytes
MD5: D1773EBD161E95473184877539D0ED3D
SHA1: 35E5D8EE4346C70834CC7DA06C98ACB44D35F9C4
CRC32: B6EF4C92
运行后生成
C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll

添加注册表键值
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\: "C:\Program

Files\Internet Explorer\HiJack.dll"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\InProcServer32\ThreadingModel:

"Apartment"
HKLM\SOFTWARE\Classes\CLSID\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}\: ""
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\: "C:\Program

Files\Internet Explorer\msvcrt.dll"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\InProcServer32\ThreadingModel:

"Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}\: ""
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\: "C:\Program

Files\Common Files\Relive.dll"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\InProcServer32\ThreadingModel:

"Apartment"
HKLM\SOFTWARE\Classes\CLSID\{D7515C61-A66C-4319-A0E0-D416CB8059E3}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-

FB6EE3CC6CD6}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0EA12C16-CDEF-6AC1-236E-

CD3FE82F5213}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7515C61-A66C-4319-

A0E0-D416CB8059E3}\: ""

查询以下注册表项目的某些键值来获取相关安全软件的安装目录，在获得安装目录下生成以系统文件名"ws2_32.dll"

命名的文件夹
SOFTWARE\\rising\\Rav
SOFTWARE\\Kingsoft\\AntiVirus
SOFTWARE\\JiangMin
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
SOFTWARE\\KasperskyLab\\SetupFolders
SOFTWARE\Network Associates\TVD\Shared Components\Framework
SOFTWARE\Eset\Nod\CurrentVersion\Info
SOFTWARE\\Symantec\\SharedUsage
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

并在ws2_32.dll文件夹下生成歧义文件夹1..\导致windows下无法删除该文件夹

控制explorer连接网络202.59.153.91:80下载木马
http://xxx.us/oK/svchost.exe
http://xxx.us/Sign/csrss.exe
http://xxx.us/Sign/svchost32.exe
http://xxx.us/Sign/smss.exe
http://xxx.us/Sign/services.exe
http://xxx.us/Sign/svchost.exe
http://xxx.us/Sign/conime.exe
http://xxx.us/Sign/ctfmon.exe
http://xxx.us/Sign/mmc.exe
http://xxx.us/Sign/IEXPLORE.EXE
http://xxx.us/Sign/stpgldk.exe
http://xxx.us/Sign/srogm.exe
http://xxx.us/Sign/spglsdr.exe
http://xxx.us/Sign/copypfh.exe
http://xxx.us/Sign/okfile.exe
到临时文件夹

运行后分别在临时文件夹下创建文件

fyso.exe
jtso.exe
mhso.exe
qjso.exe
qqso.exe
wgso.exe
wlso.exe
wmso.exe
woso.exe
ztso.exe
daso.exe
tlso.exe
rxso.exe
svchost.exe
IEXPLORE.EXE
svchost32.exe
srogm.exe
csrss.exe
conime.exe
mmc.exe
spglsdr.exe
services.exe
copypfh.exe
smss.exe
fyso0.dll
jtso0.dll
mhso0.dll
qjso0.dll
qqso0.dll
wgso0.dll
wlso0.dll
wmso0.dll
woso0.dll
ztso0.dll
tlso0.dll
daso0.dll
rxso0.dll

添加注册表启动项目

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\用户名\LOCALS~1\Temp\daso.exe"
...
各个木马创建HKCU\Software\SetVer\ver键

解决办法：
1.打开sreng
启动项目注册表删除如下项目
<wosa><C:\DOCUME~1\用户名\LOCALS~1\Temp\woso.exe> [N/A]
<ztsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\ztso.exe> []
<mhsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\mhso.exe> []
<fysa><C:\DOCUME~1\用户名\LOCALS~1\Temp\fyso.exe> []
<jtsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\jtso.exe> []
<wlsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wlso.exe> []
<wgsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wgso.exe> []
<wmsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wmso.exe> []
<qjsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\qjso.exe> []
<rxsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\rxso.exe> []
<wdsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\wdso.exe> []
<tlsa><C:\DOCUME~1\用户名\LOCALS~1\Temp\tlso.exe> []
<dasa><C:\DOCUME~1\用户名\LOCALS~1\Temp\daso.exe> []
<{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}><C:\Program Files\Internet Explorer\HiJack.dll>

[Microsoft Corporation]
<{0EA12C16-CDEF-6AC1-236E-CD3FE82F5213}><C:\Program Files\Internet Explorer\msvcrt.dll>

[Microsoft Corporation]
系统修复浏览器加载项选中
[]
{D7515C61-A66C-4319-A0E0-D416CB8059E3} <C:\Program Files\Common Files\Relive.dll, Microsoft

Corporation>
并单击右下角的删除所选内容在弹出的对话框中选择是
2.重启计算机
双击我的电脑，工具，文件夹选项，查看，单击选取"显示隐藏文件或文件夹" 并清除"隐藏受保护的操作系统文件（

推荐）"前面的钩。在提示确定更改时，单击“是” 然后确定
删除C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\HiJack.bak
C:\Program Files\Internet Explorer\HiJack.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll
清空临时文件夹C:\DOCUME~1\用户名\LOCALS~1\Temp
3.删除瑞星江民卡巴 360文件夹下的ws2_32.dll
方法：
假如你的瑞星在C:\Program files\rising\rav下面
则这样做开始运行输入cmd C:\Program files\rising\rav\ws2_32.dll      回车
rd 1..\       回车
关闭cmd窗口      直接删除ws2_32.dll文件夹即可
其他的文件夹下的ws2_32.dll以此类推

【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】

上一篇文章：亲历NTFS数据流病毒svchost.exe:exe.exe

下一篇文章：感染型下载者Worm.Agent.xo的分析