Analysis of ghost.pif / romdrivers.dll [USB-drive trojan]
Author: anonymous    Source: unknown    Hits:    Updated: 2008-2-4

Characteristics:
1. Spreads via USB drives
2. Trojan downloader

File: Ghost.pif
Size: 19527 bytes
MD5: 32C89902E912757B30C648C2AFAB2E3A
SHA1: 6318FCE89503D4DE19337E2E1D6EDA6C15EA3268
CRC32: 49BA1E56

After execution it creates the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

Registry operations

Deletes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972} (the default URL Exec Hook provided by shell32.dll)

HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"

Adds:

HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0CB68AD9-FF66-3E63-636B-B693E62F6236}: ""

The effect is that romdrivers.dll is loaded at every logon: ShellExecuteHooks entries are in-process COM servers that explorer.exe (and any other process that calls ShellExecuteEx) instantiates, so registering the CLSID with InProcServer32 pointing at romdrivers.dll gets the DLL into Explorer without needing a Run entry.

Deletes C:\WINDOWS\system32\drivers\etc\hosts

Attempts to enumerate all drives, then creates autorun.inf and ghost.pif in the root directory of each.
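Propagation depends on Explorer honouring the autorun.inf written to each drive root. The block below is an added example, not code from this post, showing how a responder can parse an autorun.inf found on a suspect drive and list what it would launch before deleting it. The sample autorun.inf inside it is constructed for illustration; the post does not reproduce the contents of the file ghost.pif writes, only that it places autorun.inf and ghost.pif at every root.

```python
import re
from pathlib import PureWindowsPath

# Extensions that Explorer/ShellExecute will run when named in an autorun entry.
EXEC_EXT = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# [autorun] keys that directly name a program to run.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample for this example; it is NOT the file written by ghost.pif,
# whose contents the post does not show. It uses tricks commonly seen in
# worm-written autorun.inf files: mixed case, whitespace around '=', and
# shell\<verb>\command entries that hijack the drive's right-click menu.
SAMPLE_AUTORUN = r"""
; constructed sample
[AutoRun]
OPEN = ghost.pif
shell\open\Command=ghost.pif
shell\explore\command = ghost.pif
shellexecute=ghost.pif
icon=%SystemRoot%\system32\SHELL32.dll,4
UseAutoPlay=1
"""


def parse_autorun(text):
    """Return the (key, value) pairs of the [autorun] section, keys lower-cased.

    Other sections (e.g. [autorun.alpha]) are ignored; comment lines and a
    leading UTF-8 BOM are skipped.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        section = re.match(r"^\[(.+?)\]$", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def command_target(value):
    """First token of a command line, with surrounding quotes removed."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""


def launch_findings(entries):
    """(key, target) for every entry that would execute a program.

    Covers open=, shellexecute= and the shell\\<verb>\\command= menu hijacks.
    """
    findings = []
    for key, value in entries:
        is_menu_hijack = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_menu_hijack:
            target = command_target(value)
            if PureWindowsPath(target).suffix.lower() in EXEC_EXT:
                findings.append((key, target))
    return findings


if __name__ == "__main__":
    for key, target in launch_findings(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{key} -> {target}")
```

The shell\open\command and shell\explore\command entries matter in practice: they make the drive's Open and Explore context-menu items run the dropper too, which is why the removal steps below insist on right-clicking rather than double-clicking a drive, and why the file should be read from a machine where autorun is disabled.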

Connects to the network and downloads further trojans from the following URLs (the first path is percent-encoded and decodes to /oKK/7y7Ver.txt; compare the 7y7 value written under SetVer\ver below):

http://xxa.Us/%6F%4B%4B/%37%79%37%56%65%72.txt
http://xxa.us/oKK/TestOKK.exe
http://xxa.us/oKK/smss.exe
http://xxa.us/Sign/csrss.exe
http://xxa.us/Sign/svchost32.exe
http://xxa.us/Sign/smss.exe
http://xxa.us/Sign/services.exe
http://xxa.us/Sign/svchost.exe
http://xxa.us/Sign/conime.exe
http://xxa.us/Sign/ctfmon.exe
http://xxa.us/Sign/mmc.exe
http://xxa.us/Sign/IEXPLORE.EXE
http://xxa.us/Sign/stpgldk.exe
http://xxa.us/Sign/srogm.exe
http://xxa.us/Sign/spglsdr.exe
http://xxa.us/Sign/copypfh.exe

When run, these in turn create the following files in the Temp folder:

fyso.exe  
jtso.exe  
mhso.exe   
qjso.exe
qqso.exe   
wgso.exe  
wlso.exe  
wmso.exe
woso.exe  
ztso.exe   
daso.exe   
tlso.exe
rxso.exe  
svchost.exe  
IEXPLORE.EXE
svchost32.exe   
srogm.exe  
csrss.exe
conime.exe  
mmc.exe  
spglsdr.exe  
services.exe  
copypfh.exe  
smss.exe  
fyso0.dll
jtso0.dll   
mhso0.dll  
qjso0.dll  
qqso0.dll
wgso0.dll  
wlso0.dll  
wmso0.dll
woso0.dll  
ztso0.dll   
tlso0.dll
daso0.dll  
rxso0.dll

Adds registry startup entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "C:\DOCUME~1\username\LOCALS~1\Temp\woso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa: "C:\DOCUME~1\username\LOCALS~1\Temp\fyso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa: "C:\DOCUME~1\username\LOCALS~1\Temp\wlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa: "C:\DOCUME~1\username\LOCALS~1\Temp\wgso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa: "C:\DOCUME~1\username\LOCALS~1\Temp\qjso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdsa: "C:\DOCUME~1\username\LOCALS~1\Temp\wdso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlsa: "C:\DOCUME~1\username\LOCALS~1\Temp\tlso.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasa: "C:\DOCUME~1\username\LOCALS~1\Temp\daso.exe"

Each trojan creates the key HKCU\Software\SetVer\ver and adds values such as:

HKU\Software\SetVer\ver\7y7: "v1.92"
HKU\Software\SetVer\ver\Me: "1.291"
HKU\Software\SetVer\ver\1: "2.95"
HKU\Software\SetVer\ver\2: "2.95"
HKU\Software\SetVer\ver\3: "2.99"
HKU\Software\SetVer\ver\4: "2.92"
HKU\Software\SetVer\ver\5: "2.92"
HKU\Software\SetVer\ver\6: "2.95"
HKU\Software\SetVer\ver\7: "2.95"
HKU\Software\SetVer\ver\8: "2.92"
HKU\Software\SetVer\ver\9: "2.98"
HKU\Software\SetVer\ver\10: "1.97"
HKU\Software\SetVer\ver\11: "1.99"
HKU\Software\SetVer\ver\12: "1.89"
HKU\Software\SetVer\ver\13: "1.9"

Each value records the version of one of the 13 downloaded trojans; the trojans are updated almost daily.

SREng log (the company name in brackets is read from each file's own version resource, which the trojan sets to "Microsoft Corporation"; it is not a signature check):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]   

<{0CB68AD9-FF66-3E63-636B-B693E62F6236}><C:\Program Files\Internet Explorer\romdrivers.dll>    [Microsoft Corporation]

    <wosa><C:\DOCUME~1\username\LOCALS~1\Temp\woso.exe>    []
      <ztsa><C:\DOCUME~1\username\LOCALS~1\Temp\ztso.exe>    []
      <mhsa><C:\DOCUME~1\username\LOCALS~1\Temp\mhso.exe>    []
      <fysa><C:\DOCUME~1\username\LOCALS~1\Temp\fyso.exe>    []
      <jtsa><C:\DOCUME~1\username\LOCALS~1\Temp\jtso.exe>    []
      <wlsa><C:\DOCUME~1\username\LOCALS~1\Temp\wlso.exe>    []
      <wgsa><C:\DOCUME~1\username\LOCALS~1\Temp\wgso.exe>    []
      <rxsa><C:\DOCUME~1\username\LOCALS~1\Temp\rxso.exe>    []
      <wdsa><C:\DOCUME~1\username\LOCALS~1\Temp\wdso.exe>    []
      <tlsa><C:\DOCUME~1\username\LOCALS~1\Temp\tlso.exe>    []
      <dasa><C:\DOCUME~1\username\LOCALS~1\Temp\daso.exe>    []
      <wmsa><C:\DOCUME~1\username\LOCALS~1\Temp\wmso.exe>    []
      <qjsa><C:\DOCUME~1\username\LOCALS~1\Temp\qjso.exe>    []

Loaded into processes:

      [C:\DOCUME~1\username\LOCALS~1\Temp\qjso1.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\wmso1.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\daso1.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\wdso0.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\rxso0.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\jtso0.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\wgso0.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\fyso0.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\wlso0.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\mhso1.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\ztso1.dll]    [N/A, ]
      [C:\DOCUME~1\username\LOCALS~1\Temp\woso0.dll]    [N/A, ]
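Triage from the log rather than by eye: the block below is an added example, not part of this post or of SREng, that parses listing lines in the `<name><path>    [company]` and `[path]    [info]` shapes shown above and applies the checks this infection calls for: a ShellExecuteHooks DLL outside the Windows directory (the default hook on XP is shell32.dll's {AEB6717E-...}, which the trojan deletes before adding its own), Run values that point into Temp, and Temp-resident DLLs loaded into a process. It then turns the findings into the registry and file deletions the Removal section lists. The sample log is constructed from the entries quoted in this post; the `[...\Run]` header is assumed (the excerpt above omits it), as is the default system root of C:\WINDOWS.

```python
import os
import re

# Line shapes from SREng's startup-item and loaded-module listings, as quoted above.
SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>\s*\[([^\]]*)\]$")
MODULE_RE = re.compile(r"^\[([A-Za-z]:\\[^\]]*)\]\s*\[([^\]]*)\]$")

# Assumption: the system root is C:\WINDOWS when %SystemRoot% is not set
# (i.e. when this runs on an analysis box rather than the infected one).
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\WINDOWS").lower().rstrip("\\") + "\\"

# Constructed sample built from the entries quoted in this post. The
# [...\Run] header is assumed; the excerpt omits it. "user" stands for the
# logged-on user's profile name.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><C:\WINDOWS\system32\shell32.dll>    [Microsoft Corporation]
<{0CB68AD9-FF66-3E63-636B-B693E62F6236}><C:\Program Files\Internet Explorer\romdrivers.dll>    [Microsoft Corporation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>    [Microsoft Corporation]
<wosa><C:\DOCUME~1\user\LOCALS~1\Temp\woso.exe>    []
<fysa><C:\DOCUME~1\user\LOCALS~1\Temp\fyso.exe>    []

[C:\WINDOWS\system32\shell32.dll]    [Microsoft Corporation, 6.00.2900.3241]
[C:\DOCUME~1\user\LOCALS~1\Temp\qjso1.dll]    [N/A, ]
[C:\Program Files\Internet Explorer\romdrivers.dll]    [Microsoft Corporation, ]
"""


def in_windows_dir(path):
    return path.lower().startswith(SYSTEM_ROOT)


def in_temp(path):
    return "\\temp\\" in path.lower()


def triage(log_text):
    """Return (rule, name, path) findings for the suspicious lines in log_text."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, path, _company = m.groups()
            if section.endswith("\\shellexecutehooks") and not in_windows_dir(path):
                findings.append(("shellexecutehook_outside_windows", name, path))
            elif section.endswith("\\run") and in_temp(path):
                findings.append(("run_from_temp", name, path))
            continue
        m = MODULE_RE.match(line)
        if m:
            path, info = m.groups()
            if in_temp(path):
                findings.append(("module_from_temp", "", path))
            elif info.startswith("Microsoft Corporation") and not in_windows_dir(path):
                # The company string comes from the file's own version resource
                # and is attacker-controlled; outside the Windows tree it is a
                # red flag, not a sign of legitimacy.
                findings.append(("ms_company_outside_windows", "", path))
    return findings


def removal_plan(findings):
    """Registry keys/values and files to delete, matching the Removal section."""
    hooks = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
    run = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    clsid = r"HKLM\SOFTWARE\Classes\CLSID"
    registry, files = [], []
    for rule, name, path in findings:
        if rule == "shellexecutehook_outside_windows":
            # Remove both the hook registration and the CLSID it resolves through.
            registry += [f"{hooks}\\{name}", f"{clsid}\\{name}"]
        elif rule == "run_from_temp":
            registry.append(f"{run}\\{name}")
        if path not in files:
            files.append(path)
    return {"registry": registry, "files": files}


if __name__ == "__main__":
    plan = removal_plan(triage(SAMPLE_LOG))
    print("\n".join(plan["registry"] + plan["files"]))
```

The ShellExecuteHooks check is deliberately path-based rather than CLSID-based: the GUID the trojan registers can change between builds, but a hook whose InProcServer32 lives under Program Files or Temp has no legitimate reason to exist on an XP box.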

Removal:

Boot into Safe Mode (keep pressing F8 after power-on; when the advanced options menu appears, choose the first item, Safe Mode).

Double-click My Computer, then Tools, Folder Options, View; select "Show hidden files and folders" and clear the tick in front of "Hide protected operating system files (Recommended)". Click Yes when asked to confirm the change, then OK.

Right-click the C: drive and choose Open from the context menu (do not double-click the drive: that runs the autorun.inf the trojan placed in its root).

Delete the following files:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

Empty C:\DOCUME~1\username\LOCALS~1\Temp completely.

Open SREng.

Under Startup Items, Registry, delete the following entries:

<{0CB68AD9-FF66-3E63-636B-B693E62F6236}><C:\Program Files\Internet Explorer\romdrivers.dll>    [Microsoft Corporation]

    <wosa><C:\DOCUME~1\username\LOCALS~1\Temp\woso.exe>    []
      <ztsa><C:\DOCUME~1\username\LOCALS~1\Temp\ztso.exe>    []
      <mhsa><C:\DOCUME~1\username\LOCALS~1\Temp\mhso.exe>    []
      <fysa><C:\DOCUME~1\username\LOCALS~1\Temp\fyso.exe>    []
      <jtsa><C:\DOCUME~1\username\LOCALS~1\Temp\jtso.exe>    []
      <wlsa><C:\DOCUME~1\username\LOCALS~1\Temp\wlso.exe>    []
      <wgsa><C:\DOCUME~1\username\LOCALS~1\Temp\wgso.exe>    []
      <rxsa><C:\DOCUME~1\username\LOCALS~1\Temp\rxso.exe>    []
      <wdsa><C:\DOCUME~1\username\LOCALS~1\Temp\wdso.exe>    []
      <tlsa><C:\DOCUME~1\username\LOCALS~1\Temp\tlso.exe>    []
      <dasa><C:\DOCUME~1\username\LOCALS~1\Temp\daso.exe>    []
      <wmsa><C:\DOCUME~1\username\LOCALS~1\Temp\wmso.exe>    []
      <qjsa><C:\DOCUME~1\username\LOCALS~1\Temp\qjso.exe>    []

Right-click each of the other partitions in turn and choose Open from the context menu (again, do not double-click), then delete autorun.inf and ghost.pif from the root of each.


Copyright © 2008 FanMuMa.com All Rights Reserved