flyleaf posted on 2010-4-30 14:23

Worm/Win32.Ridnu.e[Email] analysis

1. Virus label:
Virus name: Worm/Win32.Ridnu.e
Virus type: Trojan
File MD5: 7D4195A0E36285264A0539BDC2390643
Disclosure scope: fully public
Threat level: 4
File length: 375,101 bytes
Affected systems: Windows 98 and later
Packer: tElock 0.98b1

2. Virus description:
The icon of this malicious file is disguised as an image file to lure the user into clicking it. When the user opens the file, it creates an Autorun.inf virus file in the root directory of every drive; that file is used to monitor windows whose titles contain words such as "Windows" and close them when found, and when a window titled NOTEPAD is found its title is set to "Message For My Princess" and text is typed into it. The virus copies itself into several system directories and appends junk data to the tail of its own file to hinder detection and removal by security software. Under the current user's Local Settings directory it drops a copy under a random name and creates a process that monitors the currently opened drive directory; when an EXE file is found its attributes are set to hidden and the virus names itself as a file with the .scr extension. It modifies file associations in the registry, adds registry autostart entries and image hijacking (Image File Execution Options) entries, and spreads itself by e-mail through Microsoft's bundled Outlook Express.

3. Behaviour analysis:
Local behaviour:
1. Copies itself to the following paths
%System32%\msvbvm60.dll
%System32%\wa.exe
%System32%\Mr_CoolFace.scr
%Windir%\Negeri Serumpun Sebalai .pif .bat .com .scr .exe
%Documents and Settings%\All Users\Documents\Smansa_Pkp.scr
%Documents and Settings%\All Users\Documents\Nitip dulu jangan dihapus.scr
%Documents and Settings%\<current user>\Local Settings\Temp\inf4D2.tmp
%Documents and Settings%\<current user>\Local Settings\Application Data\Polymorph1.exe
%Documents and Settings%\<current user>\Local Settings\Application Data\Polymorph2.exe
%Documents and Settings%\<current user>\Local Settings\DNALSI_AKGNAB.exe
%Documents and Settings%\<current user>\Local Settings\DNALSI_AKGNAB.exe.mutant
%Documents and Settings%\<current user>\Local Settings\Mr_CF_Mutation.Excalibur
%Documents and Settings%\<current user>\Local Settings\xx.exe
%Documents and Settings%\<current user>\Application Data\Autorun.inf
%Documents and Settings%\<current user>\Application Data\Mr_CF\Folder.htt
%Documents and Settings%\<current user>\Application Data\Mr_CF\Desktop.ini
%Documents and Settings%\<current user>\Application Data\explorer.exe
%Documents and Settings%\<current user>\Application Data\Mr_CoolFace.exe
%Documents and Settings%\<current user>\Application Data\SMA Negeri 1 Pangkalpinang.exe
%Documents and Settings%\<current user>\Application Data\Mutant.exe
%Documents and Settings%\<current user>\Application Data\Sahang.exe
%Documents and Settings%\<current user>\Application Data\Timah.exe
%Program Files%\Common Files\_cmd.exe
%Program Files%\Common Files\freecel.exe
%Program Files%\Common Files\msheart.exe
%Program Files%\Common Files\N0TEPAD.exe
%Program Files%\Common Files\w1nm1ne.exe
%Program Files%\Common Files\kalkulator.exe
%Program Files%\Common Files\tskmgr.exe
%Program Files%\Common Files\reged1t.exe
%Program Files%\Common Files\kartu.exe
%Program Files%\Common Files\Laba_Laba.exe
%Program Files%\Common Files\msconf1g.exe
%HomeDrive%\Mr_CoolFace.scr
%HomeDrive%\Autorun.inf
%HomeDrive%\Mr_CF.pif
%HomeDrive%\Folder.htt
%HomeDrive%\Desktop.ini
%HomeDrive%\explorer.exe
%HomeDrive%\Mutant.htm

2. Searches for files with the following extensions; each file found is set to hidden, and a copy of the virus is written as a .scr file bearing that file's name
.SWF, .swf, .GIF, .gif, .BMP, .bmp, .BAT, .bat, .INF, .inf, .htm, .Avi, .AVI, .avi, .3Gp, .3GP, .3gp, .Mpg, .MPG, .mpg, .MIDI, .Midi, .midi, .Wmv, .WMV, .wmv, .Wma, .WMA, .wma, .Mp4, .MP4, .mp4, .Mp3, .MP3, .mp3, .Mid, .MID, .mid, .Mov, .MOV, .mov, .Jpeg, .JPEG, .jpeg, .Jpg, .JPG, .jpg

3. Modifies registry entries
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
New: String: "MR_COO~1.SCR"
Old: String: "C:\WINDOWS\System32\logon.scr"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
New: String: "C:\Mutant.htm"
Old: String: "http://www.baidu.com/"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\@
New: String: "JPEG Image"
Old: String: "应用程序" (Application)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\@
New: String: "JPEG Image"
Old: String: "屏幕保护程序" (Screen Saver)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\@
New: String: "Princess Document"
Old: String: "文本文档" (Text Document)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
New: String: "C:\Mutant.htm"
Old: String: "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
New: String: "explorer.exe "C:\explorer.exe""
Old: String: "Explorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
New: String: "C:\WINDOWS\system32\userinit.exe, C:\explorer.exe"
Old: String: "C:\WINDOWS\system32\userinit.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell
New: String: "C:\explorer.exe"
Old: String: "cmd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
New: String: "C:\explorer.exe"
Old: String: "cmd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
New: String: "C:\explorer.exe"
Old: String: "cmd.exe"
4. Adds registry entries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lyomktdi.exe
Value: String: "C:\Documents and Settings\a\Local Settings\lyomktdi.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe\Debugger
Value: String: "C:\Explorer.exe"
The same Debugger value is also set for: ANSAV32.exe, calc.exe, ccapp.exe, CClaw.exe, cmd.exe, freecell.exe, mplayer2.exe, msconfig.exe, mshearts.exe, Nip.exe, Nipsvc.exe, Niu.exe, Njeeves.exe, notepad.exe, Nvccf.exe, Nvcoas.exe, Nvcod.exe, Nvcsched.exe, PCMAV.exe, regedit.exe, sol.exe, spider.exe, taskkill.exe, tasklist.exe, taskmgr.exe, URemovalCRC32.exe, winamp.exe, winmine.exe, wmplayer.exe, Zanda.exe, Zlh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
Value: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alumni_Smoensa_Pangkalpinang
Value: String: "Mr_CoolFace"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My_Old_Class
Value: String: "3IPA2.pif"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qj
Value: String: "un.exe"

5. Monitors the current window: if a window whose title contains WINDOWS or similar words is found it is closed; if a window titled NOTEPAD is found, its title is set to Message For My Princess and text is typed into it. Monitors the currently opened drive directory: if an EXE file is found its attributes are set to hidden, and the virus names itself after that file with the .scr extension.

Note: %System32% is a variable path. The virus queries the operating system to determine the location of the current System folder.
    %Windir%                 the directory WINDOWS is installed in
    %DriveLetter%            the root of a logical drive
    %ProgramFiles%           the default program installation directory
    %HomeDrive%              the partition the currently booted system resides on
    %Documents and Settings% the root of the current user's profile directory
    %Temp%                   \Documents and Settings\<current user>\Local Settings\Temp
    %System32%               the system's System32 folder

    On Windows 2000/NT the default path is C:\Winnt\System32
    On Windows 95/98/ME the default path is %WINDOWS%\System
    On Windows XP the default path is %system32%


4. Removal plan:
1. Use 安天防线 (Antiy's antivirus product) to remove this virus completely (recommended).
Download it from the Antiy website: http://www.antiy.com
2. For manual removal, delete the corresponding files and restore the related system settings according to the behaviour analysis.
(1) Use the ATOOL management tool's "Process Management" to find the virus process and terminate it forcibly
(2) Forcibly delete the large number of virus files downloaded by the virus
%System32%\msvbvm60.dll
%System32%\wa.exe
%System32%\Mr_CoolFace.scr
%Windir%\Negeri Serumpun Sebalai .pif .bat .com .scr .exe
%Documents and Settings%\All Users\Documents\Smansa_Pkp.scr
%Documents and Settings%\All Users\Documents\Nitip dulu jangan dihapus.scr
%Documents and Settings%\<current user>\Local Settings\Temp\inf4D2.tmp
%Documents and Settings%\<current user>\Local Settings\Application Data\Polymorph1.exe
%Documents and Settings%\<current user>\Local Settings\Application Data\Polymorph2.exe
%Documents and Settings%\<current user>\Local Settings\DNALSI_AKGNAB.exe
%Documents and Settings%\<current user>\Local Settings\DNALSI_AKGNAB.exe.mutant
%Documents and Settings%\<current user>\Local Settings\Mr_CF_Mutation.Excalibur
%Documents and Settings%\<current user>\Local Settings\xx.exe
%Documents and Settings%\<current user>\Application Data\Autorun.inf
%Documents and Settings%\<current user>\Application Data\Mr_CF\Folder.htt
%Documents and Settings%\<current user>\Application Data\Mr_CF\Desktop.ini
%Documents and Settings%\<current user>\Application Data\explorer.exe
%Documents and Settings%\<current user>\Application Data\Mr_CoolFace.exe
%Documents and Settings%\<current user>\Application Data\SMA Negeri 1 Pangkalpinang.exe
%Documents and Settings%\<current user>\Application Data\Mutant.exe
%Documents and Settings%\<current user>\Application Data\Sahang.exe
%Documents and Settings%\<current user>\Application Data\Timah.exe
%Program Files%\Common Files\_cmd.exe
%Program Files%\Common Files\freecel.exe
%Program Files%\Common Files\msheart.exe
%Program Files%\Common Files\N0TEPAD.exe
%Program Files%\Common Files\w1nm1ne.exe
%Program Files%\Common Files\kalkulator.exe
%Program Files%\Common Files\tskmgr.exe
%Program Files%\Common Files\reged1t.exe
%Program Files%\Common Files\kartu.exe
%Program Files%\Common Files\Laba_Laba.exe
%Program Files%\Common Files\msconf1g.exe
%HomeDrive%\Mr_CoolFace.scr
%HomeDrive%\Autorun.inf
%HomeDrive%\Mr_CF.pif
%HomeDrive%\Folder.htt
%HomeDrive%\Desktop.ini
%HomeDrive%\explorer.exe
%HomeDrive%\Mutant.htm
(3) Restore the modified registry entries
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
New: String: "MR_COO~1.SCR"
Old: String: "C:\WINDOWS\System32\logon.scr"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
New: String: "C:\Mutant.htm"
Old: String: "http://www.baidu.com/"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
New: DWORD: 2 (0x2)
Old: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\@
New: String: "JPEG Image"
Old: String: "应用程序" (Application)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\@
New: String: "JPEG Image"
Old: String: "屏幕保护程序" (Screen Saver)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\@
New: String: "Princess Document"
Old: String: "文本文档" (Text Document)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
New: String: "C:\Mutant.htm"
Old: String: "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
New: String: "explorer.exe "C:\explorer.exe""
Old: String: "Explorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
New: String: "C:\WINDOWS\system32\userinit.exe, C:\explorer.exe"
Old: String: "C:\WINDOWS\system32\userinit.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell
New: String: "C:\explorer.exe"
Old: String: "cmd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
New: String: "C:\explorer.exe"
Old: String: "cmd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
New: String: "C:\explorer.exe"
Old: String: "cmd.exe"
(4) Delete the registry entries added by the virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lyomktdi.exe
Value: String: "C:\Documents and Settings\a\Local Settings\lyomktdi.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe\Debugger
Value: String: "C:\Explorer.exe"
The same Debugger value is also set for: ANSAV32.exe, calc.exe, ccapp.exe, CClaw.exe, cmd.exe, freecell.exe, mplayer2.exe, msconfig.exe, mshearts.exe, Nip.exe, Nipsvc.exe, Niu.exe, Njeeves.exe, notepad.exe, Nvccf.exe, Nvcoas.exe, Nvcod.exe, Nvcsched.exe, PCMAV.exe, regedit.exe, sol.exe, spider.exe, taskkill.exe, tasklist.exe, taskmgr.exe, URemovalCRC32.exe, winamp.exe, winmine.exe, wmplayer.exe, Zanda.exe, Zlh.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alumni_Smoensa_Pangkalpinang
Value: String: "Mr_CoolFace"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My_Old_Class
Value: String: "3IPA2.pif"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qj
Value: String: "un.exe"
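The registry changes listed in sections 3 and 4 of the post above (Winlogon Shell/Userinit additions, the SafeBoot AlternateShell replaced so the worm also starts in safe mode, Image File Execution Options Debugger values that redirect AV and system tools to C:\Explorer.exe, executable classes renamed "JPEG Image", hidden extensions, System Restore disabled) are exactly what a triage script checks for on an exported hive. The following Python is an added example and not the post's or Antiy's code: it parses a regedit-style .reg export and reports those conditions. The export it runs on is constructed for the example and restates values from the post; the key constants, the severities and the "image/picture/document" masquerade heuristic are the example's own choices.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str, str]  # (severity, key, value name, detail)

# Constructed export (not captured from the sample); it restates values from the
# analysis above in REGEDIT5 syntax so the checks below have something to run on.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\explorer.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\explorer.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe]
"Debugger"="C:\\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="JPEG Image"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
CLASSES = r"hkey_local_machine\software\classes"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
SYSRESTORE = r"hkey_local_machine\software\policies\microsoft\windows nt\systemrestore"
SAFEBOOT = re.compile(r"^hkey_local_machine\\system\\(currentcontrolset|controlset\d+)\\control\\safeboot$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its \\ and \" escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the REGEDIT5 subset regedit exports use: [key] headers, string values
    ("name"="..." or @="...") and dword values. Keys and value names are
    lower-cased because the registry compares them case-insensitively."""
    tree: Dict[str, Dict[str, object]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line) if key is not None else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unquote(m.group(1)).lower()
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            tree[key][name] = _unquote(data)
        elif data.lower().startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
    return tree


def triage(tree: Dict[str, Dict[str, object]]) -> List[Finding]:
    """The checks an analyst runs against the keys this sample tampers with."""
    out: List[Finding] = []

    def val(key: str, name: str):
        return tree.get(key, {}).get(name)

    shell = val(WINLOGON, "shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        out.append(("high", WINLOGON, "shell", f"extra shell program: {shell}"))
    userinit = val(WINLOGON, "userinit")
    if isinstance(userinit, str):
        extra = [p.strip() for p in userinit.split(",")
                 if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extra:
            out.append(("high", WINLOGON, "userinit", "extra logon program(s): " + "; ".join(extra)))
    for key, values in tree.items():
        alt = values.get("alternateshell")
        if SAFEBOOT.match(key) and isinstance(alt, str) and alt.lower() != "cmd.exe":
            out.append(("high", key, "alternateshell", f"safe-mode shell replaced by {alt}"))
        if key.startswith(IFEO + "\\") and "debugger" in values:
            out.append(("high", key, "debugger", f"{key[len(IFEO) + 1:]} redirected to {values['debugger']}"))
    # Friendly type names are localised, so test for the masquerade, not for a default.
    for cls in ("exefile", "scrfile"):
        friendly = val(CLASSES + "\\" + cls, "@")
        if isinstance(friendly, str) and re.search(r"image|picture|document", friendly, re.I):
            out.append(("high", CLASSES + "\\" + cls, "@", f"executable type displayed as '{friendly}'"))
    # User-settable on its own; combined with the class rename, x.jpg.scr shows as x.jpg.
    if val(ADVANCED, "hidefileext") == 1:
        out.append(("low", ADVANCED, "hidefileext", "known extensions are hidden"))
    for name in ("disablesr", "disableconfig"):
        if val(SYSRESTORE, name) == 1:
            out.append(("medium", SYSRESTORE, name, "System Restore disabled by policy"))
    return out


if __name__ == "__main__":
    for sev, key, name, detail in triage(parse_reg_export(SAMPLE_REG)):
        print(f"[{sev}] {key}\\{name}: {detail}")
```

To run it against a real host, export the hives with `reg export` (or load an offline SOFTWARE/SYSTEM hive in regedit and export) and pass the file's text to `parse_reg_export`; the Shell and Userinit checks are deliberately strict because on a clean XP install those values contain nothing but the Windows binaries.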

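On disk the family is recognisable from the pattern in section 2 of the post (a media file set hidden and a copy of the worm dropped beside it as a .scr bearing the media file's name) and from the Autorun.inf created in each drive root. The following Python is an added example and not the post's or Antiy's code: it walks a volume, reports the launch directives of any autorun.inf it meets, flags .scr files named after a media file, and compares each hit's MD5 with the hash in the virus label. The directory it builds for the demonstration and the autorun.inf contents in it are constructed for the example; the post does not give the Autorun.inf text.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# MD5 from the analysis above. The worm appends junk to its own tail, so only a
# match confirms a file; a mismatch clears nothing.
KNOWN_MD5 = "7d4195a0e36285264a0539bdc2390643"
# Extensions the worm searches for (section 2 above), case-folded once.
MEDIA_EXT = {".swf", ".gif", ".bmp", ".bat", ".inf", ".htm", ".avi", ".3gp", ".mpg",
             ".midi", ".wmv", ".wma", ".mp4", ".mp3", ".mid", ".mov", ".jpeg", ".jpg"}
Finding = Tuple[str, str, str]  # (kind, path, detail)


def is_hidden(path: str) -> bool:
    """The hidden attribute only exists on Windows; elsewhere report False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_autorun(path: str) -> Dict[str, str]:
    """Return the launch directives of an autorun.inf: open=, shellexecute= and
    shell\\<verb>\\command= under [autorun]. Keys are lower-cased."""
    out: Dict[str, str] = {}
    section = ""
    with open(path, "r", errors="replace") as f:
        for line in f:
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            elif section == "autorun" and "=" in line:
                k, v = line.split("=", 1)
                k = k.strip().lower()
                if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                    out[k] = v.strip()
    return out


def scan_tree(root: str) -> List[Finding]:
    """Walk a mounted volume (or a triage copy of one) and flag the two on-disk
    artefacts this family leaves: launch directives in autorun.inf, and .scr files
    named after a media file, e.g. holiday.jpg.scr beside a hidden holiday.jpg."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {n.lower(): n for n in files}
        for n in files:
            nl, full = n.lower(), os.path.join(dirpath, n)
            if nl == "autorun.inf":
                for k, v in parse_autorun(full).items():
                    findings.append(("autorun", full, f"{k}={v}"))
            elif nl.endswith(".scr") and os.path.splitext(nl[:-4])[1] in MEDIA_EXT:
                stem = nl[:-4]  # "holiday.jpg.scr" -> "holiday.jpg"
                detail = "double extension"
                if stem in lower:
                    orig = os.path.join(dirpath, lower[stem])
                    detail += ", original present" + (" (hidden)" if is_hidden(orig) else "")
                h = md5_of(full)
                detail += "; md5 match" if h == KNOWN_MD5 else f"; md5 {h}"
                findings.append(("masquerade", full, detail))
    return findings


def build_sample_tree() -> str:
    """Constructed directory (not taken from an infected host) that reproduces the
    pattern; the autorun.inf text is an assumption, the post does not list it."""
    root = tempfile.mkdtemp()
    photos = os.path.join(root, "E", "photos")
    os.makedirs(photos)
    with open(os.path.join(photos, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 jpeg bytes")
    with open(os.path.join(photos, "holiday.jpg.scr"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # stand-in for the dropped PE
    with open(os.path.join(root, "E", "Autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=Mr_CF.pif\nshell\\open\\command=Mr_CF.pif\n")
    with open(os.path.join(root, "E", "notes.txt"), "w") as f:
        f.write("benign\n")
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_tree(build_sample_tree()):
        print(f"{kind:10} {path}: {detail}")
```

Run it on Windows against each drive root (`scan_tree("E:\\")`); the hidden-attribute annotation only appears there, since other platforms have no such attribute. Because the worm pads its copies, treat every "masquerade" hit as a sample to submit rather than relying on the MD5 to clear it.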
flyleaf posted on 2010-4-30 14:24

Dedicated removal tool download link: http://www.antiy.com/download/AVLPK_Ridnu.e.rar