Trojan/Win32.Agent.ven [Dropper] Analysis
This post was last edited by flyleaf on 2009-6-18 11:07
I. Virus label:
Virus name: Trojan/Win32.Agent.ven
Virus type: Trojan
File MD5: 3E2857BCAC69BF6366443FB1B890D161
Disclosure scope: fully public
Threat level: 3
File length: 155,648 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0
II. Virus description:
This malware is a Trojan. Its icon imitates a system folder to trick the user into double-clicking it and running the malicious code. Once running, it checks whether it is being debugged and exits the process if so, determines the operating system type and obtains version information, then renames the system's hosts file to hosts.o1d and writes its own hosts file to %System32%\drivers\etc\. The new hosts file redirects a large number of domain names to a single IP address and is given the hidden attribute. The Trojan then invokes taskkill.exe to terminate certain processes, calls an API function to flush the local DNS cache, and frees the module handle obtained for ordinal #220 of shdocvw.dll (base address 76370000), which may cause exceptions in applications that use the library. It attempts to read and modify the Firefox profiles.ini configuration file, creates and modifies registry entries, drops a batch file that deletes its own executable once it has finished, and attempts to connect to the network to send installation statistics.
III. Behavior analysis:
Local behavior:
1. After execution, the file drops the following file:
%System32%\drivers\etc\hosts
2. Checks whether it is being debugged and exits the process if so; determines the operating system type and obtains version information; renames the system's hosts file to hosts.o1d and creates its own hosts file in %System32%\drivers\etc\; redirects a large number of domain names to a single IP address; and sets the hidden attribute on the hosts file it created.
3. Modifies and creates registry entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\
Value: <value not set>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PDM
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Value: DWORD: 1 (0x1)
4. Invokes taskkill.exe with the arguments /f /im iexpl* /im firefox* /im mozi* /im opera* /im safar* to forcibly terminate processes whose names match iexpl*, firefox*, mozi*, opera* or safar*; calls the API function DnsFlushResolverCache to flush the local DNS cache; frees the module handle for ordinal #220 of shdocvw.dll (base address 76370000), which may cause exceptions in applications; and attempts to read and modify the Firefox profiles.ini configuration file.
5. List of hijacked domain names:
206.53.61.77 google.ae
206.53.61.77 google.as
206.53.61.77 google.at
206.53.61.77 google.az
206.53.61.77 google.ba
206.53.61.77 google.be
206.53.61.77 google.bg
206.53.61.77 google.bs
206.53.61.77 google.ca
206.53.61.77 google.cd
206.53.61.77 google.com.gh
206.53.61.77 google.com.gi
206.53.61.77 google.com.hk
206.53.61.77 google.com.jm
206.53.61.77 google.com.ly
206.53.61.77 google.com.mx
206.53.61.77 google.com.my
206.53.61.77 google.com.na
206.53.61.77 google.com.nf
206.53.61.77 google.com.ng
206.53.61.77 google.ch
206.53.61.77 google.com.np
206.53.61.77 google.com.om
206.53.61.77 google.com.pa
206.53.61.77 google.com.pr
206.53.61.77 google.com.qa
206.53.61.77 google.com.sg
206.53.61.77 google.com.tj
206.53.61.77 google.com.tr
206.53.61.77 google.com.tw
206.53.61.77 google.com.ua
206.53.61.77 google.dj
206.53.61.77 google.com.vc
206.53.61.77 google.it.ao
206.53.61.77 google.de
206.53.61.77 google.dk
206.53.61.77 google.dm
206.53.61.77 google.dz
206.53.61.77 google.ee
206.53.61.77 google.fi
206.53.61.77 google.fm
206.53.61.77 google.fr
206.53.61.77 google.ge
206.53.61.77 google.gg
206.53.61.77 google.gm
206.53.61.77 google.gr
206.53.61.77 google.gy
206.53.61.77 google.ht
206.53.61.77 google.ie
206.53.61.77 google.im
206.53.61.77 google.in
206.53.61.77 google.it
206.53.61.77 google.ki
206.53.61.77 google.kz
206.53.61.77 google.la
206.53.61.77 google.li
206.53.61.77 google.lk
206.53.61.77 google.lv
206.53.61.77 google.ma
206.53.61.77 google.md
206.53.61.77 google.ms
206.53.61.77 google.mu
206.53.61.77 google.mv
206.53.61.77 google.mw
206.53.61.77 google.nl
206.53.61.77 google.no
206.53.61.77 google.nr
206.53.61.77 google.nu
206.53.61.77 google.pl
206.53.61.77 google.pn
206.53.61.77 google.pt
206.53.61.77 google.ro
206.53.61.77 google.ru
206.53.61.77 google.rw
206.53.61.77 google.sc
206.53.61.77 google.se
206.53.61.77 google.sh
206.53.61.77 google.si
206.53.61.77 google.sm
206.53.61.77 google.sn
206.53.61.77 google.st
206.53.61.77 google.tl
206.53.61.77 google.tm
206.53.61.77 google.tt
206.53.61.77 google.us
206.53.61.77 google.vg
206.53.61.77 google.vu
206.53.61.77 google.ws
206.53.61.77 google.co.bw
206.53.61.77 google.co.ck
206.53.61.77 google.co.id
206.53.61.77 google.co.il
206.53.61.77 google.co.in
206.53.61.77 google.co.jp
206.53.61.77 google.co.ke
206.53.61.77 google.co.kr
206.53.61.77 google.co.ls
206.53.61.77 google.co.ma
206.53.61.77 google.co.mz
206.53.61.77 google.co.nz
206.53.61.77 google.co.th
206.53.61.77 google.co.tz
206.53.61.77 google.co.ug
206.53.61.77 google.co.uk
206.53.61.77 google.co.za
206.53.61.77 google.co.zm
206.53.61.77 google.co.zw
206.53.61.77 google.com
206.53.61.77 google.com.af
206.53.61.77 google.com.ag
206.53.61.77 google.com.ai
206.53.61.77 google.com.ar
206.53.61.77 google.com.au
206.53.61.77 google.com.bn
206.53.61.77 google.com.br
206.53.61.77 google.com.by
206.53.61.77 google.com.bz
206.53.61.77 google.com.co
206.53.61.77 google.com.cu
206.53.61.77 google.com.ec
206.53.61.77 google.com.et
206.53.61.77 google.com.fj
206.53.61.77 www.google.ae
206.53.61.77 www.google.as
206.53.61.77 www.google.at
206.53.61.77 www.google.az
206.53.61.77 www.google.ba
206.53.61.77 www.google.be
206.53.61.77 www.google.bg
206.53.61.77 www.google.bs
206.53.61.77 www.google.ca
206.53.61.77 www.google.cd
206.53.61.77 www.google.com.gh
206.53.61.77 www.google.com.gi
206.53.61.77 www.google.com.hk
206.53.61.77 www.google.com.jm
206.53.61.77 www.google.com.ly
206.53.61.77 www.google.com.mx
206.53.61.77 www.google.com.my
206.53.61.77 www.google.com.na
206.53.61.77 www.google.com.nf
206.53.61.77 www.google.com.ng
206.53.61.77 www.google.ch
206.53.61.77 www.google.com.np
206.53.61.77 www.google.com.om
206.53.61.77 www.google.com.pa
206.53.61.77 www.google.com.pr
206.53.61.77 www.google.com.qa
206.53.61.77 www.google.com.sg
206.53.61.77 www.google.com.tj
206.53.61.77 www.google.com.tr
206.53.61.77 www.google.com.tw
206.53.61.77 www.google.com.ua
206.53.61.77 www.google.dj
206.53.61.77 www.google.com.vc
206.53.61.77 www.google.it.ao
206.53.61.77 www.google.de
206.53.61.77 www.google.dk
206.53.61.77 www.google.dm
206.53.61.77 www.google.dz
206.53.61.77 www.google.ee
206.53.61.77 www.google.fi
206.53.61.77 www.google.fm
206.53.61.77 www.google.fr
206.53.61.77 www.google.ge
206.53.61.77 www.google.gg
206.53.61.77 www.google.gm
206.53.61.77 www.google.gr
206.53.61.77 www.google.gy
206.53.61.77 www.google.ht
206.53.61.77 www.google.ie
206.53.61.77 www.google.im
206.53.61.77 www.google.in
206.53.61.77 www.google.it
206.53.61.77 www.google.ki
206.53.61.77 www.google.kz
206.53.61.77 www.google.la
206.53.61.77 www.google.li
206.53.61.77 www.google.lk
206.53.61.77 www.google.lv
206.53.61.77 www.google.ma
206.53.61.77 www.google.md
206.53.61.77 www.google.ms
206.53.61.77 www.google.mu
206.53.61.77 www.google.mv
206.53.61.77 www.google.mw
206.53.61.77 www.google.nl
206.53.61.77 www.google.no
206.53.61.77 www.google.nr
206.53.61.77 www.google.nu
206.53.61.77 www.google.pl
206.53.61.77 www.google.pn
206.53.61.77 www.google.pt
206.53.61.77 www.google.ro
206.53.61.77 www.google.ru
206.53.61.77 www.google.rw
206.53.61.77 www.google.sc
206.53.61.77 www.google.se
206.53.61.77 www.google.sh
206.53.61.77 www.google.si
206.53.61.77 www.google.sm
206.53.61.77 www.google.sn
206.53.61.77 www.google.st
206.53.61.77 www.google.tl
206.53.61.77 www.google.tm
206.53.61.77 www.google.tt
206.53.61.77 www.google.us
206.53.61.77 www.google.vg
206.53.61.77 www.google.vu
206.53.61.77 www.google.ws
206.53.61.77 www.google.co.bw
206.53.61.77 www.google.co.ck
206.53.61.77 www.google.co.id
206.53.61.77 www.google.co.il
206.53.61.77 www.google.co.in
206.53.61.77 www.google.co.jp
206.53.61.77 www.google.co.ke
206.53.61.77 www.google.co.kr
206.53.61.77 www.google.co.ls
206.53.61.77 www.google.co.ma
206.53.61.77 www.google.co.mz
206.53.61.77 www.google.co.nz
206.53.61.77 www.google.co.th
206.53.61.77 www.google.co.tz
206.53.61.77 www.google.co.ug
206.53.61.77 www.google.co.uk
206.53.61.77 www.google.co.za
206.53.61.77 www.google.co.zm
206.53.61.77 www.google.co.zw
206.53.61.77 www.google.com
206.53.61.77 www.google.com.af
206.53.61.77 www.google.com.ag
206.53.61.77 www.google.com.ai
206.53.61.77 www.google.com.ar
206.53.61.77 www.google.com.au
206.53.61.77 www.google.com.bn
206.53.61.77 www.google.com.br
206.53.61.77 www.google.com.by
206.53.61.77 www.google.com.bz
206.53.61.77 www.google.com.co
206.53.61.77 www.google.com.cu
206.53.61.77 www.google.com.ec
206.53.61.77 www.google.com.et
206.53.61.77 www.google.com.fj
206.53.61.77 search.yahoo.com
206.53.61.77 www.search.yahoo.com
206.53.61.77 search.live.com
206.53.61.77 search.msn.com
206.53.61.77 googleads.g.doubleclick.net
206.53.61.77 www.googleads.g.doubleclick.net
206.53.61.77 pubads.g.doubleclick.net
206.53.61.77 www.pubads.g.doubleclick.net
206.53.61.77 partner.googleadservices.com
206.53.61.77 www.partner.googleadservices.com
206.53.61.77 www.partner.googleadservices.com
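The hosts list above is the dropper's replacement file: every entry sends a search-engine or ad-network host to one non-local address. The following triage script is an added example, not code from the original report; it parses a hosts file and flags exactly that pattern (many hostnames on one non-local IP, and any watched host not mapped to localhost). The sample hosts content is constructed, with the IP and hostnames taken from the list above; the threshold of three hostnames per IP is an assumed tuning value.

```python
"""Hosts-file triage: added example, not code from the original report.

Flags the redirection pattern described above: many unrelated hostnames mapped
to one non-local IP, plus any mapping that points a search-engine or ad-network
host somewhere other than a loopback address.
"""
import ipaddress
from collections import defaultdict

# Constructed sample. The first lines are a normal hosts file; the rest mimic
# the dropper's replacement (IP and hostnames taken from the report).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
206.53.61.77 google.com
206.53.61.77 www.google.co.uk
206.53.61.77 search.yahoo.com
206.53.61.77 search.live.com
206.53.61.77 googleads.g.doubleclick.net
"""

LOCAL_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)

# Hosts this family targets (from the report); any non-local mapping is suspicious.
WATCHED_SUFFIXES = ("yahoo.com", "live.com", "msn.com",
                    "doubleclick.net", "googleadservices.com")


def parse_hosts(text):
    """Return [(ip_string, hostname), ...] for every mapping, ignoring comments."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, skip it
        for host in fields[1:]:                  # one line may list several names
            mappings.append((str(ip), host.lower()))
    return mappings


def is_local(ip_string):
    ip = ipaddress.ip_address(ip_string)
    return any(ip in net for net in LOCAL_NETS)


def is_watched(host):
    labels = host.split(".")
    return "google" in labels or host.endswith(WATCHED_SUFFIXES)


def find_mass_redirects(text, threshold=3):
    """Map each non-local IP to the hostnames pointing at it; keep IPs with >= threshold."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if not is_local(ip):
            by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= threshold}


def find_watched_hijacks(text):
    """Return [(host, ip)] for watched hosts mapped to anything but a local address."""
    return [(host, ip) for ip, host in parse_hosts(text)
            if is_watched(host) and not is_local(ip)]


if __name__ == "__main__":
    for ip, hosts in find_mass_redirects(SAMPLE_HOSTS).items():
        print(f"{ip} receives {len(hosts)} hostnames: {', '.join(hosts)}")
    for host, ip in find_watched_hijacks(SAMPLE_HOSTS):
        print(f"watched host {host} -> {ip}")
```

Run it against the real file by reading %System32%\drivers\etc\hosts into a string; on a clean machine both functions return nothing, while a file like the one above reports a single IP with every hostname attached to it.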
Network behavior:
1. Attempts to connect to the network to submit installation statistics, and attempts to download a malicious file from the network
http://206.53.61.**/report/reports/working.php (attempts to download a malicious file; this link is no longer active)
UserID=1013007708&wv=wvXP&res=5&lng=PE (attempts to submit installation statistics)
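Two of the behaviors above leave traces in ordinary host and proxy logs: the forced taskkill sweep over browser image names (item 4 of the local behavior) and the HTTP request carrying the statistics query string. The script below is an added example, not code from the original report; it runs both checks over constructed log lines. The log format is assumed (a simplified process-creation record with a quoted cmdline, and a proxy record with the full URL), the browser patterns and beacon fields come from the report, and the beacon host is a placeholder because the report masks the real address as 206.53.61.**.

```python
"""Log triage for the process and network indicators above: added example, not
code from the original report.

Two checks run over constructed log lines: a forced taskkill that sweeps several
browser image names at once, and an HTTP request for the statistics beacon
(matched on its path or on the set of query-string fields it carries).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Image-name patterns and beacon fields are taken from the report.
BROWSER_PATTERNS = {"iexpl*", "firefox*", "mozi*", "opera*", "safar*"}
BEACON_PATH = "/report/reports/working.php"
BEACON_FIELDS = {"UserID", "wv", "res", "lng"}

# Constructed sample lines in an assumed format. The beacon host is a
# placeholder: the report masks the real address as 206.53.61.**.
SAMPLE_LOG = [
    '2009-06-18 10:03:11 PC1 ProcessCreate image=C:\\WINDOWS\\system32\\taskkill.exe '
    'cmdline="taskkill /f /im iexpl* /im firefox* /im mozi* /im opera* /im safar*"',
    '2009-06-18 10:03:12 PC1 ProcessCreate image=C:\\WINDOWS\\notepad.exe cmdline="notepad.exe"',
    '2009-06-18 10:03:15 PC1 ProcessCreate image=C:\\WINDOWS\\system32\\taskkill.exe '
    'cmdline="taskkill /im notepad.exe"',
    '2009-06-18 10:03:20 PC1 HTTP GET http://c2-host.invalid/report/reports/working.php'
    '?UserID=1013007708&wv=wvXP&res=5&lng=PE 404',
    '2009-06-18 10:03:25 PC1 HTTP GET http://www.example.com/index.html 200',
]

CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def check_taskkill(line_no, line):
    """Flag a forced taskkill whose /im targets include two or more browser patterns."""
    m = CMDLINE_RE.search(line)
    if not m:
        return None
    tokens = m.group(1).split()
    if not tokens or not re.fullmatch(r"taskkill(\.exe)?", tokens[0], re.IGNORECASE):
        return None
    lowered = [t.lower() for t in tokens]
    # every token that follows a /im switch is an image-name target
    targets = {lowered[i + 1] for i, t in enumerate(lowered[:-1]) if t == "/im"}
    hit = targets & BROWSER_PATTERNS
    if "/f" in lowered and len(hit) >= 2:
        return Finding(line_no, "taskkill-browser-sweep", ", ".join(sorted(hit)))
    return None


def check_beacon(line_no, line):
    """Flag a request for the beacon path, or one carrying the beacon's query fields."""
    m = URL_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(0))
    fields = set(parse_qs(url.query))
    if url.path == BEACON_PATH or BEACON_FIELDS <= fields:
        return Finding(line_no, "install-beacon", url.netloc + url.path)
    return None


def scan(lines):
    """Apply both checks to every line and collect the findings in line order."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for check in (check_taskkill, check_beacon):
            f = check(no, line)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

The beacon check deliberately matches on the query-field set as well as the path, so a request to a different host or path that still reports UserID, wv, res and lng is caught; the taskkill check requires /f plus at least two browser patterns so that an administrator killing a single hung browser does not trigger it.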
Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system.
%Windir% the directory where WINDOWS is installed
%DriveLetter% root directory of a logical drive
%ProgramFiles% default installation directory for programs
%HomeDrive% the partition of the currently booted system
%Documents and Settings% root of the current user's documents
%Temp% \Documents and Settings\<current user>\Local Settings\Temp
%System32% the system's System32 folder
On Windows 2000/NT the default path is C:\Winnt\System32
On Windows 95/98/ME the default path is C:\Windows\System
On Windows XP the default path is C:\Windows\System32
IV. Removal:
1. 安天防线 (Antiy's antivirus product) removes this virus completely (recommended).
Download it from the Antiy website: http://www.antiy.com
2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis.
(1) Use the ATOOL "File Manager" to forcibly delete the following file
%System32%\drivers\etc\hosts
(2) Rename %System32%\drivers\etc\hosts.o1d back to hosts
(3) Delete the registry entries the virus created and revert the ones it modified to their old values
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\
Value: <value not set>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PDM
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Value: DWORD: 1 (0x1)
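Manual steps (1) and (2) above are a delete followed by a rename, and the order matters: if the hidden hosts file is deleted before confirming that hosts.o1d exists, the machine is left with no hosts file at all. The routine below is an added example, not code from the original report or from Antiy. It copies the dropped hosts file to a quarantine folder for later analysis, clears the hidden attribute the dropper set (Windows only, via the Win32 SetFileAttributesW call), and only then renames hosts.o1d back into place. The directory layout, quarantine folder name and the file contents used by the demo are constructed.

```python
"""Restoring the original hosts file: added example, not code from the original
report or from Antiy.

Implements manual-removal steps (1) and (2): the dropper's hosts file is copied
to a quarantine folder, its hidden/read-only attributes are cleared (Windows
only) so it can be deleted, and hosts.o1d is renamed back to hosts. demo()
exercises the routine on a constructed scenario in a temporary directory.
"""
import ctypes
import os
import pathlib
import shutil
import tempfile

FILE_ATTRIBUTE_NORMAL = 0x80   # Win32 constant: clears hidden/read-only/system bits


def clear_attributes(path):
    """On Windows, reset the file's attributes so a hidden hosts file can be removed."""
    if os.name == "nt":
        ok = ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_NORMAL)
        if not ok:
            raise OSError(f"SetFileAttributesW failed for {path}")


def restore_hosts(etc_dir, quarantine_dir):
    """Quarantine the current hosts file and put hosts.o1d back in its place.

    Returns a dict describing what was done. Raises if hosts.o1d is missing, so
    the caller never deletes the only hosts file on the system.
    """
    etc = pathlib.Path(etc_dir)
    hosts, backup = etc / "hosts", etc / "hosts.o1d"
    if not backup.is_file():
        raise FileNotFoundError(f"{backup} not found; nothing to restore")
    result = {"evidence": None, "restored_from": str(backup)}
    if hosts.exists():
        quarantine = pathlib.Path(quarantine_dir)
        quarantine.mkdir(parents=True, exist_ok=True)
        evidence = quarantine / "hosts.malicious"
        shutil.copy2(hosts, evidence)      # keep the dropped file for analysis
        clear_attributes(hosts)
        hosts.unlink()
        result["evidence"] = str(evidence)
    backup.rename(hosts)                   # hosts.o1d -> hosts
    return result


def demo():
    """Constructed scenario: a redirecting hosts file beside the renamed original."""
    malicious = "206.53.61.77 google.com\n206.53.61.77 www.google.com\n"
    original = "127.0.0.1 localhost\n"
    with tempfile.TemporaryDirectory() as tmp:
        etc = pathlib.Path(tmp) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text(malicious)
        (etc / "hosts.o1d").write_text(original)
        result = restore_hosts(etc, pathlib.Path(tmp) / "quarantine")
        result["hosts_after"] = (etc / "hosts").read_text()
        result["backup_remains"] = (etc / "hosts.o1d").exists()
        result["evidence_matches"] = pathlib.Path(result["evidence"]).read_text() == malicious
        return result


if __name__ == "__main__":
    print(demo())
```

On a real machine call restore_hosts with the %System32%\drivers\etc directory and a quarantine folder of your choice, running as an administrator; the returned evidence path is the copy to hand to analysis, and the original hosts contents are back in place only after that copy exists.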