
Win32/Floxif.A

Posted on 2012-8-23 12:33
Chinese......

http://blogs.technet.com/b/mmpc/archive/2012/08/22/there_2700_s-nothing-old-school-about-viruses.aspx

Recently, we discovered a new parasitic infection virus in the wild – Win32/Floxif - which specifically targets DLL files. Most of the attacks of this threat have been observed to come from a specific geographic region.
Win32/Floxif replaces 5 bytes at the entry point of the infected file with a jmp instruction, which jumps directly to the virus body (as shown in Figure 1):


Figure 1: The virus replaces 5 bytes at entry point
The virus body drops a malicious file with a deceptive file name, %Program Files%\Common Files\System\symsrv.dll, and then it calls the export function FloodFix of the dropped DLL. The rest of the work is done in this export function, which can be detailed as follows:
  • Restore the stolen code (including the 5 bytes at the entry point and another code chunk overwritten by the virus) for the host file
  • Process the relocation table for the host file (the relocation table entry has been removed from the PE file after infection)
  • Pass control back to the host file

Win32/Floxif adopts 2 different infection strategies to choose the DLL to infect:
  • Enumerate the loaded DLL files in the running processes
  • Blanket search for all the DLL files on all drives

In both cases, DLL files under %windows% directory are avoided.
Below is a list of the top 10 reported infected DLL files in our telemetry:
  • jvm.dll
  • MSVCR71.DLL
  • awt.dll
  • jqs_plugin.dll
  • ZipLib.dll
  • WSignature.dll
  • xappex.1.1.1.38.(919).dll
  • MSVCR100.dll
  • msoxmlmf.dll
  • XLUE.dll

Win32/Floxif downloads an encrypted PE file and executes it. The downloaded file is detected as Trojan:Win32/Plexardu.A.
Chun Feng
MMPC Melbourne
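As an added defensive example (not code from the MMPC post or this thread), the Python script below checks a PE image for the two structural traces the post describes: a 5-byte jmp at the entry point that leads out of the entry section, and a DLL whose base-relocation directory has been emptied. It builds a constructed two-section PE32 DLL in memory, in clean and infected form, so it runs offline; the section names (`.text`, a hypothetical `.last`), RVAs and file offsets are assumptions for the test data and are not taken from Floxif samples.

```python
import struct

IMAGE_FILE_DLL, RELOC_DIR = 0x2000, 5  # COFF DLL flag; IMAGE_DIRECTORY_ENTRY_BASERELOC

def secname(s): return s[0].rstrip(b"\0").decode()

def scan_pe(data):
    """Return Floxif-style indicators found in a PE image (bytes); an empty list means none."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    nsec, opt_size, chars = struct.unpack_from("<H12xHH", data, pe + 6)
    opt = pe + 24                                                     # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]               # AddressOfEntryPoint
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    reloc_size = struct.unpack_from("<II", data, dirs + 8 * RELOC_DIR)[1]
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    def section_of(rva):
        return next((s for s in secs if s[2] <= rva < s[2] + max(s[1], s[3])), None)
    found = []
    sec = section_of(entry)
    if sec is None:
        return ["entry point lies outside every section"]
    stub = data[sec[4] + entry - sec[2]:][:5]
    # Indicator 1: the 5 bytes at the entry point are a rel32 jmp (E9) into another section.
    if stub[0] == 0xE9:
        target = (entry + 5 + struct.unpack("<i", stub[1:])[0]) & 0xFFFFFFFF
        tsec = section_of(target)
        if tsec is not sec:
            found.append(f"entry-point jmp from {secname(sec)} to RVA {target:#x} "
                         f"({secname(tsec) if tsec else 'no section'})")
    # Indicator 2: a DLL whose base-relocation directory is empty (caveat: /FIXED images also lack one).
    if chars & IMAGE_FILE_DLL and reloc_size == 0:
        found.append("DLL with empty base-relocation directory")
    return found

def build_sample(infected):
    """Construct a minimal two-section PE32 DLL in memory (constructed test data, not a real binary)."""
    text = bytearray(b"\x55\x8b\xec\x33\xc0\x5d\xc3") + b"\xcc" * 0x1F9  # tiny entry stub + padding
    if infected:  # mimic the infection: overwrite the 5 entry bytes with a jmp to the last section
        text[:5] = b"\xE9" + struct.pack("<i", 0x2000 - (0x1000 + 5))
    dos = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)        # i386, 2 sections, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                               # entry point RVA
    if not infected:
        struct.pack_into("<II", opt, 96 + 8 * RELOC_DIR, 0x2000, 0x10)    # reloc directory present
    def sec(n, va, raw): return struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000, 0x200) + sec(b".last", 0x2000, 0x400)
    return bytes(hdr.ljust(0x200, b"\0") + text + bytes(0x200))
```

Neither indicator alone is a verdict: packers also start with a jmp, and images linked without relocations are common, so treat a hit as a reason to pull the file for analysis and to look for the dropped symsrv.dll and its FloodFix export.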

Posted on 2012-8-28 14:56
Already handled!