找回密码
 注册创意安天

Worm/Win32.AutoRun.etm分析

[复制链接]
发表于 2009-2-3 10:32 | 显示全部楼层 |阅读模式
一、 病毒标签:
病毒名称: Worm/Win32.AutoRun.etm
病毒类型: 蠕虫
文件 MD5: 4AA1BD21CD37E822348E19CE4917323E
公开范围: 完全公开
危害等级: 4
文件长度: 40,630 字节
感染系统: Windows98以上版本
开发工具: Borland Delphi 6.0 - 7.0
加壳类型: Upack 0.3.9 beta2s -> Dwing

二、 病毒描述:
该病毒为蠕虫类,病毒运行后复制自身到系统目录下,并衍生病毒文件;修改注册表,添加启动项,降低ie浏览器的安全性能,锁定“文件夹选项”中对隐藏文件的显隐选择,连接网络下载病毒文件,并执行;病毒运行完毕后删除自身。

三、 行为分析:
本地行为:
1、文件运行后会释放以下文件
%System%\jjxzajcj32dl.dll                                                63,488 字节[随机文件名]
%System%\jjxzwzjy090118.exe                                        40,630 字节[随机文件名]

2、新增注册表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
注册表值: "CheckedValue"
新建键值: DWORD: 0 (0)
原键值: DWORD: 1 (0x1)
描述:锁定“文件夹选项”中对隐藏文件的显隐选择
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
注册表值: "Check_Associations"
类型: REG_SZ
值: "no"
描述:降低ie浏览器的安全性能
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
注册表值: "dlmcjjcdfc"
类型: REG_SZ
值: "C:\WINDOWS\system\jjxzwzjy090118.exe"
描述:启动项,使病毒文件随资源管理器启动

网络行为:
1、连接网络下载要下载的病毒列表
协议:TCP
域名或IP地址:www.a3168.com
列表地址:HTTP://www.a3168.com/mydown.asp? ... s=00-0C-29-9C-7B-01
列表内容:
begin
1,090120,10241,http://www.wew2223.cn/new/shengji.exe,120,1,180,1,10000,11,0,1,0,1
7,
2,0,34000,http://www.wew2223.cn/new/css.exe,10,0-24,,
2,0,47000,http://www.wew2223.cn/new/ggg.exe,30,0-24,,
2,90120,16000,http://www.wew2223.cn/new/30.exe,100,0-24,,
2,0,148000,http://www.wew2223.cn/new/msn180.exe,10,0-24,,
3,127.0.0.1,js.tongji.cn.yahoo.com
3,127.0.0.1,img.tongji.cn.yahoo.com
end
2、下载文件的危害说明:
http://www.wew2223.cn/new/shengji.exe
Worm/Win32.AutoRun.etn
http://www.wew2223.cn/new/css.exe
Rootkit/Win32.Agent.fvn
http://www.wew2223.cn/new/ggg.exe
Trojan/Win32.QQPass.eu[stealer]
http://www.wew2223.cn/new/30.exe
Trojan/Win32.VB.irf
http://www.wew2223.cn/new/msn180.exe
AdWare/Win32.AdMedia.ed[:not_virus]

注:%System32%是一个可变路径。病毒通过查询操作系统来决定当前System文件夹的位置。Windows2000/NT中默认的安装路径是C:\Winnt\System32,windows95/98/me中默认的安装路径是C:\Windows\System,windowsXP中默认的安装路径是C:\Windows\System32。
%Temp%  = C:\Documents and Settings\AAAAA\Local Settings\Temp 当前用户TEMP缓存变量
    %Windir%\                           WINDODWS所在目录
%DriveLetter%\                        逻辑驱动器根目录
%ProgramFiles%\                        系统程序默认安装目录
%HomeDrive% = C:\ 当前启动的系统的所在分区
%Documents and Settings%\        当前用户文档根目录
四、 清除方案:
        1、使用安天防线可彻底清除此病毒(推荐)。
        2、手工清除请按照行为分析删除对应文件,恢复相关系统设置。
(1) 使用安天防线工具中的“进程管理”关闭病毒进程
Ggg.exe;svteppsk.exe;IEXPLORER.EXE;dfcjj32tmp0.exe
(2) 删除病毒文件       
%Windir%\30.exe
%Windir%\css.exe
%Windir%\ggg.exe
%Windir%\installreg.asp
%Windir%\system\jjxzajcj32dl.dll
%Windir%\system\jjxzwzjy090120.exe
%System32%\40674985.dat
%System32%\anymie360.dll
%System32%\anymie360.exe
%System32%\cjpoajni.dll
%System32%\coebccid.dll
%System32%\ddgjndgf.dll
%System32%\dfcjj32tmp0.exe
%System32%\dllcache\beep.sys
%System32%\drivers\beep.sys
%System32%\drivers\etc\hosts
%System32%\fgjkccga.dll
%System32%\gmgedabp.dll
%System32%\ifigadlj.dll
%System32%\lgloboec.dll
%System32%\lpceeabp.dll
%System32%\nbepjcll.dll
%System32%\pknphokc.dll
%System32%\sadfasdf.jpg
%System32%\svtepps.dll
%System32%\svteppsk.exe
%System32%\sysdlwd2.dll
%System32%\TnmgtjD.dll
%Windir%\ver.txt
清空%Temp%
清空IE临时目录
(3) 恢复病毒修改的注册表项目,删除病毒添加的注册表项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
新: 字符串: "IEXPLORE.exe"
旧: 字符串: "mshta.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
新: 字符串: "svtepps.dll"
旧: 字符串: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
新: DWORD: 0 (0)
旧: DWORD: 1 (0x1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\FlashPlayerUpdate
键值: 字符串: "C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\gmgedabp.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\ifigadlj.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\sysmxd6.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0009-0001-69B8DB553683}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\sysdlwd2.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5058B8EC-9E4F-431F-8415-E2AD3569F02A}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\lgloboec.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\lpceeabp.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BE93C55-419A-40FA-8750-F4D2EBEF1847}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\nbepjcll.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9479184C-D769-4611-A992-526D8E72968D}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\pknphokc.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C398A372-7022-40B1-9715-9BA47E9C59E9}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\cjpoajni.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\coebccid.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD037D0F-C51F-4870-9478-BD982536E415}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\ddgjndgf.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F034CC0A-377A-4247-A276-2D484EAA1229}\InProcServer32\@
键值: 字符串: "C:\WINDOWS\system32\fgjkccga.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3FDEB171-8F86-0004-0001-69B8DB553683}
键值: 字符串: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3FDEB171-8F86-0009-0001-69B8DB553683}
键值: 字符串: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5058B8EC-9E4F-431F-8415-E2AD3569F02A}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7BE93C55-419A-40FA-8750-F4D2EBEF1847}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9479184C-D769-4611-A992-526D8E72968D}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C398A372-7022-40B1-9715-9BA47E9C59E9}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD037D0F-C51F-4870-9478-BD982536E415}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{F034CC0A-377A-4247-A276-2D484EAA1229}
键值: <值未设置>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Alcmtr
键值: 字符串: "anymie360.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\dlmcjjcdfc
键值: 字符串: "C:\WINDOWS\system\jjxzwzjy090120.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\qq20009
键值: 字符串: "C:\WINDOWS\ggg.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\060EDAB9
键值: 字符串: "{060EDAB9-2AD0-4AC4-BCBF-8EA541BE735B}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\2F20AD53
键值: 字符串: "{2F20AD53-13A2-4340-8D4F-64EBBFDC98A7}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\5058B8EC
键值: 字符串: "{5058B8EC-9E4F-431F-8415-E2AD3569F02A}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\59CEEAB9
键值: 字符串: "{59CEEAB9-A039-4185-B4E8-8E1E5FD7F9FB}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\7BE93C55
键值: 字符串: "{7BE93C55-419A-40FA-8750-F4D2EBEF1847}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\9479184C
键值: 字符串: "{9479184C-D769-4611-A992-526D8E72968D}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\C398A372
键值: 字符串: "{C398A372-7022-40B1-9715-9BA47E9C59E9}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\C8EBCC2D
键值: 字符串: "{C8EBCC2D-1377-4E2B-951F-407D8E4DBD5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DD037D0F
键值: 字符串: "{DD037D0F-C51F-4870-9478-BD982536E415}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\F034CC0A
键值: 字符串: "{F034CC0A-377A-4247-A276-2D484EAA1229}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Description
键值: 字符串: "Provides support for media palyer. This service can't be stoped."
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\DisplayName
键值: 字符串: "MS Media Control Center"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\ImagePath
键值: 字符串: "%SystemRoot%\System32\svchost.exe -k krnlsrvc"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\ObjectName
键值: 字符串: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Parameters\ServiceDll
键值: 字符串: "C:\WINDOWS\system32\TnmgtjD.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Start
键值: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0\DisplayName
键值: 字符串: "Safe Mon 360"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0\ImagePath
键值: 字符串: "\??\C:\WINDOWS\system32\40674985.dat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeMon0\Start
键值: DWORD: 1 (0x1)
您需要登录后才可以回帖 登录 | 注册创意安天

本版积分规则

Archiver|手机版|小黑屋|创意安天 ( 京ICP备09068574,ICP证100468号。 )

GMT+8, 2024-11-18 03:28

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表