Virus analysis:
1. After the trojan file vip.exe (server.exe) runs, it
creates %CommonProgramFiles%Microsoft Shared\MSInfo\System16.ins (27,415 bytes)
and %CommonProgramFiles%Microsoft Shared\MSInfo\System16.jup (23,319 bytes)
System16.ins is injected into the explorer.exe process
2. Adds the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{014A26F5-FBAD-4549-9CA1-C38210704BD1}"=""
3. Connects to w.zpx520.com and downloads the following 20 files
http://w.zpx520.com/down/game01.exe 16,384 bytes
http://w.zpx520.com/down/game02.exe 26,112 bytes
http://w.zpx520.com/down/game03.exe 26,112 bytes
http://w.zpx520.com/down/game04.exe 9,798 bytes
http://w.zpx520.com/down/game05.exe 26,112 bytes
http://w.zpx520.com/down/game06.exe 8,824 bytes
http://w.zpx520.com/down/game07.exe 26,112 bytes
http://w.zpx520.com/down/game08.exe no longer available
http://w.zpx520.com/down/game09.exe 8,436 bytes
http://w.zpx520.com/down/game10.exe 10,589 bytes
http://w.zpx520.com/down/game11.exe 10,131 bytes
http://w.zpx520.com/down/game12.exe 35,036 bytes
http://w.zpx520.com/down/game13.exe 22,528 bytes
http://w.zpx520.com/down/game14.exe 70,409 bytes
http://w.zpx520.com/down/game15.exe 10,752 bytes
http://w.zpx520.com/down/game16.exe 10,065 bytes
http://w.zpx520.com/down/game17.exe 196,608 bytes
http://w.zpx520.com/down/game18.exe 24,638 bytes
http://w.zpx520.com/down/game19.exe 10,355 bytes
http://w.zpx520.com/down/game20.exe 22,528 bytes
4. Then a large number of malware samples run. Once the files above execute, they download many more viruses and trojans. Among them:
game1 and game18 create malware files and register them as startup entries
under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
game1.exe creates
startup value name: MSDEG32, program path: %windir%\System32\LYLoader.exe
game18.exe creates
startup value name: ctfnom, program path: %windir%\System32\ctfnom.exe
game2, game3, game5 and game7 each create a service
game2.exe creates service WMIApiSrv, start path %windir%\System32\rundll32.exe WMIApiSrv.dll,input
game3.exe creates service RemoteDbg, start path %windir%\System32\rundll32.exe RemoteDbg.dll,input
game5.exe creates service MSdebugsvc, start path %windir%\System32\rundll32.exe msdebug.dll,input
game7.exe creates service WinDHCPsvc, start path %windir%\System32\rundll32.exe windhcp.ocx,input
game4, game10, game11, game16 and game19 each create a value under
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
game4.exe creates {1F12545B-1212-1314-5679-4512ACEF8901} with value wdapri.dll
game10.exe creates {413AF41A-21B1-131B-1BFC-D2A90DF4A2B4} with value xycpri.dll
game11.exe creates {325AB2F3-234A-7469-2F43-E341713ABFA3} with value wgcpri.dll
game16.exe creates {26368135-64FA-BC34-DA32-DCF4FD431C92} with value qhbpri.dll
game19.exe creates {12311A42-AC1B-158F-FD32-5674345F23A1} with value dhbpri.dll
Each then injects its generated dll into the explorer process and creates
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs", setting the value to its own generated dll
game6, game9, game13 and game20 each register their generated exe as a startup entry and inject the dat or dll file into the explorer process
game6.exe creates %windir%\System32\RAV00AE.exe and %windir%\System32\RAV00AE.DAT
game9.exe creates %windir%\System32\RAV008C.exe and %windir%\System32\RAV008C.DAT
game13.exe creates %windir%\AVPSrv.exe and %windir%\System32\AVPSrv.dll
game20.exe creates %windir%\MsIMMs32.exe and %windir%\System32\MsIMMs32.dll
game12 and game15 modify the Winsock SPI chain and create a service to load a dll; specifically
game12.exe creates msupdate.dll and creates service WS2IFSL, pointing to %windir%\System32\msupdate.dll
game15.exe creates moyu103.dll and mydata.exe, and creates service Microsoft Autorun6 to load mydata.exe
game14.exe creates three files, 1.1, 5wjaxob.xob and d4ri5w.pc3, in %windir%\System32 and registers 1.1 as a startup entry
game17.exe creates three files, Packet.dll, WanPacket.dll and wpcap.dll, in %windir%\System32
and creates npf.sys, svchost.exe and scvhost.exe in %windir%\System32\drivers\, then runs scvhost.exe
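The persistence locations listed above (ShellExecuteHooks CLSIDs, the Policies\Explorer\Run key, AppInit_DLLs, service names, dropped file paths and DLLs injected into explorer.exe) can be checked in one pass on a suspect host. The script below is an added example and is not part of the original analysis; every CLSID, value name, service name and path in it is taken from the report. It assumes the %CommonProgramFiles% path in the report is missing a backslash before "Microsoft Shared" (it is spelled with one here) and should be run in an elevated PowerShell session; it only reads, it changes nothing.

```powershell
# Added example (not from the original analysis): read-only sweep of the
# persistence points named in the report. Run elevated on the suspect host.

$findings = New-Object System.Collections.Generic.List[string]

# 1. ShellExecuteHooks CLSIDs: the dropper's own plus those of game4/10/11/16/19
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$hookClsids = @(
    '{014A26F5-FBAD-4549-9CA1-C38210704BD1}',
    '{1F12545B-1212-1314-5679-4512ACEF8901}',
    '{413AF41A-21B1-131B-1BFC-D2A90DF4A2B4}',
    '{325AB2F3-234A-7469-2F43-E341713ABFA3}',
    '{26368135-64FA-BC34-DA32-DCF4FD431C92}',
    '{12311A42-AC1B-158F-FD32-5674345F23A1}'
)
if (Test-Path $hookKey) {
    $props = Get-ItemProperty -Path $hookKey
    foreach ($clsid in $hookClsids) {
        if ($props.PSObject.Properties.Name -contains $clsid) {
            $findings.Add("ShellExecuteHooks entry present: $clsid")
        }
    }
}

# 2. Policies\Explorer\Run values written by game1 (MSDEG32) and game18 (ctfnom)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in 'MSDEG32', 'ctfnom') {
        if ($run.PSObject.Properties.Name -contains $name) {
            $findings.Add("Policies\Explorer\Run value '$name' = $($run.$name)")
        }
    }
}

# 3. AppInit_DLLs referencing one of the DLLs dropped by game4/10/11/16/19
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($dll in 'wdapri.dll', 'xycpri.dll', 'wgcpri.dll', 'qhbpri.dll', 'dhbpri.dll') {
    if ($appInit -and ($appInit -match [regex]::Escape($dll))) {
        $findings.Add("AppInit_DLLs references $dll (full value: $appInit)")
    }
}

# 4. Services created by game2/3/5/7/12/15. WS2IFSL is also a legitimate
#    Windows service name, so the ImagePath is what to compare, not mere existence.
foreach ($svc in 'WMIApiSrv', 'RemoteDbg', 'MSdebugsvc', 'WinDHCPsvc', 'WS2IFSL', 'Microsoft Autorun6') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service '$svc' exists (status $($s.Status)), ImagePath: $image")
    }
}

# 5. Dropped files and their on-disk sizes, for comparison with the report
$files = @(
    "$env:CommonProgramFiles\Microsoft Shared\MSInfo\System16.ins",
    "$env:CommonProgramFiles\Microsoft Shared\MSInfo\System16.jup",
    "$env:windir\System32\LYLoader.exe",  "$env:windir\System32\ctfnom.exe",
    "$env:windir\System32\RAV00AE.exe",   "$env:windir\System32\RAV008C.exe",
    "$env:windir\AVPSrv.exe",             "$env:windir\MsIMMs32.exe",
    "$env:windir\System32\msupdate.dll",  "$env:windir\System32\1.1",
    "$env:windir\System32\drivers\scvhost.exe",
    "$env:windir\System32\drivers\svchost.exe",
    "$env:windir\System32\drivers\npf.sys"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings.Add("File present: $f ($size bytes)")
    }
}

# 6. Modules loaded into explorer.exe, where the injected components would appear
$injected = 'System16.ins', 'wdapri.dll', 'xycpri.dll', 'wgcpri.dll', 'qhbpri.dll',
            'dhbpri.dll', 'RAV00AE.DAT', 'RAV008C.DAT', 'AVPSrv.dll', 'MsIMMs32.dll'
foreach ($p in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    try {
        $loaded = $p.Modules | ForEach-Object { $_.ModuleName }
        foreach ($m in $injected) {
            if ($loaded -contains $m) { $findings.Add("explorer.exe (PID $($p.Id)) has loaded $m") }
        }
    } catch { $findings.Add("Could not enumerate modules of explorer.exe PID $($p.Id): $_") }
}

if ($findings.Count -eq 0) { 'No indicators from the report found.' } else { $findings }
```

The module check on explorer.exe needs the same or higher integrity level as the process, which is why the script is meant to run elevated; on a 64-bit host $env:CommonProgramFiles resolves to the 64-bit Common Files directory, so also check the (x86) path if the sample was run from a 32-bit loader.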