Worm.Delf.dy 1_.ii Worm.Delf.dy Setup.exe
<table style="TABLE-LAYOUT: fixed;"><tbody><tr><td><div class="cnt"><div><div>一个捆绑型的病毒,还能下木马```</div><div></div><div>样本来至剑盟````有点意思,破例开了双HIPS跟踪``</div><div></div><div>今天的卡吧、AVG、BitDefender、NOD32等都没有报``</div><div></div><div>瑞星报的是:<strong><font color="#ff69b4">Worm.Delf.dy</font></strong></div><div></div><div><br/><font color="#ff0000"><strong>Aditional Information</strong></font></div><div><font color="#ff0000"></font></div><div><font color="#4169e1">File size: 20000 bytes <br/>MD5: 3087e68819f9521b7f8be1a17734c3fe <br/>SHA1: 82b39340a3da0bdde544f0f5e6b9df81e71797a2 <br/>CRC32 : 1C5A03D<br/>RIPEMD160: 397194446721BA5D7DD6A79CC2ADDC5690D9E49F<br/>Tiger_192: 4C55317A0FEEA4579665AE892B112E57972671985F50ABAC<br/>SHA160 : 82B39340A3DA0BDDE544F0F5E6B9DF81E71797A2<br/>packers: Upack 0.3.9 beta2s <br/>Languages:Borland Delphi 6.0-7.0</font></div><div></div><div></div><div><strong>运行,释放:</strong></div><div><br/><font color="#0000ff">C:\WINNT\system\internat.exe 20000 字节</font></div><div><font color="#0000ff">C:\WINNT\system\SYSTEM32.vxd 855 字节</font></div><div><font color="#0000ff">1_.ii 20000 字节</font></div><div></div><div> 1、internat.exe常驻进程,调用CMD的Dir命令,遍历分区搜索EXE可执行文件,保存列表至:%Windir%\win.log</div><div></div><div>并修改所有运行中的程序的内存空间(便于用来后来捆绑)</div><div></div><div> 2、按win.log里列表的"黑名单"进行捆绑,跳过系统盘、System Volume Information、Recycled文件夹和下列文件名:</div><div></div><div>CA.exe NMCOSrv.exe CONFIG.exe Updater.exe WE8.exe settings.exe PES5.exe PES6.exe </div><div>zhengtu.exe xenettools.exe laizi.exe proxy.exe Launcher.exe WoW.exe Repair.exeBackgroundDownloader.exe eo2_unins_web.exe O2Jam.exe O2JamPatchClient.exe </div><div>O2ManiaDriverSelect.exe OTwo.exe sTwo.exe GAME2.EXE GAME3.EXE Game4.exe game.exe hypwise.exe Roadrash.exe O2Mania.exe Lobby_Setup.exe eCoralQQ.exe QQ.exe QQexternal.exe BugReport.exe tm.exe ra2.exe ra3.exe ra4.exeexedzh.exe Findbug.EXE fb3.exe Meteor.exe mir.exe </div><div>KartRider.exe NMService.exeztconfig.exe patchupdate.exe</div><div><br/></div><div>貌似都是网游、QQ等进程,给下载木马盗号埋下伏笔.....</div><div></div><div> 3、接下来从D盘开始进行捆绑感染,被捆绑的文件增加21034字节。用WinHex对比了下,原来是把病毒代码捆绑到文件尾部,并修改了PE头,优先执行捆绑尾部的代码,后执行程序。(原程序运行无影响)。</div><div></div><div> 4、另一个线程,参数是/update,连接222.220.16.186(TCP)下载16个木马,都是盗号木马(隔段时间重新连接)</div><div></div><div>被捆绑后文件,运行后首先执行1_.ii,后在同目录下生成个批处理,内容为:</div><div></div><div>:try<br/>del "%病毒路径%\1_.ii"<br/>if exist "%病毒路径%" goto try<br/>del %0</div><div></div><div>也就是执行捆绑尾部的病毒后删除自身</div><div></div><div>那么每次运行被感染的程序其实就是重新激活病毒,重头做上面那些,并遍历分区生成</div><div></div><div>Autorun.inf和Steup.exe</div><div></div><div>Autorun.inf内容:</div><div></div><div><br/>OPEN=setup.exe<br/>shellexecute=setup.exe<br/>shell\打开(&O)\command=setup.exe</div><div></div><div>达到双击分区激活病毒的效果,并支持U盘等移动介质传播。</div><div></div><div> 没有特别好的解决方法,因为每个被“感染”的文件都等于是病毒,只要不小心运行感染的文件后,之前做的一切将都是徒劳的。</div><div></div><div></div><div><strong><font color="#ff0000" size="2">最大限度遏制方法:</font></strong></div><div></div><div><a href="http://free.ys168.com/?gudugengkekao1" target="_blank"></a><a href="http://free.ys168.com/?gudugengkekao1" target="_blank"><font color="#000000">http://free.ys168.com/?gudugengkekao1</font></a>下载:</div><div></div><div><a title="上传时间:2007-5-29" href="http://free.ys168.com/infile/note/note_6.htm?<a href= http://ys-I.ys168.com/?PowerRmv.com_73eq0bksp0bisn0cr0c2bt7bspm0c2b5btomlnl1b6z99f11f09ztarget=_blank>http://ys-I.ys168.com/?PowerRmv.com_73eq0bksp0bisn0cr0c2bt7bspm0c2b5btomlnl1b6z99f11f09z</a>" target="_blank"><font color="#000000"><font size="+0">PowerRmv.com</font> 101KB</font></a>
</div><div></div><div><a title="上传时间:2007-5-29" href="http://free.ys168.com/infile/note/note_6.htm?<a href= http://ys-I.ys168.com/?SREng.rar_73eo0bksp0bisn0cr0c2bt7bspm0c2b5btol0cmphu14z97f14ztarget=_blank>http://ys-I.ys168.com/?SREng.rar_73eo0bksp0bisn0cr0c2bt7bspm0c2b5btol0cmphu14z97f14z</a>" target="_blank"><font color="#000000"><font size="+0">SREng.rar</font> 597KB</font></a>
</div><div></div><div>打开PowerRmv,<font color="#0000ff">选上抑制对象再次生成</font>,填入(一次一个,找不到的忽略):</div><div></div><div>C:\Windows\Win.log</div><div>C:\Windows\system32\upxdnd.dll<br/>C:\Windows\system32\msdebug.dll<br/>C:\Windows\system32\windhcp.ocx<br/>C:\Windows\system32\nwizdh.exe<br/>C:\Windows\system32\msccrt.dll<br/>C:\Windows\system32\RemoteDbg.dll<br/>C:\Windows\system32\WinForm.dll<br/>C:\Windows\system32\AVPSrv.dll<br/>C:\Windows\system32\Kvsc3.dll<br/>C:\Windows\system\internat.exe</div><div>C:\Windows\system\1.exe<br/>C:\Windows\system\2.exe<br/>C:\Windows\system\5.exe<br/>C:\Windows\system\6.exe<br/>C:\Windows\system\7.exe<br/>C:\Windows\system\8.exe<br/>C:\Windows\system\9.exe<br/>C:\Windows\system\10.exe<br/>C:\Windows\system\14.exe<br/>C:\Windows\system\SYSTEM32.vxd</div><div>C:\Windows\upxdnd.exe<br/>C:\Windows\msccrt.exe<br/>C:\Windows\WinForm.exe<br/>C:\Windows\AVPSrv.exe<br/>C:\Windows\Kvsc3.exe</div><div>C:\autorun.inf<br/>C:\setup.exe<br/>D:\autorun.inf<br/>D:\setup.exe<br/>E:\autorun.inf<br/>E:\setup.exe<br/>F:\autorun.inf<br/>F:\setup.exe<br/>*:\autorun.inf<br/>*:\setup.exe</div><div></div><div>*为移动介质盘符。</div><div></div><div>打开SREng删除:</div><div></div><div><strong>注册表</strong></div><div></div><div></div><div> <k55d7c><C:\DOCUME~1\admin\LOCALS~1\Temp\iexplorer.exe> []<br/> <13e2><C:\DOCUME~1\admin\LOCALS~1\Temp\c0nime.exe> []</div><div></div><div></div><div> <WinForm><C:\winnt\WinForm.exe> []<br/> <upxdnd><C:\winnt\upxdnd.exe> []<br/> <msccrt><C:\winnt\msccrt.exe> []<br/> <AVPSrv><C:\winnt\AVPSrv.exe> []<br/> <Kvsc3><C:\winnt\Kvsc3.exe> []</div><div></div><div><strong>服务</strong></div><div></div><div><br/> <C:\DOCUME~1\admin\LOCALS~1\Temp\WIKLD.exe><N/A><br/><br/> <C:\winnt\system32\rundll32.exe RemoteDbg.dll,input><Microsoft Corporation><br/><br/> <C:\winnt\system32\rundll32.exe windhcp.ocx,input><Microsoft Corporation></div><div></div><div>记得修改QQ、邮箱等密码。。。。</div><div></div><div>然后把病毒文件上报杀软,等识别吧`````</div><div></div><div>如果有兴趣的,可以用WinHex删除捆绑的数据,我成功了几个,不过蛮累的,不推荐....</div><div></div><div>一些图:</div><div></div><div><br/><img src="http://www.dehuaca.com/UPLOADFILE/2007-6/20076227421846560.jpg" style="WIDTH: 650px;" alt=""/><br/><br/><br/><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120381453744.jpg" target="_blank"></a><img src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120381453744.jpg" alt=""/><br/><br/><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120381481724.jpg" target="_blank"><img title="dvubb" alt="图片点击可在新窗口打开查看" src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120381481724.jpg" border="0"/></a><br/><br/></div><div><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120381427293.jpg" target="_blank"><img title="dvubb" alt="图片点击可在新窗口打开查看" src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120381427293.jpg" border="0"/></a><br/><br/></div><div><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385473915.jpg" target="_blank"><img title="dvubb" alt="图片点击可在新窗口打开查看" src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385473915.jpg" border="0"/></a><br/><br/></div><div></div><div><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385466458.jpg" target="_blank"><img title="dvubb" alt="图片点击可在新窗口打开查看" src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385466458.jpg" border="0"/></a><br/><br/></div><div><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385494438.jpg" target="_blank"><img title="dvubb" alt="图片点击可在新窗口打开查看" src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385494438.jpg" border="0"/></a><br/><br/><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385440007.jpg" target="_blank"></a><br/><br/><br/><a href="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385474041.jpg" target="_blank"><img title="dvubb" alt="图片点击可在新窗口打开查看" src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385474041.jpg" border="0"/></a></div><div></div><div></div><div><img src="http://www.dehuaca.com/UPLOADFILE/2007-6/200762120385440007.jpg" style="WIDTH: 650px;" alt=""/><br/></div></div></div></td></tr></tbody></table><br/>
页:
[1]