Yesterday on the PCZone forum I saw DarkSkyline post an article titled 「芳芳軟件園軟體下載-發現Java Script Virus」 (the site in question is a mainland Chinese one). Curiosity got the better of me, so I spent some time analyzing the virus. It is pretty bad: most anti-virus products do not detect it, and it does a lot of damage. Unless you have a good reason, I would advise against casually browsing mainland Chinese websites or downloading programs of unknown origin.
Once executed, it exhibits the following behaviour:
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\upx.dll (injected into the Windows Explorer process)
C:\WINDOWS\system32\cmdbcs.dll (injected into the Windows Explorer process)
C:\WINDOWS\system32\msccrt.dll (injected into the Windows Explorer process)
C:\WINDOWS\system32\windds32.dll (injected into the Windows Explorer process)
C:\WINDOWS\system32\windhcp.ocx (injected into the Windows Explorer process)
C:\WINDOWS\system32\wsttrs.dll (injected into the Windows Explorer process)
C:\WINDOWS\system32\wsvs.dll (injected into the Windows Explorer process)
[Added service]
NAME: Win32DDS
DISPLAY: Win32 Display Driver
FILE: C:\WINDOWS\system32\\rundll32.exe windds32.dll,input
NAME: WinDHCPsvc
DISPLAY: Windows DHCP Service
FILE: C:\WINDOWS\system32\\rundll32.exe windhcp.ocx,input
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\upx.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\upx.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\zaqxsw[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zaq10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zaq2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zaq5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zaq9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\zaq4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\zaq7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\zaq1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\zaq3[1].exe
C:\Program Files\Common Files\System\IDrivers.pif
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\drivers\usbue.sys
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\windds32.dll
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\wsttrs.dll
C:\WINDOWS\system32\wsvs.dll
C:\WINDOWS\wsttrs.exe
C:\WINDOWS\wsvs.exe
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=wsvs,Data=C:\WINDOWS\wsvs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=wsttrs,Data=C:\WINDOWS\wsttrs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=upx,Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upx.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=msccrt,Data=C:\WINDOWS\msccrt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=cmdbcs,Data=C:\WINDOWS\cmdbcs.exe
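The Run-key values, the two rundll32-based services and the injected DLLs above are the persistence artefacts a defender would want to sweep other machines for. The following Python is an added example (not part of the original post) that turns those report entries into file-name indicators and matches them against autorun and service listings; it handles the quirks visible in the report, namely the doubled backslash in the service image paths, the 8.3 short path under `C:\DOCUME~1\...`, and the rundll32.exe indirection where the real payload is the DLL named in the first argument. The host data it scans is constructed for the demonstration, and the `ctfmon.exe` entry is included to show that the lookalike `ctfnom.exe` is flagged while the legitimate name is not.

```python
import re

# Persistence artefacts copied from the report above.
REPORTED_RUN = {
    "wsvs": r"C:\WINDOWS\wsvs.exe",
    "wsttrs": r"C:\WINDOWS\wsttrs.exe",
    "upx": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upx.exe",
    "msccrt": r"C:\WINDOWS\msccrt.exe",
    "cmdbcs": r"C:\WINDOWS\cmdbcs.exe",
}
REPORTED_SERVICES = {
    "Win32DDS": r"C:\WINDOWS\system32\\rundll32.exe windds32.dll,input",
    "WinDHCPsvc": r"C:\WINDOWS\system32\\rundll32.exe windhcp.ocx,input",
}
# DLLs the report saw injected into explorer.exe, plus a few dropped files.
REPORTED_INJECTED_DLLS = {"upx.dll", "cmdbcs.dll", "msccrt.dll", "windds32.dll",
                          "windhcp.ocx", "wsttrs.dll", "wsvs.dll"}
REPORTED_DROPPED_FILES = {"ctfnom.exe", "idrivers.pif", "usbue.sys", "svchost.vbs"}


def module_names(command):
    """Lower-cased file names referenced by an image path or command line.

    Collapses repeated backslashes, strips surrounding quotes, keeps only the
    base name (so 8.3 short paths match their long form), and for
    rundll32.exe adds the DLL named in the first argument ("windds32.dll,input").
    """
    cmd = re.sub(r"\\+", lambda m: "\\", command.strip().strip('"')).lower()
    parts = cmd.split()
    if not parts:
        return set()
    exe = parts[0].rsplit("\\", 1)[-1]
    names = {exe}
    if exe == "rundll32.exe" and len(parts) > 1:
        dll = parts[1].split(",", 1)[0].rsplit("\\", 1)[-1]
        names.add(dll)
    return names


def build_indicators():
    """File-name indicator set derived from the report's persistence entries."""
    bad = set(REPORTED_INJECTED_DLLS) | set(REPORTED_DROPPED_FILES)
    for image in list(REPORTED_RUN.values()) + list(REPORTED_SERVICES.values()):
        bad |= module_names(image)
    bad.discard("rundll32.exe")  # legitimate Windows binary, not an indicator by itself
    return bad


def scan_autoruns(run_values, services, indicators=None):
    """Return (location, entry name, matched file names) for each Run value or
    service whose image path references a file named in the report."""
    indicators = build_indicators() if indicators is None else indicators
    hits = []
    for name, image in run_values.items():
        matched = module_names(image) & indicators
        if matched:
            hits.append(("HKLM\\...\\Run", name, sorted(matched)))
    for name, image in services.items():
        matched = module_names(image) & indicators
        if matched:
            hits.append(("Service", name, sorted(matched)))
    return hits


# Constructed host data for the demonstration (assumed, not from the report):
# one legitimate Run value, the lookalike ctfnom.exe, a short-path variant,
# a quoted path, a legitimate DHCP client service and the malicious one.
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "ctfnom": r"C:\WINDOWS\system32\ctfnom.exe",
    "upx": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upx.exe",
    "msccrt": r'"C:\WINDOWS\msccrt.exe"',
}
SAMPLE_SERVICES = {
    "Dhcp": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    "WinDHCPsvc": r"C:\WINDOWS\system32\rundll32.exe windhcp.ocx,input",
}

if __name__ == "__main__":
    for location, name, matched in scan_autoruns(SAMPLE_RUN, SAMPLE_SERVICES):
        print(f"{location:16} {name:12} -> {', '.join(matched)}")
```

Matching on base names rather than full paths is deliberately coarse: it survives short-name and case differences but will also flag any legitimate file that happens to share a name with one in the report, so a hit is a lead to verify against the listed full paths and hashes, not a verdict on its own.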
cmdbcs.exe:
[ Trend ], "TSPY_ONLINEGA.SF"
ctfnom.exe:
[ Trend ], "TROJ_Generic"
IDrivers.pif:
[ Trend ], "TROJ_DLOADER.HRG"
msccrt.dll:
[ Trend ], "TSPY_ONLINEGA.ZT"
msccrt.exe:
[ Trend ], "TSPY_ONLINEGA.ZT"
upx.dll:
[ Trend ], "TSPY_ZHENGTU.CZ"
upx.exe:
[ Trend ], "TSPY_ZHENGTU.CZ"
windds32.dll:
[ Trend ], "TROJ_AGENT.KNG"
windhcp.ocx:
[ Trend ], "TROJ_AGENT.KNH"
wsttrs.dll:
[ Trend ], "TSPY_ZHENGTU.BO"
wsttrs.exe:
[ Trend ], "TSPY_ONLINEGA.SE"
wsvs.dll:
[ Trend ], "TSPY_LEGMIR.ALO"
wsvs.exe:
[ Trend ], "TSPY_ONLINEGA.GM"
zaq1[1].exe:
[ Trend ], "TSPY_ZHENGTU.CZ"
zaq2[1].exe:
[ Trend ], "TSPY_ONLINEGA.ZT"
zaq3[1].exe:
[ Trend ], "TROJ_AGENT.KEP"
zaq4[1].exe:
[ Trend ], "TSPY_ONLINEGA.GM"
zaq5[1].exe:
[ Trend ], "TSPY_ONLINEGA.SE"
zaq7[1].exe:
[ Trend ], "TROJ_Generic"
zaq9[1].exe:
[ Trend ], "TROJ_AGENT.KEQ"
zaq10[1].exe:
[ Trend ], "TSPY_ONLINEGA.SF"
zaqxsw[1].exe:
[ Trend ], "TROJ_DLOADER.HRG"
1[1].exe:
[ Trend ], "Possible_Infostl"
cmdbcs.dll:
[ Panda ], "Trj/Legmir.AMG"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ HBEDV ], "HEUR/Malware"
[ Grisoft ], "Trojan horse PSW.Legendmir.DZP"
usbue.sys:
[ Symantec ], "Trojan Horse"
[ HBEDV ], "TR/Rootkit.Gen"
- Feb 11 Sun 2007 09:46
Mainland Chinese web page virus