Analysis of the super-nasty trojan downloader Gameservet.exe (game1.exe, 8888-521ww.exe, qjso.exe)
Today I received a sample called Gameservet.exe. Testing it gave a genuinely shocking result: this is an extremely aggressive trojan downloader.
It pulls in almost every trojan currently in circulation, and at the end it even drags in a copy of Viking (Worm.Viking). Today's malware is just too vicious; you shameless malware authors, will you not let anyone live in peace?!
More and more cases like this show that every user should harden their own system rather than rely on one or two antivirus products to keep it safe. With malware, prevention matters far more than cleanup. (by baohe)

Here is how the test went:
File: Gameservet.exe
Size: 18432 bytes
MD5: BA4A429C23099F62EEE31699D5E920F8
SHA1: AA0713E2DEF90CE7A1FB4B49717ECE7CB2621C1D
CRC32: F68BFF78
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24

When run, it installs itself as a service named WindowsGame. The Security value is the service object's security descriptor in self-relative binary form (168 bytes):

HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\Security\Security:
01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00
01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00
02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05
12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00
20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00
00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00
01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\Type: 0x00000110 (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\Start: 0x00000002 (SERVICE_AUTO_START)
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\ErrorControl: 0x00000000 (SERVICE_ERROR_IGNORE)
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\ImagePath: "C:\WINDOWS\system32\Gameservet.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\DisplayName: "Windows_Down"
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\Description: "Windows_Down"

An auto-start service running as LocalSystem comes back with full privileges at every boot, so the service itself has to be removed, not just the file.
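The Security value is easier to judge once decoded. As an example added to this write-up (not code from the original post or from the sample), the parser below reads the self-relative SECURITY_DESCRIPTOR byte string quoted above: a 20-byte header holding offsets to owner, group, SACL and DACL; each ACL a header followed by ACEs; each ACE a type/flags/size/mask header followed by a SID. The constant names are the winnt.h/winsvc.h ones, and the well-known SID table covers only the SIDs this descriptor uses. Running it shows the descriptor Windows XP assigns to any service created without an explicit one: Administrators hold full control, LocalSystem and Power Users may start and stop the service, Authenticated Users may only query it, and a failure-audit SACL entry covers Everyone. The descriptor is therefore not a weak-permission finding; what matters is that the service exists at all, auto-starts and runs as LocalSystem.

```python
r"""Decode the self-relative SECURITY_DESCRIPTOR stored in
HKLM\SYSTEM\CurrentControlSet\Services\WindowsGame\Security\Security.
Example code added to this write-up, not from the original post or the sample.
SD_HEX is the hex dump quoted above (168 bytes)."""
import struct

SD_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 "
    "01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 "
    "20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 "
    "00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
)
SD_BYTES = bytes.fromhex(SD_HEX.replace(" ", ""))

# SECURITY_DESCRIPTOR_CONTROL bits and ACE types/flags from winnt.h.
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
FAILED_ACCESS_ACE_FLAG = 0x80

# Service-specific rights (winsvc.h) plus the standard rights a service object carries.
RIGHTS = [
    (0x0001, "SERVICE_QUERY_CONFIG"), (0x0002, "SERVICE_CHANGE_CONFIG"),
    (0x0004, "SERVICE_QUERY_STATUS"), (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    (0x0010, "SERVICE_START"), (0x0020, "SERVICE_STOP"),
    (0x0040, "SERVICE_PAUSE_CONTINUE"), (0x0080, "SERVICE_INTERROGATE"),
    (0x0100, "SERVICE_USER_DEFINED_CONTROL"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
# Only the well-known SIDs this particular descriptor uses.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "LocalSystem",
    "S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users",
}


def decode_mask(mask):
    """Names of the rights set in an access mask; unknown bits are kept as hex."""
    names = [name for bit, name in RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in RIGHTS)
    if rest:
        names.append(hex(rest))
    return names


def parse_sid(buf, off):
    """Read a binary SID at off; return (string SID, offset just past it)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def parse_acl(buf, off):
    """Read an ACL header and its ACEs; return a list of ACE dicts."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)), "flags": flags,
                     "mask": mask, "rights": decode_mask(mask), "sid": sid,
                     "who": WELL_KNOWN_SIDS.get(sid, sid)})
        pos += ace_size   # advance by the ACE's own size field, never by the SID length
    return aces


def parse_sd(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR (the form the registry stores)."""
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("absolute descriptor: fields are pointers, not offsets")
    return {
        "revision": rev, "control": control,
        "owner": parse_sid(buf, owner)[0] if owner else None,
        "group": parse_sid(buf, group)[0] if group else None,
        "sacl": parse_acl(buf, sacl) if control & SE_SACL_PRESENT and sacl else [],
        "dacl": parse_acl(buf, dacl) if control & SE_DACL_PRESENT and dacl else [],
    }


def who_can(sd, right_name):
    """Principals granted right_name by ACCESS_ALLOWED ACEs in the DACL, in ACE order."""
    return [a["who"] for a in sd["dacl"]
            if a["type"] == "ACCESS_ALLOWED" and right_name in a["rights"]]


if __name__ == "__main__":
    sd = parse_sd(SD_BYTES)
    print("owner", sd["owner"], "group", sd["group"], "control", hex(sd["control"]))
    for ace in sd["sacl"] + sd["dacl"]:
        print("%-14s %-20s %s" % (ace["type"], ace["who"], " ".join(ace["rights"])))
    print("can start/stop:  ", who_can(sd, "SERVICE_START"))
    print("can reconfigure: ", who_can(sd, "SERVICE_CHANGE_CONFIG"))
```

The same parser works on any service's Security value exported from the registry; a service whose DACL grants SERVICE_CHANGE_CONFIG or WRITE_DAC to Authenticated Users or Everyone would be the real finding, and this one does not.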

It downloads http://w.xxxxxx.com/down/game1.exe through game13.exe
and http://w.xxxxxx.com/down/8888-521ww.exe into the system32 folder.

8888-521ww.exe continues the chain and downloads servet.exe (yet another trojan downloader) into system32.
servet.exe then downloads http://www.xxxxx.cn/1.exe through 15.exe into system32.

Once every trojan has been planted, the SREng log looks like this (note the DLLs with no version information loaded into lsass.exe, svchost.exe and Explorer.EXE; they cannot be deleted while loaded, which is why the cleanup has to be done in Safe Mode):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<msupdate><C:\WINDOWS\AntiAdwa.exe other> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<winform><C:\WINDOWS\winform.exe> []
<mppds><C:\WINDOWS\mppds.exe> []
<cmdbs><C:\WINDOWS\cmdbs.exe> []
<upxdnd><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxdnd.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe> []
<qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe> []
<mhsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso.exe> []
<intian><C:\WINDOWS\wintexe.exe> []
<load><C:\WINDOWS\uninstall\rundl132.exe> []
<testrun><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\testexe.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<visin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINDOWS\system32\msacn.dll> []

Services
[Windows User Mode Driver / UMWdfmgr][Stopped/Auto Start]
<rundll32.exe C:\WINDOWS\winamps.dll _start@16><N/A>
[Windows_Down / WindowsGame][Stopped/Auto Start]
<C:\WINDOWS\system32\Gameservet.exe><N/A>
[WinWMServiceNow / WinWMServiceNow][Stopped/Auto Start]
<C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RAVWM.EXE><N/A>
[Windows_SysDown / WindowsDown][Stopped/Auto Start]
<C:\WINDOWS\system32\servet.exe><N/A>
Drivers
[CelInDrv / CelInDrv][Stopped/Disabled]
<\??\C:\WINDOWS\system32\Drivers\CelInDriver.sys><N/A>
Running processes
[PID: 696][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\RAVWM506.dll] [N/A, ]
[PID: 852][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\fksdy.dll] [N/A, ]
    [C:\WINDOWS\system32\fdbohu.dll] [N/A, ]
    [C:\WINDOWS\system32\iakpsa.dll] [N/A, ]
[PID: 1392][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\wscsv.dll] [N/A, ]
    [C:\WINDOWS\system32\fksdy.dll] [N/A, ]
    [C:\WINDOWS\system32\wgptl.dll] [N/A, ]
    [C:\WINDOWS\system32\wtrmm.dll] [N/A, ]
    [C:\WINDOWS\system32\hreax.dll] [N/A, ]
    [C:\WINDOWS\system32\mppds.dll] [N/A, ]
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxdnd.dll] [N/A, ]
    [C:\WINDOWS\system32\winform.dll] [N/A, ]
    [C:\WINDOWS\system32\cmdbs.dll] [N/A, ]
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\testdll.dll] [N/A, ]
    [C:\WINDOWS\system32\cmdbcs.dll] [N/A, ]
    [C:\WINDOWS\system32\wintdll.dll] [N/A, ]
    [C:\WINDOWS\winamps.dll] [N/A, ]
    [C:\WINDOWS\system32\fdbohu.dll] [N/A, ]
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso1.dll] [N/A, ]
    [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso1.dll] [N/A, ]
    [C:\WINDOWS\system32\nwizAsktao.dll] [N/A, ]
    [C:\WINDOWS\system32\nwizqqfo.dll] [N/A, ]
    [C:\WINDOWS\system32\testdll.dll] [N/A, ]
    [C:\WINDOWS\system32\iakpsa.dll] [N/A, ]
    [C:\WINDOWS\system32\nwiztlbb.dll] [N/A, ]
    [C:\WINDOWS\system32\nwizhx2.dll] [N/A, ]


The machine has been thoroughly owned by this thing.
The good news is that Safe Mode is still intact,
and none of these trojans is technically very sophisticated.
Removing the startup entries, deleting the services and then deleting the files is enough.

Concrete removal steps (the same old routine; no laughing, please):
If at this point you find that many .exe files have been infected, that is probably Viking's doing: download the Viking special removal tool first and scan the whole disk.

Then boot into Safe Mode (keep pressing F8 after power-on; in the advanced boot menu choose the first entry, Safe Mode).

Open SREng.
Under Startup Items > Registry, delete the following entries (if you recognise an entry or are certain it is not malware, leave it alone; note that the vendor column is taken from the file's own version information, so the "Microsoft Corporation" shown against ctfnom.exe proves nothing):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<msupdate><C:\WINDOWS\AntiAdwa.exe other> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<winform><C:\WINDOWS\winform.exe> []
<mppds><C:\WINDOWS\mppds.exe> []
<cmdbs><C:\WINDOWS\cmdbs.exe> []
<upxdnd><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxdnd.exe> []
<cmdbcs><C:\WINDOWS\cmdbcs.exe> []
<wosa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe> []
<qjsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe> []
<mhsa><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso.exe> []
<intian><C:\WINDOWS\wintexe.exe> []
<load><C:\WINDOWS\uninstall\rundl132.exe> []
<testrun><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\testexe.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<visin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINDOWS\system32\msacn.dll> []

Under Startup Items > Services > Win32 Services, tick "Hide certified Microsoft items",
select the following entries, click "Delete Service", then click "Set" and answer "No" in the dialog that pops up:

[Windows User Mode Driver / UMWdfmgr][Stopped/Auto Start]
<rundll32.exe C:\WINDOWS\winamps.dll _start@16><N/A>
[Windows_Down / WindowsGame][Stopped/Auto Start]
<C:\WINDOWS\system32\Gameservet.exe><N/A>
[WinWMServiceNow / WinWMServiceNow][Stopped/Auto Start]
<C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RAVWM.EXE><N/A>
[Windows_SysDown / WindowsDown][Stopped/Auto Start]
<C:\WINDOWS\system32\servet.exe><N/A>

Under Startup Items > Services > Drivers, tick "Hide certified Microsoft items",
select the following entry, click "Delete Service", then click "Set" and answer "No" in the dialog that pops up:

[CelInDrv / CelInDrv][Stopped/Disabled]
<\??\C:\WINDOWS\system32\Drivers\CelInDriver.sys><N/A>


Double-click My Computer, choose Tools > Folder Options > View, select "Show hidden files and folders" and clear the tick in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click "Yes", then OK.
Then:
Empty C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp (this removes RAVWM.EXE, upxdnd.exe, upxdnd.dll, woso.exe, woso1.dll, qjso.exe, mhso.exe, mhso1.dll, testexe.exe and testdll.dll from the log above)
Delete the following files and folders:
C:\WINDOWS\system32\system folder
C:\WINDOWS\AntiAdwa.exe (the trailing "other" in the Run entry is a command-line argument, not part of the file name)
C:\WINDOWS\winform.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\cmdbs.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\wintexe.exe
C:\WINDOWS\uninstall\rundl132.exe (note the digit 1 in place of the letter l: a look-alike of rundll32.exe)
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\winamps.dll
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\Gameservet.exe
C:\WINDOWS\system32\servet.exe
C:\WINDOWS\system32\msacn.dll
C:\WINDOWS\system32\RAVWM506.dll (loaded into lsass.exe in the log above)
C:\WINDOWS\system32\nwizAsktao.dll
C:\WINDOWS\system32\nwizqqfo.dll
C:\WINDOWS\system32\nwiztlbb.dll
C:\WINDOWS\system32\nwizhx2.dll
C:\WINDOWS\system32\testdll.dll
C:\WINDOWS\system32\iakpsa.dll
C:\WINDOWS\system32\fksdy.dll
C:\WINDOWS\system32\fdbohu.dll
C:\WINDOWS\system32\wscsv.dll
C:\WINDOWS\system32\wgptl.dll
C:\WINDOWS\system32\wtrmm.dll
C:\WINDOWS\system32\hreax.dll
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\winform.dll
C:\WINDOWS\system32\cmdbs.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\wintdll.dll
C:\WINDOWS\system32\Drivers\CelInDriver.sys
C:\WINDOWS\system32\game1.exe through game13.exe (if present)
C:\WINDOWS\system32\8888-521ww.exe (if present)
C:\WINDOWS\system32\1.exe through 15.exe (if present)
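One way to turn the SREng log into the same cleanup the manual steps perform, as an example added to this write-up (not SREng's code and not the original author's): parse the Run entries, services, drivers and loaded-module lines, then emit the reg/sc/del commands for cmd.exe. SRENG_LOG is a shortened copy of the log quoted above. The file list is de-duplicated case-insensitively (the log lists ctfnom.exe twice and several DLLs appear in more than one process), the vendor column is deliberately ignored because it is only the file's own version string (the ctfnom.exe entries claim "Microsoft Corporation"), and a DLL run through rundll32.exe is treated as the payload rather than the host. The commands are only generated, for review and pasting into a Safe Mode console; nothing here executes them, and the DLLs listed under lsass.exe, svchost.exe and Explorer.EXE cannot be deleted while those processes still have them loaded.

```python
"""Turn an SREng (System Repair Engineer) log into the cleanup commands the
manual procedure above performs by hand. Example code added to this write-up;
it is not SREng's and not the original author's. SRENG_LOG is a shortened copy
of the log quoted above. The result is a list of cmd.exe commands to review
and paste into a Safe Mode console; nothing here executes them."""
import re

SRENG_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<msupdate><C:\WINDOWS\AntiAdwa.exe other> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<winform><C:\WINDOWS\winform.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<visin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
<twin><C:\WINDOWS\system32\ctfnom.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINDOWS\system32\msacn.dll> []
Services
[Windows User Mode Driver / UMWdfmgr][Stopped/Auto Start]
<rundll32.exe C:\WINDOWS\winamps.dll _start@16><N/A>
[Windows_Down / WindowsGame][Stopped/Auto Start]
<C:\WINDOWS\system32\Gameservet.exe><N/A>
Drivers
[CelInDrv / CelInDrv][Stopped/Disabled]
<\??\C:\WINDOWS\system32\Drivers\CelInDriver.sys><N/A>
Running processes
[PID: 696][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\RAVWM506.dll] [N/A, ]
[PID: 1392][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\wscsv.dll] [N/A, ]
"""

RE_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")                 # [HKEY_...\Run]
RE_ENTRY = re.compile(r"^<([^>]*)><([^>]*)>")                # <value><command> or <image><vendor>
RE_SVC = re.compile(r"^\[(.+?) / (.+?)\]\[(.+?)\]$")         # [Display / Name][State]
RE_PROC = re.compile(r"^\[PID: (\d+)\]\[([^\]]+)\]")         # [PID: n][image] [vendor, version]
RE_MOD = re.compile(r"^\[?([A-Za-z]:\\[^\]]+)\] \[([^\]]*)\]$")   # [path] [vendor, version]
RE_PATH = re.compile(r"[A-Za-z]:\\[^\s>]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Trusted host binaries that may appear on a malicious command line (rundll32.exe
# loading winamps.dll): the payload is the DLL, the host must not be deleted.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe"}


def extract_paths(command):
    """Drive-letter .exe/.dll/.sys paths in a command line or image path, with
    forward slashes (as the repost renders them) normalised to backslashes."""
    paths = RE_PATH.findall(command.replace("/", "\\"))
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() not in HOST_BINARIES]


def parse_sreng(text):
    """Split an SREng log into Run entries, services, drivers and loaded modules."""
    rep = {"run": [], "services": [], "drivers": [], "modules": []}
    section, key, pending, proc = "run", None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Services", "Drivers", "Running processes"):
            section, pending = line.split()[0].lower(), None
        elif RE_KEY.match(line):
            section, key = "run", RE_KEY.match(line).group(1)
        elif section in ("services", "drivers") and RE_SVC.match(line):
            display, name, state = RE_SVC.match(line).groups()
            pending = {"display": display, "name": name, "state": state}
        elif section == "running" and RE_PROC.match(line):
            pid, image = RE_PROC.match(line).groups()
            proc = {"pid": int(pid), "image": image}
        elif RE_ENTRY.match(line):
            first, second = RE_ENTRY.match(line).groups()
            if section == "run" and key:
                rep["run"].append({"key": key, "value": first, "command": second})
            elif pending is not None:          # <image><vendor> line after a service header
                pending["image"] = first
                rep[section].append(pending)
                pending = None
        elif section == "running" and proc and RE_MOD.match(line):
            path, vendor = RE_MOD.match(line).groups()
            rep["modules"].append({"pid": proc["pid"], "process": proc["image"],
                                   "path": path, "vendor": vendor})
    return rep


def build_plan(rep):
    """Commands in the order the manual procedure uses: autostart values,
    services and drivers, then files (de-duplicated case-insensitively)."""
    cmds = []
    for e in rep["run"]:
        # The vendor column is the file's own version string (ctfnom.exe says
        # "Microsoft Corporation"), so it is never a reason to keep an entry.
        cmds.append('reg delete "%s" /v "%s" /f' % (e["key"], e["value"]))
    for svc in rep["services"] + rep["drivers"]:
        cmds.append('sc stop "%s"' % svc["name"])
        cmds.append('sc delete "%s"' % svc["name"])
    files = {}
    for cmdline in [e["command"] for e in rep["run"]] + \
                   [s["image"] for s in rep["services"] + rep["drivers"]]:
        for p in extract_paths(cmdline):
            files.setdefault(p.lower(), p)
    for mod in rep["modules"]:   # injected DLLs: deletable only once unloaded (Safe Mode)
        files.setdefault(mod["path"].lower(), mod["path"])
    cmds += ['del /f /a "%s"' % files[k] for k in sorted(files)]
    return cmds


if __name__ == "__main__":
    print("\n".join(build_plan(parse_sreng(SRENG_LOG))))
```

`del /f /a` removes the file regardless of read-only, hidden or system attributes, which is the same reason the manual procedure first changes the Folder Options; `sc stop` on a service that Safe Mode has already left stopped simply reports that it is not running.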

Trojan downloaders of this kind have been running rampant lately, and they usually spread through drive-by downloads planted on websites, so prevention is what matters most. Keep your antivirus and firewall up to date
and install all system patches. Stop it before it happens!


The above is what I found in my own testing. If you repost it, please credit the author (清新阳光) and the source. Thank you!

Author: newcenturymoon

Source: http://forum.ikaka.com/topic.asp?board=28&artid=8312462
