
Trojan/Win32.Agent.ven[Dropper] Analysis

Source: Antiy Labs   Date: June 18, 2009

  • Virus Profile

Virus name: Trojan/Win32.Agent.ven[Dropper]
Virus type: Trojan
File MD5: 3E2857BCAC69BF6366443FB1B890D161
Disclosure: Fully public
Threat level: 3
File size: 155,648 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0

  • Virus Description

    This malicious code is a Trojan. Its icon is disguised as a system folder to mislead the user into opening it and thereby running the malicious code. Once running, it checks whether it is being debugged and exits the process if so; determines the operating system type and obtains the system version information; creates a hosts file in the %System32%\drivers\etc\ directory, renaming the system's own hosts file to hosts.o1d; hijacks a large number of domain names to a single IP address and sets the hidden attribute on the hosts file it created; invokes taskkill.exe with a command line that terminates some system processes; calls an API function to flush the local DNS cache; frees the ordinal #220 function of the shdocvw.dll library (module handle 76370000), which may cause exceptions in applications; attempts to read and modify the Firefox profiles.ini configuration file; creates and modifies registry keys; after it has finished running, drops a batch file that deletes its own file; and attempts to connect to the network to send statistics.

  • Behaviour Analysis - Local Behaviour

1. After execution, the following file is dropped:
%System32%\drivers\etc\hosts
2. Checks whether it is being debugged and exits the process if so; determines the operating system type and obtains the system version information; creates a hosts file in the %System32%\drivers\etc\ directory, renaming the system's own hosts file to hosts.o1d; hijacks a large number of domain names to a single IP address; and sets the hidden attribute on the hosts file it created.

3. Registry keys modified or created
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\[xSP_2:1013007708_7]
Value: <value not set>

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PDM
Value: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Value: DWORD: 1 (0x1)

4. Invokes taskkill.exe with the command line /f /im iexpl* /im firefox* /im mozi* /im opera* /im safar* to terminate processes whose names match iexpl*, firefox*, mozi*, opera* or safar*; calls the DnsFlushResolverCache API function to flush the local DNS cache; frees the ordinal #220 function of the shdocvw.dll library (module handle 76370000), which may cause exceptions in applications; and attempts to read and modify the Firefox profiles.ini configuration file.

5. List of the hijacked domain names (every entry maps to the same IP address):
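A defender-side check for the hosts-file hijack described above, as an added example that is not part of the Antiy report: it parses hosts-file text, groups hostnames by the address they are mapped to, and flags any non-loopback address that pins many hostnames or any of the search and ad domains this sample targets. The sample hosts content and the address 203.0.113.77 are constructed placeholders (the report's real address is a single IP, not shown here); `parse_hosts`, `find_hijacks` and `WATCHLIST` are names chosen for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file; 203.0.113.77 is a documentation-range
# placeholder standing in for the single address the dropper uses.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
203.0.113.77 google.com
203.0.113.77 www.google.com
203.0.113.77 google.co.uk
203.0.113.77 search.yahoo.com
203.0.113.77 search.live.com
203.0.113.77 search.msn.com   # trailing comment is ignored
192.168.1.10 intranet.example # a legitimate local entry
"""

# Search and ad domains the report lists as hijacked; a hosts file has no
# legitimate reason to pin any of these to a fixed address.
WATCHLIST = ("google.", "search.yahoo.com", "search.live.com",
             "search.msn.com", "doubleclick.net", "googleadservices.com")


def parse_hosts(text):
    """Return {ip: [hostname, ...]}; comment and malformed lines are skipped."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an IP address
        for name in fields[1:]:
            mapping[ip].append(name.lower())
    return dict(mapping)


def find_hijacks(text, threshold=4):
    """Flag non-loopback addresses that collect `threshold` or more hostnames
    or that pin any watch-listed search/ad domain; returns {ip: [names]}."""
    findings = {}
    for ip, names in parse_hosts(text).items():
        if ipaddress.ip_address(ip).is_loopback:
            continue
        watched = any(w in n for n in names for w in WATCHLIST)
        if len(names) >= threshold or watched:
            findings[ip] = sorted(set(names))
    return findings
```

On a live system, feed `find_hijacks` the contents of %System32%\drivers\etc\hosts; a backup named hosts.o1d beside it is a further indicator of this sample.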

  • Behaviour Analysis - Network Behaviour

Attempts to connect to the network to submit installation statistics, and attempts to download a virus file from the network:
http://206.53.61.**/report/reports/working.php (attempts to download a virus file; this link is no longer active)
UserID=1013007708&wv=wvXP&res=5&lng=PE (attempts to connect to the network to submit installation statistics)

Note: %System32% is a variable path. The virus queries the operating system to determine the location of the current System folder.
     %Windir%                 directory where Windows is installed
     %DriveLetter%            root directory of a logical drive
     %ProgramFiles%           default installation directory for programs
     %HomeDrive%              partition holding the currently booted system
     %Documents and Settings% root directory of the current user's documents
     %Temp%                   \Documents and Settings\<current user>\Local Settings\Temp
     %System32%               the system's System32 folder

     On Windows 2000/NT the default path is C:\Winnt\System32
     On Windows 95/98/Me the default path is C:\Windows\System
     On Windows XP the default path is C:\Windows\System32


  • Removal

1. Use Antiy Defense to remove this virus completely (recommended); click to download (http://www.antiyfx.com)
2. For manual removal, delete the corresponding files and restore the related system settings according to the behaviour analysis.
The ATool management utility is recommended; click to download (http://www.antiy.com/cn/download/index.htm)

(1) Use ATool "File Management" to forcibly delete the following file
%System32%\drivers\etc\hosts
%System32%\drivers\etc\hosts.o1d: rename hosts.o1d back to hosts

(2) Delete the registry entries created or modified by the virus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\[xSP_2:1013007708_7]
Value: <value not set>

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PDM
Value: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Value: DWORD: 1 (0x1)