安全响应·Security
病毒分析报告·Report

Trojan-Downloader.Win32.Small.elo分析

出处:安天实验室 时间:2007-06-05 11:00

病毒标签:

病毒名称: Trojan-Downloader.Win32.Small.elo
中文名称: 下载者变种
病毒类型: 木马类
文件 MD5: 49225E04EF3CC90B9B96AB6C9AC0CD9D
公开范围: 完全公开
危害等级: 4
文件长度: 1,097,736 字节
感染系统: Win9X以上系统
开发工具: Microsoft Visual C++ 5.0

病毒描述:

  该病毒运行后,衍生病毒文件到多个目录下,添加注册表自动运行项与系统服务项以跟随
系统引导病毒体。修改用户 host文件以重定向到不良网址,进而造成链式反应。下载的病毒体
多为网络游戏盗号程序。

行为分析:

1 、衍生下列副本与文件:

    %WinDir%\upxdnd.exe
    %System32%\msdebug.dll
    %System32%\netsrvcs.dll
    %System32%\nwizAsktao.dll
    %System32%\nwizAsktao.exe
    %System32%\nwiztlbb.dll
    %System32%\nwiztlbu.exe
    %System32%\RemoteDbg.dll
    %System32%\upxdnd.dll
    %System32%\windds32.dll
    %System32%\WMIApiSrv.dll
    %System32%\xpdhcp.dll
   
2 、新建注册表键值:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ActiveSetup\Installed Components\
    {6A202101-F04D-11cf-64CD-31FF5FE1CF20}\StubPath
    Value: String: "%WINdir\System32\nwiztlbu.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ActiveSetup\Installed Components\
    {6A202101-F04D-11cf-64CD-31FF5FE1CF20}\StubPath
    Value: String: "%WINdir\System32\nwiztlbu.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upxdnd
    Value: String: "%\WinDir%\upxdnd.exe"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC\Description
    Value: String: " 启用 IEEE 802.11 适配器的自动配置 ."
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC\DisplayName
    Value: String: "Wireless Service"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSRVC\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
    %WinDir%\Syste|m32\rundll32.exenetsrvcs.dll,input.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv\Description
    Value: String: " 为 Windows Management Instrumentation
    (WMI) 提供所需的系统函数。"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv\Displa yName
    Value: String: "WMI Performance API"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIApiSrv\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
    %WinDir%\System32\rundll32.exe WMIApiSrv.dll,input.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc\Description
    Value: String: " 为远程计算机注册并更新 IP 地址。 "
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc\DisplayName
    Value: String: "WinXP DHCP Service"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinXPDHCPsvc\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
    %WinDir%\System32\rundll32.exexpdhcp.dll,input.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS\Description
    Value: String: "Provides system and desktop level
    support to the display driver"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS\DisplayName
    Value: String: "Win32 Display Driver"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32DDS\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
    %WinDir\System32\rundll32.exe windds32.dll,input.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\Description
    Value: String: " 允许 Administrators 组的成员进行远程调试。 "
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\DisplayName
    Value: String: "Remote Debug Service"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteDbg\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
    %WinDir%\System32\rundll32.exeRemoteDbg.dll,input.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc\Description
    Value: String: " 为计算机系统提供 32 位调试服务。如果此服务被禁用,
    所有明确依赖它的服务都将不能启动。 "
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc\DisplayName
    Value: String: "Win32 Debug Service"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDebugsvc\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 51 (0x33) bytes
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello Download\DisplayName
    Value: String: "TCP/IP Check"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello Download\ImagePath
    Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
    %Program Files%\Common Files\System\wab32res.exe.

3 、修改 host 文件为下列内容:

    127.0.0.1     localhost
    127.0.0.1     mmm.caifu18.net
    127.0.0.1     www.18dmm.com
    127.0.0.1     d.qbbd.com
    127.0.0.1     www.5117music.com
    127.0.0.1     www.union123.com
    127.0.0.1     www.wu7x.cn
    127.0.0.1     www.54699.com
    127.0.0.1     www1.6tan.com
    127.0.0.1     www2.6tan.com
    127.0.0.1     www.97725.com
    127.0.0.1     down.97725.com
    127.0.0.1     ip.315hack.com
    127.0.0.1     ip.54liumang.com
    127.0.0.1     www.41ip.com
    127.0.0.1     xulao.com
    127.0.0.1     www.heixiou.com
    127.0.0.1     www.9cyy.com
    127.0.0.1     www.hunll.com
    127.0.0.1     www.down.hunll.com
    127.0.0.1     do.77276.com
    127.0.0.1     www.baidulink.com
    127.0.0.1     adnx.yygou.cn
    127.0.0.1     222.73.220.45
    127.0.0.1     www.f5game.com
    127.0.0.1     www.guazhan.cn
    127.0.0.1     wm,103715.com
    127.0.0.1     www.my6688.cn
    127.0.0.1     i.96981.com
    127.0.0.1     d.77276.com
    127.0.0.1     www1.cw988.cn
    127.0.0.1     cool.47555.com
    127.0.0.1     www.asdwc.com
    127.0.0.1     55880.cn
    127.0.0.1     61.152.169.234
    127.0.0.1     cc.wzxqy.com
    127.0.0.1     www.54699.com
    127.0.0.1     t.gcuj.com
    127.0.0.1     www.puma163.com
    127.0.0.1     ceoww.com
    127.0.0.1     boolom.com
    127.0.0.1     adult-novel.cn
    127.0.0.1     ll.chinasese.net
    127.0.0.1     www.tellumore.com
    127.0.0.1     www.o1wg.com
    127.0.0.1     www.qq756.com
    127.0.0.1     ll.chinasese.net
    127.0.0.1     cool.47555.com

注: % System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:\Winnt\System32 , windows95/98/me 中默认的安装路径是 C:\Windows\System , windowsXP 中默认的安装路径是 C:\Windows\System32 。

清除方案:
 

1 、 使用安天木马防线可彻底清除此病毒 ( 推荐 )

2 、 手工清除请按照行为分析删除对应文件,恢复相关系统设置。
    (1)使用安天木马防线断开网络,结束病毒进程:
      %WinDir%\upxdnd.exe
      %System32%\nwizAsktao.exe
    (2)删除并恢复病毒添加与修改的注册表键值:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
      ActiveSetup\InstalledComponents\
      {6A202101-F04D-11cf-64CD-31FF5FE1CF20}\StubPath
      Value: String: "%WINdir\System32\nwiztlbu.exe"
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
      ActiveSetup\InstalledComponents\
      {6A202101-F04D-11cf-64CD-31FF5FE1CF20}\StubPath
      Value: String: "%WINdir\System32\nwiztlbu.exe"
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run\Upxdnd
      Value: String: "%\WinDir%\upxdnd.exe"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WZCSRVC\Description
      Value: String: " 启用 IEEE 802.11 适配器的自动配置 ."
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WZCSRVC\DisplayName
      Value: String: "Wireless Service"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WZCSRVC\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
      %WinDir%\Syste|m32\rundll32.exenetsrvcs.dll,input.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WMIApiSrv\Description
      Value: String: " 为 Windows Management Instrumentation
      (WMI) 提供所需的系统函数。 "
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WMIApiSrv\DisplayName
      Value: String: "WMI Performance API"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WMIApiSrv\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
      %WinDir%\System32\rundll32.exe WMIApiSrv.dll,input.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WinXPDHCPsvc\Description
      Value: String: " 为远程计算机注册并更新 IP 地址。 "
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WinXPDHCPsvc\DisplayName
      Value: String: "WinXP DHCP Service"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\WinXPDHCPsvc\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
      %WinDir%\System32\rundll32.exexpdhcp.dll,input.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\Win32DDS\Description
      Value: String: "Provides system and desktop
      level support to the display driver"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\Win32DDS\DisplayName
      Value: String: "Win32 Display Driver"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\Win32DDS\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 52 (0x34) bytes
      %WinDir\System32\rundll32.exe windds32.dll,input.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\RemoteDbg\Description
      Value: String: " 允许 Administrators 组的成员进行远程调试。"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\RemoteDbg\DisplayName
      Value: String: "Remote Debug Service"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\RemoteDbg\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes
      %WinDir%\System32\rundll32.exeRemoteDbg.dll,input.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\MSDebugsvc\Description
      Value: String: " 为计算机系统提供 32 位调试服务。
      如果此服务被禁用,所有明确依赖它的服务都将不能启动。 "
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\MSDebugsvc\DisplayName
      Value: String: "Win32 Debug Service"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\MSDebugsvc\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 51 (0x33) bytes
      %WinDir%\System32\rundll32.exe msdebug.dll,input.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      Hello Download\DisplayName
      Value: String: "TCP/IP Check"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      Hello Download\ImagePath
      Value: Type: REG_EXPAND_SZ Length: 50 (0x32) bytes
       %Program Files%\Common Files\System\wab32res.exe.
    (3)删除病毒衍生文件:
      %WinDir%\upxdnd.exe
      %System32%\msdebug.dll
      %System32%\netsrvcs.dll
      %System32%\nwizAsktao.dll
      %System32%\nwizAsktao.exe
      %System32%\nwiztlbb.dll
      %System32%\nwiztlbu.exe
      %System32%\RemoteDbg.dll
      %System32%\upxdnd.dll
      %System32%\windds32.dll
      %System32%\WMIApiSrv.dll
      %System32%\xpdhcp.dll
    (4)恢复 %WinDir%\system32\drivers\etc\hosts 文件内容为:
      127.0.0.1     localhost
    (5)使用安天木马防线扫描全盘。
附:
 


点击此处下载木马防线2005+

病毒上报信箱: submit@virusview.net
[TOP]