Security Response
Analysis of Virus.Win32.AutoRun.tn
Source: Antiy CERT    Date: 2007-10-12 10:40

Virus tags:

Virus name: Virus.Win32.AutoRun.tn
Virus type: Virus
File MD5: db9dcd04e8fc96d7b83c0476d5902ec7
Disclosure scope: Fully public
Severity: High
File length: 28,160 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24

Virus description:

When run, the virus drops a copy of itself into the root directory of every drive together with an autorun.inf file, so that the virus is executed automatically whenever the user opens a drive. At the same time it drops a large number of online-game Trojans into the system folder, hijacks the SPI (Winsock service provider) chain, downloads and runs further game Trojans, and sets image hijacking (Image File Execution Options) entries against security software.
Behavior analysis:

Local behavior:
1. When run, the file drops the following files:
%System32%\Systom.exe 28,160 bytes
%DriveLetter%\auToRun.inf 156 bytes
%DriveLetter%\nx.exe 28,160 bytes
%System32%\5temp.exe 32,385 bytes
%System32%\addrmshelp.dll 11,888 bytes
%System32%\auToRun.inf 156 bytes
%System32%\avzxdmn.dll 23,126 bytes
%System32%\avzxdst.exe 15,146 bytes
%System32%\daemon_mgm.exe 49,152 bytes
%System32%\kafyeaz.exe 13,364 bytes
%System32%\kafyezy.dll 19,044 bytes
%System32%\kawdbaz.exe 14,035 bytes
%System32%\kawdbzy.dll 20,058 bytes
%System32%\kvdxcis.exe 14,269 bytes
%System32%\kvdxcma.dll 20,072 bytes
%System32%\kvmxeis.exe 14,437 bytes
%System32%\kvmxema.dll 20,580 bytes
%System32%\NetMonInstaller.exe 6,656 bytes
%System32%\npf_mgm.exe 49,152 bytes
%System32%\qdshm.dll 9,818 bytes
%System32%\rpcapd.exe 86,016 bytes
%System32%\rsmydpm.dll 22,094 bytes
%System32%\rsmydsp.exe 15,005 bytes
%System32%\rsztcpm.dll 23,110 bytes
%System32%\rsztcsp.exe 15,354 bytes
%System32%\wpc2.exe 659,456 bytes
%System32%\wuapi.dll.mui 25,944 bytes
%System32%\wuaucpl.cpl.mui 25,944 bytes
%System32%\wuaueng.dll.mui 16,216 bytes
%System32%\wucltui.dll.mui 30,040 bytes
%System32%\zxarps.exe 24,064 bytes
2. Image hijacking (Image File Execution Options) of security software; the hijacked programs are:
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
AST.exe
AutoRuns.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
krepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmc.exe
mmqczj.exe
mmsk.exe
msconfig.exe
NAVSetup.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
regedit.exe
rfwcfg.exe
RfwMain.exe
rfwProxy.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
taskmgr.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE.exe
WoptiClean.exe
zxsweep.exe
3. Registry entries added:
HKCR\CLSID\{2598FF45-DA60-F48A-BC43-10AC47853D52}\InprocServer32
Value name: (Default)
Type: REG_SZ
Data: C:\WINNT\system32\rarjbpi.dll
HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Toolbar\Explorer
Value name: ITBarLayout
Type: REG_BINARY
Data: 110000005C0000000000000034000000...
HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
Value name: {2598FF45-DA60-F48A-BC43-10AC47853D52}
Type: REG_SZ
Data: rarjbpi.dll
HKCR\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32
Value name: (Default)
Type: REG_SZ
Data: C:\WINNT\system32\avzxdmn.dll
HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
Value name: {4859245F-345D-BC13-AC4F-145D47DA34F4}
Type: REG_SZ
Data: avzxdmn.dll
4. Registry entries modified:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value name: ButtonText
New data:
Type: REG_SZ
Data: @shdoclc.dll,-866@2052,相关站点
Original data:
Type: REG_SZ
Data: @shdoclc.dll,-866
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value name: MenuText
New data:
Type: REG_SZ
Data: @shdoclc.dll,-864@2052,显示相关站点(&R)
Original data:
Type: REG_SZ
Data: @shdoclc.dll,-864
HKLM\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value name: MenuStatusBar
New data:
Type: REG_SZ
Data: @shdoclc.dll,-865@2052,显示与当前页相关的站点。
Original data:
Type: REG_SZ
Data: @shdoclc.dll,-865
HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Toolbar\ShellBrowser
Value name: {0E5CBF21-D15F-11D0-8301-00AA005B4383}
New data:
Type: REG_BINARY
Data: 21BF5C0E5FD1D011830100AA005B4383...
Original data:
Type: REG_BINARY
Data: 21BF5C0E5FD1D011830100AA005B4383...
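As an added example (not Antiy's tooling and not part of the original report), the following Python script audits a Windows registry export (.reg text) for the two persistence artifacts described in items 2 and 3: Image File Execution Options "Debugger" entries registered against the listed security tools, and ShellExecuteHooks CLSIDs resolved to the DLL their InprocServer32 key loads. The sample export is constructed; the CLSID and rarjbpi.dll come from the report, while the Debugger data shown for 360tray.exe is an assumed value for illustration.

```python
# Added example: audit a .reg export for the IFEO and ShellExecuteHooks
# artifacts described in items 2 and 3. Not Antiy tooling; sample constructed.
# Subset of the security tools the report lists as image-hijacked (item 2).
HIJACK_TARGETS = {"360safe.exe", "360tray.exe", "avp.exe", "ravmon.exe",
                  "icesword.exe", "regedit.exe", "taskmgr.exe", "msconfig.exe"}
# Key paths are compared lower-cased, as the registry is case-insensitive.
IFEO = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
        r"\image file execution options" + "\\")
SEH = (r"hkey_local_machine\software\microsoft\windows\currentversion"
       r"\explorer\shellexecutehooks")

# Constructed sample export: one hijacked tool (assumed Debugger data), one
# legitimate IFEO debugger entry (ntsd), and the CLSID / InprocServer32 pair from item 3.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINNT\\system32\\Systom.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2598FF45-DA60-F48A-BC43-10AC47853D52}"="rarjbpi.dll"
[HKEY_CLASSES_ROOT\CLSID\{2598FF45-DA60-F48A-BC43-10AC47853D52}\InprocServer32]
@="C:\\WINNT\\system32\\rarjbpi.dll"
"""

def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} from .reg text."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            # .reg doubles backslashes inside quoted string data; undo that.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_ifeo_hijacks(keys):
    """(exe, debugger) pairs for listed security tools redirected via IFEO."""
    hits = [(path[len(IFEO):], vals["Debugger"]) for path, vals in keys.items()
            if path.startswith(IFEO) and "Debugger" in vals]
    return sorted(h for h in hits if h[0] in HIJACK_TARGETS)

def find_shell_execute_hooks(keys):
    """Map each ShellExecuteHooks CLSID to the DLL its InprocServer32 loads."""
    inproc = r"hkey_classes_root\clsid\%s\inprocserver32"
    return {clsid: keys.get(inproc % clsid.lower(), {}).get("(default)")
            for clsid in keys.get(SEH, {})}
```

Any hook whose CLSID resolves to an unexpected DLL in %System32%, or any Debugger entry on a security tool, is worth comparing against the file list in item 1 before cleanup.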
Network behavior:
1. Connects to the network to download virus files:
Connects to:
www.tes***com(222.208.183.***)
Downloads the following virus files and runs them automatically:
%Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\14[1].exe 265,781 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.eom
%Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\2[1].exe 20,044 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.eon
%Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\6[1].exe 32,385 bytes
Virus name: Virus.Win32.AutoRun.sx
%Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\4[1].exe 15,354 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.ejq
%Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\8[1].exe 14,035 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.enh
%Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\1[1].exe 14,437 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.ejx
%Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\5[1].exe 15,005 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.eau
%Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\9[1].exe 13,364 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.epf
%Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\3[1].exe 15,146 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.enb
%Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\7[1].exe 14,269 bytes
Virus name: Trojan-PSW.Win32.OnLineGames.eei
%Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\down[1].exe 28,160 bytes
Virus name: Virus.Win32.AutoRun.tn
Note: %System32% is a variable path. The virus queries the operating system to determine the location of the current System folder.
%Windir% the directory where Windows is installed
%DriveLetter% the root directory of a logical drive
%ProgramFiles% the default installation directory for programs
%HomeDrive% the partition holding the currently booted system
%Documents and Settings% the root of the current user's documents
%Temp% \Documents and Settings\<current user>\Local Settings\Temp
%System32% the system's System32 folder
On Windows 2000/NT the default path is C:\Winnt\System32
On Windows 95/98/Me the default path is C:\Windows\System
On Windows XP the default path is C:\Windows\System32

Removal:

1. Use Antiy 木马防线 (Antiy's anti-Trojan product) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as described in the behavior analysis:
(1) Use the "Process Manager" of Antiy 木马防线 to terminate the virus processes.
(2) Delete the virus files:
%System32%\Systom.exe 28,160 bytes
%DriveLetter%\auToRun.inf 156 bytes
%DriveLetter%\nx.exe 28,160 bytes
%System32%\5temp.exe 32,385 bytes
%System32%\addrmshelp.dll 11,888 bytes
%System32%\auToRun.inf 156 bytes
%System32%\avzxain.dll 55 bytes
%System32%\avzxdmn.dll 23,126 bytes
%System32%\avzxdst.exe 15,146 bytes
%System32%\c.txt 510 bytes
%System32%\daemon_mgm.exe 49,152 bytes
%System32%\kafyacs.dll 62 bytes
%System32%\kafyeaz.exe 13,364 bytes
%System32%\kafyezy.dll 19,044 bytes
%System32%\kawdacs.dll 57 bytes
%System32%\kawdbaz.exe 14,035 bytes
%System32%\kawdbzy.dll 20,058 bytes
%System32%\kvdxacf.dll 64 bytes
%System32%\kvdxcis.exe 14,269 bytes
%System32%\kvdxcma.dll 20,072 bytes
%System32%\kvmxecf.dll 62 bytes
%System32%\kvmxeis.exe 14,437 bytes
%System32%\kvmxema.dll 20,580 bytes
%System32%\NetMonInstaller.exe 6,656 bytes
%System32%\npf_mgm.exe 49,152 bytes
%System32%\qdshm.dll 9,818 bytes
%System32%\rpcapd.exe 86,016 bytes
%System32%\rsmyafg.dll 51 bytes
%System32%\rsmydpm.dll 22,094 bytes
%System32%\rsmydsp.exe 15,005 bytes
%System32%\rsztafg.dll 47 bytes
%System32%\rsztcpm.dll 23,110 bytes
%System32%\rsztcsp.exe 15,354 bytes
%System32%\test1.txt 98 bytes
%System32%\wpc2.exe 659,456 bytes
%System32%\wuapi.dll.mui 25,944 bytes
%System32%\wuaucpl.cpl.mui 25,944 bytes
%System32%\wuaueng.dll.mui 16,216 bytes
%System32%\wucltui.dll.mui 30,040 bytes
%System32%\zxarps.exe 24,064 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\14[1].exe 265,781 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\2[1].exe 20,044 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\25S27BF7\6[1].exe 32,385 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\4[1].exe 15,354 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\4XY7C1AB\8[1].exe 14,035 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\1[1].exe 14,437 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\5[1].exe 15,005 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\M0OMLYEX\9[1].exe 13,364 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\3[1].exe 15,146 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\7[1].exe 14,269 bytes
%Documents and Settings%\Temporary Internet Files\Content.IE5\Z8OCRA4R\down[1].exe 28,160 bytes
(3) Restore the registry entries modified by the virus and delete the entries it added:
HKCR\CLSID\{2598FF45-DA60-F48A-BC43-10AC47853D52}\InprocServer32
Value name: (Default)
Type: REG_SZ
Data: C:\WINNT\system32\rarjbpi.dll
HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Toolbar\Explorer
Value name: ITBarLayout
Type: REG_BINARY
Data: 110000005C0000000000000034000000...
HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
Value name: {2598FF45-DA60-F48A-BC43-10AC47853D52}
Type: REG_SZ
Data: rarjbpi.dll
HKCR\CLSID\{4859245F-345D-BC13-AC4F-145D47DA34F4}\InprocServer32
Value name: (Default)
Type: REG_SZ
Data: C:\WINNT\system32\avzxdmn.dll
HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\ShellExecuteHooks
Value name: {4859245F-345D-BC13-AC4F-145D47DA34F4}
Type: REG_SZ
Data: avzxdmn.dll
(4) Repair the SPI (Winsock service provider) chain and remove the image hijacking (Image File Execution Options) entries.

Appendix:

Virus submission mailbox: submit@virusview.net