Security Response
Virus Analysis Report

Analysis of Worm.Win32.AutoRun.jj

Source: Antiy Virus Analysis Group    Date: 2008-01-05 11:30

Sample tags:

Virus name: Worm.Win32.AutoRun.jj
Virus type: Worm
File MD5: 6E240C7028E17576E64694473F23324D
Disclosure: Fully public
Severity: 5
File size: 18,482 bytes
Affected systems: Windows 98 and later
Compiler: Microsoft Visual C++ 6.0
Packer: nSPack 2.1 - 2.5 -> North Star/Liu Xing Ping [Overlay]

Description:

  This sample is a worm. When run it copies itself into %System32% and drops a
companion file there; copies itself to the root of every drive and writes an
autorun.inf beside the copy, so that the worm is executed when the user
double-clicks the drive in My Computer; modifies the registry and deletes the
Error Reporting service, so the system no longer offers to send error reports;
registers itself as a service so that it starts with the system; blocks the
"Last Known Good Configuration" boot option; deletes its original file once it
has run; and connects to the network to download further malware, which it runs
automatically and which steals account names and passwords for most online
games.
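The autorun.inf mechanism above is what a responder most often has to triage on a drive pulled from an infected machine. The Python script below is an added example, not code from the Antiy report or from the worm: it parses an autorun.inf, lists every directive Explorer would execute, and flags the pattern this worm uses (a launch target with no directory component, i.e. an executable sitting at the drive root beside autorun.inf). SAMPLE_INF is constructed for illustration; the report gives the dropped file's size (78 bytes) but not its text.

```python
"""Triage autorun.inf files like the one this worm writes to every drive root.

Added example, not code from the Antiy report. SAMPLE_INF is constructed to
mirror the drop the report describes (auto.exe next to autorun.inf at the root
of each drive); the report gives the file's size, not its contents.
"""
import configparser
import os
from dataclasses import dataclass, field

# Directives Explorer acts on when the user opens the drive from My Computer.
LAUNCH_KEYS = ("open", "shellexecute")

SAMPLE_INF = """[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell\\Auto\\command=auto.exe
shell=Auto
"""


@dataclass
class AutorunFinding:
    path: str
    launches: list = field(default_factory=list)   # (directive, command line)
    verdict: str = "clean"                           # clean | review | suspicious | unparsed


def parse_autorun(text: str, path: str = "autorun.inf") -> AutorunFinding:
    """Return every directive in an autorun.inf that would run a program."""
    finding = AutorunFinding(path=path)
    # Some droppers pad the file with junk before the section header; the
    # Windows profile API ignores that, so drop everything before the first '['.
    if "[" in text:
        text = text[text.index("["):]
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower           # Windows compares key names case-insensitively
    try:
        cp.read_string(text)
    except configparser.Error:
        finding.verdict = "unparsed"
        return finding
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return finding
    for key, value in cp.items(section):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            finding.launches.append((key, (value or "").strip()))
    # The worm's pattern: the launch target is a bare .exe with no directory
    # component, i.e. it sits at the drive root beside autorun.inf. Install
    # media use the same directives, so this is a triage signal, not proof.
    for _, cmd in finding.launches:
        target = cmd.split()[0] if cmd else ""
        if target.lower().endswith(".exe") and not any(c in target for c in "\\/"):
            finding.verdict = "suspicious"
            break
    else:
        if finding.launches:
            finding.verdict = "review"
    return finding


def scan_roots(roots) -> list:
    """Parse autorun.inf at each given drive root and return, per drive,
    (finding, [launch targets that actually exist beside it])."""
    hits = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        with open(inf, "rb") as fh:                 # ANSI text; latin-1 never fails
            finding = parse_autorun(fh.read().decode("latin-1"), inf)
        present = sorted({cmd.split()[0] for _, cmd in finding.launches
                          if cmd and os.path.isfile(os.path.join(root, cmd.split()[0]))})
        hits.append((finding, present))
    return hits


if __name__ == "__main__":
    result = parse_autorun(SAMPLE_INF)
    print(result.verdict, result.launches)
```

Run scan_roots() over the root of every attached drive (for example ['C:\\', 'E:\\']) from a session in which the drives were opened through the address bar or right-click > Explore, never by double-clicking, since that is exactly the action the file hooks. The worm also neutralises the "Show hidden files" option (see the registry changes below), so confirm the presence of auto.exe with `dir /a` rather than in Explorer.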

Behavior analysis:

Local behavior:

1. Files dropped when the sample runs:

    %System%\3c352cc8.exe     18,482 bytes  (copy of the worm itself)
    %WinDir%\aff1cd48.dll     40,960 bytes
    %DriveLetter%\autorun.inf  78 bytes
    %DriveLetter%\auto.exe    18,482 bytes  (copy of the worm itself)
    
2. Registry entries added:

    [HKEY_CURRENT_USER\SYSTEM
    \CurrentControlSet\Services\83F6EA98]
    Value: "Description"
    Type: REG_SZ
    Data: "AFF1CD48"
    Description: service description

    [HKEY_CURRENT_USER\SYSTEM
    \CurrentControlSet\Services\83F6EA98]
    Value: "DisplayName"
    Type: REG_SZ
    Data: "83F6EA98"
    Description: service name

    [HKEY_CURRENT_USER\SYSTEM
    \CurrentControlSet\Services\83F6EA98]
    Value: "ImagePath"
    Type: REG_SZ
    Data: "C:\WINDOWS\system32\3C352CC8.EXE -k"
    Description: path of the service's image file

    (The HKEY_CURRENT_USER\SYSTEM entries are listed as the monitor recorded
    them. The Service Control Manager reads services from HKEY_LOCAL_MACHINE
    \SYSTEM, so the HKLM entries below are what actually give the worm
    persistence; clean both.)

    [HKEY_LOCAL_MACHINE\SOFTWARE
    \Microsoft\Windows NT]
    Value: "ReportBootOk"
    Type: DWORD
    Data: 1 (0x1)
    Description: blocks "Last Known Good Configuration" at boot. (Note: Windows
    reads ReportBootOk from ...\Windows NT\CurrentVersion\Winlogon, where 1 is
    the default and 0 is the setting that stops a boot from being recorded as
    good; treat the path and data here as recorded by the monitor and confirm
    them against the live sample.)

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\83F6EA98]
    Value: "Description"
    Type: REG_SZ
    Data: "AFF1CD48"
    Description: service description

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\83F6EA98]
    Value: "DisplayName"
    Type: REG_SZ
    Data: "83F6EA98"
    Description: service name

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\83F6EA98]
    Value: "ImagePath"
    Type: REG_EXPAND_SZ
    Data: "C:\WINDOWS\system32\3C352CC8.EXE -k"
    Description: path of the service's image file

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\83F6EA98]
    Value: "Start"
    Type: DWORD
    Data: 2
    Description: service start type, automatic (starts at boot).
    
3. Registry values modified:

    [HKEY_LOCAL_MACHINE\SOFTWARE
    \Microsoft\Windows\CurrentVersion
    \Explorer\Advanced\Folder\Hidden\SHOWALL]
    New data: DWORD:"CheckedValue"=0
    Original data: DWORD:"CheckedValue"=1
    Description: keeps files with the hidden attribute hidden; with this
    value at 0, selecting "Show hidden files and folders" in Folder Options
    no longer takes effect, so the worm's files stay invisible in Explorer.

4. Registry values deleted (this removes the Error Reporting service):

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\ERSvc]
    Value: "Description"
    Type: REG_SZ
    Data: "Allows error reporting for services and applications running in
    non-standard environments."
    Description: service description

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\ERSvc]
    Value: "DisplayName"
    Type: REG_SZ
    Data: "Error Reporting Service"
    Description: service name

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\ERSvc]
    Value: "ImagePath"
    Type: REG_EXPAND_SZ
    Data: "%SystemRoot%\System32\svchost.exe
    -k netsvcs"
    Description: path of the service's image file

    [HKEY_LOCAL_MACHINE\SYSTEM
    \ControlSet001\Services\ERSvc]
    Value: "Start"
    Type: DWORD
    Data: 2
    Description: service start type, automatic.

Network behavior:

1. Downloads additional malware from the network:

    Connects to:

    http://33.xinga****.cn/soft/soft
    /f2b4657b5568d072.exe
    infected: Worm.Win32.AutoRun.blt

    http://sk***.tom.com/download
    /archive/01400974/SkypeClient.exe
    a chat client; legitimate file

    http://222.73.247.***/mh0618.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwa

    http://222.73.247.***/my0616.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwb

    http://222.73.247.***/qj0617.exe
    infected: Trojan-PSW.Win32.OnLineGames.mup

    http://222.73.26.*/tl0619.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvv

    http://220.189.255.**/wow0617.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvu

    http://222.73.254.**/dh3.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvz

    http://220.189.255.**/qqsg.exe
    infected: Trojan-PSW.Win32.OnLineGames.muv

    http://222.73.247.***/jh0619.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvx

    http://222.73.254.**/zt0616.exe
    infected: Trojan-PSW.Win32.OnLineGames.mux

    http://222.73.247.***/wl0618.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwj

    http://123.www****.cn/cq0619.exe
    infected: Trojan-PSW.Win32.Lmir.boy

    http://222.73.247.202/wd0618.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwj

    http://123.www****.cn/huaxia.exe
    infected: Trojan-PSW.Win32.OnLineGames.mxb

    http://222.73.254.**/qqhx.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwe

    http://220.189.255.**/dh0616.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwf

    http://61.129.45.***/zy.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwq

    http://61.129.45.***/jr.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwm

    http://61.129.45.***/fh.exe
    infected: Trojan-PSW.Win32.OnLineGames.mxc

    http://220.189.255.**/cs0619.exe
    infected: Trojan-PSW.Win32.OnLineGames.hfr 
 
    下载病毒文件并自动运行:

    %System32%\3C352CC8.EXE
    infected: Worm.Win32.AutoRun.blt

    %System32%\AFF1CD48.DLL
    infected: Virus.Win32.AutoRun.agg

    %System32%\AVPSrv.dll
    infected: Trojan-PSW.Win32.OnLineGames.mti

    %System32%\cmdbcs.dll
    infected: Trojan-PSW.Win32.OnLineGames.mvw

    %System32%\DbgHlp32.dll
    infected: Trojan-PSW.Win32.OnLineGames.mty

    %System32%\k119943262711.exe
    infected: Trojan-PSW.Win32.Lmir.boy

    %System32%\k119943263719.exe
    infected: Trojan-PSW.Win32.OnLineGames.hfr

    %System32%\Kvsc3.dll
    infected: Trojan-PSW.Win32.OnLineGames.mup

    %System32%\LotusHlp.dll
    infected: Trojan-PSW.Win32.OnLineGames.mys

    %System32%\LYLOADER.EXE
    infected: Trojan-PSW.Win32.OnLineGames.mzk

    %System32%\LYMANGR.DLL
    infected: Trojan-PSW.Win32.OnLineGames.mzk

    %System32%\mppds.dll
    infected: Trojan-PSW.Win32.OnLineGames.mvt

    %System32%\msccrt.dll
    infected: Trojan-PSW.Win32.OnLineGames.mvr

    %System32%\MSDEG32.DLL
    infected: Trojan-PSW.Win32.OnLineGames.mzk

    %System32%\MsIMMs32.dll
    infected: Trojan-PSW.Win32.OnLineGames.mwi

    %System32%\MsPrint32D.dll
    infected: Trojan-PSW.Win32.OnLineGames.muw

    %System32%\NAVMon32.dll
    infected: Trojan-PSW.Win32.OnLineGames.mwq

    %System32%\NVDispDrv.dll
    infected: Trojan-PSW.Win32.OnLineGames.myu

    %System32%\PTSShell.dll
    infected: Trojan-PSW.Win32.OnLineGames.muj

    %System32%\SHAProc.dll
    infected: Trojan-PSW.Win32.OnLineGames.mza

    %System32%\upxdnd.dll
    infected: Trojan-PSW.Win32.OnLineGames.muy

    %System32%\WINSvr32.dll
    infected: Trojan-PSW.Win32.OnLineGames.mzj

    %System32%\WSockDrv32.dll
    infected: Trojan-PSW.Win32.OnLineGames.mwa

    %Temp%\LYLOADER.EXE
    infected: Trojan-PSW.Win32.OnLineGames.mzk

    %Temp%\LYMANGR.DLL
    infected: Trojan-PSW.Win32.OnLineGames.mzk

    %Temp%\MSDEG32.DLL
    infected: Trojan-PSW.Win32.OnLineGames.mzk

    %Windir%\192896MM.DLL
    infected: Trojan-PSW.Win32.OnLineGames.mdd

    %Windir%\192896WL.DLL
    infected: Trojan-PSW.Win32.OnLineGames.iay

    %Windir%\AVPSrv.exE
    infected: Trojan-PSW.Win32.OnLineGames.mvv

    %Windir%\cmdbcs.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvx

    %Windir%\DbgHlp32.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvz

    %Windir%\Kvsc3.exE
    infected: Trojan-PSW.Win32.OnLineGames.mup

    %Windir%\LotusHlp.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwe

    %Windir%\mppds.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvu

    %Windir%\msccrt.exe
    infected: Trojan-PSW.Win32.OnLineGames.mvs

    %Windir%\MsIMMs32.exE
    infected: Trojan-PSW.Win32.OnLineGames.mwj

    %Windir%\MsPrint32D.exe
    infected: Trojan-PSW.Win32.OnLineGames.muv

    %Windir%\NAVMon32.exE
    infected: Trojan-PSW.Win32.OnLineGames.mwq

    %Windir%\NVDispDRV.EXE
    infected: Trojan-PSW.Win32.OnLineGames.myu

    %Windir%\PTSShell.exe
    infected: Trojan-PSW.Win32.OnLineGames.mxb

    %Windir%\SHAProc.exe
    infected: Trojan-PSW.Win32.OnLineGames.mxc

    %Windir%\upxdnd.exe
    infected: Trojan-PSW.Win32.OnLineGames.mux

    %Windir%\WINSvr32.exE
    infected: Trojan-PSW.Win32.OnLineGames.mzj

    %Windir%\WSockDrv32.exe
    infected: Trojan-PSW.Win32.OnLineGames.mwb
    
Note: %System32% is a variable path. The worm queries the operating system to
determine where the current System folder is.

    %Windir%                 Directory in which Windows is installed
    %DriveLetter%            Root of a logical drive
    %ProgramFiles%           Default program installation directory
    %HomeDrive%              Partition holding the currently booted system
    %Documents and Settings% Root of the current user's profile
    %Temp%                   \Documents and Settings
                             \<current user>\Local Settings\Temp
    %System32%               The system's System32 folder

    Default on Windows 2000/NT: C:\Winnt\System32
    Default on Windows 95/98/Me: C:\Windows\System
    Default on Windows XP: C:\Windows\System32

    

Removal:


1. Use Antiy Trojan Defense Line (安天木马防线) to remove this worm completely (recommended).

2. For manual removal, delete the files listed in the behavior analysis and
   restore the related system settings. Two cautions: open drives from the
   Explorer address bar or with right-click > Explore rather than by
   double-clicking them, since double-clicking is what triggers the dropped
   autorun.inf; and the password stealers listed under "Network behavior" are
   separate files that must also be removed, as the steps below cover only
   what the worm itself drops.
    (1) Use the "Service Management" function of ATool to delete the worm's
      service 83F6EA98 (image path "3C352CC8.EXE -k").
    (2) Delete the worm's files (autorun.inf and auto.exe are present at the
      root of every drive, including any removable media attached while the
      worm ran):
      %System%\3c352cc8.exe
      %WinDir%\aff1cd48.dll
      %DriveLetter%\autorun.inf
      %DriveLetter%\auto.exe
    (3) Restore the registry entries the worm modified and delete the ones it added:
      Delete the following entries
      [HKEY_CURRENT_USER\SYSTEM
      \CurrentControlSet\Services\83F6EA98]
      Value: "Description"
      Type: REG_SZ
      Data: "AFF1CD48"
      [HKEY_CURRENT_USER\SYSTEM
      \CurrentControlSet\Services\83F6EA98]
      Value: "DisplayName"
      Type: REG_SZ
      Data: "83F6EA98"
      [HKEY_CURRENT_USER\SYSTEM
      \CurrentControlSet\Services\83F6EA98]
      Value: "ImagePath"
      Type: REG_SZ
      Data: "C:\WINDOWS\system32\3C352CC8.EXE -k"
      [HKEY_LOCAL_MACHINE\SOFTWARE
      \Microsoft\Windows NT]
      Value: "ReportBootOk"
      Type: DWORD
      Data: 1 (0x1)
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\83F6EA98]
      Value: "Description"
      Type: REG_SZ
      Data: "AFF1CD48"
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\83F6EA98]
      Value: "DisplayName"
      Type: REG_SZ
      Data: "83F6EA98"
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\83F6EA98]
      Value: "ImagePath"
      Type: REG_EXPAND_SZ
      Data: "C:\WINDOWS\system32\3C352CC8.EXE -k"
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\83F6EA98]
      Value: "Start"
      Type: DWORD
      Data: 2

      Restore the following entry (set CheckedValue back to 1)
      [HKEY_LOCAL_MACHINE\SOFTWARE
      \Microsoft\Windows\CurrentVersion
      \Explorer\Advanced\Folder\Hidden\SHOWALL]
      Current data: DWORD:"CheckedValue"=0
      Original data: DWORD:"CheckedValue"=1

      Recreate the following entries
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\ERSvc]
      Value: "Description"
      Type: REG_SZ
      Data: "Allows error reporting for services and applications
      running in non-standard environments."
      Description: service description
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\ERSvc]
      Value: "DisplayName"
      Type: REG_SZ
      Data: "Error Reporting Service"
      Description: service name
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\ERSvc]
      Value: "ImagePath"
      Type: REG_EXPAND_SZ
      Data: "%SystemRoot%\System32
      \svchost.exe -k netsvcs"
      Description: path of the service's image file
      [HKEY_LOCAL_MACHINE\SYSTEM
      \ControlSet001\Services\ERSvc]
      Value: "Start"
      Type: DWORD
      Data: 2


Sample submission mailbox: submit@virusview.net
