Security Response · Security
Worm.Win32.AutoRun.blg Analysis
Source: Antiy Virus Analysis Team   Date: 2008-01-09 16:10

Virus name: Worm.Win32.AutoRun.blg
Virus type: Worm
File MD5: 80FEEA0D5D3E0F1EDE1C41326F943CA2
Disclosure scope: Fully public
Threat level: 5
File length: 28,160 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Virus description:

This virus is a worm. When run, it copies itself to %System32% and drops an autorun.inf file there; it also copies itself, together with an autorun.inf file, to the root directory of every drive so that double-clicking a drive icon executes the virus. It changes the year of the system clock to 2000; modifies the registry so that files with the system and hidden attributes are not displayed, and locks that setting so the user cannot change it; disables Task Manager; turns off automatic system updates; locks the IE home page so the user cannot change it; and creates a startup entry so the virus runs every time the machine starts. It connects to the network, downloads virus files and executes them, then searches for files with the HTML extension and appends 97 null bytes to each. This appears to be a test version of the virus, laying the groundwork for later versions; when it finishes running it deletes itself.
Behavior analysis:

Local behavior:
1. After the file runs it drops the following files:
%System%\txomou.exe 28,160 bytes
%System%\autorun.inf 159 bytes
%HomeDrive%\soS.Exe 28,160 bytes
%HomeDrive%\Autorun.Inf 159 bytes
%DriveLetter%\soS.Exe 28,160 bytes
%DriveLetter%\Autorun.Inf 159 bytes
2. Registry entries created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "crsss"
Type: REG_SZ
Data: "C:\WINDOWS\system32\TxoMoU.Exe"
Description: startup entry; runs the virus file whenever any user logs on to the system.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Value name: "DisableTaskMgr"
Type: DWORD
Data: 1
Description: prevents the user from opening Task Manager.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
Value name: "DisableWindowsUpdateAccess"
Type: DWORD
Data: 1
Description: turns off automatic system updates.
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
Value name: "HomePage"
Type: DWORD
Data: 1
Description: locks the IE home page so the user cannot change it.
3. Registry entries modified:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value: DWORD: "Hidden" = "0"
Original value: DWORD: "Hidden" = "1"
Description: stops the system from displaying files with the hidden attribute.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value: DWORD: "HideFileExt" = "1"
Original value: DWORD: "HideFileExt" = "0"
Description: stops the system from displaying file extensions.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value: DWORD: "ShowSuperHidden" = "0"
Original value: DWORD: "ShowSuperHidden" = "1"
Description: stops the system from displaying files with the system attribute.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value: string: "CheckedValue" = "0"
Original value: DWORD: "CheckedValue" = "1"
Description: locks the hidden-files display option in Folder Options so the user cannot change whether such files are shown.
Network behavior:
1. Connects to the network and downloads virus files:
Virus files downloaded and executed automatically:
%System32%\0SvTh.exe
infected: Trojan.Win32.StartPage.ava
%System32%\12SvTh.exe
infected: Trojan-PSW.Win32.Lmir.boy
%System32%\19SvTh.exe
infected: Backdoor.Win32.Delf.csn
%System32%\20SvTh.exe
infected: Trojan-PSW.Win32.OnLineGames.myj
%System32%\3SvTh.exe
infected: Trojan-Downloader.Win32.Delf.aas
%System32%\5SvTh.exe
infected: Trojan-PSW.Win32.QQPass.aqu
%System32%\6SvTh.exe
infected: Trojan-Downloader.Win32.Agent.blm
%System32%\Autorun.Inf
infected: Worm.Win32.AutoRun.hw
%System32%\AVPSrv.dll
infected: Trojan-PSW.Win32.OnLineGames.mti
%System32%\avwghmn.dll
infected: Trojan-PSW.Win32.OnLineGames.mhs
%System32%\avwghst.exe
infected: Trojan-PSW.Win32.OnLineGames.mhs
%System32%\avwlimn.dll
infected: Trojan-PSW.Win32.OnLineGames.mua
%System32%\avwlist.exe
infected: Trojan-PSW.Win32.OnLineGames.mqz
%System32%\cmdbcs.dll
infected: Trojan-PSW.Win32.OnLineGames.jyq
%System32%\FTCCompress.dll
infected: Trojan-PSW.Win32.WOW.aif
%System32%\FUEc.CoM
Text file holding the virus download URLs; should be deleted
%System32%\kvdxsmis.exe
infected: Trojan-PSW.Win32.OnLineGames.mwp
%System32%\kvdxsmma.dll
infected: Trojan-PSW.Win32.OnLineGames.mwp
%System32%\Kvsc3.dll
infected: Trojan-PSW.Win32.OnLineGames.mld
%System32%\LotusHlp.dll
infected: Trojan-PSW.Win32.OnLineGames.ndo
%System32%\LYLOADER.EXE
infected: Trojan-PSW.Win32.OnLineGames.nif
%System32%\LYMANGR.DLL
infected: Trojan-PSW.Win32.OnLineGames.nif
%System32%\MSDEG32.DLL
infected: Trojan-PSW.Win32.OnLineGames.nif
%System32%\MsIMMs32.dll
infected: Trojan-PSW.Win32.OnLineGames.mwi
%System32%\MsPrint32D.dll
infected: Trojan-PSW.Win32.OnLineGames.lwe
%System32%\mszxccc32.dll
infected: Trojan-PSW.Win32.OnLineGames.lwe
%System32%\npf.sys
WinPcap file
%System32%\NVDispDrv.dll
infected: Trojan-PSW.Win32.OnLineGames.nbn
%System32%\Packet.dll
WinPcap file
%System32%\PTSShell.dll
infected: Trojan-PSW.Win32.OnLineGames.new
%System32%\REGKEY.hiv
infected: Backdoor.win32.Graybird.dxl
%System32%\scvhost.exe
infected: Backdoor.Win32.Delf.awy
%System32%\SHAProc.dll
infected: Trojan-PSW.Win32.OnLineGames.nbw
%System32%\stlbujywow.dll
infected: Trojan-PSW.Win32.Nilage.bwn
%System32%\svchost.exe
infected: Backdoor.Win32.Delf.csn
%System32%\TxoMoU.Exe
infected: Worm.Win32.AutoRun.blg
%System32%\upxdnd.dll
infected: Trojan-PSW.Win32.OnLineGames.mzs
%System32%\WanPacket.dll
WinPcap file
%System32%\wpcap.dll
WinPcap file
%System32%\WSockDrv32.dll
infected: Trojan-PSW.Win32.OnLineGames.nev
%Windir%\192896MM.DLL
infected: Trojan-PSW.Win32.OnLineGames.mdd
%Windir%\192896WL.DLL
infected: Trojan-PSW.Win32.OnLineGames.kcw
%Windir%\ardasbse.fon
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\AVPSrv.exE
infected: Trojan-PSW.Win32.OnLineGames.mvv
%Windir%\avwghina.dll
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\avwliinc.dll
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\cmdbcs.exe
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\gejibnd.fon
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\jshubxw.fon
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\jsqxbss.dll
infected: Trojan-PSW.Win32.OnLineGames.isb
%Windir%\jsqxbyc.dll
infected: Trojan-PSW.Win32.OnLineGames.mzb
%Windir%\jsqxbzc.exe
infected: Trojan-PSW.Win32.OnLineGames.mzb
%Windir%\kvdxsmcfb.dll
infected: Trojan-PSW.Win32.OnLineGames.mzb
%Windir%\Kvsc3.exE
infected: Trojan-PSW.Win32.OnLineGames.ltm
%Windir%\LotusHlp.exe
infected: Trojan-PSW.Win32.OnLineGames.ndx
%Windir%\msguasd.fon
infected: Trojan-PSW.Win32.OnLineGames.ndx
%Windir%\MsIMMs32.exE
infected: Trojan-PSW.Win32.OnLineGames.mwj
%Windir%\MsPrint32D.exe
infected: Trojan-PSW.Win32.OnLineGames.lue
%Windir%\mswubsd.fon
infected: Trojan-PSW.Win32.OnLineGames.lue
%Windir%\NVDispDRV.EXE
infected: Trojan-PSW.Win32.OnLineGames.nbm
%Windir%\PTSShell.exe
infected: Trojan-PSW.Win32.OnLineGames.new
%Windir%\rsjzbfg.dll
infected: Trojan-PSW.Win32.OnLineGames.neq
%Windir%\rsjzbpm.dll
infected: Trojan-PSW.Win32.OnLineGames.neq
%Windir%\rsjzbsp.exe
infected: Trojan-PSW.Win32.OnLineGames.ndj
%Windir%\SHAProc.exe
infected: Trojan-PSW.Win32.OnLineGames.nbw
%Windir%\upxdnd.exe
infected: Trojan-PSW.Win32.OnLineGames.mzs
%Windir%\WSockDrv32.exe
infected: Trojan-PSW.Win32.OnLineGames.neu
Note: %System32% is a variable path. The virus queries the operating system to determine the location of the current System folder.
%Windir%: the directory where Windows is installed
%DriveLetter%: the root directory of a logical drive
%ProgramFiles%: the default installation directory for programs
%HomeDrive%: the partition holding the currently booted system
%Documents and Settings%: the root of the current user's profile
%Temp%: \Documents and Settings\<current user>\Local Settings\Temp
%System32%: the system's System32 folder
On Windows 2000/NT the default path is C:\Winnt\System32
On Windows 95/98/ME the default path is C:\Windows\System
On Windows XP the default path is C:\Windows\System32

Removal:

1. Use Antiy Defense 2008 to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as described in the behavior analysis.
(1) Use the Atool "Process Manager" to terminate the virus process:
TxoMoU.Exe
(2) Use the Atool "File Manager" to delete the virus files:
%HomeDrive%\soS.Exe
%HomeDrive%\Autorun.Inf
%DriveLetter%\soS.Exe
%DriveLetter%\Autorun.Inf
%System32%\txomou.exe
%System32%\autorun.inf
(3) Restore the registry entries the virus modified and delete the entries it added:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value set by virus: DWORD: "Hidden" = "0"
Original value: DWORD: "Hidden" = "1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value set by virus: DWORD: "HideFileExt" = "1"
Original value: DWORD: "HideFileExt" = "0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value set by virus: DWORD: "ShowSuperHidden" = "0"
Original value: DWORD: "ShowSuperHidden" = "1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Value set by virus: string: "CheckedValue" = "0"
Original value: DWORD: "CheckedValue" = "1"
(4) Delete the registry entries the virus added:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "crsss"
Type: REG_SZ
Data: "C:\WINDOWS\system32\TxoMoU.Exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Value name: "DisableTaskMgr"
Type: DWORD
Data: 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
Value name: "DisableWindowsUpdateAccess"
Type: DWORD
Data: 1
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
Value name: "HomePage"
Type: DWORD
Data: 1
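Added example (not part of the Antiy advisory): a Python script that audits a registry snapshot for the values listed in the behavior analysis and in removal steps (3) and (4), then generates .reg text that deletes the added values and restores the modified ones to the original values the advisory gives. Key paths, value names and data are taken from the advisory; the snapshot dict is a constructed stand-in for reading the live registry (on a Windows host it would be filled from winreg).

```python
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# (hive, subkey, value name) -> (value the worm writes, value to restore; None = delete the value).
# int stands for REG_DWORD and str for REG_SZ, matching the types the advisory lists.
WORM_SETTINGS = {
    (HKLM, RUN, "crsss"): (r"C:\WINDOWS\system32\TxoMoU.Exe", None),
    (HKCU, POLICIES + r"\System", "DisableTaskMgr"): (1, None),
    (HKCU, POLICIES + r"\WindowsUpdate", "DisableWindowsUpdateAccess"): (1, None),
    (HKCU, r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage"): (1, None),
    (HKCU, ADVANCED, "Hidden"): (0, 1),
    (HKCU, ADVANCED, "HideFileExt"): (1, 0),
    (HKCU, ADVANCED, "ShowSuperHidden"): (0, 1),
    (HKLM, SHOWALL, "CheckedValue"): ("0", 1),  # the worm replaces the DWORD with the string "0"
}

def reg_literal(value):
    """Encode a value in .reg syntax: int -> dword:, str -> quoted string, None -> '-' (delete)."""
    if value is None:
        return "-"
    if isinstance(value, int):
        return "dword:%08x" % value
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')

def audit(snapshot):
    """Return the entries whose current value equals what the worm writes (snapshot: (hive, subkey, name) -> value)."""
    return [key for key, (worm_value, _) in WORM_SETTINGS.items()
            if key in snapshot and str(snapshot[key]) == str(worm_value)]

def restore_reg(findings):
    """Build .reg text that deletes the worm's added values and restores the ones it changed."""
    by_key = {}
    for hive, subkey, name in findings:
        by_key.setdefault((hive, subkey), []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (hive, subkey), names in by_key.items():
        lines.append("[%s\\%s]" % (hive, subkey))
        for name in names:
            lines.append('"%s"=%s' % (name, reg_literal(WORM_SETTINGS[(hive, subkey, name)][1])))
        lines.append("")
    return "\n".join(lines)

# Constructed snapshot of an infected host (stand-in for winreg reads); Task Manager was already re-enabled by hand.
INFECTED_SNAPSHOT = {key: worm for key, (worm, _) in WORM_SETTINGS.items()}
INFECTED_SNAPSHOT[(HKCU, POLICIES + r"\System", "DisableTaskMgr")] = 0
```

Calling `restore_reg(audit(INFECTED_SNAPSHOT))` yields .reg text that leaves the already-fixed DisableTaskMgr entry alone; on a real host the text would be saved and imported with regedit after the virus process and files are removed.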

Appendix:

Virus submission mailbox: submit@virusview.net