Security Response · Virus Analysis Report

Analysis of Trojan-Downloader.Win32.Small.hsh

Source: Antiy Virus Analysis Group    Date: 2008-01-24 14:20

Virus label:

Virus name:        Trojan-Downloader.Win32.Small.hsh
Virus type:        Trojan
File MD5:          7F5A731244199C7F29623CC1F106B6C4
Disclosure scope:  fully public
Threat level:      4
File length:       8,848 bytes
Affected systems:  Windows 98 and later
Development tool:  Microsoft Visual C++ 6.0
Packer:            UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Virus description:

  This sample is a trojan. When run, it drops files into the system temporary
directory, modifies the registry and creates a service so that it is started
automatically. After the computer is restarted, the virus overwrites
%Windir%\explorer.exe and loads it, so that two explorer.exe processes appear in
Task Manager. It then connects to the network and downloads further malware,
most of it password-stealing trojans, which it runs automatically after the
download. Once it has finished, the virus deletes itself.

Behavior analysis:

Local behavior:

1. When run, the file drops the following files:

    %System%\drivers\phy.sys                                              1,536 bytes
    %Documents and Settings%\Administrator\Local Settings\Temp\tmp1.tmp   8,192 bytes
    %Documents and Settings%\Administrator\Local Settings\Temp\tmp2.tmp   8,192 bytes

2. Modifies explorer.exe under %Windir%:

    After the machine is restarted, tmp1.tmp overwrites explorer.exe starting
    from the beginning of the file; the remainder of the file is left unchanged
    and the file size does not change, but the file no longer carries version
    information and no longer has the original program's functionality.

3. Registry entries added:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    Value name: "DisplayName"
    Type:       REG_SZ
    Data:       "phy"
    Description: service name

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    Value name: "ImagePath"
    Type:       REG_SZ
    Data:       "\??\C:\WINDOWS\system32\DRIVERS\phy.sys"
    Description: image path the service is started from

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    Value name: "Start"
    Type:       DWORD
    Data:       "3"
    Description: service start mode

Network behavior:

1. Connects to the network and downloads malware:

    Connects to:
    http://58.211.8.**/a1.exe     infected: Backdoor.Win32.Hupigon.aqur
    http://58.211.8.**/a10.exe    infected: Trojan-PSW.Win32.OnLineGames.odx
    http://58.211.8.**/a11.exe    infected: Trojan-PSW.Win32.OnLineGames.nmc
    http://58.211.8.**/a12.exe    infected: Trojan-PSW.Win32.OnLineGames.omm
    http://58.211.8.**/a13.exe    infected: Trojan-PSW.Win32.Lmir.bpv
    http://58.211.8.**/a14.exe    infected: Trojan-PSW.Win32.OnLineGames.onw
    http://58.211.8.**/a15.exe    infected: Trojan.Win32.Vaklik.eb
    http://58.211.8.**/a16.exe    infected: Trojan-PSW.Win32.OnLineGames.pef
    http://58.211.8.**/a17.exe    infected: Trojan-PSW.Win32.OnLineGames.pem
    http://58.211.8.**/a18.exe    infected: Trojan-PSW.Win32.OnLineGames.obo
    http://58.211.8.**/a19.exe    infected: Trojan-PSW.Win32.OnLineGames.odx
    http://58.211.8.**/a2.exe     infected: Trojan.Win32.Vaklik.el
    http://58.211.8.**/a20.exe    infected: Backdoor.Win32.Delf.csn
    http://58.211.8.**/a21.exe    infected: Trojan-PSW.Win32.OnLineGames.oeg
    http://58.211.8.**/a22.exe    infected: Trojan-PSW.Win32.OnLineGames.orf
    http://58.211.8.**/a23.exe    infected: Trojan-PSW.Win32.OnLineGames.oed
    http://58.211.8.**/a24.exe    infected: Trojan-Downloader.Win32.Zlob.geh
    http://58.211.8.**/a25.exe    infected: Trojan.Win32.StartPage.avr
    http://58.211.8.**/a26.exe    could not be downloaded
    http://58.211.8.**/a3.exe     infected: Trojan-PSW.Win32.OnLineGames.omw
    http://58.211.8.**/a4.exe     infected: Trojan-PSW.Win32.Delf.anb
    http://58.211.8.**/a5.exe     infected: Trojan-PSW.Win32.OnLineGames.oxl
    http://58.211.8.**/a6.exe     infected: Trojan-PSW.Win32.QQPass.asf
    http://58.211.8.**/a7.exe     could not be downloaded
    http://58.211.8.**/a8.exe     infected: Trojan-PSW.Win32.OnLineGames.oji
    http://58.211.8.**/a9.exe     infected: Trojan-PSW.Win32.OnLineGames.ozk

    Downloaded malware files (run automatically after download):
    %Program Files%\Internet Explorer\PLUGINS\Sy_Win7k.Jmp                  infected: Trojan-PSW.Win32.QQPass.ase
    %Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys                  infected: Trojan-PSW.Win32.QQPass.ase
    %Documents and Settings%\<current user>\Local Settings\TEMP\LYLOADER.EXE  infected: Trojan-PSW.Win32.OnLineGames.peo
    %Documents and Settings%\<current user>\Local Settings\TEMP\LYMANGR.DLL   infected: Trojan-PSW.Win32.OnLineGames.peo
    %Documents and Settings%\<current user>\Local Settings\TEMP\MSDEG32.DLL   infected: Trojan-PSW.Win32.OnLineGames.peo
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp18.tmp     infected: Trojan-PSW.Win32.OnLineGames.ojf
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp21.tmp     infected: Trojan-PSW.Win32.OnLineGames.pem
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp24.tmp     infected: Backdoor.Win32.Delf.csn
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp2B.tmp     infected: Trojan.Win32.StartPage.avr
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp2C.tmp     infected: Trojan.Win32.StartPage.avr
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp4.tmp      infected: Backdoor.Win32.Hupigon.aqur
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp7dw.dll    infected: Trojan-PSW.Win32.QQPass.asf
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp9.tmp      infected: Trojan-PSW.Win32.QQPass.asf
    %Documents and Settings%\<current user>\Local Settings\TEMP\tmpA.tmp      infected: Trojan.Win32.StartPage.avr
    %Documents and Settings%\<current user>\Local Settings\TEMP\uninsts.exe   infected: Trojan-PSW.Win32.OnLineGames.pem
    %System32%\auhad.dll                 infected: Trojan-PSW.Win32.OnLineGames.omq
    %System32%\DbgHlp32.dll              infected: Trojan-PSW.Win32.OnLineGames.omm
    %System32%\exodyndzyzj.dll           infected: Trojan-PSW.Win32.WOW.ajn
    %System32%\gnaixnauhuoyizqq.dll      infected: Trojan-PSW.Win32.OnLineGames.okt
    %System32%\ijougiemnaw.dll           infected: Trojan-PSW.Win32.OnLineGames.ony
    %System32%\Kvsc3.dll                 infected: Trojan-PSW.Win32.OnLineGames.obo
    %System32%\LYLOADER.EXE              infected: Trojan-PSW.Win32.OnLineGames.peo
    %System32%\LYMANGR.DLL               infected: Trojan-PSW.Win32.OnLineGames.peo
    %System32%\MSDEG32.DLL               infected: Trojan-PSW.Win32.OnLineGames.peo
    %System32%\mstfhncn32.dll            infected: Trojan-PSW.Win32.OnLineGames.pef
    %System32%\niluw.dll                 infected: Trojan-PSW.Win32.OnLineGames.ojb
    %System32%\Packet.dll                clean file
    %System32%\PTSShell.dll              infected: Trojan-PSW.Win32.OnLineGames.oqy
    %System32%\SHAProc.dll               infected: Trojan-PSW.Win32.OnLineGames.pew
    %System32%\SSLDyn.dll                infected: Trojan-PSW.Win32.OnLineGames.pbu
    %System32%\uohsom.dll                infected: Trojan-PSW.Win32.OnLineGames.oji
    %System32%\upxdnd.dll                infected: Trojan-PSW.Win32.OnLineGames.oxo
    %System32%\WanPacket.dll             clean file
    %System32%\wpcap.dll                 clean file
    %System32%\drivers\msaclue.sys       infected: Trojan-PSW.Win32.OnLineGames.oxd
    %System32%\drivers\msacpe.sys        infected: Trojan-PSW.Win32.OnLineGames.oke
    %System32%\drivers\npf.sys           clean file
    %System32%\drivers\phy.sys           infected: Trojan-Downloader.Win32.Small.hsh
    %System32%\drivers\scvhost.exe       infected: Backdoor.Win32.Delf.awy
    %System32%\drivers\svchost.exe       infected: Backdoor.Win32.Delf.csn
    %Windir%\192896M.exe                 infected: Trojan-PSW.Win32.Lmir.bpv
    %Windir%\192896MM.DLL                infected: Trojan-PSW.Win32.OnLineGames.oqu
    %Windir%\DbgHlp32.exe                infected: Trojan-PSW.Win32.OnLineGames.omm
    %Windir%\Kvsc3.exE                   infected: Trojan-PSW.Win32.OnLineGames.obo
    %Windir%\PTSShell.exe                infected: Trojan.Win32.Vaklik.eb
    %Windir%\SHAProc.exe                 infected: Trojan-PSW.Win32.OnLineGames.orf
    %Windir%\SSLDyn.exE                  infected: Trojan.Win32.Vaklik.el
    %Windir%\upxdnd.exe                  infected: Trojan-PSW.Win32.OnLineGames.oxl
    %Windir%\font\avzxoin.dll            infected: Trojan-PSW.Win32.OnLineGames.oiy
    %Windir%\font\avzxomn.dll            infected: Trojan-PSW.Win32.OnLineGames.oin
    %Windir%\font\avzxost.exe            infected: Trojan-PSW.Win32.OnLineGames.odx
    %Windir%\font\chrebur.fon            infected: Trojan-PSW.Win32.OnLineGames.oil
    %Windir%\font\gejibnd.fon            infected: Trojan-PSW.Win32.OnLineGames.oit
    %Windir%\font\jshubxw.fon            infected: Trojan-PSW.Win32.OnLineGames.oim
    %Windir%\font\jsqxcss.dll            infected: Trojan-PSW.Win32.OnLineGames.oie
    %Windir%\font\jsqxcyc.dll            infected: Trojan-PSW.Win32.OnLineGames.oeh
    %Windir%\font\jsqxczc.exe            infected: Trojan-PSW.Win32.OnLineGames.oed
    %Windir%\font\mszhbsda.fon           infected: Trojan-PSW.Win32.OnLineGames.oie
    %Windir%\font\rarjfni.dll            infected: Trojan-PSW.Win32.OnLineGames.oig
    %Windir%\font\rarjfpi.dll            infected: Trojan-PSW.Win32.OnLineGames.oql
    %Windir%\font\rarjftl.exe            infected: Trojan-PSW.Win32.OnLineGames.odx
    %Windir%\font\rsjzbfg.dll            infected: Trojan-PSW.Win32.OnLineGames.oib
    %Windir%\font\rsjzbpm.dll            infected: Trojan-PSW.Win32.OnLineGames.oef
    %Windir%\font\rsjzbsp.exe            infected: Trojan-PSW.Win32.OnLineGames.oeg

Note: %System32% is a variable path. The virus determines the location of the
current System folder by querying the operating system.

    %Windir%                    directory in which Windows is installed
    %DriveLetter%               root directory of a logical drive
    %ProgramFiles%              default installation directory for programs
    %HomeDrive%                 partition on which the currently booted system resides
    %Documents and Settings%    root of the current user's profile directory
    %Temp%                      \Documents and Settings\<current user>\Local Settings\Temp
    %System32%                  the system's System32 folder

    On Windows 2000/NT the default path is C:\Winnt\System32
    On Windows 95/98/Me the default path is C:\Windows\System
    On Windows XP the default path is C:\Windows\System32

    

Removal:

1. Use 安天防线2008 to remove this virus completely (recommended);
   download it from the Antiy website: www.antiy.com.
2. For manual removal, delete the corresponding files and restore the related
   system settings according to the behavior analysis above.
    (1) Use the "Process Manager" in 安天防线2008 to terminate the virus processes:
        tmp1.tmp
        explorer.exe (the copy whose path is %Windir%)
    (2) Delete the virus files:
        %System%\drivers\phy.sys
        %Documents and Settings%\Administrator\Local Settings\Temp\tmp1.tmp
        %Documents and Settings%\Administrator\Local Settings\Temp\tmp2.tmp
        %Windir%\explorer.exe
    (3) Restore the file modified by the virus:
        copy %System32%\dllcache\explorer.exe into %Windir%, keeping the
        file name unchanged.
    (4) Restore the registry entries modified by the virus and delete the
        entries it added:
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
        Value name: "DisplayName"
        Type:       REG_SZ
        Data:       "phy"
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
        Value name: "ImagePath"
        Type:       REG_SZ
        Data:       "\??\C:\WINDOWS\system32\DRIVERS\phy.sys"
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
        Value name: "Start"
        Type:       DWORD
        Data:       "3"
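The following PowerShell script is an added example and is not part of the Antiy report or its product; it turns the indicators from the behavior analysis and the removal steps above into a read-only host check. It assumes an elevated PowerShell session on a Windows XP-style layout where %SystemRoot%\system32\dllcache still holds a pristine explorer.exe. The service name "phy", the dropped file names and sizes, and the dropper MD5 are taken from the report; the report lists the service under ControlSet001, so both that key and CurrentControlSet are examined. It reports findings only and deletes nothing, so the removal steps above remain a manual decision.

```powershell
# Added example (not from the Antiy report): read-only host check for the
# indicators described above. Assumes an elevated PowerShell on a Windows
# XP-style layout where %SystemRoot%\system32\dllcache holds the pristine
# explorer.exe. Service name, file names, sizes and the dropper MD5 come
# from the report. Works on PowerShell 2.0 (no Get-FileHash needed).

$DropperMd5 = '7F5A731244199C7F29623CC1F106B6C4'   # MD5 from the report's label block
$winDir     = $env:SystemRoot
$sys32      = Join-Path $winDir 'system32'
$findings   = @()

function Get-Md5Hex([string]$Path) {
    # MD5 via .NET so the script also runs on PowerShell 2.0
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($md5.ComputeHash($bytes))).Replace('-', '')
}

# 1. The 'phy' service and its driver (the persistence described in the report).
#    The report shows the key under ControlSet001; CurrentControlSet is checked too.
foreach ($set in 'CurrentControlSet', 'ControlSet001') {
    $key = "HKLM:\SYSTEM\$set\Services\phy"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key).ImagePath
        $findings += "service 'phy' registered under $set, ImagePath=$img"
    }
}
$drv = Join-Path $sys32 'drivers\phy.sys'
if (Test-Path $drv) {
    $findings += "driver file present: $drv ($((Get-Item $drv).Length) bytes; report says 1,536)"
}

# 2. Dropped tmp1.tmp / tmp2.tmp in every profile's Temp, plus any 8,848-byte
#    file there whose MD5 matches the dropper itself.
$profiles = Get-ChildItem "$env:SystemDrive\Documents and Settings" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }
foreach ($prof in $profiles) {
    $temp = Join-Path $prof.FullName 'Local Settings\Temp'
    if (-not (Test-Path $temp)) { continue }
    foreach ($name in 'tmp1.tmp', 'tmp2.tmp') {
        $p = Join-Path $temp $name
        if (Test-Path $p) { $findings += "dropped file: $p ($((Get-Item $p).Length) bytes)" }
    }
    $candidates = Get-ChildItem $temp -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer -and $_.Length -eq 8848 }
    foreach ($f in $candidates) {
        if ((Get-Md5Hex $f.FullName) -eq $DropperMd5) { $findings += "dropper MD5 match: $($f.FullName)" }
    }
}

# 3. explorer.exe overwritten in place: size unchanged, version resource gone,
#    content no longer matches the dllcache copy.
$explorer = Join-Path $winDir 'explorer.exe'
$pristine = Join-Path $sys32 'dllcache\explorer.exe'
if (Test-Path $explorer) {
    if (-not (Get-Item $explorer).VersionInfo.FileVersion) {
        $findings += "explorer.exe carries no version information"
    }
    if ((Test-Path $pristine) -and ((Get-Md5Hex $explorer) -ne (Get-Md5Hex $pristine))) {
        $findings += "explorer.exe differs from the dllcache copy (restore it from $pristine)"
    }
}

# 4. More than one explorer.exe process, as the report says appears in Task Manager.
$procs = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
if ($procs.Count -gt 1) {
    $ids = ($procs | ForEach-Object { $_.Id }) -join ', '
    $findings += "$($procs.Count) explorer.exe processes running (PIDs: $ids)"
}

if ($findings.Count -eq 0) { 'No indicators from the report found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hash mismatch between %Windir%\explorer.exe and the dllcache copy is the strongest of these signals because the report states that the overwrite keeps the file size, so a size check alone would miss it; the version-information check catches the same modification on systems where dllcache is absent.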

Virus submission mailbox: submit@virusview.net