Basic information
- Foreign name: Backdoor.Win32.FireFly.i
- Chinese name: 流螢 (FireFly)
- Virus type: Backdoor
- Disclosure: fully public
Virus tags
Virus name: Backdoor.Win32.FireFly.i
File MD5: 435C685127510D58D2E5F9DF27115FA4
Threat level: Medium
File length: 37,494 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: UPX 0.89.6 - 1.02
Naming cross-reference: Symantec [none]
McAfee [none]
Behavior analysis
1. After running, the virus deletes itself and drops its files into a newly created folder, %Program Files%\firefly-remote:
%Program Files%\firefly-remote\FireFly.dat
%Program Files%\firefly-remote\FireFly.exe
%Program Files%\firefly-remote\FireFly.ini
%Program Files%\firefly-remote\Install.DLL
2. The virus uses rootkit hiding techniques so that neither the firefly-remote folder nor the FireFly.exe process is visible; they can only be seen after the FireFly.exe process has been terminated.
3. Modifies the registry:
Modified registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
New value: string: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5"
Original value: string: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\ContentIE5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
New value: string: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5\Cache1"
Original value: string: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\ContentIE5\Cache1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
New value: string: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5\Cache2"
Original value: string: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\ContentIE5\Cache2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
New value: string: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5\Cache3"
Original value: string: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\ContentIE5\Cache3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
New value: string: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5\Cache4"
Original value: string: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\ContentIE5\Cache4"
Newly created values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Firefly-Remote\FireFly.exe
Value: string: "RemoteControl Software"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_CONTROL\0000\Class
Value: string: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_CONTROL\0000\Control\ActiveService
Value: string: "Remote Control"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_CONTROL\0000\DeviceDesc
Value: string: "Remote Control"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_CONTROL\0000\Service
Value: string: "Remote Control"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Control\Enum\0
Value: string: "Root\LEGACY_REMOTE_CONTROL\0000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Control\ImagePath
Value: string: C:\Program Files\Firefly-Remote\FireFly.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote Control\ObjectName
Value: string: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_CONTROL\0000\Class
Value: string: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_CONTROL\0000\Control\ActiveService
Value: string: "Remote Control"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_CONTROL\0000\DeviceDesc
Value: string: "Remote Control"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_CONTROL\0000\Service
Value: string: "Remote Control"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Control\ImagePath
Value: string: C:\Program Files\Firefly-Remote\FireFly.exe
4. Creates a service so that the virus starts with the system:
A service named Remote Control is created so that C:\Program Files\Firefly-Remote\FireFly.exe is launched automatically at boot.
5. Injects into the IExplore.exe process:
AutoInject IExplore.exe
6. Uses a dynamic domain name:
7. The virus is the controlled-end (agent) program of the FireFly remote control software. It allows the operator to remotely control the infected computer, steal the user's sensitive information, download and delete the user's files, and capture the user's screen.
8. Controller information:
IP address: 60.216.121.170 (Jinan, Shandong Province, China Netcom)
Port: 10288
Connection password: 3316547
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
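The file-drop, registry and service indicators from items 1, 3 and 4 above, checked as a host triage routine. This is an added example, not code from the original write-up; it assumes the registry has already been exported into a flat key/value dictionary and the file system into a path list, both constructed inline here for illustration.

```python
import re

# Constructed snapshot for illustration (not data from a real host): a flat
# {"<key>\<value name>": data} view of the registry plus a file listing.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Control"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_CONTROL\0000"
CACHE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths"
DROPPED_FILES = {"firefly.dat", "firefly.exe", "firefly.ini", "install.dll"}
SAMPLE_REGISTRY = {
    SERVICE_KEY + r"\ImagePath": r"C:\Program Files\Firefly-Remote\FireFly.exe",
    SERVICE_KEY + r"\ObjectName": "LocalSystem",
    LEGACY_KEY + r"\Service": "Remote Control",
    CACHE_KEY + r"\Directory": r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5",
    CACHE_KEY + r"\path1\CachePath": r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\ContentIE5\Cache1",
}
SAMPLE_FILES = [
    r"C:\Program Files\firefly-remote\FireFly.exe",
    r"C:\Program Files\firefly-remote\FireFly.ini",
    r"C:\Program Files\firefly-remote\Install.DLL",
]

def _lookup(registry, path):
    """Case-insensitive value fetch, as the registry itself compares; None when absent."""
    wanted = path.lower()
    return next((data for k, data in registry.items() if k.lower() == wanted), None)

def find_firefly_indicators(registry, files):
    """Return (strong, weak) lists of the FireFly.i indicators from the write-up that matched."""
    strong, weak = [], []
    image = _lookup(registry, SERVICE_KEY + r"\ImagePath") or ""
    if re.search(r"\\firefly-remote\\firefly\.exe", image, re.IGNORECASE):
        strong.append("service 'Remote Control' ImagePath = " + image)
        if (_lookup(registry, SERVICE_KEY + r"\ObjectName") or "").lower() == "localsystem":
            strong.append("service 'Remote Control' runs as LocalSystem")
    if (_lookup(registry, LEGACY_KEY + r"\Service") or "").lower() == "remote control":
        strong.append(r"legacy driver entry Root\LEGACY_REMOTE_CONTROL\0000 -> Remote Control")
    for path in files:
        parts = path.lower().replace("/", "\\").split("\\")
        if len(parts) >= 2 and parts[-2] == "firefly-remote" and parts[-1] in DROPPED_FILES:
            strong.append("dropped file " + path)
    # Weak indicator: other software running as LocalService can also rewrite these HKLM cache paths.
    for suffix in [r"\Directory"] + [rf"\path{i}\CachePath" for i in range(1, 5)]:
        if "\\localservice\\" in (_lookup(registry, CACHE_KEY + suffix) or "").lower():
            weak.append("IE cache path points at LocalService profile: Paths" + suffix)
    return strong, weak

if __name__ == "__main__":
    strong, weak = find_firefly_indicators(SAMPLE_REGISTRY, SAMPLE_FILES)
    print("\n".join(["STRONG: " + s for s in strong] + ["WEAK: " + w for w in weak]))
```

A hit on any strong indicator alone is enough to treat the host as compromised; the weak cache-path matches are corroboration only.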