Email-Worm.Win32.LovGate.ae

Preface: This should be a fairly old virus; if I remember correctly, it appeared around 2004. I downloaded the sample today from 劍盟. Among mail worms I have only analysed Warezov before, and this "love backdoor" is actually written rather well. I spent more than four hours looking at it, looked up some material along the way, and there are still parts I don't understand; it was quite tiring. One has to keep learning and improving! I am a newbie, so there are bound to be things I have missed.

Basic information

  • Name: Email-Worm.Win32.LovGate.ae (Kaspersky)
  • Size: 192000 bytes
  • Packer: multiple layers of ASPack and JDPack
  • Type: backdoor worm

Overview

Analysis of Email-Worm.Win32.LovGate.ae
Sample MD5: 42ab20ee5f4757a44edff753bc508840
Sample SHA1: cc2df80aea902bec125601cd3202a3e5e9010613
Written in: Microsoft Visual C++ 6.0
Propagation: email, network
Behaviour analysis:

Virus behaviour

When run, the worm drops copies of itself and its backdoor components to:
%Windows%\SVCHOST.EXE
%Windows%\SYSTRA.EXE
%System32%\HXDEF.EXE
%System32%\IEXPLORE.EXE
%System32%\KERNEL66.DLL
%System32%\RAVMOND.EXE
%System32%\TKBELLEXE.EXE
%System32%\UPDATE_OB.EXE
%System32%\LMMIB20.DLL
%System32%\MSJDBC11.DLL
%System32%\MSSIGN30.DLL
%System32%\NETMEETING.EXE
%System32%\ODBC16.DLL
%System32%\SPOLLSV.EXE
The worm copies itself to the root directory of every partition and creates an autorun.inf there:
AUTORUN.INF
COMMAND.EXE
Contents of AUTORUN.INF:
[AUTORUN]
Open="c:\COMMAND.EXE" /StartExplorer
The worm creates startup entries so that it runs automatically at boot:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "RAVMOND.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
WinHelp = "C:\Windows\System32\TkBellExe.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Hardware Profile = "C:\Windows\System32\hxdef.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Program In Windows = "C:\Windows\System32\IEXPLORE.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Shell Extension = "C:\Windows\System32\spollsv.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
SystemTra = "C:\Windows\SysTra.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
COM++ System = "svchost.exe"
The worm registers itself as a system service:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server Performs Scheduled scans for LANguard
Image path: %System32%\MSJDBC11.DLL
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_reg]
Display name: _reg
Description:
Image path: %System32%\MSJDBC11.DLL
The worm modifies the following registry entries so that a copy of the worm runs whenever the user opens a .TXT file:
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
default = "Update_OB.exe %1"
[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
default = "Update_OB.exe %1"
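The persistence artifacts above (autorun.inf at the drive root, Run/RunServices values, the hijacked txtfile handler) can be checked mechanically. The following Python script is an added example, not part of this write-up or of any vendor tool: it audits a registry snapshot and an autorun.inf against the file names and key paths listed here. The snapshot and the autorun.inf text are constructed inline so the script runs offline; on a real host the snapshot would be filled from winreg queries of the same key paths, and the HKCU/HKLM/HKCR abbreviations are the script's own.

```python
"""Persistence-indicator audit for the LovGate.ae artifacts described above.

Added example, not part of the original write-up. The registry snapshot and the
autorun.inf text are constructed here so the script runs offline; on a live host
the snapshot would come from winreg queries of the same key paths.
"""
import re

# File names the write-up lists as dropped by the worm (lower-cased for matching).
DROPPED_NAMES = {
    "svchost.exe", "systra.exe", "hxdef.exe", "iexplore.exe", "kernel66.dll",
    "ravmond.exe", "tkbellexe.exe", "update_ob.exe", "lmmib20.dll",
    "msjdbc11.dll", "mssign30.dll", "netmeeting.exe", "odbc16.dll",
    "spollsv.exe", "command.exe", "netmanager.exe",
}

# Autostart locations the worm writes to (hive abbreviations are this script's own).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
TXT_HANDLER_KEYS = (
    r"HKCR\txtfile\shell\open\command",
    r"HKLM\Software\Classes\txtfile\shell\open\command",
)

# A legitimate svchost.exe is started as a service host from System32 and needs no
# Run/RunServices entry, so any such entry naming it is treated as suspicious.
_FILE_RE = re.compile(r"[\w.\-]+\.(?:exe|dll|pif|scr|bat)", re.I)


def _basenames(command):
    """Return the lower-cased file names referenced anywhere in a command string."""
    return {m.lower() for m in _FILE_RE.findall(command)}


def audit_registry(snapshot):
    """snapshot: {key_path: {value_name: value_data}} -> list of (key, value_name, reason)."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            hits = _basenames(data) & DROPPED_NAMES
            if hits:
                findings.append((key, name, "references dropped file " + ", ".join(sorted(hits))))
    for key in TXT_HANDLER_KEYS:
        data = snapshot.get(key, {}).get("(Default)", "")
        # The stock handler is notepad.exe; the worm points it at Update_OB.exe.
        if data and "notepad.exe" not in data.lower():
            findings.append((key, "(Default)", "txtfile handler replaced: " + data))
    return findings


def parse_autorun(text):
    """Minimal INI parser for autorun.inf: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Flag autorun.inf launch entries that point at an executable, as the dropped file does."""
    auto = parse_autorun(text).get("autorun", {})
    return [(key, auto[key]) for key in ("open", "shellexecute", "shell\\open\\command")
            if key in auto and _basenames(auto[key])]


# Constructed snapshot: values copied from the write-up plus one benign control entry.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "WinHelp": r"C:\Windows\System32\TkBellExe.exe",
        "Protected Storage": "RUNDLL32.EXE MSSIGN30.DLL ondll_reg",
        "VMware Tools": r"C:\Program Files\VMware\vmtoolsd.exe",  # benign control entry
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "COM++ System": "svchost.exe",
    },
    r"HKCR\txtfile\shell\open\command": {"(Default)": "Update_OB.exe %1"},
}
SAMPLE_AUTORUN = '[AUTORUN]\nOpen="c:\\COMMAND.EXE" /StartExplorer\n'

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REGISTRY):
        print("registry:", *finding)
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print("autorun.inf:", *finding)
```

The txtfile check is deliberately written as "anything other than notepad.exe" rather than "equals Update_OB.exe", so that a renamed dropper is still caught; the cost is a false positive on hosts where the handler was legitimately changed, which the reviewer can dismiss from the reported value.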
The worm can spread via MAPI. It searches for the system mailbox and, once found, replies to the mail it has received in order to propagate.
The mail it sends has the following characteristics:
Subject: Re: <original subject>
Body:

<original body>
<domain> auto-reply:
wrote:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE now! <

Attachment (one of the following):
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
CloneAttack.rm.scr
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
Besides spreading via MAPI, the worm also spreads using its own SMTP engine.
It harvests email addresses from files with the following extensions:
adb
asp
dbx
htm
php
sht
tbb
Sender:
{random name}.yahoo.com
The random names include:
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra
Body (one of the following):
It's the long-awaited film version of the Broadway hit.
The message sent as a binary attachment.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.

The worm avoids sending mail to addresses containing the following strings:
.gov
.mil
avp
borlan
example
foo.
gov.
hotmail
icrosof
inpris
msn.
mydomai
nodomai
panda
ruslis
sopho
syma
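The two mail paths described above (the MAPI auto-reply lure and the SMTP-engine bodies) share fixed text and a characteristic attachment style, which is what a gateway filter would key on. The following Python script is an added example, not part of this write-up and not any vendor's filter: it parses a message with the standard library email package and reports reply-style subjects, the body phrases quoted above, and executable or double-extension attachment names. Both messages are constructed in the script (the lure sender uses john@yahoo.com as an assumption, since the write-up gives the sender only as {random name}.yahoo.com); a deployment would pass raw message bytes from the mail gateway to score_message() instead.

```python
"""Heuristic filter for the LovGate.ae mail described above.

Added example, not from the original write-up. The messages are constructed in
build_lure() and build_benign(); a real deployment would feed raw RFC 822 bytes
from a mail gateway to score_message() instead.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the write-up's attachment names actually end in; the inner part
# (rm, avi, zip, doc, txt ...) is a decoy.
EXEC_EXT = {"exe", "pif", "scr", "bat", "com"}

# Phrases quoted in the write-up, matched case-insensitively against the text body.
LURE_PHRASES = (
    "auto-reply:",
    "more look to the attachment",
    "Get your FREE now!",
    "The message sent as a binary attachment.",
    "Mail failed. For further assistance, please contact!",
    "has been sent as a binary attachment",
    "long-awaited film version of the Broadway hit",
)


def attachment_risk(filename):
    """Describe why an attachment name is risky, or return None if it is not."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    if len(parts) >= 3:
        return "double extension masquerading as ." + parts[-2]
    return "executable attachment"


def score_message(raw):
    """Parse raw message bytes and list the reasons it matches the LovGate pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().lower().startswith("re:"):
        reasons.append("reply-style subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase.lower() in text:
            reasons.append("lure phrase: " + phrase)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        risk = attachment_risk(name)
        if risk:
            reasons.append(name + ": " + risk)
    return reasons


def build_lure():
    """Constructed message shaped like the auto-reply lure; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "john@yahoo.com"   # assumption: write-up gives {random name}.yahoo.com
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: quarterly report"
    msg.set_content(
        "Thanks, see attached.\n"
        "example.net auto-reply:\n"
        "wrote:\n"
        "... ... more look to the attachment.\n"
        "> Get your FREE now! <\n"
    )
    # Payload bytes are a placeholder, not a real binary.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="Sex in Office.rm.scr")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message with a document attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "alice@example.net"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "quarterly report"
    msg.set_content("Report attached, let me know if anything is missing.\n")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("benign", build_benign())):
        print(label, score_message(raw))
```

A reply-style subject alone is not evidence of anything, which is why the script returns the full list of reasons rather than a verdict: a policy that quarantines on an executable attachment alone, and merely tags on phrases, avoids blocking ordinary replies.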
The worm creates a shared folder named "Media" under the Windows folder and places the following copies of itself in it:
AUTOEXEC.BAT
CAIN.PIF
CLIENT.EXE
documents and settings.txt.exe
FINDPASS.EXE
I386.EXE
internet explorer.bat
microsoft office.exe
MMC.EXE
MSDN.ZIP.PIF
SUPPORT TOOLS.EXE
WINDOWUPDATE.PIF
windows media player.zip.exe
WINHLP32.EXE
WINRAR.EXE
XCOPY.EXE
The worm also tries the following user names and passwords to access other computers on the local network, attempting to get into the "Admin$" share through the ipc$ and admin$ shares that the system opens by default, and spreads that way:
Guest
Administrator
zxcv
yxcv
test123
test
temp123
temp
sybase
super
secret
pw123
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
enable
database
computer
alpha
admin123
Admin
abcd
88888888
2004
2600
2003
123asd
123abc
123456789
1234567
123123
121212
11111111
00000000
000000
pass
54321
12345
password
passwd
server
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
root
abc123
12345678
abcdefg
abcdef
888888
666666
111111
admin
administrator
guest
654321
123456
If the logon succeeds, the worm creates a copy of itself named "NETMANAGER.EXE" in the remote machine's "Admin$\System32" folder.
The worm starts the Windows Management NetWork Service Extensions service.
The worm uses the net stop command to try to stop the services of security software:
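The share-guessing behaviour above leaves a recognisable trace on the target: a burst of failed network logons to ADMIN$ or IPC$ from one source, followed by a success and then a file write. The following Python script is an added example, not part of this write-up: it runs a sliding-window count over constructed logon records and reports source/target pairs that exceed a failure threshold, noting whether a success followed while the failures were still recent. The key=value log layout is this script's own; a deployment would map real logon events (failed and successful network logons to the admin shares) into the same LogonEvent records before calling detect_share_bruteforce().

```python
"""Detection for the admin-share password guessing described above.

Added example, not from the original write-up. The log lines are constructed in a
simple key=value layout of this script's own; a real deployment would map Windows
logon events into the same LogonEvent records before calling detect_share_bruteforce().
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LogonEvent:
    ts: datetime
    source: str
    target: str
    user: str
    share: str
    success: bool


@dataclass
class Alert:
    source: str
    target: str
    failures: int = 0
    users_tried: set = field(default_factory=set)
    followed_by_success: bool = False
    successful_user: str = ""


_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"share=(?P<share>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Turn the constructed log format into LogonEvent records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            events.append(LogonEvent(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                                     m["user"], m["share"], m["result"] == "OK"))
    return events


def detect_share_bruteforce(events, max_failures=5, window=timedelta(minutes=5)):
    """Alert on (source, target) pairs with max_failures failed admin-share logons inside
    `window`, and record whether a success followed while failures were still recent."""
    alerts = {}
    recent = defaultdict(deque)     # failure timestamps per pair, pruned to the window
    tried = defaultdict(set)        # user names seen failing per pair
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.share.lower() not in ("admin$", "ipc$"):
            continue                # only the shares the worm uses count
        key = (ev.source, ev.target)
        q = recent[key]
        while q and ev.ts - q[0] > window:
            q.popleft()
        if not ev.success:
            q.append(ev.ts)
            tried[key].add(ev.user)
            if len(q) >= max_failures:
                alert = alerts.setdefault(key, Alert(ev.source, ev.target, users_tried=tried[key]))
                alert.failures = max(alert.failures, len(q))
        elif key in alerts and q:
            # Success right after a guessing burst: the point at which the worm would
            # write NETMANAGER.EXE into Admin$\System32 on this target.
            alert = alerts[key]
            alert.followed_by_success = True
            alert.successful_user = ev.user
    return list(alerts.values())


# Constructed sample, not real logs: one guessing burst from 10.0.0.7 and normal activity from 10.0.0.21.
SAMPLE_LOG = """\
2004-03-10T09:00:01 src=10.0.0.7 dst=FILESRV01 user=Guest share=ADMIN$ result=FAIL
2004-03-10T09:00:02 src=10.0.0.7 dst=FILESRV01 user=Administrator share=ADMIN$ result=FAIL
2004-03-10T09:00:03 src=10.0.0.7 dst=FILESRV01 user=admin share=IPC$ result=FAIL
2004-03-10T09:00:04 src=10.0.0.7 dst=FILESRV01 user=Administrator share=ADMIN$ result=FAIL
2004-03-10T09:00:05 src=10.0.0.7 dst=FILESRV01 user=Administrator share=ADMIN$ result=FAIL
2004-03-10T09:00:06 src=10.0.0.7 dst=FILESRV01 user=Administrator share=ADMIN$ result=OK
2004-03-10T09:30:00 src=10.0.0.21 dst=FILESRV01 user=alice share=Public result=OK
2004-03-10T09:31:00 src=10.0.0.21 dst=FILESRV01 user=alice share=ADMIN$ result=FAIL
"""

if __name__ == "__main__":
    for alert in detect_share_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are parameters because the right values depend on the environment; the worm's list above has over eighty passwords, so a burst of that size within seconds is far above any human typo rate, and the single failure from 10.0.0.21 in the sample never reaches the threshold.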
Symantec AntiVirus Client
Symantec AntiVirus Server
Rising Realtime Monitor Service
The worm also terminates processes related to security and antivirus software whose names contain the following strings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising
The worm collects the computer's stored information and passwords, records them in C:\Netlog.txt, and periodically sends the file to
The worm also creates the following archive files on the E: and F: drives and sends them:
setup.ZIP
setup.RAR
WORK.RAR
WORK.ZIP
install.ZIP
install.RAR
bak.RAR
bak.ZIP
letter.RAR
letter.ZIP